SlideShare a Scribd company logo

Unix Security

Download as PPT, PDF
R
replay21

A powerpoint presentation on UNIX security.

1 of 47
 
Being a multi-user system - UNIX and Linux have a tremendous amount of security to offer; many being open source, which can be validated and modified to meet anyone’s needs. With live system patch upgrades, open source customized firewalls, encrypted disk and swamp space, one super-user account, MAC permissions, salted passwords, checksum packages, system monitoring, chroot and jail system services, limited known viruses and worms, and hundred more features; UNIX/Linux tops security on any other operating system.
List of things to go over… Each have 1-3 slides… try not to fall asleep! =)
Most basic level of security - giving users permission of what files they can: read, write, or execute. Access Control List Mandatory Access Control Almost modern files systems, include ACLs to give unprivileged access to only certain users. Permissions are separated by owner , group , and others . On UNIX systems permissions are displayed as rwx rwx rwx With a few more special settings, Desktop environments also provide GUI settings for easy modifying. More sophisticated form of permissions handling. This is more like application patching, it limits what permission each program is given. MAC programs include: AppArmor, SELinux, SEBSD, GrSecurity, Trusted Solaris and Trusted BSD.
Permissions are set in Octal unmask – Sets default file permissions. You can set files to have same permissions as you create them. Special files have symbolic notations in front of the first ‘r’ in their permissions, these include… - Denote regular file d Denote a directory b Denote a block special file c Denote a character special file l Denote a symbolic link p Denote a named pipe s Denote a domain socket SUID – chmod a +s to a file to make the program run as the owner. SGID – chmod a +u to a file to make the program run as the group. Sticky – chmod a +t to files or directories prevents anyone except the owner from renaming of deleting them. Note* - Attributes and flags can also be made to certain files but this differs from file system and OS used.
Examples… $ umask  Default Permissions 0033 $ umask –S  Human Readable u=rwx,g=r,o=r $ touch ok  Create empty file $ ls -l ok  Look permissions -rw-r--r-- 1 root wheel 0 Dec 5 05:08 ok $ chmod a+x ok  Give all execute permissions $ ls -l ok -rwxr-xr-x 1 root wheel 0 Dec 5 05:08 ok $ mkdir ok  Make a directory $ ls -ld ok  Directory permissions drw-r--r-- 2 root wheel 512 Dec 5 05:13 ok Denote ‘d’ means it’s a directory. $ ls -l /usr/bin/passwd -r-sr-xr-x The ‘passwd’ on all UNIX systems have a SUID +s because only the root account can change your password, running this program as ‘root’ even being a normal user will enable anyone to change their own password.
UNIX/Linux all have salted hashes, which make rainbow tables completely useless especially with more powerful encrypted hashes available today. The location of the passwords differ from UNIX operating system, and weather the user has changed the default location or not. In addition to the location, the files are separated into two ‘passwd’ and ‘shadow’. Only the root can access the ‘shadow‘ file. Using a program like ‘unshadow’ one can use both files to get a list of users and their encrypted passwords. Having this is only half the challenge. A typical ‘unshadow’ file looks like this… UserName:SaltID:Saltedhash:EncrypedPassword:UserID:GroupID:Complete_Name:home_dir:shell_bin That’s assuming you have both ‘passwd’ and ‘shadow’ files which includes root privileges.
Cracking the password - Even getting the ‘unshadow’ file with every user ‘s encrypted password and name, cracking it these days is extremely difficult, even by brute-forcing. NSA has created the sha-2 functions which have a very large encryption bit. root :$ 6 $ 9ydl1tvS/ivnSGdp $ Tr.dWu07FAQN/uPHkKAYaUm7sJ1DEH11488oUcfQLA8LAIsjT.zBrUwuTl8oQt7kOJBVi4W.1eESHagKJ2Wc71 :100:100:root:/root:/sbin/sh $1$... md5 $5$... sha256 $ 6 $... sha512 Salt ID $6$ means the password is encrypted in salted base64 sha512. The random base64 generated salt. Ends in ‘$’ Name of the user. The encrypted base64 sha512 hash. UserID:GroupID:Complete_Name:Home_Directory:Shell How to identify an ‘unshadow’ file…. Note* - There is no password cracker that handles sha384/512 salted hashes at the moment.
Maximum Security - Every UNIX OS has a security level in its kernel, the higher it is, the more secure your system is. Be aware having the level higher than ‘1’ will probably produce problems in the future. Situation… Lets say you went in the logs /var/log and changed the attribute of ‘auth.log’ to append only so an attacker getting root privileges can’t delete his trace. You type.. $ chattr +a auth.log In Linux and $ chflags sappnd auth.log In BSD. An attacker gaining root can easily just type $ chattr -a auth.log or $ chflags nosappnd auth.log After removing the attribute/flags the attacker can remove his trace, so what's the use? That’s where the secure level comes in. BSD has securelevel and Linux has ‘capabilities model’ to prevent this.
Linux To prevent even the ‘root’ account from doing this, Linux needs to remove the CAP_LINUX_IMMUTABLE capability. You will need a program called ‘lcap’ from http://packetstormsecurity.org After unzipping and compiling… ./lcap CAP_LINUX_IMMUTABLE ./lcap CAP_SYS_RAWIO First command removes the ability to change the append-only flag, second command removes the raw I/O to prevent anyone from modifying the block device the file resides on. Adding the script above to /etc/rc.local To issue the command at every startup. BSD BSD ‘s securelevel its incredibly more secure! Unlike Linux where it’s set at every start up, once you raise the securelevel in BSD, it can never be changed back, careful! In /etc/sysctl.conf You can see kern.securelevel=1 That is the current system level, FreeBSD by defauly is -1 NetBSD is -1 OpenBSD has it to 1 Once the system has been restarted with the new level, your stuck with it! Having the level higher than 0 X11 won’t work. The max level is 2 which is well.. Lets just say you can’t change ANYTHING! You can’t even change the clock at level 2! Nor can you mount new disks. Go to http://wiki.netbsd.se/Kernel_secure_levels for more information on securelevels .
Security Threats - Most major Linux distribution have their own package manager from: dpkg, rpm, source packages, and yum. BSD has either has a port collection or pkgsrc. With a simple system update, an entire system can be patches with the latest security threats, some distribution require you to restart like ‘Ubuntu’ and others like.. BSD! Can perform “live” updates. Every UNIX OS project has security threats that need patching, and most display them on their web site. Others let you know in a nice friendly popup. Patching a system is a simple task, most Linux distributions have “user-friendly” ways, while BSD users need to use ‘portmanager’ or recompile the program from source. All packages are checksum (I’ll talk more on the next slide) to make sure none of the installing packages has been modified from an intruder and tricking you in installing their own packages.
Checking Packages - Making sure your installing the right packages can be crucial. All UNIX systems have a sha256 and MD5 checksum which check every binary bit for any alteration. A program called ‘visprint’ can also be used. It creates a visual representation of an image using a any checksum. Since every file has a completely different hash, the image is always different. Linux md5sum [file] $ md5sum “ok” Md5sum (“ok”) = 444bcb3a3fcf8389296c49467f27e1d6 For BSD use ‘md5’ $ visprint | md5 “ok”  See Image
SandBoxing a user or daemon - The mistake most administrators do is run daemons and services as the ‘root’ account. That’s incredibly insecure and any security threat can get anyone root privileges to an entire system. Almost all UNIX/Linux OS’s include a mechanism to sandbox environments. What is a Sandbox? A sandbox offers various levels of isolation between a host and the sandbox. In other words… Running a daemon like a web server as root is dangerous, chroot() only lets the daemon run the files “it needs” and restrict everything else. If an attacker is able to buffer overflow a POP3 server for instance and gain root privileges. While He/She will be confined in the sandbox, and cannot run any other process. Although there are many ways to get out of the sandbox, they rely on how well you construct it. FreeBSD is the only OS that includes the jail() command. It’s a more sophisticated than chroot() and more secure.
Examples… $ mkdir -p /chroot_test/bin  Create a sandbox $ cp /bin/sh /chroot/bin/  Copy a shell $ chroot /chroot_test /bin/sh  Enter the Sanbox $ echo /*  ls won’t work only ‘echo’ /bin As you can see, your confined in a small box, the only commands you can use are the default shell commands, if you want to use ‘ls’ or anything else, You need to copy the entire program in the sandbox. Jail() is much more secure, and it creates more like a virtual server with its very own IP address! $ mkdir -p /jail_test/bin $ cp /bin/sh /jail_test/sh $ jail /jail_test jail_test 192.168.0.40 /bin/sh $ echo /* /bin
Linux and SELinux working together? - Linux on its own already includes many open source security features, the biggest one is SELinux was created by the NSA to enhance security on Linux by creating more system patches. SELinux is complex and somewhat hard to understand to new Linux users, as a result, most disable it because it interferes with their programs to often. Other than that, its basically NSA’s implementation of MAC into the Linux kernel. It’s a list of policies every user is force to follow, although this prevents users from malicious intent, its just patches; once a user gains ‘root’ privileges, this is relatively useless.
