-
-void failure(msg) {
- fprintf(stderr, "%s\n", msg);
- exit(1);
-}
-
-/*
- * Given a "pattern" for a temporary filename
- * (starting with the directory location and ending in XXXXXX),
- * create the file and return it.
- * This routines unlinks the file, so normally it won't appear in
- * a directory listing.
- * The pattern will be changed to show the final filename.
- */
-
-FILE *create_tempfile(char *temp_filename_pattern)
-{
- int temp_fd;
- mode_t old_mode;
- FILE *temp_file;
-
- old_mode = umask(077); /* Create file with restrictive permissions */
- temp_fd = mkstemp(temp_filename_pattern);
- (void) umask(old_mode);
- if (temp_fd == -1) {
- failure("Couldn't open temporary file");
- }
- if (!(temp_file = fdopen(temp_fd, "w+b"))) {
- failure("Couldn't create temporary file's file descriptor");
- }
- if (unlink(temp_filename_pattern) == -1) {
- failure("Couldn't unlink temporary file");
- }
- return temp_file;
-}
-
-
-/*
- * Given a "tag" (a relative filename ending in XXXXXX),
- * create a temporary file using the tag. The file will be created
- * in the directory specified in the environment variables
- * TMPDIR or TMP, if defined and we aren't setuid/setgid, otherwise
- * it will be created in /tmp. Note that root (and su'd to root)
- * _will_ use TMPDIR or TMP, if defined.
- *
- */
-FILE *smart_create_tempfile(char *tag)
-{
- char *tmpdir = NULL;
- char *pattern;
- FILE *result;
-
- if ((getuid()==geteuid()) && (getgid()==getegid())) {
- if (! ((tmpdir=getenv("TMPDIR")))) {
- tmpdir=getenv("TMP");
- }
- }
- if (!tmpdir) {tmpdir = "/tmp";}
-
- pattern = malloc(strlen(tmpdir)+strlen(tag)+2);
- if (!pattern) {
- failure("Could not malloc tempfile pattern");
- }
- strcpy(pattern, tmpdir);
- strcat(pattern, "/");
- strcat(pattern, tag);
- result = create_tempfile(pattern);
- free(pattern);
- return result;
-}
-
-
-
-main() {
- int c;
- FILE *demo_temp_file1;
- FILE *demo_temp_file2;
- char demo_temp_filename1[] = "/tmp/demoXXXXXX";
- char demo_temp_filename2[] = "second-demoXXXXXX";
-
- demo_temp_file1 = create_tempfile(demo_temp_filename1);
- demo_temp_file2 = smart_create_tempfile(demo_temp_filename2);
- fprintf(demo_temp_file2, "This is a test.\n");
- printf("Printing temporary file contents:\n");
- rewind(demo_temp_file2);
- while ( (c=fgetc(demo_temp_file2)) != EOF) {
- putchar(c);
- }
- putchar('\n');
- printf("Exiting; you'll notice that there are no temporary files on exit.\n");
-}
-
-Kennaway states that if you can't use mkstemp(3), then make yourself a
-directory using mkdtemp(3), which is protected from the outside world.
-However, as Michal Zalewski notes, this is a bad idea if there are tmp
-cleaners in use; instead, use a directory inside the user's HOME. Finally, if
-you really have to use the insecure mktemp(3), use lots of X's - he suggests
-10 (if your libc allows it) so that the filename can't easily be guessed
-(using only 6 X's means that 5 are taken up by the PID, leaving only one
-random character and allowing an attacker to mount an easy race condition).
-Note that this is fundamentally insecure, so you should normally not do this.
-I add that you should avoid tmpnam(3) as well - some of its uses aren't
-reliable when threads are present, and it doesn't guarantee that it will work
-correctly after TMP_MAX uses (yet most practical uses must be inside a loop).
-
-In general, you should avoid using the insecure functions such as mktemp(3)
-or tmpnam(3), unless you take specific measures to counter their insecurities
-or test for a secure library implementation as part of your installation
-routines. If you ever want to make a file in /tmp or a world-writable
-directory (or group-writable, if you don't trust the group) and don't want to
-use mk*temp() (e.g. you intend for the file to be predictably named), then
-always use the O_CREAT and O_EXCL flags to open() and check the return value.
-If you fail the open() call, then recover gracefully (e.g. exit).
-
-The GNOME programming guidelines recommend the following C code when creating
-filesystem objects in shared (temporary) directories to securely open
-temporary files [Quintero 2000]:
- char *filename;
- int fd;
-
- do {
- filename = tempnam (NULL, "foo");
- fd = open (filename, O_CREAT | O_EXCL | O_TRUNC | O_RDWR, 0600);
- free (filename);
- } while (fd == -1);
-Note that, although the insecure function tempnam(3) is being used, it is
-wrapped inside a loop using O_CREAT and O_EXCL to counteract its security
-weaknesses, so this use is okay. Note that you need to free() the filename.
-You should close() and unlink() the file after you are done. If you want to
-use the Standard C I/O library, you can use fdopen() with mode "w+b" to
-transform the file descriptor into a FILE *. Note that this approach won't
-work over NFS version 2 (v2) systems, because older NFS doesn't correctly
-support O_EXCL. Note that one minor disadvantage to this approach is that,
-since tempnam can be used insecurely, various compilers and security scanners
-may give you spurious warnings about its use. This isn't a problem with
-mkstemp(3).
-
-If you need a temporary file in a shell script, you're probably best off
-using pipes, using a local directory (e.g., something inside the user's home
-directory), or in some cases using the current directory. That way, there's
-no sharing unless the user permits it. If you really want/need the temporary
-file to be in a shared directory like /tmp, do not use the traditional shell
-technique of using the process id in a template and just creating the file
-using normal operations like ">". Shell scripts can use "$$" to indicate the
-PID, but the PID can be easily determined or guessed by an attacker, who can
-then pre-create files or links with the same name. Thus the following
-"typical" shell script is unsafe:
- echo "This is a test" > /tmp/test$$ # DON'T DO THIS.
-
-If you need a temporary file or directory in a shell script, and you want it
-in /tmp, a solution sometimes suggested is to use mktemp(1), which is
-intended for use in shell scripts (note that mktemp(1) and mktemp(3) are
-different things). However, as Michal Zalewski notes, this is insecure in
-many environments that run tmp cleaners; the problem is that when a
-privileged program sweeps through a temporary directory, it will probably
-expose a race condition. Even if this weren't true, I do not recommend using
-shell scripts that create temporary files in shared directories; creating
-such files in private directories or using pipes instead is generally
-preferable, even if you're sure your tmpwatch program is okay (or that you
-have no local users). If you must use mktemp(1), note that mktemp(1) takes a
-template, then creates a file or directory using O_EXCL and returns the
-resulting name; thus, mktemp(1) won't work on NFS version 2 filesystems. Here
-are some examples of correct use of mktemp(1) in Bourne shell scripts; these
-examples are straight from the mktemp(1) man page:
- # Simple use of mktemp(1), where the script should quit
- # if it can't get a safe temporary file.
- # Note that this will be INSECURE on many systems, since they use
- # tmpwatch-like programs that will erase "old" files and expose race
- # conditions.
-
- TMPFILE=`mktemp /tmp/$0.XXXXXX` || exit 1
- echo "program output" >> $TMPFILE
-
- # Simple example, if you want to catch the error:
-
- TMPFILE=`mktemp -q /tmp/$0.XXXXXX`
- if [ $? -ne 0 ]; then
- echo "$0: Can't create temp file, exiting..."
- exit 1
- fi
-
-Perl programmers should use File::Temp, which tries to provide a
-cross-platform means of securely creating temporary files. However, read the
-documentation carefully on how to use it properly first; it includes
-interfaces to unsafe functions as well. I suggest explicitly setting its
-safe_level to HIGH; this will invoke additional security checks. [http://
-search.cpan.org/author/JHI/perl-5.8.0/lib/File/Temp.pm] The Perl 5.8
-documentation of File::Temp is available on-line.
-
-Don't reuse a temporary filename (i.e. remove and recreate it), no matter how
-you obtained the ``secure'' temporary filename in the first place. An
-attacker can observe the original filename and hijack it before you recreate
-it the second time. And of course, always use appropriate file permissions.
-For example, only allow world/group access if you need the world or a group
-to access the file, otherwise keep it mode 0600 (i.e., only the owner can
-read or write it).
-
-Clean up after yourself, either by using an exit handler, or making use of
-UNIX filesystem semantics and unlink()ing the file immediately after creation
-so the directory entry goes away but the file itself remains accessible until
-the last file descriptor pointing to it is closed. You can then continue to
-access it within your program by passing around the file descriptor.
-Unlinking the file has a lot of advantages for code maintenance: the file is
-automatically deleted, no matter how your program crashes. It also decreases
-the likelihood that a maintainer will insecurely use the filename (they need
-to use the file descriptor instead). The one minor problem with immediate
-unlinking is that it makes it slightly harder for administrators to see how
-disk space is being used, since they can't simply look at the file system by
-name.
-
-You might consider ensuring that your code for Unix-like systems respects the
-environment variables TMP or TMPDIR if the provider of these variable values
-is trusted. By doing so, you make it possible for users to move their
-temporary files into an unshared directory (and eliminating the problems
-discussed here), such as a subdirectory inside their home directory. Recent
-versions of Bastille can set these variables to reduce the sharing between
-users. Unfortunately, many users set TMP or TMPDIR to a shared directory (say
-/tmp), so your secure program must still correctly create temporary files
-even if these environment variables are set. This is one advantage of the
-GNOME approach, since at least on some systems tempnam(3) automatically uses
-TMPDIR, while the mkstemp(3) approach requires more code to do this. Please
-don't create yet more environment variables for temporary directories (such
-as TEMP), and in particular don't create a different environment name for
-each application (e.g., don't use "MYAPP_TEMP"). Doing so greatly complicates
-managing systems, and users wanting a special temporary directory for a
-specific application can just set the environment variable specially when
-running that particular application. Of course, if these environment
-variables might have been set by an untrusted source, you should ignore them
-- which you'll do anyway if you follow the advice in Section 5.2.3.
-
-These techniques don't work if the temporary directory is remotely mounted
-using NFS version 2 (NFSv2), because NFSv2 doesn't properly support O_EXCL.
-See Section 7.10.2.1 for more information. NFS version 3 and later properly
-support O_EXCL; the simple solution is to ensure that temporary directories
-are either local or, if mounted using NFS, mounted using NFS version 3 or
-later. There is a technique for safely creating temporary files on NFS v2,
-involving the use of link(2) and stat(2), but it's complex; see Section
-7.10.2.1 which has more information about this.
-
-As an aside, it's worth noting that FreeBSD has recently changed the mk*temp
-() family to get rid of the PID component of the filename and replace the
-entire thing with base-62 encoded randomness. This drastically raises the
-number of possible temporary files for the "default" usage of 6 X's, meaning
-that even mktemp(3) with 6 X's is reasonably (probabilistically) secure
-against guessing, except under very frequent usage. However, if you also
-follow the guidance here, you'll eliminate the problem they're addressing.
-
-Much of this information on temporary files was derived from Kris Kennaway's
-posting to Bugtraq about temporary files on December 15, 2000.
-
-I should note that the Openwall Linux patch from [http://www.openwall.com/
-linux/] http://www.openwall.com/linux/ includes an optional ``temporary file
-directory'' policy that counters many temporary file based attacks. The Linux
-Security Module (LSM) project includes an "owlsm" module that implements some
-of the OpenWall ideas, so Linux Kernels with LSM can quickly insert these
-rules into a running system. When enabled, it has two protections:
-
- * Hard links: Processes may not make hard links to files in certain cases.
- The OpenWall documentation states that "Processes may not make hard links
- to files they do not have write access to." In the LSM version, the rules
- are as follows: if both the process' uid and fsuid (usually the same as
- the euid) is is different from the linked-to-file's uid, the process uid
- is not root, and the process lacks the FOWNER capability, then the hard
- link is forbidden. The check against the process uid may be dropped
- someday (they are work-arounds for the atd(8) program), at which point
- the rules would be: if both the process' fsuid (usually the same as the
- euid) is is different from the linked-to-file's uid and and the process
- lacks the FOWNER capability, then the hard link is forbidden. In other
- words, you can only create hard links to files you own, unless you have
- the FOWNER capability.
-
- * Symbolic links (symlinks): Certain symlinks are not followed. The
- original OpenWall documentation states that "root processes may not
- follow symlinks that are not owned by root", but the actual rules (from
- looking at the code) are more complicated. In the LSM version, if the
- directory is sticky ("+t" mode, used in shared directories like /tmp),
- symlinks are not followed if the symlink was created by anyone other than
- either the owner of the directory or the current process' fsuid (which is
- usually the effective uid).
-
-
-Many systems do not implement this openwall policy, so you can't depend on
-this in general protecting your system. However, I encourage using this
-policy on your own system, and please make sure that your application will
-work when this policy is in place.
------------------------------------------------------------------------------
-
-7.10.2. Locking
-
-There are often situations in which a program must ensure that it has
-exclusive rights to something (e.g., a file, a device, and/or existence of a
-particular server process). Any system which locks resources must deal with
-the standard problems of locks, namely, deadlocks (``deadly embraces''),
-livelocks, and releasing ``stuck'' locks if a program doesn't clean up its
-locks. A deadlock can occur if programs are stuck waiting for each other to
-release resources. For example, a deadlock would occur if process 1 locks
-resources A and waits for resource B, while process 2 locks resource B and
-waits for resource A. Many deadlocks can be prevented by simply requiring all
-processes that lock multiple resources to lock them in the same order (e.g.,
-alphabetically by lock name).
------------------------------------------------------------------------------
-
-7.10.2.1. Using Files as Locks
-
-On Unix-like systems resource locking has traditionally been done by creating
-a file to indicate a lock, because this is very portable. It also makes it
-easy to ``fix'' stuck locks, because an administrator can just look at the
-filesystem to see what locks have been set. Stuck locks can occur because the
-program failed to clean up after itself (e.g., it crashed or malfunctioned)
-or because the whole system crashed. Note that these are ``advisory'' (not
-``mandatory'') locks - all processes needed the resource must cooperate to
-use these locks.
-
-However, there are several traps to avoid. First, don't use the technique
-used by very old Unix C programs, which is calling creat() or its open()
-equivalent, the open() mode O_WRONLY | O_CREAT | O_TRUNC, with the file mode
-set to 0 (no permissions). For normal users on normal file systems, this
-works, but this approach fails to lock the file when the user has root
-privileges. Root can always perform this operation, even when the file
-already exists. In fact, old versions of Unix had this particular problem in
-the old editor ``ed'' -- the symptom was that occasionally portions of the
-password file would be placed in user's files [Rochkind 1985, 22]! Instead,
-if you're creating a lock for processes that are on the local filesystem, you
-should use open() with the flags O_WRONLY | O_CREAT | O_EXCL (and again, no
-permissions, so that other processes with the same owner won't get the lock).
-Note the use of O_EXCL, which is the official way to create ``exclusive''
-files; this even works for root on a local filesystem. [Rochkind 1985, 27].
-
-Second, if the lock file may be on an NFS-mounted filesystem, then you have
-the problem that NFS version 2 doesn't completely support normal file
-semantics. This can even be a problem for work that's supposed to be
-``local'' to a client, since some clients don't have local disks and may have
-all files remotely mounted via NFS. The manual for open(2) explains how to
-handle things in this case (which also handles the case of root programs):
-
-"... programs which rely on [the O_CREAT and O_EXCL flags of open(2) to work
-on filesystems accessed via NFS version 2] for performing locking tasks will
-contain a race condition. The solution for performing atomic file locking
-using a lockfile is to create a unique file on the same filesystem (e.g.,
-incorporating hostname and pid), use link(2) to make a link to the lockfile
-and use stat(2) on the unique file to check if its link count has increased
-to 2. Do not use the return value of the link(2) call."
-
-Obviously, this solution only works if all programs doing the locking are
-cooperating, and if all non-cooperating programs aren't allowed to interfere.
-In particular, the directories you're using for file locking must not have
-permissive file permissions for creating and removing files.
-
-NFS version 3 added support for O_EXCL mode in open(2); see IETF RFC 1813, in
-particular the "EXCLUSIVE" value to the "mode" argument of "CREATE". Sadly,
-not everyone has switched to NFS version 3 or higher at the time of this
-writing, so you can't depend on this yet in portable programs. Still, in the
-long run there's hope that this issue will go away.
-
-If you're locking a device or the existence of a process on a local machine,
-try to use standard conventions. I recommend using the Filesystem Hierarchy
-Standard (FHS); it is widely referenced by Linux systems, but it also tries
-to incorporate the ideas of other Unix-like systems. The FHS describes
-standard conventions for such locking files, including naming, placement, and
-standard contents of these files [FHS 1997]. If you just want to be sure that
-your server doesn't execute more than once on a given machine, you should
-usually create a process identifier as /var/run/NAME.pid with the pid as its
-contents. In a similar vein, you should place lock files for things like
-device lock files in /var/lock. This approach has the minor disadvantage of
-leaving files hanging around if the program suddenly halts, but it's standard
-practice and that problem is easily handled by other system tools.
-
-It's important that the programs which are cooperating using files to
-represent the locks use the same directory, not just the same directory name.
-This is an issue with networked systems: the FHS explicitly notes that /var/
-run and /var/lock are unshareable, while /var/mail is shareable. Thus, if you
-want the lock to work on a single machine, but not interfere with other
-machines, use unshareable directories like /var/run (e.g., you want to permit
-each machine to run its own server). However, if you want all machines
-sharing files in a network to obey the lock, you need to use a directory that
-they're sharing; /var/mail is one such location. See FHS section 2 for more
-information on this subject.
------------------------------------------------------------------------------
-
-7.10.2.2. Other Approaches to Locking
-
-Of course, you need not use files to represent locks. Network servers often
-need not bother; the mere act of binding to a port acts as a kind of lock,
-since if there's an existing server bound to a given port, no other server
-will be able to bind to that port.
-
-Another approach to locking is to use POSIX record locks, implemented through
-fcntl(2) as a ``discretionary lock''. These are discretionary, that is, using
-them requires the cooperation of the programs needing the locks (just as the
-approach to using files to represent locks does). There's a lot to recommend
-POSIX record locks: POSIX record locking is supported on nearly all Unix-like
-platforms (it's mandated by POSIX.1), it can lock portions of a file (not
-just a whole file), and it can handle the difference between read locks and
-write locks. Even more usefully, if a process dies, its locks are
-automatically removed, which is usually what is desired.
-
-You can also use mandatory locks, which are based on System V's mandatory
-locking scheme. These only apply to files where the locked file's setgid bit
-is set, but the group execute bit is not set. Also, you must mount the
-filesystem to permit mandatory file locks. In this case, every read(2) and
-write(2) is checked for locking; while this is more thorough than advisory
-locks, it's also slower. Also, mandatory locks don't port as widely to other
-Unix-like systems (they're available on Linux and System V-based systems, but
-not necessarily on others). Note that processes with root privileges can be
-held up by a mandatory lock, too, making it possible that this could be the
-basis of a denial-of-service attack.
------------------------------------------------------------------------------
-
-7.11. Trust Only Trustworthy Channels
-
-In general, only trust information (input or results) from trustworthy
-channels. For example, the routines getlogin(3) and ttyname(3) return
-information that can be controlled by a local user, so don't trust them for
-security purposes.
-
-In most computer networks (and certainly for the Internet at large), no
-unauthenticated transmission is trustworthy. For example, packets sent over
-the public Internet can be viewed and modified at any point along their path,
-and arbitrary new packets can be forged. These forged packets might include
-forged information about the sender (such as their machine (IP) address and
-port) or receiver. Therefore, don't use these values as your primary criteria
-for security decisions unless you can authenticate them (say using
-cryptography).
-
-This means that, except under special circumstances, two old techniques for
-authenticating users in TCP/IP should often not be used as the sole
-authentication mechanism. One technique is to limit users to ``certain
-machines'' by checking the ``from'' machine address in a data packet; the
-other is to limit access by requiring that the sender use a ``trusted'' port
-number (a number less that 1024). The problem is that in many environments an
-attacker can forge these values.
-
-In some environments, checking these values (e.g., the sending machine IP
-address and/or port) can have some value, so it's not a bad idea to support
-such checking as an option in a program. For example, if a system runs behind
-a firewall, the firewall can't be breached or circumvented, and the firewall
-stops external packets that claim to be from the inside, then you can claim
-that any packet saying it's from the inside really does. Note that you can't
-be sure the packet actually comes from the machine it claims it comes from -
-so you're only countering external threats, not internal threats. However,
-broken firewalls, alternative paths, and mobile code make even these
-assumptions suspect.
-
-The problem is supporting untrustworthy information as the only way to
-authenticate someone. If you need a trustworthy channel over an untrusted
-network, in general you need some sort of cryptologic service (at the very
-least, a cryptologically safe hash). See Section 11.5 for more information on
-cryptographic algorithms and protocols. If you're implementing a standard and
-inherently insecure protocol (e.g., ftp and rlogin), provide safe defaults
-and document the assumptions clearly.
-
-The Domain Name Server (DNS) is widely used on the Internet to maintain
-mappings between the names of computers and their IP (numeric) addresses. The
-technique called ``reverse DNS'' eliminates some simple spoofing attacks, and
-is useful for determining a host's name. However, this technique is not
-trustworthy for authentication decisions. The problem is that, in the end, a
-DNS request will be sent eventually to some remote system that may be
-controlled by an attacker. Therefore, treat DNS results as an input that
-needs validation and don't trust it for serious access control.
-
-Arbitrary email (including the ``from'' value of addresses) can be forged as
-well. Using digital signatures is a method to thwart many such attacks. A
-more easily thwarted approach is to require emailing back and forth with
-special randomly-created values, but for low-value transactions such as
-signing onto a public mailing list this is usually acceptable.
-
-Note that in any client/server model, including CGI, that the server must
-assume that the client (or someone interposing between the client and server)
-can modify any value. For example, so-called ``hidden fields'' and cookie
-values can be changed by the client before being received by CGI programs.
-These cannot be trusted unless special precautions are taken. For example,
-the hidden fields could be signed in a way the client cannot forge as long as
-the server checks the signature. The hidden fields could also be encrypted
-using a key only the trusted server could decrypt (this latter approach is
-the basic idea behind the Kerberos authentication system). InfoSec labs has
-further discussion about hidden fields and applying encryption at [http://
-www.infoseclabs.com/mschff/mschff.htm] http://www.infoseclabs.com/mschff/
-mschff.htm. In general, you're better off keeping data you care about at the
-server end in a client/server model. In the same vein, don't depend on
-HTTP_REFERER for authentication in a CGI program, because this is sent by the
-user's browser (not the web server).
-
-This issue applies to data referencing other data, too. For example, HTML or
-XML allow you to include by reference other files (e.g., DTDs and style
-sheets) that may be stored remotely. However, those external references could
-be modified so that users see a very different document than intended; a
-style sheet could be modified to ``white out'' words at critical locations,
-deface its appearance, or insert new text. External DTDs could be modified to
-prevent use of the document (by adding declarations that break validation) or
-insert different text into documents [St. Laurent 2000].
------------------------------------------------------------------------------
-
-7.12. Set up a Trusted Path
-
-The counterpart to needing trustworthy channels (see Section 7.11) is
-assuring users that they really are working with the program or system they
-intended to use.
-
-The traditional example is a ``fake login'' program. If a program is written
-to look like the login screen of a system, then it can be left running. When
-users try to log in, the fake login program can then capture user passwords
-for later use.
-
-A solution to this problem is a ``trusted path.'' A trusted path is simply
-some mechanism that provides confidence that the user is communicating with
-what the user intended to communicate with, ensuring that attackers can't
-intercept or modify whatever information is being communicated.
-
-If you're asking for a password, try to set up trusted path. Unfortunately,
-stock Linux distributions and many other Unixes don't have a trusted path
-even for their normal login sequence. One approach is to require pressing an
-unforgeable key before login, e.g., Windows NT/2000 uses
-``control-alt-delete'' before logging in; since normal programs in Windows
-can't intercept this key pattern, this approach creates a trusted path.
-There's a Linux equivalent, termed the Secure Attention Key (SAK); it's
-recommended that this be mapped to ``control-alt-pause''. Unfortunately, at
-the time of this writing SAK is immature and not well-supported by Linux
-distributions. Another approach for implementing a trusted path locally is to
-control a separate display that only the login program can perform. For
-example, if only trusted programs could modify the keyboard lights (the LEDs
-showing Num Lock, Caps Lock, and Scroll Lock), then a login program could
-display a running pattern to indicate that it's the real login program.
-Unfortunately, since in current Linux normal users can change the LEDs, the
-LEDs can't currently be used to confirm a trusted path.
-
-Sadly, the problem is much worse for network applications. Although setting
-up a trusted path is desirable for network applications, completely doing so
-is quite difficult. When sending a password over a network, at the very least
-encrypt the password between trusted endpoints. This will at least prevent
-eavesdropping of passwords by those not connected to the system, and at least
-make attacks harder to perform. If you're concerned about trusted path for
-the actual communication, make sure that the communication is encrypted and
-authenticated (or at least authenticated).
-
-It turns out that this isn't enough to have a trusted path to networked
-applications, in particular for web-based applications. There are documented
-methods for fooling users of web browsers into thinking that they're at one
-place when they are really at another. For example, Felten [1997] discusses
-``web spoofing'', where users believe they're viewing one web page when in
-fact all the web pages they view go through an attacker's site (who can then
-monitor all traffic and modify any data sent in either direction). This is
-accomplished by rewriting URL. The rewritten URLs can be made nearly
-invisible by using other technology (such as Javascript) to hide any possible
-evidence in the status line, location line, and so on. See their paper for
-more details. Another technique for hiding such URLs is exploiting
-rarely-used URL syntax, for example, the URL ``http://www.ibm.com/
-stuff@mysite.com'' is actually a request to view ``mysite.com'' (a
-potentially malevolent site) using the unusual username ``www.ibm.com/stuff'.
