Saturday, December 14, 2013

Linux Security Reference Guide Part I


I. Controlling File Permissions & Attributes

Monitoring the permissions on system files is crucial to maintain host integrity.

Regularly audit your systems for unauthorized and unnecessary use of the setuid or setgid
permission bits. A "set-user-ID root" program runs with root's privileges regardless of who
executes it, so a buffer overflow or other bug in one of them is a classic route to a root shell.
Many programs are setuid or setgid only so that a normal user can perform an operation that
would otherwise require root (chage, for example, needs it so that users can read their own
password-aging data from /etc/shadow); where your users do not need that capability, the bit
can be removed. Find all setuid and setgid programs on the host and selectively strip the bits
from any program that is suspicious or unneeded with chmod. The -perm /6000 form is current
GNU find syntax (older versions spelled it -perm +6000). Note that a package upgrade will
normally restore the bits, so record the change and re-check after updates:

root# find / -type f -perm /6000 -ls
59520 30 -rwsr-xr-x 1 root root 30560 Apr 15 1999 /usr/bin/chage
59560 16 -r-sr-sr-x 1 root lp 15816 Jan 6 2000 /usr/bin/lpq
root# chmod -s /usr/bin/chage /usr/bin/lpq
root# ls -l /usr/bin/lpq /usr/bin/chage
-rwxr-xr-x 1 root root 30560 Apr 15 1999 /usr/bin/chage
-r-xr-xr-x 1 root lp 15816 Jan 6 2000 /usr/bin/lpq

World-writable files can be altered or removed by any local user. Locate all world-writable files
on the system, excluding symbolic links (a link's own permission bits are irrelevant):

root# find / -perm -2 ! -type l -ls

In normal operation some entries will be world-writable, including some device nodes under
/dev and the /tmp directory itself. A world-writable directory is acceptable only when it also
carries the sticky bit (drwxrwxrwt), which stops users from deleting or renaming each other's
files; a mode 0777 directory without it is a finding.

Locate and identify all files that have no owner or belong to no group. Such files usually stem
from deleted accounts or restored archives, but they may also indicate that an intruder has
created files under a uid that no longer exists:

root# find / \( -nouser -o -nogroup \) -ls

With the lsattr and chattr commands, administrators can set file attributes on ext2/ext3/ext4
(and some other) filesystems that restrict deletion and modification beyond what chmod
provides. The "append-only" and "immutable" attributes are particularly effective at preventing
log files from being truncated or deleted, and at stopping Trojan Horses from being written over
trusted binaries. They are not a guarantee: a process running as root (strictly, one holding the
CAP_LINUX_IMMUTABLE capability) can clear the attribute and then modify the file, so the
protection is against mistakes, unprivileged users, and attackers who have not yet thought to
check lsattr. chattr adds or removes the attributes; lsattr lists them.

Log files can be protected by permitting only appends: once data has been written it cannot be
removed or rewritten in place. This requires adjusting your log rotation scripts (an append-only
file cannot be renamed, so they must clear the attribute before rotating, or rotate by copying),
but it gives additional protection against an intruder trying to remove his tracks. Once rotated,
archived logs should be made immutable. Binaries and configuration that should not change
often, such as /bin/login, /bin/rpm and /etc/shadow, are also candidates for the immutable
attribute; remember that an immutable /etc/shadow breaks passwd and useradd, and immutable
binaries break package upgrades, until the attribute is removed with chattr -i.

# chattr +i /bin/login                        
# chattr +a /var/log/messages           
# lsattr /bin/login /var/log/messages 

----i--- /bin/login
-----a-- /var/log/messages
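As an added illustration of the find checks and the chmod -s step above (this is example code
written for this page, not part of the original guide), the script below builds a throwaway
directory tree whose file names and modes are constructed for the example, then runs the same
audits against it so they can be tried without root and without touching the real filesystem.
On a live host, point the functions at / instead.

```sh
#!/bin/sh
# Added example, not part of the original guide. Builds a constructed fixture
# tree (the paths and modes below are made up) and audits it with the same
# find predicates you would run against / on a real host.

make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp" "$root/var/log" "$root/var/drop"
    : > "$root/usr/bin/chage";    chmod 4755 "$root/usr/bin/chage"    # setuid (-rwsr-xr-x)
    : > "$root/usr/bin/lpq";      chmod 6555 "$root/usr/bin/lpq"      # setuid+setgid (-r-sr-sr-x)
    : > "$root/usr/bin/ls";       chmod 0755 "$root/usr/bin/ls"       # ordinary binary
    : > "$root/var/log/messages"; chmod 0666 "$root/var/log/messages" # world-writable file: bad
    chmod 1777 "$root/tmp"                                            # world-writable + sticky: normal
    chmod 0777 "$root/var/drop"                                       # world-writable, no sticky: bad
    ln -s /nonexistent "$root/tmp/dangling"                           # symlink; its mode bits mean nothing
    printf '%s\n' "$root"
}

count() { wc -l | tr -d ' '; }   # line count without the padding some wc builds emit

# Setuid or setgid regular files. Written with two -perm tests rather than the
# old "-perm +6000" spelling, which current GNU find rejects.
list_setuid()      { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort; }

# World-writable regular files. Symlinks are skipped because a link's own bits
# say nothing about the target.
list_ww_files()    { find "$1" -xdev -type f -perm -0002 -print | sort; }

# World-writable directories without the sticky bit: anyone can delete or
# rename anyone else's files there. /tmp is expected to carry the sticky bit.
list_unsafe_dirs() { find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print | sort; }

# Files whose uid or gid has no passwd/group entry. (The fixture cannot
# contain any without root, so on it this list is normally empty.)
list_unowned()     { find "$1" -xdev \( -nouser -o -nogroup \) -print | sort; }

# Strip both set-id bits and report the resulting mode string.
drop_setid()       { chmod u-s,g-s "$1" && ls -ld "$1" | cut -c1-10; }

if [ "${1:-}" = "--demo" ]; then
    r=$(make_fixture)
    echo "setuid/setgid:";                           list_setuid "$r"
    echo "world-writable files:";                    list_ww_files "$r"
    echo "world-writable dirs without sticky bit:";  list_unsafe_dirs "$r"
    echo "unowned:";                                 list_unowned "$r"
    echo "after chmod -s lpq: $(drop_setid "$r/usr/bin/lpq")"
    rm -rf "$r"
fi
```

Run it with --demo to see the four listings; the fixture reproduces the chage and lpq modes
shown in the guide's own output, and only lpq loses its bits in the demo so that the audit still
reports chage afterwards.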

II. Kernel Security

There should never be a reason for users to run setuid programs from their home directories.
Use the nosuid option in /etc/fstab for any partition that is writable by users other than root.
On the home partition and on /var you may also want nodev, which prohibits the creation and
use of character or block device nodes (never needed there), and noexec, which prohibits
executing programs from the partition. Test noexec before relying on it: some package managers
run installation scriptlets out of /var/tmp or /tmp and fail when those are mounted noexec.
See the mount man page for more information.
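An added check (example code for this page, not from the original guide) that reads an fstab
and reports user-writable mount points lacking nosuid or nodev. The sample fstab lines are
constructed, and the set of mount points treated as user-writable (/home, /tmp, /var/tmp,
/dev/shm) is an assumption; extend it to match your layout. On a real host run it as
check_fstab /etc/fstab.

```sh
#!/bin/sh
# Added example, not part of the original guide. Flags fstab entries for
# user-writable mount points that lack nosuid or nodev. The mount-point list
# and the sample fstab are assumptions made for the example.

# Mount points that unprivileged users can normally write to.
USER_WRITABLE='/home /tmp /var/tmp /dev/shm'

check_fstab() {
    # $1: file in fstab format. Prints "<mountpoint> missing: <options>" for
    # each offending line; prints nothing when every listed mount is covered.
    awk -v list="$USER_WRITABLE" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) watch[want[i]] = 1 }
        /^[ \t]*#/ || NF < 4 { next }               # comments and malformed lines
        ($2 in watch) {
            missing = ""
            if ($4 !~ /(^|,)nosuid(,|$)/) missing = missing " nosuid"
            if ($4 !~ /(^|,)nodev(,|$)/)  missing = missing " nodev"
            if (missing != "") print $2 " missing:" missing
        }' "$1"
}

# Constructed sample: /home still mounts with bare "defaults" and /dev/shm
# has nodev but not nosuid.
SAMPLE_FSTAB='# <device>   <mountpoint>  <type>  <options>                     <dump> <pass>
/dev/sda1    /             ext4    defaults                       1 1
/dev/sda2    /home         ext4    defaults                       1 2
tmpfs        /tmp          tmpfs   nosuid,nodev,noexec,mode=1777  0 0
/dev/sda3    /var          ext4    defaults                       1 2
tmpfs        /dev/shm      tmpfs   nodev                          0 0'

demo_fstab() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_FSTAB" > "$f"
    check_fstab "$f"
    rm -f "$f"
}
```

demo_fstab prints "/home missing: nosuid nodev" and "/dev/shm missing: nosuid"; the fix is to
add the options to the fourth column and remount (mount -o remount /home).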

Several kernel settings that affect security are exposed through the /proc pseudo-filesystem
under /proc/sys. For boolean settings the file contains 1 when the option is enabled and 0 when
it is disabled. Options under /proc/sys/net/ipv4 include the following (rp_filter,
secure_redirects, log_martians and accept_source_route are per-interface and live under
conf/all and conf/<interface>; ip_masq_debug belongs to the 2.2-era masquerading code and is
absent from later kernels):

icmp_echo_ignore_all: Ignore all ICMP ECHO requests. Enabling this option will
prevent this host from responding to ping requests.

icmp_echo_ignore_broadcasts: Ignore ICMP echo requests sent to a broadcast or
multicast address. Otherwise your network may be used as an amplifier ("smurf"
attack) for denial of service packet floods against other hosts.

ip_forward: Enable or disable the forwarding of IP packets between interfaces.
Default value is dependent on whether the kernel is configured as host or router.

ip_masq_debug: Enable or disable debugging of IP masquerading.

tcp_syncookies: Protection against SYN flood attacks. Send SYN cookies when the
SYN backlog queue of a socket overflows.

rp_filter: Reverse-path filtering (source address verification): drop packets whose
source address would not be routed back out of the interface they arrived on. Enable
this on all routers, and on hosts, to blunt IP spoofing attacks against the internal
network.

secure_redirects: Accept ICMP redirect messages only from gateways listed in the
default gateway list. A host that is not a router can usually disable accept_redirects
entirely.

log_martians: Log packets with impossible (unroutable or spoofed-looking) source
addresses to the kernel log.

accept_source_route: Determines whether source routed packets are accepted or
declined. Should be disabled unless a specific reason requires it.
On recent Red Hat systems the file /etc/sysctl.conf holds a few default settings and is
processed at startup. The /sbin/sysctl program reads and writes these parameters
(sysctl -a lists them; sysctl -w key=value sets one). It is also possible to write a
value with /bin/echo. For example, to disable IP forwarding, as root run:

# echo 0 > /proc/sys/net/ipv4/ip_forward

This only lasts until the next reboot; to make it permanent, write it to a system
startup file or, on Red Hat, to /etc/sysctl.conf as net.ipv4.ip_forward = 0. More
information is available in proc.txt and networking/ip-sysctl.txt in the kernel
Documentation/ directory.
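An added audit (example code for this page, not from the original guide) that compares a
sysctl snapshot against the hardening values discussed above and renders the same baseline as
sysctl.conf lines. The baseline values, the use of the net.ipv4.conf.all keys for the
per-interface options, and the sample snapshot are all assumptions made for the example; on a
live host feed it the output of sysctl -a, or the /etc/sysctl.conf you are about to install.

```sh
#!/bin/sh
# Added example, not part of the original guide. Compares a "key = value"
# sysctl listing against a hardening baseline and renders the baseline as
# sysctl.conf lines. Baseline values and the sample snapshot are assumptions
# chosen for the example.

# key expected-value, one per line (blank lines ignored).
BASELINE='
net.ipv4.ip_forward 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.secure_redirects 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_syncookies 1
'

audit_sysctl() {
    # $1: file of "key = value" lines as printed by `sysctl -a` or found in
    # sysctl.conf ("/" separators are accepted as well). Prints
    # "key current expected" for every baseline key that is unset or differs.
    printf '%s\n' "$BASELINE" | awk -v src="$1" '
        BEGIN {
            while ((getline line < src) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)   # drop comments and blanks
                n = index(line, "=")
                if (n == 0) continue
                key = substr(line, 1, n - 1); gsub("/", ".", key)
                cur[key] = substr(line, n + 1)
            }
        }
        NF == 2 {
            have = ($1 in cur) ? cur[$1] : "unset"
            if (have != $2) print $1, have, $2
        }'
}

render_sysctl_conf() {
    # Emit the baseline in sysctl.conf syntax, ready for /etc/sysctl.conf.
    printf '%s\n' "$BASELINE" | awk 'NF == 2 { print $1 " = " $2 }'
}

proc_path() {
    # Map a dotted sysctl name to the /proc/sys file the "echo" method writes.
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Constructed snapshot: forwarding on, rp_filter and log_martians off,
# tcp_syncookies missing altogether.
SAMPLE_SNAPSHOT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 0   # switched off because it was noisy
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1'

demo_sysctl() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SNAPSHOT" > "$f"
    audit_sysctl "$f"
    rm -f "$f"
}
```

demo_sysctl reports four deviations (ip_forward, rp_filter, log_martians, and tcp_syncookies
as unset); render_sysctl_conf produces the lines to append to /etc/sysctl.conf, after which
sysctl -p applies them without a reboot.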

III. Security Glossary


1. Buffer Overflow: A condition that occurs when a program copies more data into a
fixed-size memory buffer than it was sized to hold, so that the excess overwrites
adjacent program data such as saved return addresses. An attacker who controls that
data can redirect execution to code of his own, which in a set-user-ID root program
typically yields a shell running as root. Buffer overflows have historically accounted
for more than 50 percent of the major security bugs behind advisories published by
CERT, and are typically associated with set-user-ID root binaries.

2. Cryptography: The mathematical science that deals with transforming data to render
its meaning unintelligible, prevent its undetected alteration, or prevent its unauthorized
use.

3. Denial of Service: Occurs when an intruder targets a resource to prevent legitimate
users from using it. Such attacks threaten the availability of data to everyone else
trying to use that resource, and range from unplugging the network connection to
consuming all the available network bandwidth.

4. IP Spoofing: An attack in which one host masquerades as another by forging the source
address of its packets. This can be used to route data destined for one host to another,
allowing attackers to intercept data not intended for them, or to pass address-based
access checks. It is typically a one-way (blind) attack, because replies go to the
address being impersonated rather than to the attacker.

5. Port Scanning: The process of determining which ports on a machine have a service
listening. By probing as many hosts as possible, an attacker builds a list of responding
services for which exploits can then be developed. It is typically the precursor to an
attack.

6. Packet Filtering: A method of filtering network traffic as it passes between the
firewall’s interfaces at the network level. The network data is then analyzed according
to the information available in the data packet, and access is granted or denied based
on the firewall security policy. Usually requires an intimate knowledge of how network
protocols work.

7. Proxy Gateway: Also called an Application Gateway; a program that acts on behalf of
another program. A host with a proxy server installed becomes both a server and a
client, and acts as a choke point between the client and the final destination. Proxy
servers are typically small, carefully written, single-purpose programs that permit only
specific services to pass through them. Typically combined with packet filters.

8. Set User-ID (setuid) / Set Group-ID (setgid): Files that anyone may execute with the
privileges of the file's owner (setuid) or group (setgid) rather than their own.
Typically you will find root-owned setuid files, which means that regardless of who
executes them, they obtain root permission for as long as the program runs (or until
the program intentionally relinquishes those privileges). These are the files most
often attacked by intruders, because of the potential for obtaining root privileges,
and are commonly associated with buffer overflows.

9. Trojan Horse: A program that masquerades as a benign program when in fact it is not.
A program that purports to do something useful may have been modified by a malicious
programmer to contain hidden functions that exploit the privileges of the user
executing it. A modified version of /bin/ps, for example, may be used to hide the
presence of other programs running on the system.

10. Vulnerability: A condition that has the potential for allowing security to be
compromised. Many different types of network and local vulnerabilities exist and are
widely known, and frequently occur on computers regardless of their level of network
connectivity, processing speed, or profile.

IV. General Security Tips

AutoRPM on Red Hat and apt-get on Debian can download and install updated packages
for everything on your system (on current Red Hat derivatives, yum or dnf has replaced
AutoRPM). Use care when automatically updating production servers.

IP Masquerading enables a Linux box with multiple interfaces to act as a gateway to
remote networks for hosts connected to the Linux box on the internal network
interface. See the IP Masquerading HOWTO for implementation information.

Install nmap to discover the communication channels a host exposes. It can guess the
remote OS version, perform "stealth" scans by manipulating ICMP, TCP and UDP probes,
and, where the target runs an ident server, even report the remote username a service
runs as. Start with something simple like:

# nmap 192.168.1.1

Password-protect GRUB on servers in public environments so that editing boot entries at
the console requires authorization. The steps below are for GRUB Legacy; GRUB 2 uses
grub-mkpasswd-pbkdf2 and a password_pbkdf2 entry in its configuration instead.

STEP 1: Create a password for GRUB

# grub-md5-crypt
Password:
Retype password:
$1$210t/1$KLFnulPshZVoo5LvUYEp1

STEP 2: Add the newly created MD5 password in GRUB configuration file

# vim /boot/grub/grub.conf

Enter the line password --md5 <the MD5 string copied from step 1> below the timeout
line, then save and exit.

#boot=/dev/sda                                                                  
default=0                                                                            
timeout=5                                                                           
password --md5 $1$210t/1$KLFnulPshZVoo5LvUYEp1


The OpenWall kernel patch is a useful set of kernel security improvements that helps
prevent exploitation of buffer overflows (non-executable user stack), restricts the
information in /proc available to normal users, and more. It requires compiling the
kernel, and is not for newbies.

Ensure system clocks are accurate. Log time stamps must be accurate so security events
can be correlated with remote systems; inaccurate records make it impossible to build a
timeline. For a workstation it is enough to add an /etc/crontab entry that steps the
clock every half hour (servers should run a proper ntpd or chrony daemon instead, and
ntpdate is deprecated in current NTP releases):

*/30 * * * * root /usr/sbin/ntpdate -su time.timehost.com

Install and execute the Bastille Linux hardening tool. Bastille is a suite of shell
scripts that eliminates many of the vulnerabilities that are common on default Linux
installations. It enables users to make educated choices to improve security by asking
questions as it interactively steps through securing the host. Features include basic
packet filtering, deactivating unnecessary network services, auditing file permissions,
and more. Try the non-intrusive test mode first.

Configure sudo (superuser do) so that administrators run specific privileged commands
from their own accounts instead of using su. The administrator supplies his own
password to execute commands that would otherwise require root access. The file
/etc/sudoers controls which users may execute which programs; always edit it with
visudo, which checks the syntax before saving. To permit Dave to manipulate only the
printer on the host magneto:

Cmnd_Alias LPCMDS = /usr/sbin/lpc, /usr/bin/lprm
dave magneto = LPCMDS

Dave executes sudo with the authorized command and enters his own password
when prompted:

dave$ sudo /usr/sbin/lpc
Password: <password>
lpc>

Password security is the most basic means of authentication, yet the most critical for
protecting your system from compromise, and one of the most overlooked. Without
well-chosen passwords your system will be compromised. For an attacker, obtaining
access to any user account on the system is the hard part; from there, root access is
only a step away. Run password-cracking programs such as John the Ripper or Crack
regularly on the systems you are responsible for to verify that password quality is
maintained. Lock unused accounts with /usr/bin/passwd -l. Select MD5 password hashing
during install if your distribution offers it; current distributions default to the
stronger SHA-512 scheme, which should be preferred wherever available.
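An added check (example code for this page, not from the original guide) that reads a
shadow-format file and reports accounts with an empty password field (login with no password
at all) or with an MD5-crypt ($1$) hash, the scheme the guide recommended and which is weak by
today's standards, while recognising the "!" prefix that passwd -l adds to a locked account.
The account lines and hash strings are constructed placeholders, not real hashes; on a real host
run it as root with audit_shadow /etc/shadow.

```sh
#!/bin/sh
# Added example, not part of the original guide. Reads shadow(5) lines and
# classifies each account's password field. The sample accounts and hash
# strings are constructed placeholders, not output of crypt(3).

audit_shadow() {
    # $1: file in /etc/shadow format. Prints one line per account,
    # "<user> <status>", where status is one of
    #   empty-password : second field blank, anyone can log in without a password
    #   weak-hash-md5  : $1$ (md5crypt) hash; re-hash as $6$ (sha512crypt)
    #   locked         : field starts with ! or * (passwd -l, or no password ever set)
    #   ok             : any other hash
    awk -F: 'NF >= 2 {
        pw = $2
        if (pw == "")               status = "empty-password"
        else if (pw ~ /^[!*]/)      status = "locked"
        else if (pw ~ /^\$1\$/)     status = "weak-hash-md5"
        else                        status = "ok"
        print $1, status
    }' "$1"
}

# Only the findings an administrator must act on.
shadow_findings() { audit_shadow "$1" | grep -E ' (empty-password|weak-hash-md5)$'; }

# Constructed sample; the hash bodies are filler, not real hashes.
SAMPLE_SHADOW='root:$6$saltsalt$ConstructedSha512CryptPlaceholder0000000000000000000000000000000:16000:0:99999:7:::
dave:$1$Oldsalt$ConstructedMd5CryptPlaceholder:16000:0:99999:7:::
guest::16000:0:99999:7:::
olduser:!$6$saltsalt$ConstructedSha512CryptPlaceholder0000000000000000000000000000000:16000:0:99999:7:::
bin:*:16000:0:99999:7:::'

demo_shadow() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SHADOW" > "$f"
    shadow_findings "$f"
    rm -f "$f"
}
```

demo_shadow reports dave (MD5 hash) and guest (no password) and stays silent about root,
the locked olduser, and the system account bin. Empty password fields are the first thing a
cracking run or an intruder will find, so fix those before worrying about hash strength.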

Packet filtering isn't just for firewalls. Using ipchains (the 2.2-kernel filter; 2.4 and
later kernels use iptables instead), you can give any Linux box a significant amount of
protection from external threats. To block one outside host from reaching a particular
service, for example the telnet port, you might try:

# ipchains -I input -p TCP -s 192.168.1.11 -d 0.0.0.0/0 telnet -j DENY -l

This drops and logs incoming connections to the telnet port on the local machine when
they originate from 192.168.1.11 (the port after -d is the destination port; a port
written after -s would match the source port instead). The iptables equivalent is
iptables -I INPUT -p tcp -s 192.168.1.11 --dport telnet -j DROP. This is a very simple
example. Be sure to read the IP Chains HOWTO before implementing any firewalling.