BSD’s version of SELinux - FreeBSD having a Linux compatibility, implemented SELinux modules into its kernel as well. Although this is optional and unless you’re an administrator for many security sensitive servers, this is an overkill. FreeBSD has the TrustedBSD project, which is a collection of advance security programs and features available for other BSD’s and Linux as well. Some of these projects include… file system extended attributes and UFS2, Access Control List, OpenPAM, security even auditing with OpenBSM, mandatory access control and the TrustedBSD MAC Framework, and the GEOM storage framework
Daemon’s are nice! - Daemons or Services provide others to access resources your pc/server has weather it’s a web server, SSH, telnet, ftp, or any other useful resource. Running a daemon without your notice can create a security problem. ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Inetd and xinetd are super-servers. If their started at start-up, they read off a configuration file, usually in /etc which starts all the daemons listed. BSD has all the daemons except the domain off by default, learn how to configure the inetd super-server… http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-inetd.html To run your choice daemons in a nice organized list, just uncomment them!
We need to secure Linux? - Unfortunately although Linux can be relatively secure, it can do a lot better. BSD’s can also be harden although OpenBSD is the only one, you might want to skip. Their secure by default philosophy doesn’t lie. IBM has a well documents how to on Hardening Linux http://www.ibm.com/developerworks/linux Get ready to read a lot! Hardening Linux to make it secure, it’s a long and painful process, so I won’t discuss how to here. Many distributions today: fedora, redhat, SUSE, and Ubuntu are relatively secure by default, but if your not lazy you can make it better! FreeBSD and NetBSD can be harden a little, for example its master.shadow file is still in FreeBSD md5 salted algorithm which almost any password cracker like john-the-ripper can easily crack. FreeBSD’s handbook describes all the security you can add… http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html
UNIX/Linux has cyber text friends - Almost anything can be encrypted: files, RAM, hard drive, swamp, network transmission, passwords, emails, web sites, everything ‘should’ be encrypted. Symmetric-key encryption involves only one key, this can be a password of some sort. Great for compress file encryption, hard drive encryption, or local encryption, hashes include… Asymmetric-key encryption is used most often to transfer data across a network. This requires a different key for encryption and decryption known as a public and private key. Examples include….
One-way hash (checksum) - are mathematically irreversible algorithms to create a random string corresponding to the plain text. These are useful like the checksum slide to check for any alterations. Its most commonly used for password hashing. Password crackers try to use every possible combination either brute-force or dictionary attack, which the string is hashed and checked for comparison against the original hash. One way hashes include…
RAM needs protection? Wah?.. - Protecting RAM from processes using more than its intended allocated space is embedded on all modern OS’s including UNIX, but protecting their data is something else. Normally RAM can be access by any program looking at the /dev/mem OpenBSD has many new features that prevent this. strlcpy() and strlcat() in C/C++ guardPages, randomzied malloc() randomized mmap() atexit() and stdioprotection All UNIX/Linux system have their own way to secure RAM, maybe not as much as OpenBSD but without this anyone can read passwords you entered in your RAM without randomizing.
Swamp should always be encrypted if its used - During installation of any UNIX/Linux system it should also set apart a Swap partition incase the RAM ever runs out. It’s a good way not to freeze a system, but just like RAM, it should be protected and always encrypted. Searching ‘encrypted swap’ on Google, will show some tutorial on how to do this on Ubuntu and Fedora and a few others. For the BSD systems, OpenBSD should already have it by default, FreeBSD has a tutorial on their site http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html NetBSD should have one too. Having the swap partition encrypted prevents others from reading it just like RAM.
Why do I need to encrypt my hard drive? - This is always an optional choice for any user. Depending of critical your files are, you might or might not need it at all. Full disk encryption Encrypt an entire partition, except for the MBR (Master Boot Record) unencrypted. Uses symmetric key encryption, you it encrypts/decrypts with a single password. Filesystem-level encryption Encrypts individual files and folders within a running file system. I can use symmetric or asymmetric encryption depending on the software. Hardware-based full disk encryption Full hard drive encryption, including the MBR all encrypted. The symmetric key are only stored in the BIOS using Pre-Boot Authentication. There are over 40 encryption software available. http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
Pluggable Authentication Modules - Added authentication rules used for application. Example, What if you wanted to limit the users that can log in from a specific hosts. Firewall Rules? What if you wanted to allow only ‘some’ users at specific from a specific host, at different times and dates for maintenance purposes? PAM! PAM is usually set up only on services like: SSH, ftp, telnet, that can be dangerous for potential attacks.
PAM Examples… pam_access = Module limits where a user or group may log in from. pam_time = Module limits when then user or group may log in. File /etc/pam.d/login Includes all the available modules. File /etc/pam.d/system-auth Is the configuration file. File /etc/security/access.conf Controls how the modules behave. File /etc/security/time.conf Controls how the time module behaves. ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Add ‘ account required /lib/security/$ISA/pam_time.so` Will enable the module. Configuring /etc/security/time.conf takes the form of ‘ services;devices;users;times` sshd:ttyp*;!root;Fri1900-0700 - Limits the SSH logging from 7PM-7AM. Note* - $ ls -1 /etc/pam.d Lists all the PAM supported daemons.
I thought UNIX doesn’t get a virus? - Although UNIX are rarely a prime target for viruses, due to the low market share. Doesn’t mean you can’t be prepared. The problem most viruses have is lack of ‘root’ privileges. Worst case scenario, all your personal files get deleted, leaving the system still running. Due to the popularity of UNIX increasing, the amount of UNIX viruses doubled since last year. Most of them being for Linux. UNIX systems tend to have regular up to date upgrades removing new vulnerabilities and most require no restart from the user. Some commercial and free UNIX virus scanner are available.
“ Secure by default” - Putting security above everything else. ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Iptables - Linux firewalls, are configured manually (unlike a bar in windows). There are simple GUI firewalls, even though you don’t get much control over them. ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],“ Inclusive” Only allow specific packets. “ Exclusive” Allow all packets but block specific packets.
Iptables Syntax iptables <option> <chain> <matching criteria> <target> iptables.sh #!/bin/sh IPT=“/sbin/iptables” # Location of iptables INTERNET=“eth0” # Internet-connected Interface LOOPBACK_INTERFACES=“lo” # Loopback Interface LOOPBACK=“127.0.0.0/8” # Reserved loopback address range CLASS_A=“10.0.0.0/8” # Class A private networks CLASS_B=“172.16.0.0/12” # Class B private networks CLASS_C=“192.168.0.0/16” # Class C private networks CLASS_D=“224.0.0.0/4” # Class D private networks CLASS_E=“240.0.0.0/5” # Class E private networks BROADCAST_SRC=“0.0.0.0” # Broadcast source address BROADCAST_DEST=“255.255.255.255” #broadcast destination PRIVPORTS=“0:1023” # well-known, privileged ports UNPRIVPORTS=“1024:65535” # unprivileged ports $IPT --policy INPUT DROP $IPT --policy OUTPUT ALLOW Firestarter is a GUI firewall. Much easier to use, no script making involve, except you put all your confidence on a program, you have no idea what its actually doing…
BSD only firewall - Fast, sophisticated, easier, PF is the ideal firewall for any BSD based operating system. Unlike iptables where every single thing is entered manually, PF can be all be configured with just three lines to /etc/pf.conf… set skip on lo0 block in all pass out all That’s it! Then just $ pfctl -f /etc/pf.conf To enable it, and you have a desktop firewall. * First line skips checks on lo0 If your planning in running services like “SSH” you must add rules, the last rule always wins! block in all pass in quick proto tcp to any port ssh pass out all The second line allows TCP connections to the local SSH. The `quick` stops from other rules from being seen, so this is the last rule. services = {telnet, ssh, rlogin, http, finger} Pass in quick proto tcp to any port $services Macros Macros can be used to pair up ports or daemons. Of course these are SMALL samples, PF is very powerful and can be a large topic to cover.
OpenBSD is full of projects - With emphasis on security, OpenBSD’s projects have made its replacements almost now obsolete. OpenSSH OpenSSH embedded cryptography on all these protocols for same communication. OpenBGPD BGPD is a Border Gateway Protocol (BGP) daemon which manages the network routing tables. OpenNTPD NTP is a daemon that synchronizes your local clock to remote NTP servers. OpenCVS Concurrent Versions System not yet released, its intended to replace the current CVS which many have found vulnerabilities.