-If the URL is long enough, the real material won't be displayed and users are
-unlikely to notice the exploit anyway. Yet another approach is to create
-sites with names deliberately similar to the ``real'' site - users may not
-know the difference. In all of these cases, simply encrypting the line
-doesn't help - the attacker can be quite content in encrypting data while
-completely controlling what's shown.
-
-Countering these problems is more difficult; at this time I have no good
-technical solution for fully preventing ``fooled'' web users. I would
-encourage web browser developers to counter such ``fooling'', making it
-easier to spot. If it's critical that your users correctly connect to the
-correct site, have them use simple procedures to counter the threat. Examples
-include having them halt and restart their browser, and making sure that the
-web address is very simple and not normally misspelled (so misspelling it is
-unlikely). You might also want to gain ownership of some ``similar'' sounding
-DNS names, and search for other such DNS names and material to find
-attackers.
------------------------------------------------------------------------------
-
-7.13. Use Internal Consistency-Checking Code
-
-The program should check to ensure that its call arguments and basic state
-assumptions are valid. In C, macros such as assert(3) may be helpful in doing
-so.
------------------------------------------------------------------------------
-
-7.14. Self-limit Resources
-
-In network daemons, shed or limit excessive loads. Set limit values (using
-setrlimit(2)) to limit the resources that will be used. At the least, use
-setrlimit(2) to disable creation of ``core'' files. For example, by default
-Linux will create a core file that saves all program memory if the program
-fails abnormally, but such a file might include passwords or other sensitive
-data.
------------------------------------------------------------------------------
-
-7.15. Prevent Cross-Site (XSS) Malicious Content
-
-Some secure programs accept data from one untrusted user (the attacker) and
-pass that data on to a different user's application (the victim). If the
-secure program doesn't protect the victim, the victim's application (e.g.,
-their web browser) may then process that data in a way harmful to the victim.
-This is a particularly common problem for web applications using HTML or XML,
-where the problem goes by several names including ``cross-site scripting'',
-``malicious HTML tags'', and ``malicious content.'' This book will call this
-problem ``cross-site malicious content,'' since the problem isn't limited to
-scripts or HTML, and its cross-site nature is fundamental. Note that this
-problem isn't limited to web applications, but since this is a particular
-problem for them, the rest of this discussion will emphasize web
-applications. As will be shown in a moment, sometimes an attacker can cause a
-victim to send data from the victim to the secure program, so the secure
-program must protect the victim from himself.
------------------------------------------------------------------------------
-
-7.15.1. Explanation of the Problem
-
-Let's begin with a simple example. Some web applications are designed to
-permit HTML tags in data input from users that will later be posted to other
-readers (e.g., in a guestbook or ``reader comment'' area). If nothing is done
-to prevent it, these tags can be used by malicious users to attack other
-users by inserting scripts, Java references (including references to hostile
-applets), DHTML tags, early document endings (via ), absurd font size
-requests, and so on. This capability can be exploited for a wide range of
-effects, such as exposing SSL-encrypted connections, accessing restricted web
-sites via the client, violating domain-based security policies, making the
-web page unreadable, making the web page unpleasant to use (e.g., via
-annoying banners and offensive material), permit privacy intrusions (e.g., by
-inserting a web bug to learn exactly who reads a certain page), creating
-denial-of-service attacks (e.g., by creating an ``infinite'' number of
-windows), and even very destructive attacks (by inserting attacks on security
-vulnerabilities such as scripting languages or buffer overflows in browsers).
-By embedding malicious FORM tags at the right place, an intruder may even be
-able to trick users into revealing sensitive information (by modifying the
-behavior of an existing form). Or, by embedding scripts, an intruder can
-cause no end of problems. This is by no means an exhaustive list of problems,
-but hopefully this is enough to convince you that this is a serious problem.
-
-Most ``discussion boards'' have already discovered this problem, and most
-already take steps to prevent it in text intended to be part of a multiperson
-discussion. Unfortunately, many web application developers don't realize that
-this is a much more general problem. Every data value that is sent from one
-user to another can potentially be a source for cross-site malicious posting,
-even if it's not an ``obvious'' case of an area where arbitrary HTML is
-expected. The malicious data can even be supplied by the user himself, since
-the user may have been fooled into supplying the data via another site.
-Here's an example (from CERT) of an HTML link that causes the user to send
-malicious data to another site:
- Click here
-
-In short, a web application cannot accept input (including any form data)
-without checking, filtering, or encoding it. You can't even pass that data
-back to the same user in many cases in web applications, since another user
-may have surreptitiously supplied the data. Even if permitting such material
-won't hurt your system, it will enable your system to be a conduit of attacks
-to your users. Even worse, those attacks will appear to be coming from your
-system.
-
-CERT describes the problem this way in their advisory:
-
-
- A web site may inadvertently include malicious HTML tags or script in a
- dynamically generated page based on unvalidated input from untrustworthy
- sources (CERT Advisory CA-2000-02, Malicious HTML Tags Embedded in Client
- Web Requests).
-
-More information from CERT about this is available at [http://www.cert.org/
-archive/pdf/cross_site_scripting.pdf] http://www.cert.org/archive/pdf/
-cross_site_scripting.pdf.
------------------------------------------------------------------------------
-
-7.15.2. Solutions to Cross-Site Malicious Content
-
-Fundamentally, this means that all web application output impacted by any
-user must be filtered (so characters that can cause this problem are
-removed), encoded (so the characters that can cause this problem are encoded
-in a way to prevent the problem), or validated (to ensure that only ``safe''
-data gets through). This includes all output derived from input such as URL
-parameters, form data, cookies, database queries, CORBA ORB results, and data
-from users stored in files. In many cases, filtering and validation should be
-done at the input, but encoding can be done during either input validation or
-output generation. If you're just passing the data through without analysis,
-it's probably better to encode the data on input (so it won't be forgotten).
-However, if your program processes the data, it can be easier to encode it on
-output instead. CERT recommends that filtering and encoding be done during
-data output; this isn't a bad idea, but there are many cases where it makes
-sense to do it at input instead. The critical issue is to make sure that you
-cover all cases for every output, which is not an easy thing to do regardless
-of approach.
-
-Warning - in many cases these techniques can be subverted unless you've also
-gained control over the character encoding of the output. Otherwise, an
-attacker could use an ``unexpected'' character encoding to subvert the
-techniques discussed here. Thankfully, this isn't hard; gaining control over
-output character encoding is discussed in Section 9.5.
-
-One minor defense, that's often worth doing, is the "HttpOnly" flag for
-cookies. Scripts that run in a web browser cannot access cookie values that
-have the HttpOnly flag set (they just get an empty value instead). This is
-currently implemented in Microsoft Internet Explorer, and I expect Mozilla/
-Netscape to implement this soon too. You should set HttpOnly on for any
-cookie you send, unless you have scripts that need the cookie, to counter
-certain kinds of cross-site scripting (XSS) attacks. However, the HttpOnly
-flag can be circumvented in a variety of ways, so using as your primary
-defense is inappropriate. Instead, it's a helpful secondary defense that may
-help save you in case your application is written incorrectly.
-
-The first subsection below discusses how to identify special characters that
-need to be filtered, encoded, or validated. This is followed by subsections
-describing how to filter or encode these characters. There's no subsection
-discussing how to validate data in general, however, for input validation in
-general see Chapter 5, and if the input is straight HTML text or a URI, see
-Section 5.11. Also note that your web application can receive malicious
-cross-postings, so non-queries should forbid the GET protocol (see Section
-5.12).
------------------------------------------------------------------------------
-
-7.15.2.1. Identifying Special Characters
-
-Here are the special characters for a variety of circumstances (my thanks to
-the CERT, who developed this list):
-
- * In the content of a block-level element (e.g., in the middle of a
- paragraph of text in HTML or a block in XML):
-
- + "<" is special because it introduces a tag.
-
- + "&" is special because it introduces a character entity.
-
- + ">" is special because some browsers treat it as special, on the
- assumption that the author of the page really meant to put in an
- opening "<", but omitted it in error.
-
-
- * In attribute values:
-
- + In attribute values enclosed with double quotes, the double quotes
- are special because they mark the end of the attribute value.
-
- + In attribute values enclosed with single quote, the single quotes are
- special because they mark the end of the attribute value. XML's
- definition allows single quotes, but I've been told that some XML
- parsers don't handle them correctly, so you might avoid using single
- quotes in XML.
-
- + Attribute values without any quotes make the white-space characters
- such as space and tab special. Note that these aren't legal in XML
- either, and they make more characters special. Thus, I recommend
- against unquoted attributes if you're using dynamically generated
- values in them.
-
- + "&" is special when used in conjunction with some attributes because
- it introduces a character entity.
-
-
- * In URLs, for example, a search engine might provide a link within the
- results page that the user can click to re-run the search. This can be
- implemented by encoding the search query inside the URL. When this is
- done, it introduces additional special characters:
-
- + Space, tab, and new line are special because they mark the end of the
- URL.
-
- + "&" is special because it introduces a character entity or separates
- CGI parameters.
-
- + Non-ASCII characters (that is, everything above 128 in the ISO-8859-1
- encoding) aren't allowed in URLs, so they are all special here.
-
- + The "%" must be filtered from input anywhere parameters encoded with
- HTTP escape sequences are decoded by server-side code. The percent
- must be filtered if input such as "%68%65%6C%6C%6F" becomes "hello"
- when it appears on the web page in question.
-
-
- * Within the body of a the semicolon, parenthesis, curly
- braces, and new line should be filtered in situations where text could be
- inserted directly into a preexisting script tag.
-
- * Server-side scripts that convert any exclamation characters (!) in input
- to double-quote characters (") on output might require additional
- filtering.
-
-
-Note that, in general, the ampersand (&) is special in HTML and XML.
------------------------------------------------------------------------------
-
-7.15.2.2. Filtering
-
-One approach to handling these special characters is simply eliminating them
-(usually during input or output).
-
-If you're already validating your input for valid characters (and you
-generally should), this is easily done by simply omitting the special
-characters from the list of valid characters. Here's an example in Perl of a
-filter that only accepts legal characters, and since the filter doesn't
-accept any special characters other than the space, it's quite acceptable for
-use in areas such as a quoted attribute:
- # Accept only legal characters:
- $summary =~ tr/A-Za-z0-9\ \.\://dc;
-
-However, if you really want to strip away only the smallest number of
-characters, then you could create a subroutine to remove just those
-characters:
- sub remove_special_chars {
- local($s) = @_;
- $s =~ s/[\<\>\"\'\%\;\(\)\&\+]//g;
- return $s;
- }
- # Sample use:
- $data = &remove_special_chars($data);
------------------------------------------------------------------------------
-
-7.15.2.3. Encoding (Quoting)
-
-An alternative to removing the special characters is to encode them so that
-they don't have any special meaning. This has several advantages over
-filtering the characters, in particular, it prevents data loss. If the data
-is "mangled" by the process from the user's point of view, at least when the
-data is encoded it's possible to reconstruct the data that was originally
-sent.
-
-HTML, XML, and SGML all use the ampersand ("&") character as a way to
-introduce encodings in the running text; this encoding is often called ``HTML
-encoding.'' To encode these characters, simply transform the special
-characters in your circumstance. Usually this means '<' becomes '<', '>'
-becomes '>', '&' becomes '&', and '"' becomes '"'. As noted
-above, although in theory '>' doesn't need to be quoted, because some
-browsers act on it (and fill in a '<') it needs to be quoted. There's a minor
-complexity with the double-quote character, because '"' only needs to be
-used inside attributes, and some extremely old browsers don't properly render
-it. If you can handle the additional complexity, you can try to encode '"'
-only when you need to, but it's easier to simply encode it and ask users to
-upgrade their browsers. Few users will use such ancient browsers, and the
-double-quote character encoding has been a standard for a long time.
-
-Scripting languages may consider implementing specialized auto-quoting types,
-the interesting approach developed in the web application framework [http://
-www.mems-exchange.org/software/quixote] Quixote. Quixote includes a
-"template" feature which allows easy mixing of HTML text and Python code;
-text generated by a template is passed back to the web browser as an HTML
-document. As of version 0.6, Quixote has two kinds of text (instead of a
-single kind as most such languages). Anything which appears in a literal,
-quoted string is of type "htmltext," and it is assumed to be exactly as the
-programmer wanted it to be (this is reasoble, since the programmer wrote it).
-Anything which takes the form of an ordinary Python string, however, is
-automatically quoted as the template is executed. As a result, text from a
-database or other external source is automatically quoted, and cannot be used
-for a cross-site scripting attack. Thus, Quixote implements a safe default -
-programmers no longer need to worry about quoting every bit of text that
-passes through the application (bugs involving too much quoting are less
-likely to be a security problem, and will be obvious in testing). Quixote
-uses an open source software license, but because of its venue identification
-it is probably GPL-incompatible, and is used by organizations such as the
-[http://lwn.net] Linux Weekly News.
-
-This approach to HTML encoding isn't quite enough encoding in some
-circumstances. As discussed in Section 9.5, you need to specify the output
-character encoding (the ``charset''). If some of your data is encoded using a
-different character encoding than the output character encoding, then you'll
-need to do something so your output uses a consistent and correct encoding.
-Also, you've selected an output encoding other than ISO-8859-1, then you need
-to make sure that any alternative encodings for special characters (such as "
-<") can't slip through to the browser. This is a problem with several
-character encodings, including popular ones like UTF-7 and UTF-8; see Section
-5.9 for more information on how to prevent ``alternative'' encodings of
-characters. One way to deal with incompatible character encodings is to first
-translate the characters internally to ISO 10646 (which has the same
-character values as Unicode), and then using either numeric character
-references or character entity references to represent them:
-
- * A numeric character reference looks like "D;", where D is a decimal
- number, or "H;" or "H;", where H is a hexadecimal number. The
- number given is the ISO 10646 character id (which has the same character
- values as Unicode). Thus И is the Cyrillic capital letter "I". The
- hexadecimal system isn't supported in the SGML standard (ISO 8879), so
- I'd suggest using the decimal system for output. Also, although SGML
- specification permits the trailing semicolon to be omitted in some
- circumstances, in practice many systems don't handle it - so always
- include the trailing semicolon.
-
- * A character entity reference does the same thing but uses mnemonic names
- instead of numbers. For example, "<" represents the < sign. If you're
- generating HTML, see the [http://www.w3.org] HTML specification which
- lists all mnemonic names.
-
-
-Either system (numeric or character entity) works; I suggest using character
-entity references for '<', '>', '&', and '"' because it makes your code (and
-output) easier for humans to understand. Other than that, it's not clear that
-one or the other system is uniformly better. If you expect humans to edit the
-output by hand later, use the character entity references where you can,
-otherwise I'd use the decimal numeric character references just because
-they're easier to program. This encoding scheme can be quite inefficient for
-some languages (especially Asian languages); if that is your primary content,
-you might choose to use a different character encoding (charset), filter on
-the critical characters (e.g., "<") and ensure that no alternative encodings
-for critical characters are allowed.
-
-URIs have their own encoding scheme, commonly called ``URL encoding.'' In
-this system, characters not permitted in URLs are represented using a percent
-sign followed by its two-digit hexadecimal value. To handle all of ISO 10646
-(Unicode), it's recommended to first translate the codes to UTF-8, and then
-encode it. See Section 5.11.4 for more about validating URIs.
------------------------------------------------------------------------------
-
-7.16. Foil Semantic Attacks
-
-A ``semantic attack'' is an attack in which the attacker uses the computing
-infrastructure/system in a way that fools the victim into thinking they are
-doing something, but are doing something different, yet the computing
-infrastructure/system is working exactly as it was designed to do. Semantic
-attacks often involve financial scams, where the attacker is trying to fool
-the victim into giving the attacker large sums of money (e.g., thinking
-they're investing in something). For example, the attacker may try to
-convince the user that they're looking at a trusted website, even if they
-aren't.
-
-Semantic attacks are difficult to counter, because they're exploiting the
-correct operation of the computer. The way to deal with semantic attacks is
-to help give the human additional information, so that when ``odd'' things
-happen the human will have more information or a warning will be presented
-that something may not be what it appears to be.
-
-One example is URIs that, while legitimate, may fool users into thinking they
-have a different meaning. For example, look at this URI:
- http://www.bloomberg.com@www.badguy.com
-If a user clicked on that URI, they might think that they're going to
-Bloomberg (who provide financial commodities news), but instead they're going
-to www.badguy.com (and providing the username www.bloomberg.com, which
-www.badguy.com will conveniently ignore). If the badguy.com website then
-imitated the bloomberg.com site, a user might be convinced that they're
-seeing the real thing (and make investment decisions based on
-attacker-controlled information). This depends on URIs being used in an
-unusual way - clickable URIs can have usernames, but usually don't. One
-solution for this case is for the web browser to detect such unusual URIs and
-create a pop-up confirmation widget, saying ``You are about to log into
-www.badguy.com as user www.bloomberg.com; do you wish to proceed?'' If the
-widget allows the user to change these entries, it provides additional
-functionality to the user as well as providing protection against that
-attack.
-
-Another example is homographs, particularly international homographs. Certain
-letters look similar to each other, and these can be exploited as well. For
-example, since 0 (zero) and O (the letter O) look similar to each other,
-users may not realize that WWW.BLOOMBERG.COM and WWW.BL00MBERG.COM are
-different web addresses. Other similar-looking letters include 1 (one) and l
-(lower-case L). If international characters are allowed, the situation is
-worse. For example, many Cyrillic letters look essentially the same as Roman
-letters, but the computer will treat them differently. Currently most systems
-don't allow international characters in host names, but for various good
-reasons it's widely agreed that support for them will be necessary in the
-future. One proposed solution has been to diplay letters from different code
-regions using different colors - that way, users get more information
-visually. If the users look at URI, they will hopefully notice the strange
-coloring. [Gabrilovich 2002] However, this does show the essence of a
-semantic attack - it's difficult to defend against, precisely because the
-computers are working correctly.
------------------------------------------------------------------------------
-
-7.17. Be Careful with Data Types
-
-Be careful with the data types used, in particular those used in interfaces.
-For example, ``signed'' and ``unsigned'' values are treated differently in
-many languages (such as C or C++).
------------------------------------------------------------------------------
-
-Chapter 8. Carefully Call Out to Other Resources
-
- Do not put your trust in princes, in
- mortal men, who cannot save.
- Psalms 146:3 (NIV)
-
-Practically no program is truly self-contained; nearly all programs call out
-to other programs for resources, such as programs provided by the operating
-system, software libraries, and so on. Sometimes this calling out to other
-resources isn't obvious or involves a great deal of ``hidden'' infrastructure
-which must be depended on, e.g., the mechanisms to implement dynamic
-libraries. Clearly, you must be careful about what other resources your
-program trusts and you must make sure that the way you send requests to them.
------------------------------------------------------------------------------
-
-8.1. Call Only Safe Library Routines
-
-Sometimes there is a conflict between security and the development principles
-of abstraction (information hiding) and reuse. The problem is that some
-high-level library routines may or may not be implemented securely, and their
-specifications won't tell you. Even if a particular implementation is secure,
-it may not be possible to ensure that other versions of the routine will be
-safe, or that the same interface will be safe on other platforms.
-
-In the end, if your application must be secure, you must sometimes
-re-implement your own versions of library routines. Basically, you have to
-re-implement routines if you can't be sure that the library routines will
-perform the necessary actions you require for security. Yes, in some cases
-the library's implementation should be fixed, but it's your users who will be
-hurt if you choose a library routine that is a security weakness. If can, try
-to use the high-level interfaces when you must re-implement something - that
-way, you can switch to the high-level interface on systems where its use is
-secure.
-
-If you can, test to see if the routine is secure or not, and use it if it's
-secure - ideally you can perform this test as part of compilation or
-installation (e.g., as part of an ``autoconf'' script). For some conditions
-this kind of run-time testing is impractical, but for other conditions, this
-can eliminate many problems. If you don't want to bother to re-implement the
-library, at least test to make sure it's safe and halt installation if it
-isn't. That way, users will not accidentally install an insecure program and
-will know what the problem is.
------------------------------------------------------------------------------
-
-8.2. Limit Call-outs to Valid Values
-
-Ensure that any call out to another program only permits valid and expected
-values for every parameter. This is more difficult than it sounds, because
-many library calls or commands call lower-level routines in potentially
-surprising ways. For example, many system calls are implemented indirectly by
-calling the shell, which means that passing characters which are shell
-metacharacters can have dangerous effects. So, let's discuss metacharacters.
------------------------------------------------------------------------------
-
-8.3. Handle Metacharacters
-
-Many systems, such as the command line shell and SQL interpreters, have
-``metacharacters'', that is, characters in their input that are not
-interpreted as data. Such characters might commands, or delimit data from
-commands or other data. If there's a language specification for that system's
-interface that you're using, then it certainly has metacharacters. If your
-program invokes those other systems and allows attackers to insert such
-metacharacters, the usual result is that an attacker can completely control
-your program.
-
-One of the most pervasive metacharacter problems are those involving shell
-metacharacters. The standard Unix-like command shell (stored in /bin/sh)
-interprets a number of characters specially. If these characters are sent to
-the shell, then their special interpretation will be used unless escaped;
-this fact can be used to break programs. According to the WWW Security FAQ
-[Stein 1999, Q37], these metacharacters are:
-+---------------------------------------------------------------------------+
-|& ; ` ' \ " | * ? ~ < > ^ ( ) [ ] { } $ \n \r |
-+---------------------------------------------------------------------------+
-
-I should note that in many situations you'll also want to escape the tab and
-space characters, since they (and the newline) are the default parameter
-separators. The separator values can be changed by setting the IFS
-environment variable, but if you can't trust the source of this variable you
-should have thrown it out or reset it anyway as part of your environment
-variable processing.
-
-Unfortunately, in real life this isn't a complete list. Here are some other
-characters that can be problematic:
-
- * '!' means ``not'' in an expression (as it does in C); if the return value
- of a program is tested, prepending ! could fool a script into thinking
- something had failed when it succeeded or vice versa. In some shells, the
- "!" also accesses the command history, which can cause real problems. In
- bash, this only occurs for interactive mode, but tcsh (a csh clone found
- in some Linux distributions) uses "!" even in scripts.
-
- * '#' is the comment character; all further text on the line is ignored.
-
- * '-' can be misinterpreted as leading an option (or, as - -, disabling all
- further options). Even if it's in the ``middle'' of a filename, if it's
- preceded by what the shell considers as whitespace you may have a
- problem.
-
- * ' ' (space), '\t' (tab), '\n' (newline), '\r' (return), '\v' (vertical
- space), '\f' (form feed), and other whitespace characters can have many
- dangerous effects. They can may turn a ``single'' filename into multiple
- arguments, for example, or turn a single parameter into multiple
- parameter when stored. Newline and return have a number of additional
- dangers, for example, they can be used to create ``spoofed'' log entries
- in some programs, or inserted just before a separate command that is then
- executed (if an underlying protocol uses newlines or returns as command
- separators).
-
- * Other control characters (in particular, NIL) may cause problems for some
- shell implementations.
-
- * Depending on your usage, it's even conceivable that ``.'' (the ``run in
- current shell'') and ``='' (for setting variables) might be worrisome
- characters. However, any example I've found so far where these are issues
- have other (much worse) security problems.
-
-
-
-
-What makes the shell metacharacters particularly pervasive is that several
-important library calls, such as popen(3) and system(3), are implemented by
-calling the command shell, meaning that they will be affected by shell
-metacharacters too. Similarly, execlp(3) and execvp(3) may cause the shell to
-be called. Many guidelines suggest avoiding popen(3), system(3), execlp(3),
-and execvp(3) entirely and use execve(3) directly in C when trying to spawn a
-process [Galvin 1998b]. At the least, avoid using system(3) when you can use
-the execve(3); since system(3) uses the shell to expand characters, there is
-more opportunity for mischief in system(3). In a similar manner the Perl and
-shell backtick (`) also call a command shell; for more information on Perl
-see Section 10.2.
-
-Since SQL also has metacharacters, a similar issue revolves around calls to
-SQL. When metacharacters are provided as input to trigger SQL metacharacters,
-it's often called "SQL injection". See [http://www.spidynamics.com/papers/
-SQLInjectionWhitePaper.pdf] SPI Dynamic's paper ``SQL Injection: Are your Web
-Applications Vulnerable?'' for further discussion on this. As discussed in
-Chapter 5, define a very limited pattern and only allow data matching that
-pattern to enter; if you limit your pattern to ^[0-9]$ or ^[0-9A-Za-z]*$ then
-you won't have a problem. If you must handle data that may include SQL
-metacharacters, a good approach is to convert it (as early as possible) to
-some other encoding before storage, e.g., HTML encoding (in which case you'll
-need to encode any ampersand characters too). Also, prepend and append a
-quote to all user input, even if the data is numeric; that way, insertions of
-white space and other kinds of data won't be as dangerous.
-
-Forgetting one of these characters can be disastrous, for example, many
-programs omit backslash as a shell metacharacter [rfp 1999]. As discussed in
-the Chapter 5, a recommended approach by some is to immediately escape at
-least all of these characters when they are input. But again, by far and away
-the best approach is to identify which characters you wish to permit, and use
-a filter to only permit those characters.
-
-A number of programs, especially those designed for human interaction, have
-``escape'' codes that perform ``extra'' activities. One of the more common
-(and dangerous) escape codes is one that brings up a command line. Make sure
-that these ``escape'' commands can't be included (unless you're sure that the
-specific command is safe). For example, many line-oriented mail programs
-(such as mail or mailx) use tilde (~) as an escape character, which can then
-be used to send a number of commands. As a result, apparently-innocent
-commands such as ``mail admin < file-from-user'' can be used to execute
-arbitrary programs. Interactive programs such as vi, emacs, and ed have
-``escape'' mechanisms that allow users to run arbitrary shell commands from
-their session. Always examine the documentation of programs you call to
-search for escape mechanisms. It's best if you call only programs intended
-for use by other programs; see Section 8.4.