What is it exactly? - When a process tries to store data beyond the boundaries of a fixed-length buffer. Trying to run a C program like this: vul.c Int main (argc, char** argv[]) { char buffer[500]; strcpy(buffer, argv[1]); return 0; } Compiling it, and adding the +s as root will make it vulnerable. Using the NOP sled typing something like this on a i386 machine, you will gain ‘root’ privileges.. $ ./vul `perl -e ‘print “90”x202;’``cat shellcode``perl -e ‘print “78f9ffbf”x88;’` root# who am I root The vulnerability lies when trying to store more bytes than it can handle. Most of the time it’s a segment fault, others you might be able to execute a command, if done correctly.
Spy on others - This is actually pretty easy to do, although most transmission is encrypted now, back in the dinosaur age all transmission was unencrypted: telnet, ftp, rlogin. Using an interface device only receives information by its unique identity, setting your interface device to ‘ promiscuous ’ mode meant, your interface device will be able to receive all packets, most not even meant for your computer. They way of doing this varies from OS but some packet sniffers like Wireshark do all this for you. Many people don’t know is setting your device to ‘ promiscuous’ mode won’t give you a lot of information. To really spy on someone, make your MAC address the same as theirs, (some routers allow you do to that, some don’t) you can do this by scanning your local network and getting a list of all IPs. The only catch is they must be running an unencrypted daemon like telnetd or ftpd. If it’s a switch, you won’t be able to see them logging in, unless do you a Man-In-Middle attack.
GNU Privacy Guard and Pretty Good Encryption - Although this can be used to transmit data across a network, its mostly use is for email. To see a Signature you will do this… $ gpg -import KEYS $ gpg -verify [packages] This is almost like checksum but instead of checking the file itself, you can download a package with the right checkup but how do you know it’s the real thing? Anyone can change the checksum. This will very if the package its from the owner itself. OpenGPG has been ported in many email clients for safe email transmission. Using asymmetric encryption, the sender uses the private key to encrypt the message, the receiver owns the private key to see them message.
The reason why we don’t need Windows anymore - Samba comes from Server Message Block (SMB) used my Microsoft Windows to share files. Samba makes it so UNIX users can share files and printers with window users. This is important because almost all UNIX and UNIX-like system have this: Mac OSX, Linux, BSD, Solaris, AIX, and others Samba has dozens of implementations: WINS, NETBIOS, SMB, CIFS, DCE/RPC, and MSRPC and including Active Directory log on. Samba allows you to share files for window clients to read. It also allowed you to view windows server shares through the use of ‘smbclient’ or mounting with the file system ‘smbfs’
The users are using up all the resources! - With the all powerful multi-user system UNIX can set limits using PAM to certain users or groups, so they won’t be able to hog the entire 100% CPU. The configuration file for setting the limits is called /etc/security/limits.conf domain type resource value Soft limit - the default value of how much resource the user can use. They may want more and raise the level, but only to the hard limit. Hard limit - the maxim limit the user can achieve, they can’t go any higher than this. Adding to the /etc/security/limits.conf guest soft nofile 1000 guest hard nofile 2000 The ‘nofile’ can be cpu, memlock, nproc, maxlogins, or fsize, they all limit them on certain things, right now it says guest can only have open 1000-2000 open files. $ Su - guest $ ulimit -a  will list the limits $ ulimit -n 2000  Have the hard limit $ ulimit -n 2001  will receive an error
Sometimes a sandbox is an overkill - Restricting users in a shell, isn’t so effective. They can break out of it if they were savvy users. Nonetheless it’s a great way if your to lazy to use chroot(). The command to restrict users, varies on what shell. For bash, typing $ bash -r Will bring up a restricted shell. These shells, you can’t use ‘cd’ nor can you change your PATH and some other restrictions. You can do this permanent by adding ‘+r’ to the .profile page. Note* - make sure they can’t edit their own .profile page, and use PATH=. with symbolic links to specify what commands they may use. $ bash -r bash: SHELL: readonly variable bash: PATH: readonly variable bash-2.05b$ ls bash: ls: No such file or directory bash-2.05b$ /bin/ls bash: /sbin/ls: restricted: cannot specify ‘/’ in command names bash-2.05b$ exit $ ln -s /bin/ls . $ bash -r $ bash-2.05b$ ls -la  list your stuff
Restrict bandwidth usage - Allowing people to hog all the internet can be restricted so only you can have the entire bandwidth all to yourself! A program called AltQ, which is now ported into OpenBSD PF, can restrict bandwidth usage as well. Although it can be a bit complicated. altq on $ext_if cbq bandwidth 2MB queue {main, ftp, udp, web, ssh, icmp} queue main bandwidth 18% cbq(default borrow red) queue ftp bandwidth 10% cbq(borrow red) queue udp bandwidth 30% cbq(borrow red) queue web bandwidth 20% cbq(borrow red) queue ssh bandwidth 20% cbq(borrow red) {ssh_interactive, ssh_bulk} queue ssh_interactive priority 7 bandwidth 20% queue ssh_bulk priority 0 bandwidth 80% queue icmp bandwidth 2% cbq Here’s a script, that sets the limit to 2MB of transfer data. The %% means how much of that limit can the daemons have.
You must know everything! - Every OS has its own logging thing. They help the administrator see what’s going on. The only problem is, most of them are to busy or lazy to actually read it. In the system level slide, I discussed how the log files can be safe from tampering. Checking the /var/log/auth.log File daily, you might be surprised, if your running a SSH server, a lot of people try to brute-force it and it ends up in there! Everything is in the /var/log directory, from Samba errors, system errors, print errors, and X11 errors.
Intrusion Detection System - A firewall might prevent a packet from entering, but most don’t detect attempted break ins. A popular open source software called Snort can keep track of any attempts in a desktop or server system. Snort can be places behind or in front of the firewall, to detect possible break ins. It can also be used as a separate server, using ‘ promiscuous ’ mode to log and scan traffic for any suspicious activity.
Network Files System - Who needs Windows Shares when UNIX has its very own file sharing system. In order to run NFS successfully, a client must have these daemons running… nfsd NFS clients daemon mountd Mounts the remote nfs share rpcbind daemon to discover what port nfs is using. After reading the how-to on setting up a NFS client or server http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html There are some security issues. Due to the design of NFS, a user can easily spoof an IP address and gain access to an unprivileged resource in the NFS server, since they rely on the identify of the host. Also NFS does not encrypt network traffic, so your basically just using telnet (so to speak). SFS was created to solve this and many other security issues. Its basically the same as SSH is to telnet, it uses public-key encryption to share files securely with passwords.
See what your users are up to - Logging is a good way to track users, but what if your online and curious to see what their up to? There are many monitoring software that allow you to see real-time data. OpenBSD has ‘ftop’ which lets you see virtually anything of the firewall itself. All UNIX system have ‘top’ simple monitoring of the CPU and programs. Nagios is network-monitoring application, which lets you monitor virtually anything, even a 3D representation of your own network.
An administrators easy-to-use tool - Scripts can be made for simple programs. Their basically a list of commands with a little logic programming. Shell Scripting is basically a very simple programming language, useful for doing a lot of nifty things. echo &quot;Hello, $LOGNAME“ echo &quot;Current date is `date`“ echo &quot;User is `who i am`&quot; echo &quot;Current direcotry `pwd`&quot; Little scripts like this. MAX_NO=0 echo -n &quot;Enter Number between (5 to 9) : &quot; read MAX_NO if ! [ $MAX_NO -ge 5 -a $MAX_NO -le 9 ] then echo &quot;I ask to enter number between 5 and 9, Okay&quot; exit 1 fi clear for (( i=1; i<=MAX_NO; i++ )) do for (( s=MAX_NO; s>=i; s-- )) do echo -n &quot; &quot; done for (( j=1; j<=i; j++ )) do echo -n &quot; $i&quot; done echo &quot;&quot; done for (( i=1; i<=MAX_NO; i++ )) do for (( s=MAX_NO; s>=i; s-- )) do echo -n &quot; &quot; done for (( j=1; j<=i; j++ )) do echo -n &quot; .&quot; done echo &quot;&quot; done
Making sure you have something after a crash - Backing up important files to tapes, drives, disks daily is a good idea to make sure you still ‘have’ them after a system crash. ‘ cpio’ command creates tar files, which makes files compress so they you don’t end up waiting a lot of space. ‘ cpio’ can restore backup files, tar them, backup to floppy disk or any drive. Copies files to a remote location automatically. There are many other open source tools, used for backups. Backing databases like MySQL is also a good idea.
Beat forensics - Even deleting and overwriting a file 10x it can still be recovered even on a UNIX system, there are several software to prevent this. One of many useful ways to securely delete a file made by THC called ‘secure_delete’ This is secure delete the entire contents of a file system, file, folder, swamp space, memory and many other drives from forensic activity. After installation, the easiest way to delete a file is type ‘srm’ instead of ‘rm’ and that’s it, file security deleted. http://freeworld.thc.org/releases.php?s=12&q=&o=
 
 

Recommended

Linux.ppt
Linux.ppt Linux.ppt
Linux.ppt onu9
 
Kali linux os
Kali linux osKali linux os
Kali linux osSamantha Lawrence
 
Linux file system
Linux file systemLinux file system
Linux file systemMd. Tanvir Hossain
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
Introduction to linux ppt
Introduction to linux pptIntroduction to linux ppt
Introduction to linux pptOmi Vichare
 
what is LINUX ? presentation.
what is LINUX ? presentation.what is LINUX ? presentation.
what is LINUX ? presentation.saad_khan1122
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 
Lecture 3 threads
Lecture 3 threadsLecture 3 threads
Lecture 3 threadsKumbirai Junior Muzavazi
 

Recommended

Linux.ppt
Linux.ppt Linux.ppt
Linux.ppt onu9
 
Kali linux os
Kali linux osKali linux os
Kali linux osSamantha Lawrence
 
Linux file system
Linux file systemLinux file system
Linux file systemMd. Tanvir Hossain
 
Linux security
Linux securityLinux security
Linux securitytrilokchandra prakash
 
Introduction to linux ppt
Introduction to linux pptIntroduction to linux ppt
Introduction to linux pptOmi Vichare
 
what is LINUX ? presentation.
what is LINUX ? presentation.what is LINUX ? presentation.
what is LINUX ? presentation.saad_khan1122
 
Kali Linux
Kali LinuxKali Linux
Kali LinuxChanchal Dabriya
 
Lecture 3 threads
Lecture 3 threadsLecture 3 threads
Lecture 3 threadsKumbirai Junior Muzavazi
 
Virtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) pptVirtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) pptOECLIB Odisha Electronics Control Library
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Linux operating system
Linux operating systemLinux operating system
Linux operating systemVicko Pratama Putra
 
Linux commands
Linux commandsLinux commands
Linux commandsMannu Khani
 
Software management in linux
Software management in linuxSoftware management in linux
Software management in linuxnejadmand
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory StructureKevin OBrien
 
Linux
Linux Linux
Linux Kevin James
 
Linux basics
Linux basicsLinux basics
Linux basicsSantosh Khadsare
 
Windows Security in Operating System
Windows Security in Operating SystemWindows Security in Operating System
Windows Security in Operating SystemMeghaj Mallick
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to SnortHossein Yavari
 
Chapter03 Creating And Managing User Accounts
Chapter03 Creating And Managing User AccountsChapter03 Creating And Managing User Accounts
Chapter03 Creating And Managing User AccountsRaja Waseem Akhtar
 
Linux User Management
Linux User ManagementLinux User Management
Linux User ManagementGaurav Mishra
 
Introduction to Cloud Security
Introduction to Cloud SecurityIntroduction to Cloud Security
Introduction to Cloud SecurityLegal Services National Technology Assistance Project (LSNTAP)
 
Unix ppt
Unix pptUnix ppt
Unix pptDr Rajiv Srivastava
 
Linux kernel
Linux kernelLinux kernel
Linux kernelGoutam Sahoo
 
Command line interface “CLI”
Command line interface “CLI”Command line interface “CLI”
Command line interface “CLI”abochoman
 
Linux Introduction
Linux IntroductionLinux Introduction
Linux IntroductionLibsoul Technologies Pvt. Ltd.
 
Architecture of operating system
Architecture of operating systemArchitecture of operating system
Architecture of operating systemSupriya Kumari
 
Ch1-Operating System Concept
Ch1-Operating System ConceptCh1-Operating System Concept
Ch1-Operating System ConceptMuhammad Bilal Tariq
 
Computing Environment
Computing EnvironmentComputing Environment
Computing Environmentkem warren
 
Unix Security
Unix SecurityUnix Security
Unix SecurityKumar Setty, HCISPP, CISA, CCSK, ITIL, CHSP
 
Unix operating system
Unix operating systemUnix operating system
Unix operating systemABhay Panchal
 

More Related Content

What's hot

Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Software management in linux
Software management in linuxSoftware management in linux
Software management in linuxnejadmand
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory StructureKevin OBrien
 
Windows Security in Operating System
Windows Security in Operating SystemWindows Security in Operating System
Windows Security in Operating SystemMeghaj Mallick
 
Chapter03 Creating And Managing User Accounts
Chapter03 Creating And Managing User AccountsChapter03 Creating And Managing User Accounts
Chapter03 Creating And Managing User AccountsRaja Waseem Akhtar
 
Linux User Management
Linux User ManagementLinux User Management
Linux User ManagementGaurav Mishra
 
Command line interface “CLI”
Command line interface “CLI”Command line interface “CLI”
Command line interface “CLI”abochoman
 
Architecture of operating system
Architecture of operating systemArchitecture of operating system
Architecture of operating systemSupriya Kumari
 
Computing Environment
Computing EnvironmentComputing Environment
Computing Environmentkem warren
 

What's hot (20)

Virtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) pptVirtual Private Networks (VPN) ppt
Virtual Private Networks (VPN) ppt
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linux
 
Linux operating system
Linux operating systemLinux operating system
Linux operating system
 
Linux commands
Linux commandsLinux commands
Linux commands
 
Software management in linux
Software management in linuxSoftware management in linux
Software management in linux
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory Structure
 