-
-The issue of avoiding escape codes even goes down to low-level hardware
-components and emulators of them. Most modems implement the so-called
-``Hayes'' command set. Unless the command set is disabled, inducing a delay,
-the phrase ``+++'', and then another delay forces the modem to interpret any
-following text as commands to the modem instead. This can be used to
-implement denial-of-service attacks (by sending ``ATH0'', a hang-up command)
-or even forcing a user to connect to someone else (a sophisticated attacker
-could re-route a user's connection through a machine under the attacker's
-control). For the specific case of modems, this is easy to counter (e.g., add
-"ATS2-255" in the modem initialization string), but the general issue still
-holds: if you're controlling a lower-level component, or an emulation of one,
-make sure that you disable or otherwise handle any escape codes built into
-them.
-
-Many ``terminal'' interfaces implement the escape codes of ancient, long-gone
-physical terminals like the VT100. These codes can be useful, for example,
-for bolding characters, changing font color, or moving to a particular
-location in a terminal interface. However, do not allow arbitrary untrusted
-data to be sent directly to a terminal screen, because some of those codes
-can cause serious problems. On some systems you can remap keys (e.g., so when
-a user presses "Enter" or a function key it sends the command you want them
-to run). On some you can even send codes to clear the screen, display a set
-of commands you'd like the victim to run, and then send that set ``back'',
-forcing the victim to run the commands of the attacker's choosing without
-even waiting for a keystroke. This is typically implemented using ``page-mode
-buffering''. This security problem is why emulated tty's (represented as
-device files, usually in /dev/) should only be writeable by their owners and
-never anyone else - they should never have ``other write'' permission set,
-and unless only the user is a member of the group (i.e., the ``user-private
-group'' scheme), the ``group write'' permission should not be set either for
-the terminal [Filipski 1986]. If you're displaying data to the user at a
-(simulated) terminal, you probably need to filter out all control characters
-(characters with values less than 32) from data sent back to the user unless
-they're identified by you as safe. Worse comes to worse, you can identify tab
-and newline (and maybe carriage return) as safe, removing all the rest.
-Characters with their high bits set (i.e., values greater than 127) are in
-some ways trickier to handle; some old systems implement them as if they
-weren't set, but simply filtering them inhibits much international use. In
-this case, you need to look at the specifics of your situation.
-
-A related problem is that the NIL character (character 0) can have surprising
-effects. Most C and C++ functions assume that this character marks the end of
-a string, but string-handling routines in other languages (such as Perl and
-Ada95) can handle strings containing NIL. Since many libraries and kernel
-calls use the C convention, the result is that what is checked is not what is
-actually used [rfp 1999].
-
-When calling another program or referring to a file always specify its full
-path (e.g, /usr/bin/sort). For program calls, this will eliminate possible
-errors in calling the ``wrong'' command, even if the PATH value is
-incorrectly set. For other file referents, this reduces problems from ``bad''
-starting directories.
------------------------------------------------------------------------------
-
-8.4. Call Only Interfaces Intended for Programmers
-
-Call only application programming interfaces (APIs) that are intended for use
-by programs. Usually a program can invoke any other program, including those
-that are really designed for human interaction. However, it's usually unwise
-to invoke a program intended for human interaction in the same way a human
-would. The problem is that programs's human interfaces are intentionally rich
-in functionality and are often difficult to completely control. As discussed
-in Section 8.3, interactive programs often have ``escape'' codes, which might
-enable an attacker to perform undesirable functions. Also, interactive
-programs often try to intuit the ``most likely'' defaults; this may not be
-the default you were expecting, and an attacker may find a way to exploit
-this.
-
-Examples of programs you shouldn't normally call directly include mail,
-mailx, ed, vi, and emacs. At the very least, don't call these without
-checking their input first.
-
-Usually there are parameters to give you safer access to the program's
-functionality, or a different API or application that's intended for use by
-programs; use those instead. For example, instead of invoking a text editor
-to edit some text (such as ed, vi, or emacs), use sed where you can.
------------------------------------------------------------------------------
-
-8.5. Check All System Call Returns
-
-Every system call that can return an error condition must have that error
-condition checked. One reason is that nearly all system calls require limited
-system resources, and users can often affect resources in a variety of ways.
-Setuid/setgid programs can have limits set on them through calls such as
-setrlimit(3) and nice(2). External users of server programs and CGI scripts
-may be able to cause resource exhaustion simply by making a large number of
-simultaneous requests. If the error cannot be handled gracefully, then fail
-safe as discussed earlier.
------------------------------------------------------------------------------
-
-8.6. Avoid Using vfork(2)
-
-The portable way to create new processes in Unix-like systems is to use the
-fork(2) call. BSD introduced a variant called vfork(2) as an optimization
-technique. In vfork(2), unlike fork(2), the child borrows the parent's memory
-and thread of control until a call to execve(2V) or an exit occurs; the
-parent process is suspended while the child is using its resources. The
-rationale is that in old BSD systems, fork(2) would actually cause memory to
-be copied while vfork(2) would not. Linux never had this problem; because
-Linux used copy-on-write semantics internally, Linux only copies pages when
-they changed (actually, there are still some tables that have to be copied;
-in most circumstances their overhead is not significant). Nevertheless, since
-some programs depend on vfork(2), recently Linux implemented the BSD vfork(2)
-semantics (previously vfork(2) had been an alias for fork(2)).
-
-There are a number of problems with vfork(2). From a portability
-point-of-view, the problem with vfork(2) is that it's actually fairly tricky
-for a process to not interfere with its parent, especially in high-level
-languages. The ``not interfering'' requirement applies to the actual machine
-code generated, and many compilers generate hidden temporaries and other code
-structures that cause unintended interference. The result: programs using
-vfork(2) can easily fail when the code changes or even when compiler versions
-change.
-
-For secure programs it gets worse on Linux systems, because Linux (at least
-2.2 versions through 2.2.17) is vulnerable to a race condition in vfork()'s
-implementation. If a privileged process uses a vfork(2)/execve(2) pair in
-Linux to execute user commands, there's a race condition while the child
-process is already running as the user's UID, but hasn`t entered execve(2)
-yet. The user may be able to send signals, including SIGSTOP, to this
-process. Due to the semantics of vfork(2), the privileged parent process
-would then be blocked as well. As a result, an unprivileged process could
-cause the privileged process to halt, resulting in a denial-of-service of the
-privileged process' service. FreeBSD and OpenBSD, at least, have code to
-specifically deal with this case, so to my knowledge they are not vulnerable
-to this problem. My thanks to Solar Designer, who noted and documented this
-problem in Linux on the ``security-audit'' mailing list on October 7, 2000.
-
-The bottom line with vfork(2) is simple: don't use vfork(2) in your programs.
-This shouldn't be difficult; the primary use of vfork(2) is to support old
-programs that needed vfork's semantics.
------------------------------------------------------------------------------
-
-8.7. Counter Web Bugs When Retrieving Embedded Content
-
-Some data formats can embed references to content that is automatically
-retrieved when the data is viewed (not waiting for a user to select it). If
-it's possible to cause this data to be retrieved through the Internet (e.g.,
-through the World Wide Wide), then there is a potential to use this
-capability to obtain information about readers without the readers'
-knowledge, and in some cases to force the reader to perform activities
-without the reader's consent. This privacy concern is sometimes called a
-``web bug.''
-
-In a web bug, a reference is intentionally inserted into a document and used
-by the content author to track who, where, and how often a document is read.
-The author can also essentially watch how a ``bugged'' document is passed
-from one person to another or from one organization to another.
-
-The HTML format has had this issue for some time. According to the [http://
-www.privacyfoundation.org] Privacy Foundation:
-
-
- Web bugs are used extensively today by Internet advertising companies on
- Web pages and in HTML-based email messages for tracking. They are
- typically 1-by-1 pixel in size to make them invisible on the screen to
- disguise the fact that they are used for tracking. However, they could be
- any image (using the img tag); other HTML tags that can implement web
- bugs, e.g., frames, form invocations, and scripts. By itself, invoking
- the web bug will provide the ``bugging'' site the reader IP address, the
- page that the reader visited, and various information about the browser;
- by also using cookies it's often possible to determine the specific
- identify of the reader. A survey about web bugs is available at [http://
- www.securityspace.com/s_survey/data/man.200102/webbug.html] http://
- www.securityspace.com/s_survey/data/man.200102/webbug.html.
-
-What is more concerning is that other document formats seem to have such a
-capability, too. When viewing HTML from a web site with a web browser, there
-are other ways of getting information on who is browsing the data, but when
-viewing a document in another format from an email few users expect that the
-mere act of reading the document can be monitored. However, for many formats,
-reading a document can be monitored. For example, it has been recently
-determined that Microsoft Word can support web bugs; see [http://
-www.privacyfoundation.org/advisories/advWordBugs.html] the Privacy Foundation
-advisory for more information . As noted in their advisory, recent versions
-of Microsoft Excel and Microsoft Power Point can also be bugged. In some
-cases, cookies can be used to obtain even more information.
-
-Web bugs are primarily an issue with the design of the file format. If your
-users value their privacy, you probably will want to limit the automatic
-downloading of included files. One exception might be when the file itself is
-being downloaded (say, via a web browser); downloading other files from the
-same location at the same time is much less likely to concern users.
------------------------------------------------------------------------------
-
-8.8. Hide Sensitive Information
-
-Sensitive information should be hidden from prying eyes, both while being
-input and output, and when stored in the system. Sensitive information
-certainly includes credit card numbers, account balances, and home addresses,
-and in many applications also includes names, email addressees, and other
-private information.
-
-Web-based applications should encrypt all communication with a user that
-includes sensitive information; the usual way is to use the "https:" protocol
-(HTTP on top of SSL or TLS). According to the HTTP 1.1 specification (IETF
-RFC 2616 section 15.1.3), authors of services which use the HTTP protocol
-should not use GET based forms for the submission of sensitive data, because
-this will cause this data to be encoded in the Request-URI. Many existing
-servers, proxies, and user agents will log the request URI in some place
-where it might be visible to third parties. Instead, use POST-based
-submissions, which are intended for this purpose.
-
-Databases of such sensitive data should also be encrypted on any storage
-device (such as files on a disk). Such encryption doesn't protect against an
-attacker breaking the secure application, of course, since obviously the
-application has to have a way to access the encrypted data too. However, it
-does provide some defense against attackers who manage to get backup disks of
-the data but not of the keys used to decrypt them. It also provides some
-defense if an attacker doesn't manage to break into an application, but does
-manage to partially break into a related system just enough to view the
-stored data - again, they now have to break the encryption algorithm to get
-the data. There are many circumstances where data can be transferred
-unintentionally (e.g., core files), which this also prevents. It's worth
-noting, however, that this is not as strong a defense as you'd think, because
-often the server itself can be subverted or broken.
------------------------------------------------------------------------------
-
-Chapter 9. Send Information Back Judiciously
-
- Do not answer a fool according to his
- folly, or you will be like him
- yourself.
- Proverbs 26:4 (NIV)
------------------------------------------------------------------------------
-
-9.1. Minimize Feedback
-
-Avoid giving much information to untrusted users; simply succeed or fail, and
-if it fails just say it failed and minimize information on why it failed.
-Save the detailed information for audit trail logs. For example:
-
- * If your program requires some sort of user authentication (e.g., you're
- writing a network service or login program), give the user as little
- information as possible before they authenticate. In particular, avoid
- giving away the version number of your program before authentication.
- Otherwise, if a particular version of your program is found to have a
- vulnerability, then users who don't upgrade from that version advertise
- to attackers that they are vulnerable.
-
- * If your program accepts a password, don't echo it back; this creates
- another way passwords can be seen.
-
-
-
------------------------------------------------------------------------------
-
-9.2. Don't Include Comments
-
-When returning information, don't include any ``comments'' unless you're sure
-you want the receiving user to be able to view them. This is a particular
-problem for web applications that generate files (such as HTML). Often web
-application programmers wish to comment their work (which is fine), but
-instead of simply leaving the comment in their code, the comment is included
-as part of the generated file (usually HTML or XML) that is returned to the
-user. The trouble is that these comments sometimes provide insight into how
-the system works in a way that aids attackers.
------------------------------------------------------------------------------
-
-9.3. Handle Full/Unresponsive Output
-
-It may be possible for a user to clog or make unresponsive a secure program's
-output channel back to that user. For example, a web browser could be
-intentionally halted or have its TCP/IP channel response slowed. The secure
-program should handle such cases, in particular it should release locks
-quickly (preferably before replying) so that this will not create an
-opportunity for a Denial-of-Service attack. Always place time-outs on
-outgoing network-oriented write requests.
------------------------------------------------------------------------------
-
-9.4. Control Data Formatting (Format Strings/Formatation)
-
-A number of output routines in computer languages have a parameter that
-controls the generated format. In C, the most obvious example is the printf()
-family of routines (including printf(), sprintf(), snprintf(), fprintf(), and
-so on). Other examples in C include syslog() (which writes system log
-information) and setproctitle() (which sets the string used to display
-process identifier information). Many functions with names beginning with
-``err'' or ``warn'', containing ``log'' , or ending in ``printf'' are worth
-considering. Python includes the "%" operation, which on strings controls
-formatting in a similar manner. Many programs and libraries define formatting
-functions, often by calling built-in routines and doing additional processing
-(e.g., glib's g_snprintf() routine).
-
-Format languages are essentially little programming languages - so developers
-who let attackers control the format string are essentially running programs
-written by attackers! Surprisingly, many people seem to forget the power of
-these formatting capabilities, and use data from untrusted users as the
-formatting parameter. The guideline here is clear - never use unfiltered data
-from an untrusted user as the format parameter. Failing to follow this
-guideline usually results in a format string vulnerability (also called a
-formatation vulnerability). Perhaps this is best shown by example:
- /* Wrong way: */
- printf(string_from_untrusted_user);
- /* Right ways: */
- printf("%s", string_from_untrusted_user); /* safe */
- fputs(string_from_untrusted_user); /* better for simple strings */
-
-If an attacker controls the formatting information, an attacker can cause all
-sorts of mischief by carefully selecting the format. The case of C's printf()
-is a good example - there are lots of ways to possibly exploit
-user-controlled format strings in printf(). These include buffer overruns by
-creating a long formatting string (this can result in the attacker having
-complete control over the program), conversion specifications that use
-unpassed parameters (causing unexpected data to be inserted), and creating
-formats which produce totally unanticipated result values (say by prepending
-or appending awkward data, causing problems in later use). A particularly
-nasty case is printf's %n conversion specification, which writes the number
-of characters written so far into the pointer argument; using this, an
-attacker can overwrite a value that was intended for printing! An attacker
-can even overwrite almost arbitrary locations, since the attacker can specify
-a ``parameter'' that wasn't actually passed. The %n conversion specification
-has been standard part of C since its beginning, is required by all C
-standards, and is used by real programs. In 2000, Greg KH did a quick search
-of source code and identified the programs BitchX (an irc client), Nedit (a
-program editor), and SourceNavigator (a program editor / IDE / Debugger) as
-using %n, and there are doubtless many more. Deprecating %n would probably be
-a good idea, but even without %n there can be significant problems. Many
-papers discuss these attacks in more detail, for example, you can see
-Avoiding security holes when developing an application - Part 4: format
-strings.
-
-Since in many cases the results are sent back to the user, this attack can
-also be used to expose internal information about the stack. This information
-can then be used to circumvent stack protection systems such as StackGuard
-and ProPolice; StackGuard uses constant ``canary'' values to detect attacks,
-but if the stack's contents can be displayed, the current value of the canary
-will be exposed, suddenly making the software vulnerable again to stack
-smashing attacks.
-
-A formatting string should almost always be a constant string, possibly
-involving a function call to implement a lookup for internationalization
-(e.g., via gettext's _()). Note that this lookup must be limited to values
-that the program controls, i.e., the user must be allowed to only select from
-the message files controlled by the program. It's possible to filter user
-data before using it (e.g., by designing a filter listing legal characters
-for the format string such as [A-Za-z0-9]), but it's usually better to simply
-prevent the problem by using a constant format string or fputs() instead.
-Note that although I've listed this as an ``output'' problem, this can cause
-problems internally to a program before output (since the output routines may
-be saving to a file, or even just generating internal state such as via
-snprintf()).
-
-The problem of input formatting causing security problems is not an idle
-possibility; see CERT Advisory CA-2000-13 for an example of an exploit using
-this weakness. For more information on how these problems can be exploited,
-see Pascal Bouchareine's email article titled ``[Paper] Format bugs'',
-published in the July 18, 2000 edition of [http://www.securityfocus.com]
-Bugtraq. As of December 2000, developmental versions of the gcc compiler
-support warning messages for insecure format string usages, in an attempt to
-help developers avoid these problems.
-
-Of course, this all begs the question as to whether or not the
-internationalization lookup is, in fact, secure. If you're creating your own
-internationalization lookup routines, make sure that an untrusted user can
-only specify a legal locale and not something else like an arbitrary path.
-
-Clearly, you want to limit the strings created through internationalization
-to ones you can trust. Otherwise, an attacker could use this ability to
-exploit the weaknesses in format strings, particularly in C/C++ programs.
-This has been an item of discussion in Bugtraq (e.g., see John Levon's
-Bugtraq post on July 26, 2000). For more information, see the discussion on
-permitting users to only select legal language values in Section 5.8.3.
-
-Although it's really a programming bug, it's worth mentioning that different
-countries notate numbers in different ways, in particular, both the period
-(.) and comma (,) are used to separate an integer from its fractional part.
-If you save or load data, you need to make sure that the active locale does
-not interfere with data handling. Otherwise, a French user may not be able to
-exchange data with an English user, because the data stored and retrieved
-will use different separators. I'm unaware of this being used as a security
-problem, but it's conceivable.
------------------------------------------------------------------------------
-
-9.5. Control Character Encoding in Output
-
-In general, a secure program must ensure that it synchronizes its clients to
-any assumptions made by the secure program. One issue often impacting web
-applications is that they forget to specify the character encoding of their
-output. This isn't a problem if all data is from trusted sources, but if some
-of the data is from untrusted sources, the untrusted source may sneak in data
-that uses a different encoding than the one expected by the secure program.
-This opens the door for a cross-site malicious content attack; see Section
-5.10 for more information.
-
-[http://www.cert.org/tech_tips/malicious_code_mitigation.html] CERT's tech
-tip on malicious code mitigation explains the problem of unspecified
-character encoding fairly well, so I quote it here:
-
-
- Many web pages leave the character encoding ("charset" parameter in HTTP)
- undefined. In earlier versions of HTML and HTTP, the character encoding
- was supposed to default to ISO-8859-1 if it wasn't defined. In fact, many
- browsers had a different default, so it was not possible to rely on the
- default being ISO-8859-1. HTML version 4 legitimizes this - if the
- character encoding isn't specified, any character encoding can be used.
-
- If the web server doesn't specify which character encoding is in use, it
- can't tell which characters are special. Web pages with unspecified
- character encoding work most of the time because most character sets
- assign the same characters to byte values below 128. But which of the
- values above 128 are special? Some 16-bit character-encoding schemes have
- additional multi-byte representations for special characters such as "<".
- Some browsers recognize this alternative encoding and act on it. This is
- "correct" behavior, but it makes attacks using malicious scripts much
- harder to prevent. The server simply doesn't know which byte sequences
- represent the special characters.
-
- For example, UTF-7 provides alternative encoding for "<" and ">", and
- several popular browsers recognize these as the start and end of a tag.
- This is not a bug in those browsers. If the character encoding really is
- UTF-7, then this is correct behavior. The problem is that it is possible
- to get into a situation in which the browser and the server disagree on
- the encoding.
-
-Thankfully, though explaining the issue is tricky, its resolution in HTML is
-easy. In the HTML header, simply specify the charset, like this example from
-CERT:
-
-
-
-HTML SAMPLE
-
-
-This is a sample HTML page
-
-
-
-
-From a technical standpoint, an even better approach is to set the character
-encoding as part of the HTTP protocol output, though some libraries make this
-more difficult. This is technically better because it doesn't force the
-client to examine the header to determine a character encoding that would
-enable it to read the META information in the header. Of course, in practice
-a browser that couldn't read the META information given above and use it
-correctly would not succeed in the marketplace, but that's a different issue.
-In any case, this just means that the server would need to send as part of
-the HTTP protocol, a ``charset'' with the desired value. Unfortunately, it's
-hard to heartily recommend this (technically better) approach, because some
-older HTTP/1.0 clients did not deal properly with an explicit charset
-parameter. Although the HTTP/1.1 specification requires clients to obey the
-parameter, it's suspicious enough that you probably ought to use it as an
-adjunct to forcing the use of the correct character encoding, and not your
-sole mechanism.
------------------------------------------------------------------------------
-
-9.6. Prevent Include/Configuration File Access
-
-When developing web based applications, do not allow users to access (read)
-files such as the program include and configuration files. This data may
-provide enough information (e.g., passwords) to break into the system. Note
-that this guideline sometimes also applies to other kinds of applications.
-There are several actions you can take to do this, including:
-
- * Place the include/configuration files outside of the web documentation
- root (so that the web server will never serve the files). Really, this is
- the best approach unless there's some reason the files have to be inside
- the document root.
-
- * Configure the web server so it will not serve include files as text. For
- example, if you're using Apache, you can add a handler or an action for
- .inc files like so:
-
- Order allow,deny
- Deny from all
-
-
- * Place the include files in a protected directory (using .htaccess), and
- designate them as files that won't be served.
-
- * Use a filter to deny access to the files. For Apache, this can be done
- using:
-
- Order allow,deny
- Deny from all
-
- If you need full regular expressions to match filenames, in Apache you
- could use the FilesMatch directive.
-
- * If your include file is a valid script file, which your server will
- parse, make sure that it doesn't act on user-supplied parameters and that
- it's designed to be secure.
-
-
-These approaches won't protect you from users who have access to the
-directories your files are in if they are world-readable. You could change
-the permissions of the files so that only the uid/gid of the webserver can
-read these files. However, this approach won't work if the user can get the
-web server to run his own scripts (the user can just write scripts to access
-your files). Fundamentally, if your site is being hosted on a server shared
-with untrusted people, it's harder to secure the system. One approach is to
-run multiple web serving programs, each with different permissions; this
-provides more security but is painful in practice. Another approach is to set
-these files to be read only by your uid/gid, and have the server run scripts
-at ``your'' permission. This latter approach has its own problems: it means
-that certain parts of the server must have root privileges, and that the
-script may have more permissions than necessary.
------------------------------------------------------------------------------
-
-Chapter 10. Language-Specific Issues
-
- Undoubtedly there are all sorts of
- languages in the world, yet none of
- them is without meaning.
- 1 Corinthians 14:10 (NIV)
-
-There are many language-specific security issues. Many of them can be
-summarized as follows:
-
- * Turn on all relevant warnings and protection mechanisms available to you
- where practical. For compiled languages, this includes both compile-time
- mechanisms and run-time mechanisms. In general, security-relevant
- programs should compile cleanly with all warnings turned on.
-
- * If you can use a ``safe mode'' (e.g., a mode that limits the activities
- of the executable), do so. Many interpreted languages include such a
- mode. In general, don't depend on the safe mode to provide absolute
- protection; most language's safe modes have not been sufficiently
- analyzed for their security, and when they are, people usually discover
- many ways to exploit it. However, by writing your code so that it's
- secure out of safe mode, and then adding the safe mode, you end up with
- defense-in-depth (since in many cases, an attacker has to break both your
- application code and the safe mode).
-
- * Avoid dangerous and deprecated operations in the language. By
- ``dangerous'', I mean operations which are difficult to use correctly.
- For example, many languages include some mechanisms or functions that are
- ``magical'', that is, they try to infer the ``right'' thing to do using a
- heuristic - generally you should avoid them, because an attacker may be
- able to exploit the heuristic and do something dangerous instead of what
- was intended. A common error is an ``off-by-one'' error, in which the
- bound is off by one, and sometimes these result in exploitable errors. In
- general, write code in a way that minimizes the likelihood of off-by-one
- errors. If there are standard conventions in the language (e.g., for
- writing loops), use them.
-
- * Ensure that the languages' infrastructure (e.g., run-time library) is
- available and secured.
-
- * Languages that automatically garbage-collect strings should be especially
- careful to immediately erase secret data (in particular secret keys and
- passwords).
-
- * Know precisely the semantics of the operations that you are using. Look
- up each operation's semantics in its documentation. Do not ignore return
- values unless you're sure they cannot be relevant. Don't ignore the
- difference between ``signed'' and ``unsigned'' values. This is
- particularly difficult in languages which don't support exceptions, like
- C, but that's the way it goes.
-
-
------------------------------------------------------------------------------
-10.1. C/C++
-
-It is possible to develop secure code using C or C++, but both languages
-include fundamental design decisions that make it more difficult to write
-secure code. C and C++ easily permit buffer overflows, force programmers to
-do their own memory management, and are fairly lax in their typing systems.
-For systems programs (such as an operating system kernel), C and C++ are fine
-choices. For applications, C and C++ are often over-used. Strongly consider
-using an even higher-level language, at least for the majority of the
-application. But clearly, there are many existing programs in C and C++ which
-won't get completely rewritten, and many developers may choose to develop in
-C and C++.
-
-One of the biggest security problems with C and C++ programs is buffer
-overflow; see Chapter 6 for more information. C has the additional weakness
-of not supporting exceptions, which makes it easy to write programs that
-ignore critical error situations.
-
-Another problem with C and C++ is that developers have to do their own memory
-management (e.g., using malloc(), alloc(), free(), new, and delete), and
-failing to do it correctly may result in a security flaw. The more serious
-problem is that programs may erroneously free memory that should not be freed
-(e.g., because it's already been freed). This can result in an immediate
-crash or be exploitable, allowing an attacker to cause arbitrary code to be
-executed; see [Anonymous Phrack 2001]. Some systems (such as many GNU/Linux
-systems) don't protect against double-freeing at all by default, and it is
-not clear that those systems which attempt to protect themselves are truly
-unsubvertable. Although I haven't seen anything written on the subject, I
-suspect that using the incorrect call in C++ (e.g., mixing new and malloc())
-could have similar effects. For example, on March 11, 2002, it was announced
-that the zlib library had this problem, affecting the many programs that use
-it. Thus, when testing programs on GNU/Linux, you should set the environment
-variable MALLOC_CHECK_ to 1 or 2, and you might consider executing your
-program with that environment variable set with 0, 1, 2. The reason for this
-variable is explained in GNU/Linux malloc(3) man page:
-
-
- Recent versions of Linux libc (later than 5.4.23) and GNU libc (2.x)
- include a malloc implementation which is tunable via environment
- variables. When MALLOC_CHECK_ is set, a special (less efficient)
- implementation is used which is designed to be tolerant against simple
- errors, such as double calls of free() with the same argument, or
- overruns of a single byte (off-by-one bugs). Not all such errors can be
- protected against, however, and memory leaks can result. If MALLOC_CHECK_
- is set to 0, any detected heap corruption is silently ignored; if set to
- 1, a diagnostic is printed on stderr; if set to 2, abort() is called
- immediately. This can be useful because otherwise a crash may happen much
- later, and the true cause for the problem is then very hard to track
- down.
-
-There are various tools to deal with this, such as Electric Fence and
-Valgrind; see Section 11.7 for more information. If unused memory is not
-free'd, (e.g., using free()), that unused memory may accumulate - and if
-enough unused memory can accumulate, the program may stop working. As a
-result, the unused memory may be exploitable by attackers to create a denial
-of service. It's theoretically possible for attackers to cause memory to be
-fragmented and cause a denial of service, but usually this is a fairly
-impractical and low-risk attack.
-
-Be as strict as you reasonably can when you declare types. Where you can, use
-``enum'' to define enumerated values (and not just a ``char'' or ``int'' with
-special values). This is particularly useful for values in switch statements,
-where the compiler can be used to determine if all legal values have been
-covered. Where it's appropriate, use ``unsigned'' types if the value can't be
-negative.
-
-One complication in C and C++ is that the character type ``char'' can be
-signed or unsigned (depending on the compiler and machine). When a signed
-char with its high bit set is saved in an integer, the result will be a
-negative number; in some cases this can be exploitable. In general, use
-``unsigned char'' instead of char or signed char for buffers, pointers, and
-casts when dealing with character data that may have values greater than 127
-(0x7f).
-
-C and C++ are by definition rather lax in their type-checking support, but
-you can at least increase their level of checking so that some mistakes can
-be detected automatically. Turn on as many compiler warnings as you can and
-change the code to cleanly compile with them, and strictly use ANSI
-prototypes in separate header (.h) files to ensure that all function calls
-use the correct types. For C or C++ compilations using gcc, use at least the
-following as compilation flags (which turn on a host of warning messages) and
-try to eliminate all warnings (note that -O2 is used since some warnings can
-only be detected by the data flow analysis performed at higher optimization
-levels):
-+---------------------------------------------------------------------------+
-|gcc -Wall -Wpointer-arith -Wstrict-prototypes -O2 |
-+---------------------------------------------------------------------------+
-You might want ``-W -pedantic'' too.
-
-Many C/C++ compilers can detect inaccurate format strings. For example, gcc
-can warn about inaccurate format strings for functions you create if you use
-its __attribute__() facility (a C extension) to mark such functions, and you
-can use that facility without making your code non-portable. Here is an
-example of what you'd put in your header (.h) file:
- /* in header.h */
- #ifndef __GNUC__
- # define __attribute__(x) /*nothing*/
- #endif
-
- extern void logprintf(const char *format, ...)
- __attribute__((format(printf,1,2)));
- extern void logprintva(const char *format, va_list args)
- __attribute__((format(printf,1,0)));
-The "format" attribute takes either "printf" or "scanf", and the numbers that
-follow are the parameter number of the format string and the first variadic
-parameter (respectively). The GNU docs talk about this well. Note that there
-are other __attribute__ facilities as well, such as "noreturn" and "const".
-
-Avoid common errors made by C/C++ developers. For example, be careful about
-not using ``='' when you mean ``==''.
------------------------------------------------------------------------------
-
-10.2. Perl
-
-Perl programmers should first read the man page perlsec(1), which describes a
-number of issues involved with writing secure programs in Perl. In
-particular, perlsec(1) describes the ``taint'' mode, which most secure Perl
-programs should use. Taint mode is automatically enabled if the real and
-effective user or group IDs differ, or you can use the -T command line flag
-(use the latter if you're running on behalf of someone else, e.g., a CGI
-script). Taint mode turns on various checks, such as checking path
-directories to make sure they aren't writable by others.
-
-The most obvious affect of taint mode, however, is that you may not use data
-derived from outside your program to affect something else outside your
-program by accident. In taint mode, all externally-obtained input is marked
-as ``tainted'', including command line arguments, environment variables,
-locale information (see perllocale(1)), results of certain system calls
-(readdir, readlink, the gecos field of getpw* calls), and all file input.
-Tainted data may not be used directly or indirectly in any command that
-invokes a sub-shell, nor in any command that modifies files, directories, or
-processes. There is one important exception: If you pass a list of arguments
-to either system or exec, the elements of that list are NOT checked for
-taintedness, so be especially careful with system or exec while in taint
-mode.
-
-Any data value derived from tainted data becomes tainted also. There is one
-exception to this; the way to untaint data is to extract a substring of the
-tainted data. Don't just use ``.*'' blindly as your substring, though, since
-this would defeat the tainting mechanism's protections. Instead, identify
-patterns that identify the ``safe'' pattern allowed by your program, and use
-them to extract ``good'' values. After extracting the value, you may still
-need to check it (in particular for its length).
-
-The open, glob, and backtick functions call the shell to expand filename wild
-card characters; this can be used to open security holes. You can try to
-avoid these functions entirely, or use them in a less-privileged ``sandbox''
-as described in perlsec(1). In particular, backticks should be rewritten
-using the system() call (or even better, changed entirely to something
-safer).
-
-The perl open() function comes with, frankly, ``way too much magic'' for most
-secure programs; it interprets text that, if not carefully filtered, can
-create lots of security problems. Before writing code to open or lock a file,
-consult the perlopentut(1) man page. In most cases, sysopen() provides a
-safer (though more convoluted) approach to opening a file. The new Perl 5.6
-adds an open() call with 3 parameters to turn off the magic behavior without
-requiring the convolutions of sysopen().
-
-Perl programs should turn on the warning flag (-w), which warns of
-potentially dangerous or obsolete statements.
-
-You can also run Perl programs in a restricted environment. For more
-information see the ``Safe'' module in the standard Perl distribution. I'm
-uncertain of the amount of auditing that this has undergone, so beware of
-depending on this for security. You might also investigate the ``Penguin
-Model for Secure Distributed Internet Scripting'', though at the time of this
-writing the code and documentation seems to be unavailable.
-
-Many installations include a setuid root version of perl named ``suidperl''.
-However, the perldelta man page version 5.6.1 recommends using sudo instead,
-stating the following:
-
-
- "Note that suidperl is neither built nor installed by default in any
- recent version of perl. Use of suidperl is highly discouraged. If you
- think you need it, try alternatives such as sudo first. See http://
- www.courtesan.com/sudo/".
-
------------------------------------------------------------------------------
-10.3. Python
-
-As with any language, beware of any functions which allow data to be executed
-as parts of a program, to make sure an untrusted user can't affect their
-input. This includes exec(), eval(), and execfile() (and frankly, you should
-check carefully any call to compile()). The input() statement is also
-surprisingly dangerous. [Watters 1996, 150].
-
-Python programs with privileges that can be invoked by unprivileged users
-(e.g., setuid/setgid programs) must not import the ``user'' module. The user
-module causes the pythonrc.py file to be read and executed. Since this file
-would be under the control of an untrusted user, importing the user module
-allows an attacker to force the trusted program to run arbitrary code.
-
-Python does very little compile-time checking -- it has essentially no
-compile-time type information, and it doesn't even check that the number of
-parameters passed are legal for a given function or method. This is
-unfortunate, resulting in a lot of latent bugs (both John Viega and I have
-experienced this problem). Hopefully someday Python will implement optional
-static typing and type-checking, an idea that's been discussed for some time.
-A partial solution for now is PyChecker, a lint-like program that checks for
-common bugs in Python source code. You can get PyChecker from [http://
-pychecker.sourceforge.net] http://pychecker.sourceforge.net
-
-Python includes support for ``Restricted Execution'' through its RExec class.
-This is primarily intended for executing applets and mobile code, but it can
-also be used to limit privilege in a program even when the code has not been
-provided externally. By default, a restricted execution environment permits
-reading (but not writing) of files, and does not include operations for
-network access or GUI interaction. These defaults can be changed, but beware
-of creating loopholes in the restricted environment. In particular, allowing
-a user to unrestrictedly add attributes to a class permits all sorts of ways
-to subvert the environment because Python's implementation calls many
-``hidden'' methods. Note that, by default, most Python objects are passed by
-reference; if you insert a reference to a mutable value into a restricted
-program's environment, the restricted program can change the object in a way
-that's visible outside the restricted environment! Thus, if you want to give
-access to a mutable value, in many cases you should copy the mutable value or
-use the Bastion module (which supports restricted access to another object).
-For more information, see Kuchling [2000]. I'm uncertain of the amount of
-auditing that the restricted execution capability has undergone, so
-programmer beware.
------------------------------------------------------------------------------
-
-10.4. Shell Scripting Languages (sh and csh Derivatives)
-
-I strongly recommend against using standard command shell scripting languages
-(such as csh, sh, and bash) for setuid/setgid secure code. Some systems (such
-as Linux) completely disable setuid/setgid shell scripts, so creating setuid/
-setgid shell scripts creates an unnecessary portability problem. On some old
-systems they are fundamentally insecure due to a race condition (as discussed
-in Section 3.1.3). Even for other systems, they're not really a good idea.
-
-In fact, there are a vast number of circumstances where shell scripting
-languages shouldn't be used at all for secure programs. Standard command
-shells are notorious for being affected by nonobvious inputs - generally
-because command shells were designed to try to do things ``automatically''
-for an interactive user, not to defend against a determined attacker. Shell
-programs are fine for programs that don't need to be secure (e.g., they run
-at the same privilege as the unprivileged user and don't accept ``untrusted''
-data). They can also be useful when they're running with privilege, as long
-as all the input (e.g., files, directories, command line, environment, etc.)
-are all from trusted users - which is why they're often used quite
-successfully in startup/shutdown scripts.
-
-Writing secure shell programs in the presence of malicious input is harder
-than in many other languages because of all the things that shells are
-affected by. For example, ``hidden'' environment variables (e.g., the ENV,
-BASH_ENV, and IFS values) can affect how they operate or even execute
-arbitrary user-defined code before the script can even execute. Even things
-like filenames of the executable or directory contents can affect execution.
-If an attacker can create filenames containing some control characters (e.g.,
-newline), or whitespace, or shell metacharacters, or begin with a dash (the
-option flag syntax), there are often ways to exploit them. For example, on
-many Bourne shell implementations, doing the following will grant root access
-(thanks to NCSA for describing this exploit):
- % ln -s /usr/bin/setuid-shell /tmp/-x
- % cd /tmp
- % -x
-Some systems may have closed this hole, but the point still stands: most
-command shells aren't intended for writing secure setuid/setgid programs. For
-programming purposes, avoid creating setuid shell scripts, even on those
-systems that permit them. Instead, write a small program in another language
-to clean up the environment, then have it call other executables (some of
-which might be shell scripts).
-
-If you still insist on using shell scripting languages, at least put the
-script in a directory where it cannot be moved or changed. Set PATH and IFS
-to known values very early in your script; indeed, the environment should be
-cleaned before the script is called. Also, very early on, ``cd'' to a safe
-directory. Use data only from directories that is controlled by trusted
-users, e.g., /etc, so that attackers can't insert maliciously-named files
-into those directories. Be sure to quote every filename passed on a command
-line, e.g., use "$1" not $1, because filenames with whitespace will be split.
-Call commands using "--" to disable additional options where you can, because
-attackers may create or pass filenames beginning with dash in the hope of
-tricking the program into processing it as an option. Be especially careful
-of filenames embedding other characters (e.g., newlines and other control
-characters). Examine input filenames especially carefully and be very
-restrictive on what filenames are permitted.
-
-If you don't mind limiting your program to only work with GNU tools (or if
-you detect and optionally use the GNU tools instead when they are available),
-you might want to use NIL characters as the filename terminator instead of
-newlines. By using NIL characters, rather than whitespace or newlines,
-handling nasty filenames (e.g., those with embedded newlines) is much
-simpler. Several GNU tools that output or input filenames can use this format
-instead of the more common ``one filename per line'' format. Unfortunately,
-the name of this option isn't consistent between tools; for many tools the
-name of this option is ``--null'' or ``-0''. GNU programs xargs and cpio
-allow using either --null or -0, tar uses --null, find uses -print0, grep
-uses either --null or -Z, and sort uses either -z or --zero-terminated. Those
-who find this inconsistency particularly disturbing are invited to supply
-patches to the GNU authors; I would suggest making sure every program
-supported ``--null'' since that seems to be the most common option name. For
-example, here's one way to move files to a target directory, even if there
-may be a vast number of files and some may have awkward names with embedded
-newlines (thanks to Jim Dennis for reminding me of this):
- find . -print0 | xargs --null mv --target-dir=$TARG
-
-In a similar vein, I recommend not trusting ``restricted shells'' to
-implement secure policies. Restricted shells are shells that intentionally
-prevent users from performing a large set of activities - their goal is to
-force users to only run a small set of programs. A restricted shell can be
-useful as a defense-in-depth measure, but restricted shells are notoriously
-hard to configure correctly and as configured are often subvertable. For
-example, some restricted shells will start by running some file in an
-unrestricted mode (e.g., ``.profile'') - if a user can change this file, they
-can force execution of that code. A restricted shell should be set up to only
-run a few programs, but if any of those programs have ``shell escapes'' to
-let users run more programs, attackers can use those shell escapes to escape
-the restricted shell. Even if the programs don't have shell escapes, it's
-quite likely that the various programs can be used together (along with the
-shell's capabilities) to escape the restrictions. Of course, if you don't set
-the PATH of a restricted shell (and allow any program to run), then an
-attacker can use the shell escapes of many programs (including text editors,
-mailers, etc.). The problem is that the purpose of a shell is to run other
-programs, but those other programs may allow unintended operations -- and the
-shell doesn't interpose itself to prevent these operations.
------------------------------------------------------------------------------
-
-10.5. Ada
-
-In Ada95, the Unbounded_String type is often more flexible than the String
-type because it is automatically resized as necessary. However, don't store
-especially sensitive secret values such as passwords or secret keys in an
-Unbounded_String, since core dumps and page areas might still hold them
-later. Instead, use the String type for this data, lock it into memory while
-it's used, and overwrite the data as soon as possible with some constant
-value such as (others => ' '). Use the Ada pragma Inspection_Point on the
-object holding the secret after erasing the memory. That way, you can be
-certain that the object containing the secret will really be erased (and that
-the the overwriting won't be optimized away).
-
-It's common for beginning Ada programmers to believe that the String type's
-first index value is always 1, but this isn't true if the string is sliced.
-Avoid this error.
-
-It's worth noting that SPARK is a ``high-integrity subset of the Ada
-programming language''; SPARK users use a tool called the ``SPARK Examiner''
-to check conformance to SPARK rules, including flow analysis, and there are
-various supports for full formal proof of the code if desired. See the SPARK
-website for more information. To my knowledge, there are no OSS/FS SPARK
-tools. If you're storing passwords and private keys you should still lock
-them into memory if appropriate and overwrite them as soon as possible. Note
-that SPARK is often used in environments where paging does not occur.
------------------------------------------------------------------------------
-
-10.6. Java
-
-If you're developing secure programs using Java, frankly your first step
-(after learning Java) is to read the two primary texts for Java security,
-namely Gong [1999] and McGraw [1999] (for the latter, look particularly at
-section 7.1). You should also look at Sun's posted security code guidelines
-at [http://java.sun.com/security/seccodeguide.html] http://java.sun.com/
-security/seccodeguide.html, and there's a nice [http://www-106.ibm.com/
-developerworks/java/library/j-staticsec.html?loc=dwmain] article by Sahu et
-al [2002] A set of slides describing Java's security model are freely
-available at [http://www.dwheeler.com/javasec] http://www.dwheeler.com/
-javasec. You can also see McGraw [1998].
-
-Obviously, a great deal depends on the kind of application you're developing.
-Java code intended for use on the client side has a completely different
-environment (and trust model) than code on a server side. The general
-principles apply, of course; for example, you must check and filter any input
-from an untrusted source. However, in Java there are some ``hidden'' inputs
-or potential inputs that you need to be wary of, as discussed below.
-Johnathan Nightingale [2000] made an interesting statement summarizing many
-of the issues in Java programming:
-
-
- ... the big thing with Java programming is minding your inheritances. If
- you inherit methods from parents, interfaces, or parents' interfaces, you
- risk opening doors to your code.
-
-The following are a few key guidelines, based on Gong [1999], McGraw [1999],
-Sun's guidance, and my own experience:
-
- 1. Do not use public fields or variables; declare them as private and
- provide accessors to them so you can limit their accessibility.
-
- 2. Make methods private unless there is a good reason to do otherwise (and
- if you do otherwise, document why). These non-private methods must
- protect themselves, because they may receive tainted data (unless you've
- somehow arranged to protect them).
-
- 3. The JVM may not actually enforce the accessibility modifiers (e.g.,
- ``private'') at run-time in an application (as opposed to an applet). My
- thanks to John Steven (Cigital Inc.), who pointed this out on the
- ``Secure Programming'' mailing list on November 7, 2000. The issue is
- that it all depends on what class loader the class requesting the access
- was loaded with. If the class was loaded with a trusted class loader
- (including the null/ primordial class loader), the access check returns
- "TRUE" (allowing access). For example, this works (at least with Sun's
- 1.2.2 VM ; it might not work with other implementations):
-
- a. write a victim class (V) with a public field, compile it.
-
- b. write an 'attack' class (A) that accesses that field, compile it
-
- c. change V's public field to private, recompile
-
- d. run A - it'll access V's (now private) field.
-
-
- However, the situation is different with applets. If you convert A to an
- applet and run it as an applet (e.g., with appletviewer or browser), its
- class loader is no longer a trusted (or null) class loader. Thus, the
- code will throw java.lang.IllegalAccessError, with the message that
- you're trying to access a field V.secret from class A.
-
- 4. Avoid using static field variables. Such variables are attached to the
- class (not class instances), and classes can be located by any other
- class. As a result, static field variables can be found by any other
- class, making them much more difficult to secure.
-
- 5. Never return a mutable object to potentially malicious code (since the
- code may decide to change it). Note that arrays are mutable (even if the
- array contents aren't), so don't return a reference to an internal array
- with sensitive data.
-
- 6. Never store user given mutable objects (including arrays of objects)
- directly. Otherwise, the user could hand the object to the secure code,
- let the secure code ``check'' the object, and change the data while the
- secure code was trying to use the data. Clone arrays before saving them
- internally, and be careful here (e.g., beware of user-written cloning
- routines).
-
- 7. Don't depend on initialization. There are several ways to allocate
- uninitialized objects.
-
- 8. Make everything final, unless there's a good reason not to. If a class or
- method is non-final, an attacker could try to extend it in a dangerous
- and unforeseen way. Note that this causes a loss of extensibility, in
- exchange for security.
-
- 9. Don't depend on package scope for security. A few classes, such as
- java.lang, are closed by default, and some Java Virtual Machines (JVMs)
- let you close off other packages. Otherwise, Java classes are not closed.
- Thus, an attacker could introduce a new class inside your package, and
- use this new class to access the things you thought you were protecting.
-
-10. Don't use inner classes. When inner classes are translated into byte
- codes, the inner class is translated into a class accesible to any class
- in the package. Even worse, the enclosing class's private fields silently
- become non-private to permit access by the inner class!
-
-11. Minimize privileges. Where possible, don't require any special
- permissions at all. McGraw goes further and recommends not signing any
- code; I say go ahead and sign the code (so users can decide to ``run only
- signed code by this list of senders''), but try to write the program so
- that it needs nothing more than the sandbox set of privileges. If you
- must have more privileges, audit that code especially hard.
-
-12. If you must sign your code, put it all in one archive file. Here it's
- best to quote McGraw [1999]:
-
- The goal of this rule is to prevent an attacker from carrying out a
- mix-and-match attack in which the attacker constructs a new applet or
- library that links some of your signed classes together with
- malicious classes, or links together signed classes that you never
- meant to be used together. By signing a group of classes together,
- you make this attack more difficult. Existing code-signing systems do
- an inadequate job of preventing mix-and-match attacks, so this rule
- cannot prevent such attacks completely. But using a single archive
- can't hurt.
-
-
-13. Make your classes uncloneable. Java's object-cloning mechanism allows an
- attacker to instantiate a class without running any of its constructors.
- To make your class uncloneable, just define the following method in each
- of your classes:
- public final Object clone() throws java.lang.CloneNotSupportedException {
- throw new java.lang.CloneNotSupportedException();
- }
-
- If you really need to make your class cloneable, then there are some
- protective measures you can take to prevent attackers from redefining
- your clone method. If you're defining your own clone method, just make it
- final. If you're not, you can at least prevent the clone method from
- being maliciously overridden by adding the following:
- public final void clone() throws java.lang.CloneNotSupportedException {
- super.clone();
- }
-
-14. Make your classes unserializeable. Serialization allows attackers to view
- the internal state of your objects, even private portions. To prevent
- this, add this method to your classes:
- private final void writeObject(ObjectOutputStream out)
- throws java.io.IOException {
- throw new java.io.IOException("Object cannot be serialized");
- }
-
- Even in cases where serialization is okay, be sure to use the transient
- keyword for the fields that contain direct handles to system resources
- and that contain information relative to an address space. Otherwise,
- deserializing the class may permit improper access. You may also want to
- identify sensitive information as transient.
-
- If you define your own serializing method for a class, it should not pass
- an internal array to any DataInput/DataOuput method that takes an array.
- The rationale: All DataInput/DataOutput methods can be overridden. If a
- Serializable class passes a private array directly to a DataOutput(write
- (byte [] b)) method, then an attacker could subclass ObjectOutputStream
- and override the write(byte [] b) method to enable him to access and
- modify the private array. Note that the default serialization does not
- expose private byte array fields to DataInput/DataOutput byte array
- methods.
-
-15. Make your classes undeserializeable. Even if your class is not
- serializeable, it may still be deserializeable. An attacker can create a
- sequence of bytes that happens to deserialize to an instance of your
- class with values of the attacker's choosing. In other words,
- deserialization is a kind of public constructor, allowing an attacker to
- choose the object's state - clearly a dangerous operation! To prevent
- this, add this method to your classes:
- private final void readObject(ObjectInputStream in)
- throws java.io.IOException {
- throw new java.io.IOException("Class cannot be deserialized");
- }
-
-16. Don't compare classes by name. After all, attackers can define classes
- with identical names, and if you're not careful you can cause confusion
- by granting these classes undesirable privileges. Thus, here's an example
- of the wrong way to determine if an object has a given class:
- if (obj.getClass().getName().equals("Foo")) {
-
- If you need to determine if two objects have exactly the same class,
- instead use getClass() on both sides and compare using the == operator,
- Thus, you should use this form:
- if (a.getClass() == b.getClass()) {
- If you truly need to determine if an object has a given classname, you
- need to be pedantic and be sure to use the current namespace (of the
- current class's ClassLoader). Thus, you'll need to use this format:
- if (obj.getClass() == this.getClassLoader().loadClass("Foo")) {
-
- This guideline is from McGraw and Felten, and it's a good guideline. I'll
- add that, where possible, it's often a good idea to avoid comparing class
- values anyway. It's often better to try to design class methods and
- interfaces so you don't need to do this at all. However, this isn't
- always practical, so it's important to know these tricks.
-
-17. Don't store secrets (cryptographic keys, passwords, or algorithm) in the
- code or data. Hostile JVMs can quickly view this data. Code obfuscation
- doesn't really hide the code from serious attackers.
-
-
-
------------------------------------------------------------------------------
-
-10.7. Tcl
-
-Tcl stands for ``tool command language'' and is pronounced ``tickle.'' Tcl is
-divided into two parts: a language and a library. The language is a simple
-language, originally intended for issuing commands to interactive programs
-and including basic programming capabilities. The library can be embedded in
-application programs. You can find more information about Tcl at sites such
-as the [http://www.tcl.tk/] Tcl.tk and the [http://www.sco.com/Technology/tcl
-/Tcl.html] Tcl WWW Info web page and the comp.lang.tcl FAQ launch page at
-[http://www.tclfaq.wservice.com/tcl-faq] http://www.tclfaq.wservice.com/
-tcl-faq. My thanks go to Wojciech Kocjan for providing some of this detailed
-information on using Tcl in secure applications.
-
-For some security applications, especially interesting components of Tcl are
-Safe-Tcl (which creates a sandbox in Tcl) and Safe-TK (which implements a
-sandboxed portable GUI for Safe Tcl), as well as the WebWiseTclTk Toolkit
-which permits Tcl packages to be automatically located and loaded from
-anywhere on the World Wide Web. You can find more about the latter from
-[http://www.cbl.ncsu.edu/software/WebWiseTclTk] http://www.cbl.ncsu.edu/
-software/WebWiseTclTk. It's not clear to me how much code review this has
-received.