Linux
Linux Linux
Linux
 
Linux basics
Linux basicsLinux basics
Linux basics
 
Windows Security in Operating System
Windows Security in Operating SystemWindows Security in Operating System
Windows Security in Operating System
 
Introduction to Snort
Introduction to SnortIntroduction to Snort
Introduction to Snort
 
Chapter03 Creating And Managing User Accounts
Chapter03 Creating And Managing User AccountsChapter03 Creating And Managing User Accounts
Chapter03 Creating And Managing User Accounts
 
Linux User Management
Linux User ManagementLinux User Management
Linux User Management
 
Introduction to Cloud Security
Introduction to Cloud SecurityIntroduction to Cloud Security
Introduction to Cloud Security
 
Unix ppt
Unix pptUnix ppt
Unix ppt
 
Linux kernel
Linux kernelLinux kernel
Linux kernel
 
Command line interface “CLI”
Command line interface “CLI”Command line interface “CLI”
Command line interface “CLI”
 
Linux Introduction
Linux IntroductionLinux Introduction
Linux Introduction
 
Architecture of operating system
Architecture of operating systemArchitecture of operating system
Architecture of operating system
 
Ch1-Operating System Concept
Ch1-Operating System ConceptCh1-Operating System Concept
Ch1-Operating System Concept
 
Computing Environment
Computing EnvironmentComputing Environment
Computing Environment
 

Viewers also liked

Unix operating system
Unix operating systemUnix operating system
Unix operating systemABhay Panchal
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security OverviewKernel TLV
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating Systemsubhsikha
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction Mohamed Gad
 
Unix memory management
Unix memory managementUnix memory management
Unix memory managementTech_MX
 
UNIX Operating System
UNIX Operating SystemUNIX Operating System
UNIX Operating SystemUnless Yuriko
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating systemAbou Bakr Ashraf
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWallwebhostingguy
 
Nasa tlx
Nasa tlxNasa tlx
Nasa tlx黑豹
 
Unix operating system basics
Unix operating system basicsUnix operating system basics
Unix operating system basicsSankar Suriya
 
Some basic unix commands
Some basic unix commandsSome basic unix commands
Some basic unix commandsaaj_sarkar06
 
Ibm tivoli storage manager for databases data protection for oracle for unix ...
Ibm tivoli storage manager for databases data protection for oracle for unix ...Ibm tivoli storage manager for databases data protection for oracle for unix ...
Ibm tivoli storage manager for databases data protection for oracle for unix ...Banking at Ho Chi Minh city
 
Unix Process management
Unix Process managementUnix Process management
Unix Process managementWave Digitech
 
Unix linux vmacvwindowspptx2
Unix linux vmacvwindowspptx2Unix linux vmacvwindowspptx2
Unix linux vmacvwindowspptx2Wendy Lile
 
Two factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google AuthenticatorTwo factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google AuthenticatorAllan Denot
 
Ansible with AWS
Ansible with AWSAnsible with AWS
Ansible with AWSAllan Denot
 

Viewers also liked (20)

Unix Security
Unix SecurityUnix Security
Unix Security
 
Unix operating system
Unix operating systemUnix operating system
Unix operating system
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
Linux Security Overview
Linux Security OverviewLinux Security Overview
Linux Security Overview
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating System
 
Linux security introduction
Linux security introduction Linux security introduction
Linux security introduction
 
Unix memory management
Unix memory managementUnix memory management
Unix memory management
 
UNIX Operating System
UNIX Operating SystemUNIX Operating System
UNIX Operating System
 
Security & protection in operating system
Security & protection in operating systemSecurity & protection in operating system
Security & protection in operating system
 
Security and Linux Security
Security and Linux SecuritySecurity and Linux Security
Security and Linux Security
 
Unix Web servers and FireWall
Unix Web servers and FireWallUnix Web servers and FireWall
Unix Web servers and FireWall
 
Nasa tlx
Nasa tlxNasa tlx
Nasa tlx
 
Unix operating system basics
Unix operating system basicsUnix operating system basics
Unix operating system basics
 
Some basic unix commands
Some basic unix commandsSome basic unix commands
Some basic unix commands
 
Ibm tivoli storage manager for databases data protection for oracle for unix ...
Ibm tivoli storage manager for databases data protection for oracle for unix ...Ibm tivoli storage manager for databases data protection for oracle for unix ...
Ibm tivoli storage manager for databases data protection for oracle for unix ...
 
Unix Process management
Unix Process managementUnix Process management
Unix Process management
 
Unix linux vmacvwindowspptx2
Unix linux vmacvwindowspptx2Unix linux vmacvwindowspptx2
Unix linux vmacvwindowspptx2
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
Two factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google AuthenticatorTwo factor authentication with Laravel and Google Authenticator
Two factor authentication with Laravel and Google Authenticator
 
Ansible with AWS
Ansible with AWSAnsible with AWS
Ansible with AWS
 

Similar to Unix Security

Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkMohammed Farrag
 
LINUX
LINUXLINUX
LINUXARJUN
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating SystemKunalKewat1
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurityricharddxd
 
Root file system for embedded systems
Root file system for embedded systemsRoot file system for embedded systems
Root file system for embedded systemsalok pal
 

Similar to Unix Security (20)

Solaris basics
Solaris basicsSolaris basics
Solaris basics
 
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security FrameworkLecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
Lecture 4 FreeBSD Security + FreeBSD Jails + MAC Security Framework
 
Linuxppt
LinuxpptLinuxppt
Linuxppt
 
LINUX
LINUXLINUX
LINUX
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurity
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2
 
Linux introduction (eng)
Linux introduction (eng)Linux introduction (eng)
Linux introduction (eng)
 
Root file system for embedded systems
Root file system for embedded systemsRoot file system for embedded systems
Root file system for embedded systems
 
Linux
LinuxLinux
Linux
 
Host security
Host securityHost security
Host security
 
Host security
Host securityHost security
Host security
 
13.pptx
13.pptx13.pptx
13.pptx
 
Unix Administration 2
Unix Administration 2Unix Administration 2
Unix Administration 2
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Linux basics
Linux basics Linux basics
Linux basics
 