-
-Tcl's original design goal to be a small, simple language resulted in a
-language that was originally somewhat limiting and slow. For an example of
-the limiting weaknesses in the original language, see [http://sdg.lcs.mit.edu
-/~jchapin/6853-FT97/Papers/stallman-tcl.html] Richard Stallman's ``Why You
-Should Not Use Tcl''. For example, Tcl was originally designed to really
-support only one data type (string). Thankfully, these issues have been
-addressed over time. In particular, version 8.0 added support for more data
-types (integers are stored internally as integers, lists as lists and so on).
-This improves its capabilities, and in particular improves its speed.
-
-As with essentially all scripting languages, Tcl has an "eval" command that
-parses and executes arbitrary Tcl commands. And like all such scripting
-languages, this eval command needs to be used especially carefully, or an
-attacker could insert characters in the input to cause malicious things to
-occur. For example, an attackers may be able insert characters with special
-meaning to Tcl such as embedded whitespace (including space and newline),
-double-quote, curly braces, square brackets, dollar signs, backslash,
-semicolon, or pound sign (or create input to cause these characters to be
-created during processing). This also applies to any function that passes
-data to eval as well (depending on how eval is called).
-
-Here is a small example that may make this concept clearer; first, let's
-define a small function and then interactively invoke it directly - note that
-these uses are fine:
- proc something {a b c d e} {
- puts "A='$a'"
- puts "B='$b'"
- puts "C='$c'"
- puts "D='$d'"
- puts "E='$e'"
- }
-
- % # This works normally:
- % something "test 1" "test2" "t3" "t4" "t5"
- A='test 1'
- B='test2'
- C='t3'
- D='t4'
- E='t5'
-
- % # Imagine that str1 is set by an attacker:
- % set str1 {test 1 [puts HELLOWORLD]}
-
- % # This works as well
- % something $str1 t2 t3 t4 t5
- A='test 1 [puts HELLOWORLD]'
- B='t2'
- C='t3'
- D='t4'
- E='t5'
-However, continuing the example, let's see how "eval" can be incorrectly and
-correctly called. If you call eval in an incorrect (dangerous) way, it allows
-attackers to misuse it. However, by using commands like list or lrange to
-correctly group the input, you can avoid this problem:
- % # This is the WRONG way - str1 is interpreted.
- % eval something $str1 t2 t3
- HELLOWORLD
- A='test'
- B='1'
- C=''
- D='t2'
- E='t3'
-
- % # Here's one solution, using "list".
- % eval something [list $str1 t2 t3 t4 t5]
- A='test 1 [puts HELLOWORLD]'
- B='t2'
- C='t3'
- D='t4'
- E='t5'
-
- % # Here's another solution, using lrange:
- % eval something [lrange $str1 0 end] t2
- A='test'
- B='1'
- C='[puts'
- D='HELLOWORLD]'
- E='t2'
-Using lrange is useful when concatenating arguments to a called function,
-e.g., with more complex libraries using callbacks. In Tcl, eval is often used
-to create a one-argument version of a function that takes a variable number
-of arguments, and you need to be careful when using it this way. Here's
-another example (presuming that you've defined a "printf" function):
- proc vprintf {str arglist} {
- eval printf [list $str] [lrange $arglist 0 end]
- }
-
- % printf "1+1=%d 2+2=%d" 2 4
- % vprintf "1+1=%d 2+2=%d" {2 4}
-
-Fundamentally, when passing a command that will be eventually evaluated, you
-must pass Tcl commands as a properly built list, and not as a (possibly
-concatentated) string. For example, the "after" command runs a Tcl command
-after a given number of milliseconds; if the data in $param1 can be
-controlled by an attacker, this Tcl code is dangerously wrong:
- # DON'T DO THIS if param1 can be controlled by an attacker
- after 1000 "someCommand someparam $param1"
-This is wrong, because if an attacker can control the value of $param1, the
-attacker can control the program. For example, if the attacker can cause
-$param1 to have '[exit]', then the program will exit. Also, if $param1 would
-be '; exit', it would also exit.
-
-Thus, the proper alternative would be:
- after 1000 [list someCommand someparam $param1]
-Even better would be something like the following:
- set cmd [list someCommand someparam]
- after 1000 [concat $cmd $param1]
-
-Here's another example showing what you shouldn't do, pretending that $params
-is data controlled by possibly malicious user:
- set params "%-20s TESTSTRING"
- puts "'[eval format $params]'"
-will result in:
- 'TESTSTRING '
-But, when if the untrusted user sends data with an embedded newline, like
-this:
- set params "%-20s TESTSTRING\nputs HELLOWORLD"
- puts "'[eval format $params]'"
-The result will be this (notice that the attacker's code was executed!):
- HELLOWORLD
- 'TESTINGSTRING '
-Wojciech Kocjan suggests that the simplest solution in this case is to
-convert this to a list using lrange, doing this:
- set params "%-20s TESTINGSTRING\nputs HELLOWORLD"
- puts "'[eval format [lrange $params 0 end]]'"
-The result would be:
- 'TESTINGSTRING '
-Note that this solution presumes that the potentially malicious text is
-concatenated to the end of the text; as with all languages, make sure the
-attacker cannot control the format text.
-
-As a matter of style always use curly braces when using if, while, for, expr,
-and any other command which parses an argument using expr/eval/subst. Doing
-this will avoid a common error when using Tcl called unintended double
-substitution (aka double substitution). This is best explained by example;
-the following code is incorrect:
- while ![eof $file] {
- set line [gets $file]
- }
-The code is incorrect because the "![eof $file]" text will be evaluated by
-the Tcl parser when the while command is executed the first time, and not
-re-evaluated in every iteration as it should be. Instead, do this:
- while {![eof $file]} {
- set line [gets $file]
- }
-Note that both the condition, and the action to be performed, are surrounded
-by curly braces. Although there are cases where the braces are redundant,
-they never hurt, and when you fail to include the curly braces where they're
-needed (say, when making a minor change) subtle and hard-to-find errors often
-result.
-
-More information on good Tcl style can be found in documents such as [http://
-www.tcl.tk/doc/styleGuide.pdf] Ray Johnson's Tcl Style Guide.
-
-In the past, I have stated that I don't recommend Tcl for writing programs
-which must mediate a security boundary. Tcl seems to have improved since that
-time, so while I cannot guarantee Tcl will work for your needs, I can't
-guarantee that any other language will work for you either. Again, my thanks
-to Wojciech Kocjan who provided some of these suggestions on how to write Tcl
-code for secure applications.
------------------------------------------------------------------------------
-
-10.8. PHP
-
-SecureReality has put out a very interesting paper titled ``A Study In
-Scarlet - Exploiting Common Vulnerabilities in PHP'' [Clowes 2001], which
-discusses some of the problems in writing secure programs in PHP,
-particularly in versions before PHP 4.1.0. Clowes concludes that ``it is very
-hard to write a secure PHP application (in the default configuration of PHP),
-even if you try''.
-
-Granted, there are security issues in any language, but one particular issue
-stands out in older versions of PHP that arguably makes older PHP versions
-less secure than most languages: the way it loads data into its namespace. By
-default, in PHP (versions 4.1.0 and lower) all environment variables and
-values sent to PHP over the web are automatically loaded into the same
-namespace (global variables) that normal variables are loaded into - so
-attackers can set arbitrary variables to arbitrary values, which keep their
-values unless explicitly reset by a PHP program. In addition, PHP
-automatically creates variables with a default value when they're first
-requested, so it's common for PHP programs to not initialize variables. If
-you forget to set a variable, PHP can report it, but by default PHP won't -
-and note that this simply an error report, it won't stop an attacker who
-finds an unusual way to cause it. Thus, by default PHP allows an attacker to
-completely control the values of all variables in a program unless the
-program takes special care to override the attacker. Once the program takes
-over, it can reset these variables, but failing to reset any variable (even
-one not obvious) might open a vulnerability in the PHP program.
-
-For example, the following PHP program (an example from Clowes) intends to
-only let those who know the password to get some important information, but
-an attacker can set ``auth'' in their web browser and subvert the
-authorization check:
-
-
-I and many others have complained about this particularly dangerous problem;
-it's particularly a problem because PHP is widely used. A language that's
-supposed to be easy to use better make it easy to write secure programs in,
-after all. It's possible to disable this misfeature in PHP by turning the
-setting ``register_globals'' to ``off'', but by default PHP versions up
-through 4.1.0 default set this to ``on'' and PHP before 4.1.0 is harder to
-use with register_globals off. The PHP developers warned in their PHP 4.1.0
-announcenment that ``as of the next semi-major version of PHP, new
-installations of PHP will default to having register_globals set to off.''
-This has now happened; as of PHP version 4.2.0, External variables (from the
-environment, the HTTP request, cookies or the web server) are no longer
-registered in the global scope by default. The preferred method of accessing
-these external variables is by using the new Superglobal arrays, introduced
-in PHP 4.1.0.
-
-PHP with ``register_globals'' set to ``on'' is a dangerous choice for
-nontrivial programs - it's just too easy to write insecure programs. However,
-once ``register_globals'' is set to ``off'', PHP is quite a reasonable
-language for development.
-
-The secure default should include setting ``register_globals'' to ``off'',
-and also including several functions to make it much easier for users to
-specify and limit the input they'll accept from external sources. Then web
-servers (such as Apache) could separately configure this secure PHP
-installation. Routines could be placed in the PHP library to make it easy for
-users to list the input variables they want to accept; some functions could
-check the patterns these variables must have and/or the type that the
-variable must be coerced to. In my opinion, PHP is a bad choice for secure
-web development if you set register_globals on.
-
-As I suggested in earlier versions of this book, PHP has been trivially
-modified to become a reasonable choice for secure web development. However,
-note that PHP doesn't have a particularly good security vulnerability track
-record (e.g., register_globals, a file upload problem, and a format string
-problem in the error reporting library); I believe that security issues were
-not considered sufficiently in early editions of PHP; I also think that the
-PHP developers are now emphasizing security and that these security issues
-are finally getting worked out. One evidence is the major change that the PHP
-developers have made to get turn off register_globals; this had a significant
-impact on PHP users, and their willingness to make this change is a good
-sign. Unfortunately, it's not yet clear how secure PHP really is; PHP just
-hasn't had much of a track record now that the developers of PHP are
-examining it seriously for security issues. Hopefully this will become clear
-quickly.
-
-If you've decided to use PHP, here are some of my recommendations (many of
-these recommendations are based on ways to counter the issues that Clowes
-raises):
-
- * Set the PHP configuration option ``register_globals'' off, and use PHP
- 4.2.0 or greater. PHP 4.1.0 adds several special arrays, particularly
- $_REQUEST, which makes it far simpler to develop software in PHP when
- ``register_globals'' is off. Setting register_globals off, which is the
- default in PHP 4.2.0, completely eliminates the most common PHP attacks.
- If you're assuming that register_globals is off, you should check for
- this first (and halt if it's not true) - that way, people who install
- your program will quickly know there's a problem. Note that many
- third-party PHP applications cannot work with this setting, so it can be
- difficult to keep it off for an entire website. It's possible to set
- register_globals off for only some programs. For example, for Apache, you
- could insert these lines into the file .htaccess in the PHP directory (or
- use Directory directives to control it further):
- php_flag register_globals Off
- php_flag track_vars On
- However, the .htaccess file itself is ignored unless the Apache web
- server is configured to permit overrides; often the Apache global
- configuration is set so that AllowOverride is set to None. So, for Apache
- users, if you can convince your web hosting service to set
- ``AllowOverride Options'' in their configuration file (often /etc/http/
- conf/http.conf) for your host, do that. Then write helper functions to
- simplify loading the data you need (and only that data).
-
- * If you must develop software where register_globals might be on while
- running (e.g., a widely-deployed PHP application), always set values not
- provided by the user. Don't depend on PHP default values, and don't trust
- any variable you haven't explicitly set. Note that you have to do this
- for every entry point (e.g., every PHP program or HTML file using PHP).
- The best approach is to begin each PHP program by setting all variables
- you'll be using, even if you're simply resetting them to the usual
- default values (like "" or 0). This includes global variables referenced
- in included files, even all libraries, transitively. Unfortunately, this
- makes this recommendation hard to do, because few developers truly know
- and understand all global variables that may be used by all functions
- they call. One lesser alternative is to search through HTTP_GET_VARS,
- HTTP_POST_VARS, HTTP_COOKIE_VARS, and HTTP_POST_FILES to see if the user
- provided the data - but programmers often forget to check all sources,
- and what happens if PHP adds a new data source (e.g., HTTP_POST_FILES
- wasn't in old versions of PHP). Of course, this simply tells you how to
- make the best of a bad situation; in case you haven't noticed yet, turn
- off register_globals!
-
- * Set the error reporting level to E_ALL, and resolve all errors reported
- by it during testing. Among other things, this will complain about
- un-initialized variables, which are a key issues in PHP. This is a good
- idea anyway whenever you start using PHP, because this helps debug
- programs, too. There are many ways to set the error reporting level,
- including in the ``php.ini'' file (global), the ``.htttpd.conf'' file
- (single-host), the ``.htaccess'' file (multi-host), or at the top of the
- script through the error_reporting function. I recommend setting the
- error reporting level in both the php.ini file and also at the top of the
- script; that way, you're protected if (1) you forget to insert the
- command at the top of the script, or (2) move the program to another
- machine and forget to change the php.ini file. Thus, every PHP program
- should begin like this:
-
- It could be argued that this error reporting should be turned on during
- development, but turned off when actually run on a real site (since such
- error message could give useful information to an attacker). The problem
- is that if they're disabled during ``actual use'' it's all too easy to
- leave them disabled during development. So for the moment, I suggest the
- simple approach of simply including it in every entrance. A much better
- approach is to record all errors, but direct the error reports so they're
- only included in a log file (instead of having them reported to the
- attacker).
-
- * Filter any user information used to create filenames carefully, in
- particular to prevent remote file access. PHP by default comes with
- ``remote files'' functionality -- that means that file-opening commands
- like fopen(), that in other languages can only open local files, can
- actually be used to invoke web or ftp requests from another site.
-
- * Do not use old-style PHP file uploads; use the HTTP_POST_FILES array and
- related functions. PHP supports file uploads by uploading the file to
- some temporary directory with a special filename. PHP originally set a
- collection of variables to indicate where that filename was, but since an
- attacker can control variable names and their values, attackers could use
- that ability to cause great mischief. Instead, always use HTTP_POST_FILES
- and related functions to access uploaded files. Note that even in this
- case, PHP's approach permits attackers to temporarily upload files to you
- with arbitrary content, which is risky by itself.
-
- * Only place protected entry points in the document tree; place all other
- code (which should be most of it) outside the document tree. PHP has a
- history of unfortunate advice on this topic. Originally, PHP users were
- supposed to use the ``.inc'' (include) extension for ``included'' files,
- but these included files often had passwords and other information, and
- Apache would just give requesters the contents of the ``.inc'' files when
- asked to do so when they were in the document tree. Then developers gave
- all files a ``.php'' extension - which meant that the contents weren't
- seen, but now files never meant to be entry points became entry points
- and were sometimes exploitable. As mentioned earlier, the usual security
- advice is the best: place only the proected entry points (files) in the
- document tree, and place other code (e.g., libraries) outside the
- document tree. There shouldn't be any ``.inc'' files in the document tree
- at all.
-
- * Avoid the session mechanism. The ``session'' mechanism is handy for
- storing persistent data, but its current implementation has many
- problems. First, by default sessions store information in temporary files
- - so if you're on a multi-hosted system, you open yourself up to many
- attacks and revelations. Even those who aren't currently multi-hosted may
- find themselves multi-hosted later! You can "tie" this information into a
- database instead of the filesystem, but if others on a multi-hosted
- database can access that database with the same permissions, the problem
- is the same. There are also ambiguities if you're not careful (``is this
- the session value or an attacker's value''?) and this is another case
- where an attacker can force a file or key to reside on the server with
- content of their choosing - a dangerous situation - and the attacker can
- even control to some extent the name of the file or key where this data
- will be placed.
-
- * For all inputs, check that they match a pattern for acceptability (as
- with any language), and then use type casting to coerce non-string data
- into the type it should have. Develop ``helper'' functions to easily
- check and import a selected list of (expected) inputs. PHP is loosely
- typed, and this can cause trouble. For example, if an input datum has the
- value "000", it won't be equal to "0" nor is it empty(). This is
- particularly important for associative arrays, because their indexes are
- strings; this means that $data["000"] is different than $data["0"]. For
- example, to make sure $bar has type double (after making sure it only has
- the format legal for a double):
- $bar = (double) $bar;
-
- * Be especially careful of risky functions. This includes those that
- perform PHP code execution (e.g., require(), include(), eval(),
- preg_replace()), command execution (e.g., exec(), passthru(), the
- backtick operator, system(), and popen()), and open files (e.g., fopen(),
- readfile(), and file()). This is not an exhaustive list!
-
- * Use magic_quotes_gpc() where appropriate - this eliminates many kinds of
- attacks.
-
- * Avoid file uploads, and consider modifying the php.ini file to disable
- them (file_uploads = Off). File uploads have had security holes in the
- past, so on older PHP's this is a necessity, and until more experience
- shows that they're safe this isn't a bad thing to remove. Remember, in
- general, to secure a system you should disable or remove anything you
- don't need.
-
-
------------------------------------------------------------------------------
-Chapter 11. Special Topics
-
- Understanding is a fountain of life to
- those who have it, but folly brings
- punishment to fools.
- Proverbs 16:22 (NIV)
------------------------------------------------------------------------------
-
-11.1. Passwords
-
-Where possible, don't write code to handle passwords. In particular, if the
-application is local, try to depend on the normal login authentication by a
-user. If the application is a CGI script, try to depend on the web server to
-provide the protection as much as possible - but see below about handling
-authentication in a web server. If the application is over a network, avoid
-sending the password as cleartext (where possible) since it can be easily
-captured by network sniffers and reused later. ``Encrypting'' a password
-using some key fixed in the algorithm or using some sort of shrouding
-algorithm is essentially the same as sending the password as cleartext.
-
-For networks, consider at least using digest passwords. Digest passwords are
-passwords developed from hashes; typically the server will send the client
-some data (e.g., date, time, name of server), the client combines this data
-with the user password, the client hashes this value (termed the ``digest
-pasword'') and replies just the hashed result to the server; the server
-verifies this hash value. This works, because the password is never actually
-sent in any form; the password is just used to derive the hash value. Digest
-passwords aren't considered ``encryption'' in the usual sense and are usually
-accepted even in countries with laws constraining encryption for
-confidentiality. Digest passwords are vulnerable to active attack threats but
-protect against passive network sniffers. One weakness is that, for digest
-passwords to work, the server must have all the unhashed passwords, making
-the server a very tempting target for attack.
-
-If your application permits users to set their passwords, check the passwords
-and permit only ``good'' passwords (e.g., not in a dictionary, having certain
-minimal length, etc.). You may want to look at information such as [http://
-consult.cern.ch/writeup/security/security_3.html] http://consult.cern.ch/
-writeup/security/security_3.html on how to choose a good password. You should
-use PAM if you can, because it supports pluggable password checkers.
------------------------------------------------------------------------------
-
-11.2. Authenticating on the Web
-
-On the web, a web server is usually authenticated to users by using SSL or
-TLS and a server certificate - but it's not as easy to authenticate who the
-users are. SSL and TLS do support client-side certificates, but there are
-many practical problems with actually using them (e.g., web browsers don't
-support a single user certificate format and users find it difficult to
-install them). You can learn about how to set up digital certificates from
-many places, e.g., [http://www.petbrain.com/modules.php?op=modload&name=pki&
-file=index] Petbrain. Using Java or Javascript has its own problems, since
-many users disable them, some firewalls filter them out, and they tend to be
-slow. In most cases, requiring every user to install a plug-in is impractical
-too, though if the system is only for an intranet for a relatively small
-number of users this may be appropriate.
-
-If you're building an intranet application, you should generally use whatever
-authentication system is used by your users. Unix-like systems tend to use
-Kerberos, NIS+, or LDAP. You may also need to deal with a Windows-based
-authentication schemes (which can be viewed as proprietary variants of
-Kerberos and LDAP). Thus, if your organization depend on Kerberos, design
-your system to use Kerberos. Try to separate the authentication system from
-the rest of your application, since the organization may (will!) change their
-authentication system over time.
-
-Many techniques don't work or don't work very well. One approach that works
-in some cases is to use ``basic authentication'', which is built into
-essentially all browsers and servers. Unfortunately, basic authentication
-sends passwords unencrypted, so it makes passwords easy to steal; basic
-authentication by itself is really useful only for worthless information. You
-could store authentication information in the URLs selected by the users, but
-for most circumstances you should never do this - not only are the URLs sent
-unprotected over the wire (as with basic authentication), but there are too
-many other ways that this information can leak to others (e.g., through the
-browser history logs stored by many browsers, logs of proxies, and to other
-web sites through the Referer: field). You could wrap all communication with
-a web server using an SSL/TLS connection (which would encrypt it); this is
-secure (depending on how you do it), and it's necessary if you have important
-data, but note that this is costly in terms of performance. You could also
-use ``digest authentication'', which exposes the communication but at least
-authenticates the user without exposing the underlying password used to
-authenticate the user. Digest authentication is intended to be a simple
-partial solution for low-value communications, but digest authentication is
-not widely supported in an interoperable way by web browsers and servers. In
-fact, as noted in a March 18, 2002 eWeek article, Microsoft's web client
-(Internet Explorer) and web server (IIS) incorrectly implement the standard
-(RFC 2617), and thus won't work with other servers or browsers. Since
-Microsoft don't view this incorrect implementation as a serious problem, it
-will be a very long time before most of their customers have a
-correctly-working program.
-
-Thus, the most common technique for authenticating on the web today is
-through cookies. Cookies weren't really designed for this purpose, but they
-can be used for authentication - but there are many wrong ways to use them
-that create security vulnerabilities, so be careful. For more information
-about cookies, see IETF RFC 2965, along with the older specifications about
-them. Note that to use cookies, some browsers (e.g., Microsoft Internet
-Explorer 6) may insist that you have a privacy profile (named p3p.xml on the
-root directory of the server).
-
-Note that some users don't accept cookies, so this solution still has some
-problems. If you want to support these users, you should send this
-authentication information back and forth via HTML form hidden fields (since
-nearly all browsers support them without concern). You'd use the same
-approach as with cookies - you'd just use a different technology to have the
-data sent from the user to the server. Naturally, if you implement this
-approach, you need to include settings to ensure that these pages aren't
-cached for use by others. However, while I think avoiding cookies is
-preferable, in practice these other approaches often require much more
-development effort. Since it's so hard to implement this on a large scale for
-many application developers, I'm not currently stressing these approaches. I
-would rather describe an approach that is reasonably secure and reasonably
-easy to implement, than emphasize approaches that are too hard to implement
-correctly (by either developers or users). However, if you can do so without
-much effort, by all means support sending the authentication information
-using form hidden fields and an encrypted link (e.g., SSL/TLS). As with all
-cookies, for these cookies you should turn on the HttpOnly flag unless you
-have a web browser script that must be able to read the cookie.
-
-Fu [2001] discusses client authentication on the web, along with a suggested
-approach, and this is the approach I suggest for most sites. The basic idea
-is that client authentication is split into two parts, a ``login procedure''
-and ``subsequent requests.'' In the login procedure, the server asks for the
-user's username and password, the user provides them, and the server replies
-with an ``authentication token''. In the subsequent requests, the client (web
-browser) sends the authentication token to the server (along with its
-request); the server verifies that the token is valid, and if it is, services
-the request. Another good source of information about web authentication is
-Seifried [2001].
-
-One serious problem with some web authentication techniques is that they are
-vulnerable to a problem called "session fixation". In a session fixation
-attack, the attacker fixes the user's session ID before the user even logs
-into the target server, thus eliminating the need to obtain the user's
-session ID afterwards. Basically, the attacker obtains an account, and then
-tricks another user into using the attacker's account - often by creating a
-special hypertext link and tricking the user into clicking on it. A good
-paper describing session fixation is the paper by [http://www.acros.si/papers
-/session_fixation.pdf] Mitja Kolsek [2002]. A web authentication system you
-use should be resistant to session fixation.
------------------------------------------------------------------------------
-
-11.2.1. Authenticating on the Web: Logging In
-
-The login procedure is typically implemented as an HTML form; I suggest using
-the field names ``username'' and ``password'' so that web browsers can
-automatically perform some useful actions. Make sure that the password is
-sent over an encrypted connection (using SSL or TLS, through an https:
-connection) - otherwise, eavesdroppers could collect the password. Make sure
-all password text fields are marked as passwords in the HTML, so that the
-password text is not visible to anyone who can see the user's screen.
-
-If both the username and password fields are filled in, do not try to
-automatically log in as that user. Instead, display the login form with the
-user and password fields; this lets the user verify that they really want to
-log in as that user. If you fail to do this, attackers will be able to
-exploit this weakness to perform a session fixation attack. Paranoid systems
-might want simply ignore the password field and make the user fill it in, but
-this interferes with browsers which can store passwords for users.
-
-When the user sends username and password, it must be checked against the
-user account database. This database shouldn't store the passwords ``in the
-clear'', since if someone got a copy of the this database they'd suddenly get
-everyone's password (and users often reuse passwords). Some use crypt() to
-handle this, but crypt can only handle a small input, so I recommend using a
-different approach (this is my approach - Fu [2001] doesn't discuss this).
-Instead, the user database should store a username, salt, and the password
-hash for that user. The ``salt'' is just a random sequence of characters,
-used to make it harder for attackers to determine a password even if they get
-the password database - I suggest an 8-character random sequence. It doesn't
-need to be cryptographically random, just different from other users. The
-password hash should be computed by concatenating ``server key1'', the user's
-password, and the salt, and then running a cryptographically secure hash
-algorithm. Server key1 is a secret key unique to this server - keep it
-separate from the password database. Someone who has server key1 could then
-run programs to crack user passwords if they also had the password database;
-since it doesn't need to be memorized, it can be a long and complex password.