Unix Security

  • 1.  
  • 2. Being a multi-user system - UNIX and Linux have a tremendous amount of security to offer; many being open source, which can be validated and modified to meet anyone’s needs. With live system patch upgrades, open source customized firewalls, encrypted disk and swamp space, one super-user account, MAC permissions, salted passwords, checksum packages, system monitoring, chroot and jail system services, limited known viruses and worms, and hundred more features; UNIX/Linux tops security on any other operating system.
  • 3. List of things to go over… Each have 1-3 slides… try not to fall asleep! =)
  • 4. Most basic level of security - giving users permission of what files they can: read, write, or execute. Access Control List Mandatory Access Control Almost modern files systems, include ACLs to give unprivileged access to only certain users. Permissions are separated by owner , group , and others . On UNIX systems permissions are displayed as rwx rwx rwx With a few more special settings, Desktop environments also provide GUI settings for easy modifying. More sophisticated form of permissions handling. This is more like application patching, it limits what permission each program is given. MAC programs include: AppArmor, SELinux, SEBSD, GrSecurity, Trusted Solaris and Trusted BSD.
  • 5. Permissions are set in Octal unmask – Sets default file permissions. You can set files to have same permissions as you create them. Special files have symbolic notations in front of the first ‘r’ in their permissions, these include… - Denote regular file d Denote a directory b Denote a block special file c Denote a character special file l Denote a symbolic link p Denote a named pipe s Denote a domain socket SUID – chmod a +s to a file to make the program run as the owner. SGID – chmod a +u to a file to make the program run as the group. Sticky – chmod a +t to files or directories prevents anyone except the owner from renaming of deleting them. Note* - Attributes and flags can also be made to certain files but this differs from file system and OS used.
  • 6. Examples… $ umask  Default Permissions 0033 $ umask –S  Human Readable u=rwx,g=r,o=r $ touch ok  Create empty file $ ls -l ok  Look permissions -rw-r--r-- 1 root wheel 0 Dec 5 05:08 ok $ chmod a+x ok  Give all execute permissions $ ls -l ok -rwxr-xr-x 1 root wheel 0 Dec 5 05:08 ok $ mkdir ok  Make a directory $ ls -ld ok  Directory permissions drw-r--r-- 2 root wheel 512 Dec 5 05:13 ok Denote ‘d’ means it’s a directory. $ ls -l /usr/bin/passwd -r-sr-xr-x The ‘passwd’ on all UNIX systems have a SUID +s because only the root account can change your password, running this program as ‘root’ even being a normal user will enable anyone to change their own password.
  • 7. UNIX/Linux all have salted hashes, which make rainbow tables completely useless especially with more powerful encrypted hashes available today. The location of the passwords differ from UNIX operating system, and weather the user has changed the default location or not. In addition to the location, the files are separated into two ‘passwd’ and ‘shadow’. Only the root can access the ‘shadow‘ file. Using a program like ‘unshadow’ one can use both files to get a list of users and their encrypted passwords. Having this is only half the challenge. A typical ‘unshadow’ file looks like this… UserName:SaltID:Saltedhash:EncrypedPassword:UserID:GroupID:Complete_Name:home_dir:shell_bin That’s assuming you have both ‘passwd’ and ‘shadow’ files which includes root privileges.
  • 8. Cracking the password - Even getting the ‘unshadow’ file with every user ‘s encrypted password and name, cracking it these days is extremely difficult, even by brute-forcing. NSA has created the sha-2 functions which have a very large encryption bit. root :$ 6 $ 9ydl1tvS/ivnSGdp $ Tr.dWu07FAQN/uPHkKAYaUm7sJ1DEH11488oUcfQLA8LAIsjT.zBrUwuTl8oQt7kOJBVi4W.1eESHagKJ2Wc71 :100:100:root:/root:/sbin/sh $1$... md5 $5$... sha256 $ 6 $... sha512 Salt ID $6$ means the password is encrypted in salted base64 sha512. The random base64 generated salt. Ends in ‘$’ Name of the user. The encrypted base64 sha512 hash. UserID:GroupID:Complete_Name:Home_Directory:Shell How to identify an ‘unshadow’ file…. Note* - There is no password cracker that handles sha384/512 salted hashes at the moment.
  • 9. Maximum Security - Every UNIX OS has a security level in its kernel, the higher it is, the more secure your system is. Be aware having the level higher than ‘1’ will probably produce problems in the future. Situation… Lets say you went in the logs /var/log and changed the attribute of ‘auth.log’ to append only so an attacker getting root privileges can’t delete his trace. You type.. $ chattr +a auth.log In Linux and $ chflags sappnd auth.log In BSD. An attacker gaining root can easily just type $ chattr -a auth.log or $ chflags nosappnd auth.log After removing the attribute/flags the attacker can remove his trace, so what's the use? That’s where the secure level comes in. BSD has securelevel and Linux has ‘capabilities model’ to prevent this.
  • 10. Linux To prevent even the ‘root’ account from doing this, Linux needs to remove the CAP_LINUX_IMMUTABLE capability. You will need a program called ‘lcap’ from http://packetstormsecurity.org After unzipping and compiling… ./lcap CAP_LINUX_IMMUTABLE ./lcap CAP_SYS_RAWIO First command removes the ability to change the append-only flag, second command removes the raw I/O to prevent anyone from modifying the block device the file resides on. Adding the script above to /etc/rc.local To issue the command at every startup. BSD BSD ‘s securelevel its incredibly more secure! Unlike Linux where it’s set at every start up, once you raise the securelevel in BSD, it can never be changed back, careful! In /etc/sysctl.conf You can see kern.securelevel=1 That is the current system level, FreeBSD by defauly is -1 NetBSD is -1 OpenBSD has it to 1 Once the system has been restarted with the new level, your stuck with it! Having the level higher than 0 X11 won’t work. The max level is 2 which is well.. Lets just say you can’t change ANYTHING! You can’t even change the clock at level 2! Nor can you mount new disks. Go to http://wiki.netbsd.se/Kernel_secure_levels for more information on securelevels .
  • 11. Security Threats - Most major Linux distribution have their own package manager from: dpkg, rpm, source packages, and yum. BSD has either has a port collection or pkgsrc. With a simple system update, an entire system can be patches with the latest security threats, some distribution require you to restart like ‘Ubuntu’ and others like.. BSD! Can perform “live” updates. Every UNIX OS project has security threats that need patching, and most display them on their web site. Others let you know in a nice friendly popup. Patching a system is a simple task, most Linux distributions have “user-friendly” ways, while BSD users need to use ‘portmanager’ or recompile the program from source. All packages are checksum (I’ll talk more on the next slide) to make sure none of the installing packages has been modified from an intruder and tricking you in installing their own packages.
  • 12. Checking Packages - Making sure your installing the right packages can be crucial. All UNIX systems have a sha256 and MD5 checksum which check every binary bit for any alteration. A program called ‘visprint’ can also be used. It creates a visual representation of an image using a any checksum. Since every file has a completely different hash, the image is always different. Linux md5sum [file] $ md5sum “ok” Md5sum (“ok”) = 444bcb3a3fcf8389296c49467f27e1d6 For BSD use ‘md5’ $ visprint | md5 “ok”  See Image
  • 13. SandBoxing a user or daemon - The mistake most administrators do is run daemons and services as the ‘root’ account. That’s incredibly insecure and any security threat can get anyone root privileges to an entire system. Almost all UNIX/Linux OS’s include a mechanism to sandbox environments. What is a Sandbox? A sandbox offers various levels of isolation between a host and the sandbox. In other words… Running a daemon like a web server as root is dangerous, chroot() only lets the daemon run the files “it needs” and restrict everything else. If an attacker is able to buffer overflow a POP3 server for instance and gain root privileges. While He/She will be confined in the sandbox, and cannot run any other process. Although there are many ways to get out of the sandbox, they rely on how well you construct it. FreeBSD is the only OS that includes the jail() command. It’s a more sophisticated than chroot() and more secure.
  • 14. Examples… $ mkdir -p /chroot_test/bin  Create a sandbox $ cp /bin/sh /chroot/bin/  Copy a shell $ chroot /chroot_test /bin/sh  Enter the Sanbox $ echo /*  ls won’t work only ‘echo’ /bin As you can see, your confined in a small box, the only commands you can use are the default shell commands, if you want to use ‘ls’ or anything else, You need to copy the entire program in the sandbox. Jail() is much more secure, and it creates more like a virtual server with its very own IP address! $ mkdir -p /jail_test/bin $ cp /bin/sh /jail_test/sh $ jail /jail_test jail_test 192.168.0.40 /bin/sh $ echo /* /bin