-Most secure would be HMAC-SHA-1 or HMAC-MD5; you could use SHA-1 (most web
-sites aren't really worried about the attacks it allows) or MD5 (but MD5
-would be poorer choice; see the discussion about MD5).
-
-Thus, when users create their accounts, the password is hashed and placed in
-the password database. When users try to log in, the purported password is
-hashed and compared against the hash in the database (they must be equal).
-When users change their password, they should type in both the old and new
-password, and the new password twice (to make sure they didn't mistype it);
-and again, make sure none of these password's characters are visible on the
-screen.
-
-By default, don't save the passwords themselves on the client's web browser
-using cookies - users may sometimes use shared clients (say at some coffee
-shop). If you want, you can give users the option of ``saving the password''
-on their browser, but if you do, make sure that the password is set to only
-be transmitted on ``secure'' connections, and make sure the user has to
-specifically request it (don't do this by default).
-
-Make sure that the page is marked to not be cached, or a proxy server might
-re-serve that page to other users.
-
-Once a user successfully logs in, the server needs to send the client an
-``authentication token'' in a cookie, which is described next.
------------------------------------------------------------------------------
-
-11.2.2. Authenticating on the Web: Subsequent Actions
-
-Once a user logs in, the server sends back to the client a cookie with an
-authentication token that will be used from then on. A separate
-authentication token is used, so that users don't need to keep logging in, so
-that passwords aren't continually sent back and forth, and so that
-unencrypted communication can be used if desired. A suggested token (ignoring
-session fixation attacks) would look like this:
- exp=t&data=s&digest=m
-Where t is the expiration time of the token (say, in several hours), and data
-s identifies the user (say, the user name or session id). The digest is a
-keyed digest of the other fields. Feel free to change the field name of
-``data'' to be more descriptive (e.g., username and/or sessionid). If you
-have more than one field of data (e.g., both a username and a sessionid),
-make sure the digest uses both the field names and data values of all fields
-you're authenticating; concatenate them with a pattern (say ``%%'', ``+'', or
-``&'') that can't occur in any of the field data values. As described in a
-moment, it would be a good idea to include a username. The keyed digest
-should be a cryptographic hash of the other information in the token, keyed
-using a different server key2. The keyed digest should use HMAC-MD5 or
-HMAC-SHA1, using a different server key (key2), though simply using SHA1
-might be okay for some purposes (or even MD5, if the risks are low). Key2 is
-subject to brute force guessing attacks, so it should be long (say 12+
-characters) and unguessable; it does NOT need to be easily remembered. If
-this key2 is compromised, anyone can authenticate to the server, but it's
-easy to change key2 - when you do, it'll simply force currently ``logged in''
-users to re-authenticate. See Fu [2001] for more details.
-
-There is a potential weakness in this approach. I have concerns that Fu's
-approach, as originally described, is weak against session fixation attacks
-(from several different directions, which I don't want to get into here).
-Thus, I now suggest modifying Fu's approach and using this token format
-instead:
- exp=t&data=s&client=c&digest=m
-This is the same as the original Fu aproach, and older versions of this book
-(before December 2002) didn't suggest it. This modification adds a new
-"client" field to uniquely identify the client's current location/identity.
-The data in the client field should be something that should change if
-someone else tries to use the account; ideally, its new value should be
-unguessable, though that's hard to accomplish in practice. Ideally the client
-field would be the client's SSL client certificate, but currently that's a
-suggest that is hard to meet. At the least, it should be the user's IP
-address (as perceived from the server, and remember to plan for IPv6's longer
-addresses). This modification doesn't completely counter session fixation
-attacks, unfortunately (since if an attacker can determine what the user
-would send, the attacker may be able to make a request to a server and
-convince the client to accept those values). However, it does add resistance
-to the attack. Again, the digest must now include all the other data.
-
-Here's an example. If a user logs into foobar.com sucessfully, you might
-establish the expiration date as 2002-12-30T1800 (let's assume we'll transmit
-as ASCII text in this format for the moment), the username as "fred", the
-client session as "1234", and you might determine that the client's IP
-address was 5.6.7.8. If you use a simple SHA-1 keyed digest (and use a key
-prefixing the rest of the data), with the server key2 value of "rM!V^m~v*
-Dzx", the digest could be computed over:
- exp=2002-12-30T1800&user=fred&session=1234&client=5.6.7.8
-A keyed digest can be computed by running a cryptographic hash code over,
-say, the server key2, then the data; in this case, the digest would be:
-101cebfcc6ff86bc483e0538f616e9f5e9894d94
-
-From then on, the server must check the expiration time and recompute the
-digest of this authentication token, and only accept client requests if the
-digest is correct. If there's no token, the server should reply with the user
-login page (with a hidden form field to show where the successful login
-should go afterwards).
-
-It would be prudent to display the username, especially on important screens,
-to help counter session fixation attacks. If users are given feedback on
-their username, they may notice if they don't have their expected username.
-This is helpful anyway if it's possible to have an unexpected username (e.g.,
-a family that shares the same machine). Examples of important screens include
-those when a file is uploaded that should be kept private.
-
-One odd implementation issue: although the specifications for the "Expires:"
-(expiration time) field for cookies permit time zones, it turns out that some
-versions of Microsoft's Internet Explorer don't implement time zones
-correctly for cookie expiration. Thus, you need to always use UTC time (also
-called Zulu time) in cookie expiration times for maximum portability. It's a
-good idea in general to use UTC time for time values, and convert when
-necessary for human display, since this eliminates other time zone and
-daylight savings time issues.
-
-If you include a sessionid in the authentication token, you can limit access
-further. Your server could ``track'' what pages a user has seen in a given
-session, and only permit access to other appropriate pages from that point
-(e.g., only those directly linked from those page(s)). For example, if a user
-is granted access to page foo.html, and page foo.html has pointers to
-resources bar1.jpg and bar2.png, then accesses to bar4.cgi can be rejected.
-You could even kill the session, though only do this if the authentication
-information is valid (otherwise, this would make it possible for attackers to
-cause denial-of-service attacks on other users). This would somewhat limit
-the access an attacker has, even if they successfully hijack a session,
-though clearly an attacker with time and an authentication token could
-``walk'' the links just as a normal user would.
-
-One decision is whether or not to require the authentication token and/or
-data to be sent over a secure connection (e.g., SSL). If you send an
-authentication token in the clear (non-secure), someone who intercepts the
-token could do whatever the user could do until the expiration time. Also,
-when you send data over an unencrypted link, there's the risk of unnoticed
-change by an attacker; if you're worried that someone might change the data
-on the way, then you need to authenticate the data being transmitted.
-Encryption by itself doesn't guarantee authentication, but it does make
-corruption more likely to be detected, and typical libraries can support both
-encryption and authentication in a TLS/SSL connection. In general, if you're
-encrypting a message, you should also authenticate it. If your needs vary,
-one alternative is to create two authentication tokens - one is used only in
-a ``secure'' connection for important operations, while the other used for
-less-critical operations. Make sure the token used for ``secure'' connections
-is marked so that only secure connections (typically encrypted SSL/TLS
-connections) are used. If users aren't really different, the authentication
-token could omit the ``data'' entirely.
-
-Again, make sure that the pages with this authentication token aren't cached.
-There are other reasonable schemes also; the goal of this text is to provide
-at least one secure solution. Many variations are possible.
------------------------------------------------------------------------------
-
-11.2.3. Authenticating on the Web: Logging Out
-
-You should always provide users with a mechanism to ``log out'' - this is
-especially helpful for customers using shared browsers (say at a library).
-Your ``logout'' routine's task is simple - just unset the client's
-authentication token.
------------------------------------------------------------------------------
-
-11.3. Random Numbers
-
-In many cases secure programs must generate ``random'' numbers that cannot be
-guessed by an adversary. Examples include session keys, public or private
-keys, symmetric keys, nonces and IVs used in many protocols, salts, and so
-on. Ideally, you should use a truly random source of data for random numbers,
-such as values based on radioactive decay (through precise timing of Geiger
-counter clicks), atmospheric noise, or thermal noise in electrical circuits.
-Some computers have a hardware component that functions as a real random
-value generator, and if it's available you should use it.
-
-However, most computers don't have hardware that generates truly random
-values, so in most cases you need a way to generate random numbers that is
-sufficiently random that an adversary can't predict it. In general, this
-means that you'll need three things:
-
- * An ``unguessable'' state; typically this is done by measuring variances
- in timing of low-level devices (keystrokes, disk drive arm jitter, etc.)
- in a way that an adversary cannot control.
-
- * A cryptographically strong pseudo-random number generator (PRNG), which
- uses the state to generate ``random'' numbers.
-
- * A large number of bits (in both the seed and the resulting value used).
- There's no point in having a strong PRNG if you only have a few possible
- values, because this makes it easy for an attacker to use brute force
- attacks. The number of bits necessary varies depending on the
- circumstance, however, since these are often used as cryptographic keys,
- the normal rules of thumb for keys apply. For a symmetric key (result),
- I'd use at least 112 bits (3DES), 128 bits is a little better, and 160
- bits or more is even safer.
-
-
-Typically the PRNG uses the state to generate some values, and then some of
-its values and other unguessable inputs are used to update the state. There
-are lots of ways to attack these systems. For example, if an attacker can
-control or view inputs to the state (or parts of it), the attacker may be
-able to determine your supposedly ``random'' number.
-
-A real danger with PRNGs is that most computer language libraries include a
-large set of pseudo-random number generators (PRNGs) which are inappropriate
-for security purposes. Let me say it again: do not use typical random number
-generators for security purposes. Typical library PRNGs are intended for use
-in simulations, games, and so on; they are not sufficiently random for use in
-security functions such as key generation. Most non-cryptographic library
-PRNGs are some variation of ``linear congruential generators'', where the
-``next'' random value is computed as "(aX+b) mod m" (where X is the previous
-value). Good linear congruential generators are fast and have useful
-statistical properties, making them appropriate for their intended uses. The
-problem with such PRNGs is that future values can be easily deduced by an
-attacker (though they may appear random). Other algorithms for generating
-random numbers quickly, such as quadratic generators and cubic generators,
-have also been broken [Schneier 1996]. In short, you have to use
-cryptographically strong PRNGs to generate random numbers in secure
-applications - ordinary random number libraries are not sufficient.
-
-Failing to correctly generate truly random values for keys has caused a
-number of problems, including holes in Kerberos, the X window system, and NFS
-[Venema 1996].
-
-If possible, you should use system services (typically provided by the
-operating system) that are expressly designed to create cryptographically
-secure random values. For example, the Linux kernel (since 1.3.30) includes a
-random number generator, which is sufficient for many security purposes. This
-random number generator gathers environmental noise from device drivers and
-other sources into an entropy pool. When accessed as /dev/random, random
-bytes are only returned within the estimated number of bits of noise in the
-entropy pool (when the entropy pool is empty, the call blocks until
-additional environmental noise is gathered). When accessed as /dev/urandom,
-as many bytes as are requested are returned even when the entropy pool is
-exhausted. If you are using the random values for cryptographic purposes
-(e.g., to generate a key) on Linux, use /dev/random. *BSD systems also
-include /dev/random. Solaris users with the SUNWski package also have /dev/
-random. Note that if a hardware random number generator is available and its
-driver is installed, it will be used instead. More information is available
-in the system documentation random(4).
-
-On other systems, you'll need to find another way to get truly random
-results. One possibility for other Unix-like systems is the Entropy Gathering
-Daemon (EGD), which monitors system activity and hashes it into random
-values; you can get it at [http://www.lothar.com/tech/crypto] http://
-www.lothar.com/tech/crypto. You might consider using a cryptographic hash
-functions (e.g., SHA-1) on PRNG outputs. By using a hash algorithm, even if
-the PRNG turns out to be guessable, this means that the attacker must now
-also break the hash function.
-
-If you have to implement a strong PRNG yourself, a good choice for a
-cryptographically strong (and patent-unencumbered) PRNG is the Yarrow
-algorithm; you can learn more about Yarrow from [http://www.counterpane.com/
-yarrow.html] http://www.counterpane.com/yarrow.html. Some other PRNGs can be
-useful, but many widely-used ones have known weaknesses that may or may not
-matter depending on your application. Before implementing a PRNG yourself,
-consult the literature, such as [Kelsey 1998] and [McGraw 2000a]. You should
-also examine [http://www.ietf.org/rfc/rfc1750.txt] IETF RFC 1750. NIST has
-some useful information; see the [http://csrc.nist.gov/publications/nistpubs/
-800-22/sp-800-22-051501.pdf] NIST publication 800-22 and [http://
-csrc.nist.gov/publications/nistpubs/800-22/errata-sheet.pdf] NIST errata. You
-should know about the [http://stat.fsu.edu/~geo/diehard.html] diehard tests
-too. You might want to examine the paper titled "how Intel checked its PRNG",
-but unfortunately that paper appears to be unavailable now.
------------------------------------------------------------------------------
-
-11.4. Specially Protect Secrets (Passwords and Keys) in User Memory
-
-If your application must handle passwords or non-public keys (such as session
-keys, private keys, or secret keys), try to hide them and overwrite them
-immediately after using them so they have minimal exposure.
-
-Systems such as Linux support the mlock() and mlockall() calls to keep memory
-from being paged to disk (since someone might acquire the kep later from the
-swap file). Note that on Linux this is a privileged system call, which causes
-its own issues (do I grant the program superuser privileges so it can call
-mlock, if it doesn't need them otherwise?).
-
-Also, if your program handles such secret values, be sure to disable creating
-core dumps (via ulimit). Otherwise, an attacker may be able to halt the
-program and find the secret value in the data dump.
-
-Beware - normally processes can monitor other processes through the calls for
-debuggers (e.g., via ptrace(2) and the /proc pseudo-filesystem) [Venema 1996]
-Kernels usually protect against these monitoring routines if the process is
-setuid or setgid (on the few ancient ones that don't, there really isn't a
-good way to defend yourself other than upgrading). Thus, if your process
-manages secret values, you probably should make it setgid or setuid (to a
-different unprivileged group or user) to forceably inhibit this kind of
-monitoring. Unless you need it to be setuid, use setgid (since this grants
-fewer privileges).
-
-Then there's the problem of being able to actually overwrite the value, which
-often becomes language and compiler specific. In many languages, you need to
-make sure that you store such information in mutable locations, and then
-overwrite those locations. For example, in Java, don't use the type String to
-store a password because Strings are immutable (they will not be overwritten
-until garbage-collected and then reused, possibly a far time in the future).
-Instead, in Java use char[] to store a password, so it can be immediately
-overwritten. In Ada, use type String (an array of characters), and not type
-Unbounded_String, to make sure that you have control over the contents.
-
-In many languages (including C and C++), be careful that the compiler doesn't
-optimize away the "dead code" for overwriting the value - since in this case
-it's not dead code. Many compilers, including many C/C++ compilers, remove
-writes to stores that are no longer used - this is often referred to as "dead
-store removal." Unfortunately, if the write is really to overwrite the value
-of a secret, this means that code that appears to be correct will be silently
-discareded. Ada provides the pragma Inspection_Point; place this after the
-code erasing the memory, and that way you can be certain that the object
-containing the secret will really be erased (and that the the overwriting
-won't be optimized away).
-
-A Bugtraq post by Andy Polyakov (November 7, 2002) reported that the C/C++
-compilers gcc version 3 or higher, SGI MIPSpro, and the Microsoft compilers
-eliminated simple inlined calls to memset intended to overwrite secrets. This
-is allowed by the C and C++ standards. Other C/C++ compilers (such as gcc
-less than version 3) preserved the inlined call to memset at all optimization
-levels, showing that the issue is compiler-specific. Simply declaring that
-the destination data is volatile doesn't help on all compilers; both the
-MIPSpro and Microsoft compilers ignored simple "volatilization". Simply
-"touching" the first byte of the secret data doesn't help either; he found
-that the MIPSpro and GCC>=3 cleverly nullify only the first byte and leave
-the rest intact (which is actually quite clever - the problem is that the
-compiler's cleverness is interfering with our goals). One approach that seems
-to work on all platforms is to write your own implementation of memset with
-internal "volatilization" of the first argument (this code is based on a
-[http://online.securityfocus.com/archive/82/298061/2002-10-27/2002-11-02/0]
-workaround proposed by Michael Howard):
- void *guaranteed_memset(void *v,int c,size_t n)
- { volatile char *p=v; while (n--) *p++=c; return v; }
-Then place this definition into an external file to force the function to be
-external (define the function in a corresponding .h file, and #include the
-file in the callers, as is usual). This approach appears to be safe at any
-optimization level (even if the function gets inlined).
------------------------------------------------------------------------------
-
-11.5. Cryptographic Algorithms and Protocols
-
-Often cryptographic algorithms and protocols are necessary to keep a system
-secure, particularly when communicating through an untrusted network such as
-the Internet. Where possible, use cryptographic techniques to authenticate
-information and keep the information private (but don't assume that simple
-encryption automatically authenticates as well). Generally you'll need to use
-a suite of available tools to secure your application.
-
-For background information and code, you should probably look at the classic
-text ``Applied Cryptography'' [Schneier 1996]. The newsgroup ``sci.crypt''
-has a series of FAQ's; you can find them at many locations, including [http:/
-/www.landfield.com/faqs/cryptography-faq] http://www.landfield.com/faqs/
-cryptography-faq. Linux-specific resources include the Linux Encryption HOWTO
-at [http://marc.mutz.com/Encryption-HOWTO/] http://marc.mutz.com/
-Encryption-HOWTO/. A discussion on how protocols use the basic algorithms can
-be found in [Opplinger 1998]. A useful collection of papers on how to apply
-cryptography in protocols can be found in [Stallings 1996]. What follows here
-is just a few comments; these areas are rather specialized and covered more
-thoroughly elsewhere.
-
-Cryptographic protocols and algorithms are difficult to get right, so do not
-create your own. Instead, where you can, use protocols and algorithms that
-are widely-used, heavily analyzed, and accepted as secure. When you must
-create anything, give the approach wide public review and make sure that
-professional security analysts examine it for problems. In particular, do not
-create your own encryption algorithms unless you are an expert in cryptology,
-know what you're doing, and plan to spend years in professional review of the
-algorithm. Creating encryption algorithms (that are any good) is a task for
-experts only.
-
-A number of algorithms are patented; even if the owners permit ``free use''
-at the moment, without a signed contract they can always change their minds
-later, putting you at extreme risk later. In general, avoid all patented
-algorithms - in most cases there's an unpatented approach that is at least as
-good or better technically, and by doing so you avoid a large number of legal
-problems.
-
-Another complication is that many counties regulate or restrict cryptography
-in some way. A survey of legal issues is available at the ``Crypto Law
-Survey'' site, [http://rechten.kub.nl/koops/cryptolaw/] http://rechten.kub.nl
-/koops/cryptolaw/.
-
-Often, your software should provide a way to reject ``too small'' keys, and
-let the user set what ``too small'' is. For RSA keys, 512 bits is too small
-for use. There is increasing evidence that 1024 bits for RSA keys is not
-enough either; Bernstein has suggested techniques that simplify brute-forcing
-RSA, and other work based on it (such as Shamir and Tromer's "Factoring Large
-Numbers with the TWIRL device") now suggests that 1024 bit keys can be broken
-in a year by a $10 Million device. You may want to make 2048 bits the minimum
-for RSA if you really want a secure system, and you should certainly do so if
-you plan to use those keys after 2015. For more about RSA specifically, see
-RSA's commentary on Bernstein's work. For a more general discussion of key
-length and other general cryptographic algorithm issues, see [http://
-csrc.nist.gov/encryption/kms/key-management-guideline-(workshop).pdf] NIST's
-key management workshop in November 2001.
------------------------------------------------------------------------------
-
-11.5.1. Cryptographic Protocols
-
-When you need a security protocol, try to use standard-conforming protocols
-such as IPSec, SSL (soon to be TLS), SSH, S/MIME, OpenPGP/GnuPG/PGP, and
-Kerberos. Each has advantages and disadvantages; many of them overlap
-somewhat in functionality, but each tends to be used in different areas:
-
- * Internet Protocol Security (IPSec). IPSec provides encryption and/or
- authentication at the IP packet level. However, IPSec is often used in a
- way that only guarantees authenticity of two communicating hosts, not of
- the users. As a practical matter, IPSec usually requires low-level
- support from the operating system (which not all implement) and an
- additional keyring server that must be configured. Since IPSec can be
- used as a "tunnel" to secure packets belonging to multiple users and
- multiple hosts, it is especially useful for building a Virtual Private
- Network (VPN) and connecting a remote machine. As of this time, it is
- much less often used to secure communication from individual clients to
- servers. The new version of the Internet Protocol, IPv6, comes with IPSec
- ``built in,'' but IPSec also works with the more common IPv4 protocol.
- Note that if you use IPSec, don't use the encryption mode without the
- authentication, because the authentication also acts as integrity
- protection.
-
- * Secure Socket Layer (SSL) / TLS. SSL/TLS works over TCP and tunnels other
- protocols using TCP, adding encryption, authentication of the server, and
- optional authentication of the client (but authenticating clients using
- SSL/TLS requires that clients have configured X.509 client certificates,
- something rarely done). SSL version 3 is widely used; TLS is a later
- adjustment to SSL that strengthens its security and improves its
- flexibility. Currently there is a slow transition going on from SSLv3 to
- TLS, aided because implementations can easily try to use TLS and then
- back off to SSLv3 without user intervention. Unfortunately, a few bad
- SSLv3 implementations cause problems with the backoff, so you may need a
- preferences setting to allow users to skip using TLS if necessary. Don't
- use SSL version 2, it has some serious security weaknesses.
-
- SSL/TLS is the primary method for protecting http (web) transactions. Any
- time you use an "https://" URL, you're using SSL/TLS. Other protocols
- that often use SSL/TLS include POP3 and IMAP. SSL/TLS usually use a
- separate TCP/IP port number from the unsecured port, which the IETF is a
- little unhappy about (because it consumes twice as many ports; there are
- solutions to this). SSL is relatively easy to use in programs, because
- most library implementations allow programmers to use operations similar
- to the operations on standard sockets like SSL_connect(), SSL_write(),
- SSL_read(), etc. A widely used OSS/FS implementation of SSL (as well as
- other capabilities) is OpenSSL, available at [http://www.openssl.org]
- http://www.openssl.org.
-
- * OpenPGP and S/MIME. There are two competing, essentially incompatible
- standards for securing email: OpenPGP and S/MIME. OpenPHP is based on the
- PGP application; an OSS/FS implementation is GNU Privacy Guard from
- [http://www.gnupg.org] http://www.gnupg.org. Currently, their
- certificates are often not interchangeable; work is ongoing to repair
- this.
-
- * SSH. SSH is the primary method of securing ``remote terminals'' over an
- internet, and it also includes methods for tunelling X Windows sessions.
- However, it's been extended to support single sign-on and general secure
- tunelling for TCP streams, so it's often used for securing other data
- streams too (such as CVS accesses). The most popular implementation of
- SSH is OpenSSH [http://www.openssh.com] http://www.openssh.com, which is
- OSS/FS. Typical uses of SSH allows the client to authenticate that the
- server is truly the server, and then the user enters a password to
- authenticate the user (the password is encrypted and sent to the other
- system for verification). Current versions of SSH can store private keys,
- allowing users to not enter the password each time. To prevent
- man-in-the-middle attacks, SSH records keying information about servers
- it talks to; that means that typical use of SSH is vulnerable to a
- man-in-the-middle attack during the very first connection, but it can
- detect problems afterwards. In contrast, SSL generally uses a certificate
- authority, which eliminates the first connection problem but requires
- special setup (and payment!) to the certificate authority.
-
- * Kerberos. Kerberos is a protocol for single sign-on and authenticating
- users against a central authentication and key distribution server.
- Kerberos works by giving authenticated users "tickets", granting them
- access to various services on the network. When clients then contact
- servers, the servers can verify the tickets. Kerberos is a primary method
- for securing and supporting authentication on a LAN, and for establishing
- shared secrets (thus, it needs to be used with other algorithms for the
- actual protection of communication). Note that to use Kerberos, both the
- client and server have to include code to use it, and since not everyone
- has a Kerberos setup, this has to be optional - complicating the use of
- Kerberos in some programs. However, Kerberos is widely used.
-
-
-Many of these protocols allow you to select a number of different algorithms,
-so you'll still need to pick reasonable defaults for algorithms (e.g., for
-encryption).
------------------------------------------------------------------------------
-
-11.5.2. Symmetric Key Encryption Algorithms
-
-The use, export, and/or import of implementations of encryption algorithms
-are restricted in many countries, and the laws can change quite rapidly. Find
-out what the rules are before trying to build applications using
-cryptography.
-
-For secret key (bulk data) encryption algorithms, use only encryption
-algorithms that have been openly published and withstood years of attack, and
-check on their patent status. I would recommend using the new Advanced
-Encryption Standard (AES), also known as Rijndahl -- a number of
-cryptographers have analyzed it and not found any serious weakness in it, and
-I believe it has been through enough analysis to be trustworthy now. However,
-in August 2002 researchers Fuller and Millar discovered a mathematical
-property of the cipher that, while not an attack, might be exploitable into
-an attack (the approach may actually has serious consequences for some other
-algorithms, too). Thus, it's worth staying tuned to future work. A good
-alternative to AES is the Serpent algorithm, which is slightly slower but is
-very resistant to attack. For many applications triple-DES is a very good
-encryption algorithm; it has a reasonably lengthy key (112 bits), no patent
-issues, and a very long history of withstanding attacks (it's withstood
-attacks far longer than any other encryption algorithm with reasonable key
-length in the public literature, so it's probably the safest
-publicly-available symmetric encryption algorithm when properly implemented).
-However, triple-DES is very slow when implemented in software, so triple-DES
-can be considered ``safest but slowest.'' Twofish appears to be a good
-encryption algorithm, but there are some lingering questions - Sean Murphy
-and Fauzan Mirza showed that Twofish has properties that cause many academics
-to be concerned (though as of yet no one has managed to exploit these
-properties). MARS is highly resistent to ``new and novel'' attacks, but it's
-more complex and is impractical on small-ability smartcards. For the moment I
-would avoid Twofish - it's quite likely that this will never be exploitable,
-but it's hard to be sure and there are alternative algorithms which don't
-have these concerns. Don't use IDEA - it's subject to U.S. and European
-patents. Don't use stupid algorithms such as XOR with a constant or constant
-string, the ROT (rotation) scheme, a Vinegere ciphers, and so on - these can
-be trivially broken with today's computers. Don't use ``double DES'' (using
-DES twice) - that's subject to a ``man in the middle'' attack that triple-DES
-avoids. Your protocol should support multiple encryption algorithms, anyway;
-that way, when an encryption algorithm is broken, users can switch to another
-one.
-
-For symmetric-key encryption (e.g., for bulk encryption), don't use a key
-length less than 90 bits if you want the information to stay secret through
-2016 (add another bit for every additional 18 months of security) [Blaze
-1996]. For encrypting worthless data, the old DES algorithm has some value,
-but with modern hardware it's too easy to break DES's 56-bit key using brute
-force. If you're using DES, don't just use the ASCII text key as the key -
-parity is in the least (not most) significant bit, so most DES algorithms
-will encrypt using a key value well-known to adversaries; instead, create a
-hash of the key and set the parity bits correctly (and pay attention to error
-reports from your encryption routine). So-called ``exportable'' encryption
-algorithms only have effective key lengths of 40 bits, and are essentially
-worthless; in 1996 an attacker could spend $10,000 to break such keys in
-twelve minutes or use idle computer time to break them in a few days, with
-the time-to-break halving every 18 months in either case.
-
-Block encryption algorithms can be used in a number of different modes, such
-as ``electronic code book'' (ECB) and ``cipher block chaining'' (CBC). In
-nearly all cases, use CBC, and do not use ECB mode - in ECB mode, the same
-block of data always returns the same result inside a stream, and this is
-often enough to reveal what's encrypted. Many modes, including CBC mode,
-require an ``initialization vector'' (IV). The IV doesn't need to be secret,
-but it does need to be unpredictable by an attacker. Don't reuse IV's across
-sessions - use a new IV each time you start a session.
-
-There are a number of different streaming encryption algorithms, but many of
-them have patent restrictions. I know of no patent or technical issues with
-WAKE. RC4 was a trade secret of RSA Data Security Inc; it's been leaked
-since, and I know of no real legal impediment to its use, but RSA Data
-Security has often threatened court action against users of it (it's not at
-all clear what RSA Data Security could do, but no doubt they could tie up
-users in worthless court cases). If you use RC4, use it as intended - in
-particular, always discard the first 256 bytes it generates, or you'll be
-vulnerable to attack. SEAL is patented by IBM - so don't use it. SOBER is
-patented; the patent owner has claimed that it will allow many uses for free
-if permission is requested, but this creates an impediment for later use.
-Even more interestingly, block encryption algorithms can be used in modes
-that turn them into stream ciphers, and users who want stream ciphers should
-consider this approach (you'll be able to choose between far more
-publicly-available algorithms).
------------------------------------------------------------------------------
-
-11.5.3. Public Key Algorithms
-
-For public key cryptography (used, among other things, for signing and
-sending secret keys), there are only a few widely-deployed algorithms. One of
-the most widely-used algorithms is RSA; RSA's algorithm was patented, but
-only in the U.S., and that patent expired in September 2000, so RSA can be
-freely used. Never decrypt or sign a raw value that an attacker gives you
-directly using RSA and expose the result, because that could expose the
-private key (this isn't a problem in practice, because most protocols involve
-signing a hash computed by the user - not the raw value - or don't expose the
-result). Never decrypt or sign the exact same raw value multiple times (the
-original can be exposed). Both of these can be solved by always adding random
-padding (PGP does this) - the usual approach is called Optimal Asymmetric
-Encryption Padding (OAEP).
-
-The Diffie-Hellman key exchange algorithm is widely used to permit two
-parties to agree on a session key. By itself it doesn't guarantee that the
-parties are who they say they are, or that there is no middleman, but it does
-strongly help defend against passive listeners; its patent expired in 1997.
-If you use Diffie-Hellman to create a shared secret, be sure to hash it first
-(there's an attack if you use its shared value directly).
-
-NIST developed the digital signature standard (DSS) (it's a modification of
-the ElGamal cryptosystem) for digital signature generation and verification;
-one of the conditions for its development was for it to be patent-free.
-
-RSA, Diffie-Hellman, and El Gamal's techniques require more bits for the keys
-for equivalent security compared to typical symmetric keys; a 1024-bit key in
-these systems is supposed to be roughly equivalent to an 80-bit symmetric
-key. A 512-bit RSA key is considered completely unsafe; Nicko van Someren has
-demonstrated that such small RSA keys can be factored in 6 weeks using only
-already-available office hardware (never mind equipment designed for the
-job). In the past, a 1024-bit RSA key was considered reasonably secure, but
-recent advancements in factorization algorithms (e.g., by D. J. Bernstein)
-have raised concerns that perhaps even 1024 bits is not enough for an RSA
-key. Certainly, if your application needs to be highly secure or last beyond
-2015, you should use a 2048 bit keys.
-
-If you need a public key that requires far fewer bits (e.g., for a
-smartcard), then you might use elliptic curve cryptography (IEEE P1363 has
-some suggested curves; finding curves is hard). However, be careful -
-elliptic curve cryptography isn't patented, but certain speedup techniques
-are patented. Elliptic curve cryptography is fast enough that it really
-doesn't need these speedups anyway for its usual use of encrypting session /
-bulk encryption keys. In general, you shouldn't try to do bulk encryption
-with elliptic keys; symmetric algorithms are much faster and are
-better-tested for the job.
------------------------------------------------------------------------------
-
-11.5.4. Cryptographic Hash Algorithms
-
-Some programs need a one-way cryptographic hash algorithm, that is, a
-function that takes an ``arbitrary'' amount of data and generates a
-fixed-length number that hard for an attacker to invert (e.g., it's difficult
-for an attacker to create a different set of data to generate that same
-value). For a number of years MD5 has been a favorite, but recent efforts
-have shown that its 128-bit length may not be enough [van Oorschot 1994] and
-that certain attacks weaken MD5's protection [Dobbertin 1996]. Indeed, there
-are rumors that a top industry cryptographer has broken MD5, but is bound by
-employee agreement to keep silent (see the Bugtraq 22 August 2000 posting by
-John Viega). Anyone can create a rumor, but enough weaknesses have been found
-that the idea of completing the break is plausible. If you're writing new
-code, use SHA-1 instead of MD5. Don't use the original SHA (now called
-``SHA-0''); SHA-0 had the same weakness that MD5 does. If you need more bits
-in your hash algorithm, use SHA-256, SHA-384, or SHA-512; you can get the
-specifications in NIST FIPS PUB 180-2.
------------------------------------------------------------------------------
-
-11.5.5. Integrity Checking
-
-When communicating, you need some sort of integrity check (don't depend just
-on encryption, since an attacker can then induce changes of information to
-``random'' values). This can be done with hash algorithms, but don't just use
-a hash function directly (this exposes users to an ``extension'' attack - the
-attacker can use the hash value, add data of their choosing, and compute the
-new hash). The usual approach is ``HMAC'', which computes the integrity check
-as
- H(k xor opad, H(k xor ipad, data)).
-where H is the hash function (typically MD5 or SHA-1) and k is the key. Thus,
-integrity checks are often HMAC-MD5 or HMAC-SHA-1. Note that although MD5 has
-some weaknesses, as far as I know MD5 isn't vulnerable when used in this
-construct, so HMAC-MD5 is (to my knowledge) okay. This is defined in detail
-in IETF RFC 2104.
-
-Note that in the HMAC approach, a receiver can forge the same data as a
-sender. This isn't usually a problem, but if this must be avoided, then use
-public key methods and have the sender ``sign'' the data with the sender
-private key - this avoids this forging attack, but it's more expensive and
-for most environments isn't necessary.
------------------------------------------------------------------------------
-
-11.5.6. Randomized Message Authentication Mode (RMAC)
-
-NIST has developed and proposed a new mode for using cryptographic algorithms
-called [http://www.counterpane.com/crypto-gram-0301.html] Randomized Message
-Authentication Code (RMAC). RMAC is intended for use as a message
-authentication code technique.
-
-Although there's a formal proof showing that RMAC is secure, the proof
-depends on the highly questionable assumption that the underlying
-cryptographic algorithm meets the "ideal cipher model" - in particular, that
-the algorithm is secure against a variety of specialized attacks, including
-related-key attacks. Unfortunately, related-key attacks are poorly studied
-for many algorithms; this is not the kind of property or attack that most
-people worry about when analyzing with cryptographic algorithms. It's known
-triple-DES doesn't have this properly, and it's unclear if other
-widely-accepted algorithms like AES have this property (it appears that AES
-is at least weaker against related key attacks than usual attacks).
-
-The best advice right now is "don't use RMAC". There are other ways to do
-message authentication, such as HMAC combined with a cryptographic hash
-algorithm (e.g., HMAC-SHA1). HMAC isn't the same thing (e.g., technically it
-doesn't include a nonce, so you should rekey sooner), but the theoretical
-weaknesses of HMAC are merely theoretical, while the problems in RMAC seem
-far more important in the real world.
------------------------------------------------------------------------------
-
-11.5.7. Other Cryptographic Issues
-
-You should both encrypt and include integrity checks of data that's
-important. Don't depend on the encryption also providing integrity - an
-attacker may be able to change the bits into a different value, and although
-the attacker may not be able to change it to a specific value, merely
-changing the value may be enough. In general, you should use different keys
-for integrity and secrecy, to avoid certain subtle attacks.
-
-One issue not discussed often enough is the problem of ``traffic analysis.''
-That is, even if messages are encrypted and the encryption is not broken, an
-adversary may learn a great deal just from the encrypted messages. For
-example, if the presidents of two companies start exchanging many encrypted
-email messages, it may suggest that the two comparies are considering a
-merger. For another example, many SSH implementations have been found to have
-a weakness in exchanging passwords: observers could look at packets and
-determine the length (or length range) of the password, even if they couldn't
-determine the password itself. They could also also determine other
-information about the password that significantly aided in breaking it.
-
-Be sure to not make it possible to solve a problem in parts, and use
-different keys when the trust environment (who is trusted) changes. Don't use
-the same key for too long - after a while, change the session key or password
-so an adversary will have to start over.
-
-Generally you should compress something you'll encrypt - this does add a
-fixed header, which isn't so good, but it eliminates many patterns in the
-rest of the message as well as making the result smaller, so it's usually
-viewed as a ``win'' if compression is likely to make the result smaller.
-
-In a related note, if you must create your own communication protocol,
-examine the problems of what's gone on before. Classics such as Bellovin
-[1989]'s review of security problems in the TCP/IP protocol suite might help
-you, as well as Bruce Schneier [1998] and Mudge's breaking of Microsoft's
-PPTP implementation and their follow-on work. Again, be sure to give any new
-protocol widespread public review, and reuse what you can.
------------------------------------------------------------------------------
-
-11.6. Using PAM
-
-Pluggable Authentication Modules (PAM) is a flexible mechanism for
-authenticating users. Many Unix-like systems support PAM, including Solaris,
-nearly all Linux distributions (e.g., Red Hat Linux, Caldera, and Debian as
-of version 2.2), and FreeBSD as of version 3.1. By using PAM, your program
-can be independent of the authentication scheme (passwords, SmartCards,
-etc.). Basically, your program calls PAM, which at run-time determines which
-``authentication modules'' are required by checking the configuration set by
-the local system administrator. If you're writing a program that requires
-authentication (e.g., entering a password), you should include support for
-PAM. You can find out more about the Linux-PAM project at [http://
-www.kernel.org/pub/linux/libs/pam/index.html] http://www.kernel.org/pub/linux
-/libs/pam/index.html.
------------------------------------------------------------------------------
-
-11.7. Tools
-
-Some tools may help you detect security problems before you field the result.
-They can't find all such problems, of course, but they can help catch
-problems that would overwise slip by. Here are a few tools, emphasizing open
-source / free software tools.
-
-One obvious type of tool is a program to examine the source code to search
-for patterns of known potential security problems (e.g., calls to library
-functions in ways are often the source of security vulnerabilities). These
-kinds of programs are called ``source code scanners''. Here are a few such
-tools:
-
- * Flawfinder, which I've developed; it's available at [http://
- www.dwheeler.com/flawfinder] http://www.dwheeler.com/flawfinder. This is
- also a program that scans C/C++ source code for common problems, and is
- also licensed under the GPL. Unlike RATS, flawfinder is implemented in
- Python. The developers of RATS and Flawfinder have agreed to find a way
- to work together to create a single ``best of breed'' open source
- program.
-
- * RATS (Rough Auditing Tool for Security) from Secure Software Solutions is
- available at [http://www.securesw.com/rats] http://www.securesw.com/rats.
- This program scans C/C++ source code for common problems, and is licensed
- under the GPL.
-
- * ITS4 from Cigital (formerly Reliable Software Technologies, RST) also
- statically checks C/C++ code. It is available free for non-commercial
- use, including its source code and with certain modification and
- redistribution rights. Note that this isn't released as ``open source''
- as defined by the Open Source Definition (OSD) - In particular, OSD point
- 6 forbids ``non-commercial use only'' clauses in open source licenses.
- ITS4 is available at [http://www.rstcorp.com/its4] http://www.rstcorp.com
- /its4.
-
- * Splint (formerly named LCLint) is a tool for statically checking C
- programs. With minimal effort, splint can be used as a better lint. If
- additional effort is invested adding annotations to programs, splint can
- perform stronger checking than can be done by any standard lint. For
- example, it can be used to statically detect likely buffer overflows. The
- software is licensed under the GPL and is available at [http://
- www.splint.org] http://www.splint.org.
-
- * cqual is a type-based analysis tool for finding bugs in C programs. cqual
- extends the type system of C with extra user-defined type qualifiers,
- e.g., it can note that values are ``tainted'' or ``untainted'' (similar
- to Perl's taint checking). The programmer annotates their program in a
- few places, and cqual performs qualifier inference to check whether the
- annotations are correct. cqual presents the analysis results using
- Program Analysis Mode, an emacs-based interface. The current version of
- cqual can detect potential format-string vulnerabilities in C programs. A
- previous incarnation of cqual, Carillon, has been used to find Y2K bugs
- in C programs. The software is licensed under the GPL and is available
- from [http://www.cs.berkeley.edu/Research/Aiken/cqual] http://
- www.cs.berkeley.edu/Research/Aiken/cqual.
-
- * Cyclone is a C-like language intended to remove C's security weaknesses.
- In theory, you can always switch to a language that is ``more secure,''
- but this doesn't always help (a language can help you avoid common
- mistakes but it can't read your mind). John Viega has reviewed Cyclone,
- and in December 2001 he said: ``Cyclone is definitely a neat language.
- It's a C dialect that doesn't feel like it's taking away any power, yet
- adds strong safety guarantees, along with numerous features that can be a
- real boon to programmers. Unfortunately, Cyclone isn't yet ready for
- prime time. Even with crippling limitations aside, it doesn't yet offer
- enough advantages over Java (or even C with a good set of tools) to make
- it worth the risk of using what is still a very young technology. Perhaps
- in a few years, Cyclone will mature into a robust, widely supported
- language that comes dangerously close to C in terms of efficiency. If
- that day comes, you'll certainly see me abandoning C for good.'' The
- Cyclone compiler has been released under the GPL and LGPL. You can get
- more information from the [http://www.research.att.com/projects/cyclone]
- Cyclone web site.
-
-
-Some tools try to detect potential security flaws at run-time, either to
-counter them or at least to warn the developer about them. Much of Crispen
-Cowan's work, such as StackGuard, fits here.
-
-There are several tools that try to detect various C/C++ memory-management
-problems; these are really general-purpose software quality improvement
-tools, and not specific to security, but memory management problems can
-definitely cause security problems. An especially capable tool is [http://
-developer.kde.org/~sewardj] Valgrind, which detects various memory-management
-problems (such as use of uninitialized memory, reading/writing memory after
-it's been free'd, reading/writing off the end of malloc'ed blocks, and memory
-leaks). Another such tool is Electric Fence (efence) by Bruce Perens, which
-can detect certain memory management errors. [http://www.linkdata.se/
-sourcecode.html] Memwatch (public domain) and [http://odin.ac.hmc.edu/
-~neldredge/yamd/] YAMD (GPL) can detect memory allocation problems for C and
-C++. You can even use the built-in capabilities of the GNU C library's malloc
-library, which has the MALLOC_CHECK_ environment variable (see its manual
-page for more information). There are many others.
-
-Another approach is to create test patterns and run the program, in attempt
-to find weaknesses in the program. Here are a few such tools:
-
- * BFBTester, the Brute Force Binary Tester, is licensed under the GPL. This
- program does quick security checks of binary programs. BFBTester performs
- checks of single and multiple argument command line overflows and
- environment variable overflows. Version 2.0 and higher can also watch for
- tempfile creation activity (to check for using unsafe tempfile names). At
- one time BFBTester didn't run on Linux (due to a technical issue in
- Linux's POSIX threads implementation), but this has been fixed as of
- version 2.0.1. More information is available at [http://
- bfbtester.sourceforge.net/] http://bfbtester.sourceforge.net/
-
- * The [http://fuzz.sourceforge.net] fuzz program is a tool for testing
- other software. It tests programs by bombarding the program being
- evaluated with random data. This tool isn't really specific to security.
-
- * [http://www.immunitysec.com/spike.html] SPIKE is a "fuzzer creation kit",
- i.e., it's a toolkit designed to create "random" tests to find security
- problems. The SPIKE toolkit is particularly designed for protocol
- analysis by simulating network protocol clients, and SPIKE proXy is a
- tool built on SPIKE to test web applications. SPIKE includes a few
- pre-canned tests. SPIKE is licensed under the GPL.
-
-
-There are a number tools that try to give you insight into running programs
-that can also be useful when trying to find security problems in your code.
-This includes symbolic debuggers (such as gdb) and trace programs (such as
-strace and ltrace). One interesting program to support analysis of running
-code is [http://razor.bindview.com/tools/fenris] Fenris (GPL license). Its
-documentation describes Fenris as a ``multipurpose tracer, stateful analyzer
-and partial decompiler intended to simplify bug tracking, security audits,
-code, algorithm or protocol analysis - providing a structural program trace,
-general information about internal constructions, execution path, memory
-operations, I/O, conditional expressions and much more.'' Fenris actually
-supplies a whole suite of tools, including extensive forensics capabilities
-and a nice debugging GUI for Linux. A list of other promising open source
-tools that can be suitable for debugging or code analysis is available at
-[http://lcamtuf.coredump.cx/fenris/debug-tools.html] http://
-lcamtuf.coredump.cx/fenris/debug-tools.html. Another interesting program
-along these lines is Subterfugue, which allows you to control what happens in
-every system call made by a program.
-
-If you're building a common kind of product where many standard potential
-flaws exist (like an ftp server or firewall), you might find standard
-security scanning tools useful. One good one is [http://www.nessus.org]
-Nessus; there are many others. These kinds of tools are very useful for doing
-regression testing, but since they essentially use a list of past specific
-vulnerabilities and common configuration errors, they may not be very helpful
-in finding problems in new programs.
-
-Often, you'll need to call on other tools to implement your secure
-infrastructure. The [http://ospkibook.sourceforge.net] Open-Source PKI Book
-describes a number of open source programs for implmenting a public key
-infrastructure (PKI).
-
-Of course, running a ``secure'' program on an insecure platform configuration
-makes little sense. You may want to examine hardening systems, which attempt
-to configure or modify systems to be more resistant to attacks. For Linux,
-one hardening system is Bastille Linux, available at [http://
-www.bastille-linux.org] http://www.bastille-linux.org.
------------------------------------------------------------------------------
-
-11.8. Windows CE
-
-If you're securing a Windows CE Device, you should read Maricia Alforque's
-"Creating a Secure Windows CE Device" at [http://msdn.microsoft.com/library/
-techart/winsecurity.htm] http://msdn.microsoft.com/library/techart/
-winsecurity.htm.
------------------------------------------------------------------------------
-
-11.9. Write Audit Records
-
-Write audit logs for program startup, session startup, and for suspicious
-activity. Possible information of value includes date, time, uid, euid, gid,
-egid, terminal information, process id, and command line values. You may find
-the function syslog(3) helpful for implementing audit logs. One awkward
-problem is that any logging system should be able to record a lot of
-information (since this information could be very helpful), yet if the
-information isn't handled carefully the information itself could be used to
-create an attack. After all, the attacker controls some of the input being
-sent to the program. When recording data sent by a possible attacker,
-identify a list of ``expected'' characters and escape any ``unexpected''
-characters so that the log isn't corrupted. Not doing this can be a real
-problem; users may include characters such as control characters (especially
-NIL or end-of-line) that can cause real problems. For example, if an attacker
-embeds a newline, they can then forge log entries by following the newline
-with the desired log entry. Sadly, there doesn't seem to be a standard
-convention for escaping these characters. I'm partial to the URL escaping
-mechanism (%hh where hh is the hexadecimal value of the escaped byte) but
-there are others including the C convention (\ooo for the octal value and \X
-where X is a special symbol, e.g., \n for newline). There's also the
-caret-system (^I is control-I), though that doesn't handle byte values over
-127 gracefully.
-
-There is the danger that a user could create a denial-of-service attack (or
-at least stop auditing) by performing a very large number of events that cut
-an audit record until the system runs out of resources to store the records.
-One approach to counter to this threat is to rate-limit audit record
-recording; intentionally slow down the response rate if ``too many'' audit
-records are being cut. You could try to slow the response rate only to the
-suspected attacker, but in many situations a single attacker can masquerade
-as potentially many users.
-
-Selecting what is ``suspicious activity'' is, of course, dependent on what
-the program does and its anticipated use. Any input that fails the filtering
-checks discussed earlier is certainly a candidate (e.g., containing NIL).
-Inputs that could not result from normal use should probably be logged, e.g.,
-a CGI program where certain required fields are missing in suspicious ways.
-Any input with phrases like /etc/passwd or /etc/shadow or the like is very
-suspicious in many cases. Similarly, trying to access Windows ``registry''
-files or .pwl files is very suspicious.
-
-Do not record passwords in an audit record. Often people accidentally enter
-passwords for a different system, so recording a password may allow a system
-administrator to break into a different computer outside the administrator's
-domain.
------------------------------------------------------------------------------
-
-11.10. Physical Emissions
-
-Although it's really outside the scope of this book, it's important to
-remember that computing and communications equipment leaks a lot information
-that makes them hard to really secure. Many people are aware of TEMPEST
-requirements which deal with radio frequency emissions of computers,
-displays, keyboards, and other components which can be eavesdropped. The
-light from displays can also be eavesdropped, even if it's bounced off an
-office wall at great distance [Kuhn 2002]. Modem lights are also enough to
-determine the underlying communication.
------------------------------------------------------------------------------
-
-11.11. Miscellaneous
-
-The following are miscellaneous security guidelines that I couldn't seem to
-fit anywhere else:
-
-Have your program check at least some of its assumptions before it uses them
-(e.g., at the beginning of the program). For example, if you depend on the
-``sticky'' bit being set on a given directory, test it; such tests take
-little time and could prevent a serious problem. If you worry about the
-execution time of some tests on each call, at least perform the test at
-installation time, or even better at least perform the test on application
-start-up.
-
-If you have a built-in scripting language, it may be possible for the
-language to set an environment variable which adversely affects the program
-invoking the script. Defend against this.
-
-If you need a complex configuration language, make sure the language has a
-comment character and include a number of commented-out secure examples.
-Often '#' is used for commenting, meaning ``the rest of this line is a
-comment''.
-
-If possible, don't create setuid or setgid root programs; make the user log
-in as root instead.
-
-Sign your code. That way, others can check to see if what's available was
-what was sent.
-
-In some applications you may need to worry about timing attacks, where the
-variation in timing or CPU utilitization is enough to give away important
-information. This kind of attack has been used to obtain keying information
-from Smartcards, for example. Mauro Lacy has published a paper titled [http:/
-/maurol.com.ar/security/RTT.pdf] Remote Timing Techniques, showing that you
-can (in some cases) determine over an Internet whether or not a given user id
-exists, simply from the effort expended by the CPU (which can be detected
-remotely using techniques described in the paper). The only way to deal with
-these sorts of problems is to make sure that the same effort is performed
-even when it isn't necessary. The problem is that in some cases this may make
-the system more vulnerable to a denial of service attack, since it can't
-optimize away unnecessary work.
-
-Consider statically linking secure programs. This counters attacks on the
-dynamic link library mechanism by making sure that the secure programs don't
-use it. There are several downsides to this however. This is likely to
-increase disk and memory use (from multiple copies of the same routines).
-Even worse, it makes updating of libraries (e.g., for security
-vulnerabilities) more difficult - in most systems they won't be automatically
-updated and have to be tracked and implemented separately.
-
-When reading over code, consider all the cases where a match is not made. For
-example, if there is a switch statement, what happens when none of the cases
-match? If there is an ``if'' statement, what happens when the condition is
-false?