  • 15. Linux and SELinux working together? - Linux on its own already includes many open source security features, the biggest one is SELinux was created by the NSA to enhance security on Linux by creating more system patches. SELinux is complex and somewhat hard to understand to new Linux users, as a result, most disable it because it interferes with their programs to often. Other than that, its basically NSA’s implementation of MAC into the Linux kernel. It’s a list of policies every user is force to follow, although this prevents users from malicious intent, its just patches; once a user gains ‘root’ privileges, this is relatively useless.
  • 16. BSD’s version of SELinux - FreeBSD having a Linux compatibility, implemented SELinux modules into its kernel as well. Although this is optional and unless you’re an administrator for many security sensitive servers, this is an overkill. FreeBSD has the TrustedBSD project, which is a collection of advance security programs and features available for other BSD’s and Linux as well. Some of these projects include… file system extended attributes and UFS2, Access Control List, OpenPAM, security even auditing with OpenBSM, mandatory access control and the TrustedBSD MAC Framework, and the GEOM storage framework
  • 17.
  • 18. We need to secure Linux? - Unfortunately although Linux can be relatively secure, it can do a lot better. BSD’s can also be harden although OpenBSD is the only one, you might want to skip. Their secure by default philosophy doesn’t lie. IBM has a well documents how to on Hardening Linux http://www.ibm.com/developerworks/linux Get ready to read a lot! Hardening Linux to make it secure, it’s a long and painful process, so I won’t discuss how to here. Many distributions today: fedora, redhat, SUSE, and Ubuntu are relatively secure by default, but if your not lazy you can make it better! FreeBSD and NetBSD can be harden a little, for example its master.shadow file is still in FreeBSD md5 salted algorithm which almost any password cracker like john-the-ripper can easily crack. FreeBSD’s handbook describes all the security you can add… http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html
  • 19. UNIX/Linux has cyber text friends - Almost anything can be encrypted: files, RAM, hard drive, swamp, network transmission, passwords, emails, web sites, everything ‘should’ be encrypted. Symmetric-key encryption involves only one key, this can be a password of some sort. Great for compress file encryption, hard drive encryption, or local encryption, hashes include… Asymmetric-key encryption is used most often to transfer data across a network. This requires a different key for encryption and decryption known as a public and private key. Examples include….
  • 20. One-way hash (checksum) - are mathematically irreversible algorithms to create a random string corresponding to the plain text. These are useful like the checksum slide to check for any alterations. Its most commonly used for password hashing. Password crackers try to use every possible combination either brute-force or dictionary attack, which the string is hashed and checked for comparison against the original hash. One way hashes include…
  • 21. RAM needs protection? Wah?.. - Protecting RAM from processes using more than its intended allocated space is embedded on all modern OS’s including UNIX, but protecting their data is something else. Normally RAM can be access by any program looking at the /dev/mem OpenBSD has many new features that prevent this. strlcpy() and strlcat() in C/C++ guardPages, randomzied malloc() randomized mmap() atexit() and stdioprotection All UNIX/Linux system have their own way to secure RAM, maybe not as much as OpenBSD but without this anyone can read passwords you entered in your RAM without randomizing.
  • 22. Swamp should always be encrypted if its used - During installation of any UNIX/Linux system it should also set apart a Swap partition incase the RAM ever runs out. It’s a good way not to freeze a system, but just like RAM, it should be protected and always encrypted. Searching ‘encrypted swap’ on Google, will show some tutorial on how to do this on Ubuntu and Fedora and a few others. For the BSD systems, OpenBSD should already have it by default, FreeBSD has a tutorial on their site http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html NetBSD should have one too. Having the swap partition encrypted prevents others from reading it just like RAM.
  • 23. Why do I need to encrypt my hard drive? - This is always an optional choice for any user. Depending of critical your files are, you might or might not need it at all. Full disk encryption Encrypt an entire partition, except for the MBR (Master Boot Record) unencrypted. Uses symmetric key encryption, you it encrypts/decrypts with a single password. Filesystem-level encryption Encrypts individual files and folders within a running file system. I can use symmetric or asymmetric encryption depending on the software. Hardware-based full disk encryption Full hard drive encryption, including the MBR all encrypted. The symmetric key are only stored in the BIOS using Pre-Boot Authentication. There are over 40 encryption software available. http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
  • 24. Pluggable Authentication Modules - Added authentication rules used for application. Example, What if you wanted to limit the users that can log in from a specific hosts. Firewall Rules? What if you wanted to allow only ‘some’ users at specific from a specific host, at different times and dates for maintenance purposes? PAM! PAM is usually set up only on services like: SSH, ftp, telnet, that can be dangerous for potential attacks.
  • 25.
  • 26. I thought UNIX doesn’t get a virus? - Although UNIX are rarely a prime target for viruses, due to the low market share. Doesn’t mean you can’t be prepared. The problem most viruses have is lack of ‘root’ privileges. Worst case scenario, all your personal files get deleted, leaving the system still running. Due to the popularity of UNIX increasing, the amount of UNIX viruses doubled since last year. Most of them being for Linux. UNIX systems tend to have regular up to date upgrades removing new vulnerabilities and most require no restart from the user. Some commercial and free UNIX virus scanner are available.
  • 27.
  • 28.
  • 29. Iptables Syntax iptables <option> <chain> <matching criteria> <target> iptables.sh #!/bin/sh IPT=“/sbin/iptables” # Location of iptables INTERNET=“eth0” # Internet-connected Interface LOOPBACK_INTERFACES=“lo” # Loopback Interface LOOPBACK=“127.0.0.0/8” # Reserved loopback address range CLASS_A=“10.0.0.0/8” # Class A private networks CLASS_B=“172.16.0.0/12” # Class B private networks CLASS_C=“192.168.0.0/16” # Class C private networks CLASS_D=“224.0.0.0/4” # Class D private networks CLASS_E=“240.0.0.0/5” # Class E private networks BROADCAST_SRC=“0.0.0.0” # Broadcast source address BROADCAST_DEST=“255.255.255.255” #broadcast destination PRIVPORTS=“0:1023” # well-known, privileged ports UNPRIVPORTS=“1024:65535” # unprivileged ports $IPT --policy INPUT DROP $IPT --policy OUTPUT ALLOW Firestarter is a GUI firewall. Much easier to use, no script making involve, except you put all your confidence on a program, you have no idea what its actually doing…
  • 30. BSD only firewall - Fast, sophisticated, easier, PF is the ideal firewall for any BSD based operating system. Unlike iptables where every single thing is entered manually, PF can be all be configured with just three lines to /etc/pf.conf… set skip on lo0 block in all pass out all That’s it! Then just $ pfctl -f /etc/pf.conf To enable it, and you have a desktop firewall. * First line skips checks on lo0 If your planning in running services like “SSH” you must add rules, the last rule always wins! block in all pass in quick proto tcp to any port ssh pass out all The second line allows TCP connections to the local SSH. The `quick` stops from other rules from being seen, so this is the last rule. services = {telnet, ssh, rlogin, http, finger} Pass in quick proto tcp to any port $services Macros Macros can be used to pair up ports or daemons. Of course these are SMALL samples, PF is very powerful and can be a large topic to cover.
  • 31. OpenBSD is full of projects - With emphasis on security, OpenBSD’s projects have made its replacements almost now obsolete. OpenSSH OpenSSH embedded cryptography on all these protocols for same communication. OpenBGPD BGPD is a Border Gateway Protocol (BGP) daemon which manages the network routing tables. OpenNTPD NTP is a daemon that synchronizes your local clock to remote NTP servers. OpenCVS Concurrent Versions System not yet released, its intended to replace the current CVS which many have found vulnerabilities.
  • 32. What is it exactly? - When a process tries to store data beyond the boundaries of a fixed-length buffer. Trying to run a C program like this: vul.c Int main (argc, char** argv[]) { char buffer[500]; strcpy(buffer, argv[1]); return 0; } Compiling it, and adding the +s as root will make it vulnerable. Using the NOP sled typing something like this on a i386 machine, you will gain ‘root’ privileges.. $ ./vul `perl -e ‘print “90”x202;’``cat shellcode``perl -e ‘print “78f9ffbf”x88;’` root# who am I root The vulnerability lies when trying to store more bytes than it can handle. Most of the time it’s a segment fault, others you might be able to execute a command, if done correctly.
  • 33. Spy on others - This is actually pretty easy to do, although most transmission is encrypted now, back in the dinosaur age all transmission was unencrypted: telnet, ftp, rlogin. Using an interface device only receives information by its unique identity, setting your interface device to ‘ promiscuous ’ mode meant, your interface device will be able to receive all packets, most not even meant for your computer. They way of doing this varies from OS but some packet sniffers like Wireshark do all this for you. Many people don’t know is setting your device to ‘ promiscuous’ mode won’t give you a lot of information. To really spy on someone, make your MAC address the same as theirs, (some routers allow you do to that, some don’t) you can do this by scanning your local network and getting a list of all IPs. The only catch is they must be running an unencrypted daemon like telnetd or ftpd. If it’s a switch, you won’t be able to see them logging in, unless do you a Man-In-Middle attack.
  • 34. GNU Privacy Guard and Pretty Good Encryption - Although this can be used to transmit data across a network, its mostly use is for email. To see a Signature you will do this… $ gpg -import KEYS $ gpg -verify [packages] This is almost like checksum but instead of checking the file itself, you can download a package with the right checkup but how do you know it’s the real thing? Anyone can change the checksum. This will very if the package its from the owner itself. OpenGPG has been ported in many email clients for safe email transmission. Using asymmetric encryption, the sender uses the private key to encrypt the message, the receiver owns the private key to see them message.
  • 35. The reason why we don’t need Windows anymore - Samba comes from Server Message Block (SMB) used my Microsoft Windows to share files. Samba makes it so UNIX users can share files and printers with window users. This is important because almost all UNIX and UNIX-like system have this: Mac OSX, Linux, BSD, Solaris, AIX, and others Samba has dozens of implementations: WINS, NETBIOS, SMB, CIFS, DCE/RPC, and MSRPC and including Active Directory log on. Samba allows you to share files for window clients to read. It also allowed you to view windows server shares through the use of ‘smbclient’ or mounting with the file system ‘smbfs’
  • 36. The users are using up all the resources! - With the all powerful multi-user system UNIX can set limits using PAM to certain users or groups, so they won’t be able to hog the entire 100% CPU. The configuration file for setting the limits is called /etc/security/limits.conf domain type resource value Soft limit - the default value of how much resource the user can use. They may want more and raise the level, but only to the hard limit. Hard limit - the maxim limit the user can achieve, they can’t go any higher than this. Adding to the /etc/security/limits.conf guest soft nofile 1000 guest hard nofile 2000 The ‘nofile’ can be cpu, memlock, nproc, maxlogins, or fsize, they all limit them on certain things, right now it says guest can only have open 1000-2000 open files. $ Su - guest $ ulimit -a  will list the limits $ ulimit -n 2000  Have the hard limit $ ulimit -n 2001  will receive an error
  • 37. Sometimes a sandbox is an overkill - Restricting users in a shell, isn’t so effective. They can break out of it if they were savvy users. Nonetheless it’s a great way if your to lazy to use chroot(). The command to restrict users, varies on what shell. For bash, typing $ bash -r Will bring up a restricted shell. These shells, you can’t use ‘cd’ nor can you change your PATH and some other restrictions. You can do this permanent by adding ‘+r’ to the .profile page. Note* - make sure they can’t edit their own .profile page, and use PATH=. with symbolic links to specify what commands they may use. $ bash -r bash: SHELL: readonly variable bash: PATH: readonly variable bash-2.05b$ ls bash: ls: No such file or directory bash-2.05b$ /bin/ls bash: /sbin/ls: restricted: cannot specify ‘/’ in command names bash-2.05b$ exit $ ln -s /bin/ls . $ bash -r $ bash-2.05b$ ls -la  list your stuff
  • 38. Restrict bandwidth usage - Allowing people to hog all the internet can be restricted so only you can have the entire bandwidth all to yourself! A program called AltQ, which is now ported into OpenBSD PF, can restrict bandwidth usage as well. Although it can be a bit complicated. altq on $ext_if cbq bandwidth 2MB queue {main, ftp, udp, web, ssh, icmp} queue main bandwidth 18% cbq(default borrow red) queue ftp bandwidth 10% cbq(borrow red) queue udp bandwidth 30% cbq(borrow red) queue web bandwidth 20% cbq(borrow red) queue ssh bandwidth 20% cbq(borrow red) {ssh_interactive, ssh_bulk} queue ssh_interactive priority 7 bandwidth 20% queue ssh_bulk priority 0 bandwidth 80% queue icmp bandwidth 2% cbq Here’s a script, that sets the limit to 2MB of transfer data. The %% means how much of that limit can the daemons have.
  • 39. You must know everything! - Every OS has its own logging thing. They help the administrator see what’s going on. The only problem is, most of them are to busy or lazy to actually read it. In the system level slide, I discussed how the log files can be safe from tampering. Checking the /var/log/auth.log File daily, you might be surprised, if your running a SSH server, a lot of people try to brute-force it and it ends up in there! Everything is in the /var/log directory, from Samba errors, system errors, print errors, and X11 errors.
  • 40. Intrusion Detection System - A firewall might prevent a packet from entering, but most don’t detect attempted break ins. A popular open source software called Snort can keep track of any attempts in a desktop or server system. Snort can be places behind or in front of the firewall, to detect possible break ins. It can also be used as a separate server, using ‘ promiscuous ’ mode to log and scan traffic for any suspicious activity.
  • 41. Network Files System - Who needs Windows Shares when UNIX has its very own file sharing system. In order to run NFS successfully, a client must have these daemons running… nfsd NFS clients daemon mountd Mounts the remote nfs share rpcbind daemon to discover what port nfs is using. After reading the how-to on setting up a NFS client or server http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html There are some security issues. Due to the design of NFS, a user can easily spoof an IP address and gain access to an unprivileged resource in the NFS server, since they rely on the identify of the host. Also NFS does not encrypt network traffic, so your basically just using telnet (so to speak). SFS was created to solve this and many other security issues. Its basically the same as SSH is to telnet, it uses public-key encryption to share files securely with passwords.
  • 42. See what your users are up to - Logging is a good way to track users, but what if your online and curious to see what their up to? There are many monitoring software that allow you to see real-time data. OpenBSD has ‘ftop’ which lets you see virtually anything of the firewall itself. All UNIX system have ‘top’ simple monitoring of the CPU and programs. Nagios is network-monitoring application, which lets you monitor virtually anything, even a 3D representation of your own network.
  • 43. An administrators easy-to-use tool - Scripts can be made for simple programs. Their basically a list of commands with a little logic programming. Shell Scripting is basically a very simple programming language, useful for doing a lot of nifty things. echo &quot;Hello, $LOGNAME“ echo &quot;Current date is `date`“ echo &quot;User is `who i am`&quot; echo &quot;Current direcotry `pwd`&quot; Little scripts like this. MAX_NO=0 echo -n &quot;Enter Number between (5 to 9) : &quot; read MAX_NO if ! [ $MAX_NO -ge 5 -a $MAX_NO -le 9 ] then echo &quot;I ask to enter number between 5 and 9, Okay&quot; exit 1 fi clear for (( i=1; i<=MAX_NO; i++ )) do for (( s=MAX_NO; s>=i; s-- )) do echo -n &quot; &quot; done for (( j=1; j<=i; j++ )) do echo -n &quot; $i&quot; done echo &quot;&quot; done for (( i=1; i<=MAX_NO; i++ )) do for (( s=MAX_NO; s>=i; s-- )) do echo -n &quot; &quot; done for (( j=1; j<=i; j++ )) do echo -n &quot; .&quot; done echo &quot;&quot; done
  • 44. Making sure you have something after a crash - Backing up important files to tapes, drives, disks daily is a good idea to make sure you still ‘have’ them after a system crash. ‘ cpio’ command creates tar files, which makes files compress so they you don’t end up waiting a lot of space. ‘ cpio’ can restore backup files, tar them, backup to floppy disk or any drive. Copies files to a remote location automatically. There are many other open source tools, used for backups. Backing databases like MySQL is also a good idea.
  • 45. Beat forensics - Even deleting and overwriting a file 10x it can still be recovered even on a UNIX system, there are several software to prevent this. One of many useful ways to securely delete a file made by THC called ‘secure_delete’ This is secure delete the entire contents of a file system, file, folder, swamp space, memory and many other drives from forensic activity. After installation, the easiest way to delete a file is type ‘srm’ instead of ‘rm’ and that’s it, file security deleted. http://freeworld.thc.org/releases.php?s=12&q=&o=
  • 46.  
  • 47.