-
-Merely ``removing'' a file doesn't eliminate the file's data from a disk; on
-most systems this simply marks the content as ``deleted'' and makes it
-eligible for later reuse, and often data is at least temporarily stored in
-other places (such as memory, swap files, and temporary files). Indeed,
-against a determined attacker, writing over the data isn't enough. A classic
-paper on the problems of erasing magnetic media is Peter Gutmann's paper
-[http://www-tac.cisco.com/Support_Library/field_alerts/fn13070.html] ``Secure
-Deletion of Data from Magnetic and Solid-State Memory''. A determined
-adversary can use other means, too, such as monitoring electromagnetic
-emissions from computers (military systems have to obey TEMPEST rules to
-overcome this) and/or surreptitious attacks (such as monitors hidden in
-keyboards).
-
-When fixing a security vulnerability, consider adding a ``warning'' to detect
-and log an attempt to exploit the (now fixed) vulnerability. This will reduce
-the likelihood of an attack, especially if there's no way for an attacker to
-predetermine if the attack will work, since it exposes an attack in progress.
-In short, it turns a vulnerability into an intrusion detection system. This
-also suggests that exposing the version of a server program before
-authentication is usually a bad idea for security, since doing so makes it
-easy for an attacker to only use attacks that would work. Some programs make
-it possible for users to intentionally ``lie'' about their version, so that
-attackers will use the ``wrong attacks'' and be detected. Also, if the
-vulnerability can be triggered over a network, please make sure that security
-scanners can detect the vulnerability. I suggest contacting Nessus ([http://
-www.nessus.org] http://www.nessus.org) and make sure that their open source
-security scanner can detect the problem. That way, users who don't check
-their software for upgrades will at least learn about the problem during
-their security vulnerability scans (if they do them as they should).
-
-Always include in your documentation contact information for where to report
-security problems. You should also support at least one of the common email
-addresses for reporting security problems (security-alert@SITE, secure@SITE,
-or security@SITE); it's often good to have support@SITE and info@SITE working
-as well. Be prepared to support industry practices by those who have a
-security flaw to report, such as the [http://www.wiretrip.net/rfp/
-policy.html] Full Disclosure Policy (RFPolicy) and the IETF Internet draft,
-``Responsible Vulnerability Disclosure Process''. It's important to quickly
-work with anyone who is reporting a security flaw; remember that they are
-doing you a favor by reporting the problem to you, and that they are under no
-obligation to do so. It's especially important, once the problem is fixed, to
-give proper credit to the reporter of the flaw (unless they ask otherwise).
-Many reporters provide the information solely to gain the credit, and it's
-generally accepted that credit is owed to the reporter. Some vendors argue
-that people should never report vulnerabilities to the public; the problem
-with this argument is that this was once common, and the result was vendors
-who denied vulnerabilities while their customers were getting constantly
-subverted for years at a time.
-
-Follow best practices and common conventions when leading a software
-development project. If you are leading an open source software / free
-software project, some useful guidelines can be found in [http://www.tldp.org
-/HOWTO/Software-Proj-Mgmt-HOWTO/index.html] Free Software Project Management
-HOWTO and [http://www.tldp.org/HOWTO/Software-Release-Practice-HOWTO/
-index.html] Software Release Practice HOWTO; you should also read [http://
-www.catb.org/~esr/writings/cathedral-bazaar] The Cathedral and the Bazaar.
-
-Every once in a while, review security guidelines like this one. At least
-re-read the conclusions in Chapter 12, and feel free to go back to the
-introduction (Chapter 1) and start again!
------------------------------------------------------------------------------
-
-Chapter 12. Conclusion
-
- The end of a matter is better than its
- beginning, and patience is better than
- pride.
- Ecclesiastes 7:8 (NIV)
-
-Designing and implementing a truly secure program is actually a difficult
-task on Unix-like systems such as Linux and Unix. The difficulty is that a
-truly secure program must respond appropriately to all possible inputs and
-environments controlled by a potentially hostile user. Developers of secure
-programs must deeply understand their platform, seek and use guidelines (such
-as these), and then use assurance processes (such as inspections and other
-peer review techniques) to reduce their programs' vulnerabilities.
-
-In conclusion, here are some of the key guidelines in this book:
-
- * Validate all your inputs, including command line inputs, environment
- variables, CGI inputs, and so on. Don't just reject ``bad'' input; define
- what is an ``acceptable'' input and reject anything that doesn't match.
-
- * Avoid buffer overflow. Make sure that long inputs (and long intermediate
- data values) can't be used to take over your program. This is the primary
- programmatic error at this time.
-
- * Structure program internals. Secure the interface, minimize privileges,
- make the initial configuration and defaults safe, and fail safe. Avoid
- race conditions (e.g., by safely opening any files in a shared directory
- like /tmp). Trust only trustworthy channels (e.g., most servers must not
- trust their clients for security checks or other sensitive data such as
- an item's price in a purchase).
-
- * Carefully call out to other resources. Limit their values to valid values
- (in particular be concerned about metacharacters), and check all system
- call return values.
-
- * Reply information judiciously. In particular, minimize feedback, and
- handle full or unresponsive output to an untrusted user.
-
-
-
------------------------------------------------------------------------------
-
-Chapter 13. Bibliography
-
- The words of the wise are like goads,
- their collected sayings like firmly
- embedded nails--given by one Shepherd.
- Be warned, my son, of anything in
- addition to them. Of making many books
- there is no end, and much study
- wearies the body.
- Ecclesiastes 12:11-12 (NIV)
-
-Note that there is a heavy emphasis on technical articles available on the
-web, since this is where most of this kind of technical information is
-available.
-
-[Advosys 2000] Advosys Consulting (formerly named Webber Technical Services).
-Writing Secure Web Applications. [http://advosys.ca/tips/web-security.html]
-http://advosys.ca/tips/web-security.html
-
-[Al-Herbish 1999] Al-Herbish, Thamer. 1999. Secure Unix Programming FAQ.
-[http://www.whitefang.com/sup] http://www.whitefang.com/sup.
-
-[Aleph1 1996] Aleph1. November 8, 1996. ``Smashing The Stack For Fun And
-Profit''. Phrack Magazine. Issue 49, Article 14. [http://www.phrack.com/
-search.phtml?view&article=p49-14] http://www.phrack.com/search.phtml?view&
-article=p49-14 or alternatively [http://www.2600.net/phrack/p49-14.html]
-http://www.2600.net/phrack/p49-14.html.
-
-[Anonymous 1999] Anonymous. October 1999. Maximum Linux Security: A Hacker's
-Guide to Protecting Your Linux Server and Workstation Sams. ISBN: 0672316706.
-
-[Anonymous 1998] Anonymous. September 1998. Maximum Security : A Hacker's
-Guide to Protecting Your Internet Site and Network. Sams. Second Edition.
-ISBN: 0672313413.
-
-[Anonymous Phrack 2001] Anonymous. August 11, 2001. Once upon a free().
-Phrack, Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12. [http://phrack.org/
-show.php?p=57&a=9] http://phrack.org/show.php?p=57&a=9
-
-[AUSCERT 1996] Australian Computer Emergency Response Team (AUSCERT) and
-O'Reilly. May 23, 1996 (rev 3C). A Lab Engineers Check List for Writing
-Secure Unix Code. [ftp://ftp.auscert.org.au/pub/auscert/papers/
-secure_programming_checklist] ftp://ftp.auscert.org.au/pub/auscert/papers/
-secure_programming_checklist
-
-[Bach 1986] Bach, Maurice J. 1986. The Design of the Unix Operating System.
-Englewood Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-201799-7 025.
-
-[Beattie 2002] Beattie, Steve, Seth Arnold, Crispin Cowan, Perry Wagle, Chris
-Wright, Adam Shostack. November 2002. Timing the Application of Security
-Patches for Optimal Uptime. 2002 LISA XVI, November 3-8, 2002, Philadelphia,
-PA.
-
-[Bellovin 1989] Bellovin, Steven M. April 1989. "Security Problems in the TCP
-/IP Protocol Suite" Computer Communications Review 2:19, pp. 32-48. [http://
-www.research.att.com/~smb/papers/ipext.pdf] http://www.research.att.com/~smb/
-papers/ipext.pdf
-
-[Bellovin 1994] Bellovin, Steven M. December 1994. Shifting the Odds --
-Writing (More) Secure Software. Murray Hill, NJ: AT&T Research. [http://
-www.research.att.com/~smb/talks] http://www.research.att.com/~smb/talks
-
-[Bishop 1996] Bishop, Matt. May 1996. ``UNIX Security: Security in
-Programming''. SANS '96. Washington DC (May 1996). [http://
-olympus.cs.ucdavis.edu/~bishop/secprog.html] http://olympus.cs.ucdavis.edu/
-~bishop/secprog.html
-
-[Bishop 1997] Bishop, Matt. October 1997. ``Writing Safe Privileged
-Programs''. Network Security 1997 New Orleans, LA. [http://
-olympus.cs.ucdavis.edu/~bishop/secprog.html] http://olympus.cs.ucdavis.edu/
-~bishop/secprog.html
-
-[Blaze 1996] Blaze, Matt, Whitfield Diffie, Ronald L. Rivest, Bruce Schneier,
-Tsutomu Shimomura, Eric Thompson, and Michael Wiener. January 1996. ``Minimal
-Key Lengths for Symmetric Ciphers to Provide Adequate Commercial Security: A
-Report by an Ad Hoc Group of Cryptographers and Computer Scientists.'' [ftp:/
-/ftp.research.att.com/dist/mab/keylength.txt] ftp://ftp.research.att.com/dist
-/mab/keylength.txt and [ftp://ftp.research.att.com/dist/mab/keylength.ps]
-ftp://ftp.research.att.com/dist/mab/keylength.ps.
-
-[CC 1999] The Common Criteria for Information Technology Security Evaluation
-(CC). August 1999. Version 2.1. Technically identical to International
-Standard ISO/IEC 15408:1999. [http://csrc.nist.gov/cc/ccv20/ccv2list.htm]
-http://csrc.nist.gov/cc/ccv20/ccv2list.htm
-
-[CERT 1998] Computer Emergency Response Team (CERT) Coordination Center (CERT
-/CC). February 13, 1998. Sanitizing User-Supplied Data in CGI Scripts. CERT
-Advisory CA-97.25.CGI_metachar. [http://www.cert.org/advisories/
-CA-97.25.CGI_metachar.html] http://www.cert.org/advisories/
-CA-97.25.CGI_metachar.html.
-
-[Cheswick 1994] Cheswick, William R. and Steven M. Bellovin. Firewalls and
-Internet Security: Repelling the Wily Hacker. Full text at [http://
-www.wilyhacker.com] http://www.wilyhacker.com.
-
-[Clowes 2001] Clowes, Shaun. 2001. ``A Study In Scarlet - Exploiting Common
-Vulnerabilities in PHP'' [http://www.securereality.com.au/archives.html]
-http://www.securereality.com.au/archives.html
-
-[CMU 1998] Carnegie Mellon University (CMU). February 13, 1998 Version 1.4.
-``How To Remove Meta-characters From User-Supplied Data In CGI Scripts''.
-[ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters] ftp://ftp.cert.org/pub/
-tech_tips/cgi_metacharacters.
-
-[Cowan 1999] Cowan, Crispin, Perry Wagle, Calton Pu, Steve Beattie, and
-Jonathan Walpole. ``Buffer Overflows: Attacks and Defenses for the
-Vulnerability of the Decade''. Proceedings of DARPA Information Survivability
-Conference and Expo (DISCEX), [http://schafercorp-ballston.com/discex] http:/
-/schafercorp-ballston.com/discex SANS 2000. [http://www.sans.org/newlook/
-events/sans2000.htm] http://www.sans.org/newlook/events/sans2000.htm. For a
-copy, see [http://immunix.org/documentation.html] http://immunix.org/
-documentation.html.
-
-[Cox 2000] Cox, Philip. March 30, 2001. Hardening Windows 2000. [http://
-www.systemexperts.com/win2k/hardenW2K11.pdf] http://www.systemexperts.com/
-win2k/hardenW2K11.pdf.
-
-[Dobbertin 1996]. Dobbertin, H. 1996. The Status of MD5 After a Recent
-Attack. RSA Laboratories' CryptoBytes. Vol. 2, No. 2.
-
-[Felten 1997] Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach.
-Web Spoofing: An Internet Con Game Technical Report 540-96 (revised Feb.
-1997) Department of Computer Science, Princeton University [http://
-www.cs.princeton.edu/sip/pub/spoofing.pdf] http://www.cs.princeton.edu/sip/
-pub/spoofing.pdf
-
-[Fenzi 1999] Fenzi, Kevin, and Dave Wrenski. April 25, 1999. Linux Security
-HOWTO. Version 1.0.2. [http://www.tldp.org/HOWTO/Security-HOWTO.html] http://
-www.tldp.org/HOWTO/Security-HOWTO.html
-
-[FHS 1997] Filesystem Hierarchy Standard (FHS 2.0). October 26, 1997.
-Filesystem Hierarchy Standard Group, edited by Daniel Quinlan. Version 2.0.
-[http://www.pathname.com/fhs] http://www.pathname.com/fhs.
-
-[Filipski 1986] Filipski, Alan and James Hanko. April 1986. ``Making Unix
-Secure.'' Byte (Magazine). Peterborough, NH: McGraw-Hill Inc. Vol. 11, No. 4.
-ISSN 0360-5280. pp. 113-128.
-
-[Flake 2001] Flake, Havlar. Auditing Binaries for Security Vulnerabilities.
-[http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html] http://
-www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html.
-
-[FOLDOC] Free On-Line Dictionary of Computing. [http://foldoc.doc.ic.ac.uk/
-foldoc/index.html] http://foldoc.doc.ic.ac.uk/foldoc/index.html.
-
-[Forristal 2001] Forristal, Jeff, and Greg Shipley. January 8, 2001.
-Vulnerability Assessment Scanners. Network Computing. [http://www.nwc.com/
-1201/1201f1b1.html] http://www.nwc.com/1201/1201f1b1.html
-
-[FreeBSD 1999] FreeBSD, Inc. 1999. ``Secure Programming Guidelines''. FreeBSD
-Security Information. [http://www.freebsd.org/security/security.html] http://
-www.freebsd.org/security/security.html
-
-[Friedl 1997] Friedl, Jeffrey E. F. 1997. Mastering Regular Expressions.
-O'Reilly. ISBN 1-56592-257-3.
-
-[FSF 1998] Free Software Foundation. December 17, 1999. Overview of the GNU
-Project. [http://www.gnu.ai.mit.edu/gnu/gnu-history.html] http://
-www.gnu.ai.mit.edu/gnu/gnu-history.html
-
-[FSF 1999] Free Software Foundation. January 11, 1999. The GNU C Library
-Reference Manual. Edition 0.08 DRAFT, for Version 2.1 Beta of the GNU C
-Library. Available at, for example, [http://www.netppl.fi/~pp/glibc21/
-libc_toc.html] http://www.netppl.fi/~pp/glibc21/libc_toc.html
-
-[Fu 2001] Fu, Kevin, Emil Sit, Kendra Smith, and Nick Feamster. August 2001.
-``Dos and Don'ts of Client Authentication on the Web''. Proceedings of the
-10th USENIX Security Symposium, Washington, D.C., August 2001. [http://
-cookies.lcs.mit.edu/pubs/webauth.html] http://cookies.lcs.mit.edu/pubs/
-webauth.html.
-
-[Gabrilovich 2002] Gabrilovich, Evgeniy, and Alex Gontmakher. February 2002.
-``Inside Risks: The Homograph Attack''. Communications of the ACM. Volume 45,
-Number 2. Page 128.
-
-[Galvin 1998a] Galvin, Peter. April 1998. ``Designing Secure Software''.
-Sunworld. [http://www.sunworld.com/swol-04-1998/swol-04-security.html] http:/
-/www.sunworld.com/swol-04-1998/swol-04-security.html.
-
-[Galvin 1998b] Galvin, Peter. August 1998. ``The Unix Secure Programming
-FAQ''. Sunworld. [http://www.sunworld.com/sunworldonline/swol-08-1998/
-swol-08-security.html] http://www.sunworld.com/sunworldonline/swol-08-1998/
-swol-08-security.html
-
-[Garfinkel 1996] Garfinkel, Simson and Gene Spafford. April 1996. Practical
-UNIX & Internet Security, 2nd Edition. ISBN 1-56592-148-8. Sebastopol, CA:
-O'Reilly & Associates, Inc. [http://www.oreilly.com/catalog/puis] http://
-www.oreilly.com/catalog/puis
-
-[Garfinkle 1997] Garfinkle, Simson. August 8, 1997. 21 Rules for Writing
-Secure CGI Programs. [http://webreview.com/wr/pub/97/08/08/bookshelf] http://
-webreview.com/wr/pub/97/08/08/bookshelf
-
-[Gay 2000] Gay, Warren W. October 2000. Advanced Unix Programming.
-Indianapolis, Indiana: Sams Publishing. ISBN 0-67231-990-X.
-
-[Geodsoft 2001] Geodsoft. February 7, 2001. Hardening OpenBSD Internet
-Servers. [http://www.geodsoft.com/howto/harden] http://www.geodsoft.com/howto
-/harden.
-
-[Graham 1999] Graham, Jeff. May 4, 1999. Security-Audit's Frequently Asked
-Questions (FAQ). [http://lsap.org/faq.txt] http://lsap.org/faq.txt
-
-[Gong 1999] Gong, Li. June 1999. Inside Java 2 Platform Security. Reading,
-MA: Addison Wesley Longman, Inc. ISBN 0-201-31000-7.
-
-[Gundavaram Unknown] Gundavaram, Shishir, and Tom Christiansen. Date Unknown.
-Perl CGI Programming FAQ. [http://language.perl.com/CPAN/doc/FAQs/cgi/
-perl-cgi-faq.html] http://language.perl.com/CPAN/doc/FAQs/cgi/
-perl-cgi-faq.html
-
-[Hall 1999] Hall, Brian "Beej". Beej's Guide to Network Programming Using
-Internet Sockets. 13-Jan-1999. Version 1.5.5. [http://www.ecst.csuchico.edu/
-~beej/guide/net] http://www.ecst.csuchico.edu/~beej/guide/net
-
-[Howard 2002] Howard, Michael and David LeBlanc. 2002. Writing Secure Code.
-Redmond, Washington: Microsoft Press. ISBN 0-7356-1588-8.
-
-[ISO 12207] International Organization for Standardization (ISO). 1995.
-Information technology -- Software life cycle processes ISO/IEC 12207:1995.
-
-[ISO 13335] International Organization for Standardization (ISO). ISO/IEC TR
-13335. Guidelines for the Management of IT Security (GMITS). Note that this
-is a five-part technical report (not a standard); see also ISO/IEC 17799:
-2000. It includes:
-
- * ISO 13335-1: Concepts and Models for IT Security
-
- * ISO 13335-2: Managing and Planning IT Security
-
- * ISO 13335-3: Techniques for the Management of IT Security
-
- * ISO 13335-4: Selection of Safeguards
-
- * ISO 13335-5: Safeguards for External Connections
-
-
-[ISO 17799] International Organization for Standardization (ISO). December
-2000. Code of Practice for Information Security Management. ISO/IEC 17799:
-2000.
-
-[ISO 9000] International Organization for Standardization (ISO). 2000.
-Quality management systems - Fundamentals and vocabulary. ISO 9000:2000. See
-[http://www.iso.ch/iso/en/iso9000-14000/iso9000/selection_use/
-iso9000family.html] http://www.iso.ch/iso/en/iso9000-14000/iso9000/
-selection_use/iso9000family.html
-
-[ISO 9001] International Organization for Standardization (ISO). 2000.
-Quality management systems - Requirements ISO 9001:2000
-
-[Jones 2000] Jones, Jennifer. October 30, 2000. ``Banking on Privacy''.
-InfoWorld, Volume 22, Issue 44. San Mateo, CA: International Data Group
-(IDG). pp. 1-12.
-
-[Kelsey 1998] Kelsey, J., B. Schneier, D. Wagner, and C. Hall. March 1998.
-"Cryptanalytic Attacks on Pseudorandom Number Generators." Fast Software
-Encryption, Fifth International Workshop Proceedings (March 1998),
-Springer-Verlag, 1998, pp. 168-188. [http://www.counterpane.com/
-pseudorandom_number.html] http://www.counterpane.com/
-pseudorandom_number.html.
-
-[Kernighan 1988] Kernighan, Brian W., and Dennis M. Ritchie. 1988. The C
-Programming Language. Second Edition. Englewood Cliffs, NJ: Prentice-Hall.
-ISBN 0-13-110362-8.
-
-[Kim 1996] Kim, Eugene Eric. 1996. CGI Developer's Guide. SAMS.net
-Publishing. ISBN: 1-57521-087-8 [http://www.eekim.com/pubs/cgibook] http://
-www.eekim.com/pubs/cgibook
-
-Kolsek [2002] Kolsek, Mitja. December 2002. Session Fixation Vulnerability in
-Web-based Applications [http://www.acros.si/papers/session_fixation.pdf]
-http://www.acros.si/papers/session_fixation.pdf.
-
-[Kuchling 2000]. Kuchling, A.M. 2000. Restricted Execution HOWTO. [http://
-www.python.org/doc/howto/rexec/rexec.html] http://www.python.org/doc/howto/
-rexec/rexec.html
-
-[Kuhn 2002] Kuhn, Markus G. Optical Time-Domain Eavesdropping Risks of CRT
-displays. Proceedings of the 2002 IEEE Symposium on Security and Privacy,
-Oakland, CA, May 12-15, 2002. [http://www.cl.cam.ac.uk/~mgk25/
-ieee02-optical.pdf] http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf
-
-[LSD 2001] The Last Stage of Delirium. July 4, 2001. UNIX Assembly Codes
-Development for Vulnerabilities Illustration Purposes. [http://lsd-pl.net/
-papers.html#assembly] http://lsd-pl.net/papers.html#assembly.
-
-[McClure 1999] McClure, Stuart, Joel Scambray, and George Kurtz. 1999.
-Hacking Exposed: Network Security Secrets and Solutions. Berkeley, CA:
-Osbourne/McGraw-Hill. ISBN 0-07-212127-0.
-
-[McKusick 1999] McKusick, Marshall Kirk. January 1999. ``Twenty Years of
-Berkeley Unix: From AT&T-Owned to Freely Redistributable.'' Open Sources:
-Voices from the Open Source Revolution. [http://www.oreilly.com/catalog/
-opensources/book/kirkmck.html] http://www.oreilly.com/catalog/opensources/
-book/kirkmck.html.
-
-[McGraw 1999] McGraw, Gary, and Edward W. Felten. December 1998. Twelve Rules
-for developing more secure Java code. Javaworld. [http://www.javaworld.com/
-javaworld/jw-12-1998/jw-12-securityrules.html] http://www.javaworld.com/
-javaworld/jw-12-1998/jw-12-securityrules.html.
-
-[McGraw 1999] McGraw, Gary, and Edward W. Felten. January 25, 1999. Securing
-Java: Getting Down to Business with Mobile Code, 2nd Edition John Wiley &
-Sons. ISBN 047131952X. [http://www.securingjava.com] http://
-www.securingjava.com.
-
-[McGraw 2000a] McGraw, Gary and John Viega. March 1, 2000. Make Your Software
-Behave: Learning the Basics of Buffer Overflows. [http://www-4.ibm.com/
-software/developer/library/overflows/index.html] http://www-4.ibm.com/
-software/developer/library/overflows/index.html.
-
-[McGraw 2000b] McGraw, Gary and John Viega. April 18, 2000. Make Your
-Software Behave: Software strategies In the absence of hardware, you can
-devise a reasonably secure random number generator through software. [http://
-www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=security]
-http://www-106.ibm.com/developerworks/library/randomsoft/index.html?dwzone=
-security.
-
-[Miller 1995] Miller, Barton P., David Koski, Cjin Pheow Lee, Vivekananda
-Maganty, Ravi Murthy, Ajitkumar Natarajan, and Jeff Steidl. 1995. Fuzz
-Revisited: A Re-examination of the Reliability of UNIX Utilities and
-Services. [ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf]
-ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.pdf.
-
-[Miller 1999] Miller, Todd C. and Theo de Raadt. ``strlcpy and strlcat --
-Consistent, Safe, String Copy and Concatenation'' Proceedings of Usenix '99.
-[http://www.usenix.org/events/usenix99/millert.html] http://www.usenix.org/
-events/usenix99/millert.html and [http://www.usenix.org/events/usenix99/
-full_papers/millert/PACKING_LIST] http://www.usenix.org/events/usenix99/
-full_papers/millert/PACKING_LIST
-
-[Mookhey 2002] Mookhey, K. K. The Unix Auditor's Practical Handbook. [http://
-www.nii.co.in/tuaph.html] http://www.nii.co.in/tuaph.html.
-
-[Mudge 1995] Mudge. October 20, 1995. How to write Buffer Overflows. l0pht
-advisories. [http://www.l0pht.com/advisories/bufero.html] http://
-www.l0pht.com/advisories/bufero.html.
-
-[Murhammer 1998] Murhammer, Martin W., Orcun Atakan, Stefan Bretz, Larry R.
-Pugh, Kazunari Suzuki, and David H. Wood. October 1998. TCP/IP Tutorial and
-Technical Overview IBM International Technical Support Organization. [http://
-www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf] http://
-www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf
-
-[NCSA] NCSA Secure Programming Guidelines. [http://www.ncsa.uiuc.edu/General/
-Grid/ACES/security/programming] http://www.ncsa.uiuc.edu/General/Grid/ACES/
-security/programming.
-
-[Neumann 2000] Neumann, Peter. 2000. "Robust Nonproprietary Software."
-Proceedings of the 2000 IEEE Symposium on Security and Privacy (the ``Oakland
-Conference''), May 14-17, 2000, Berkeley, CA. Los Alamitos, CA: IEEE Computer
-Society. pp.122-123.
-
-[NSA 2000] National Security Agency (NSA). September 2000. Information
-Assurance Technical Framework (IATF). [http://www.iatf.net] http://
-www.iatf.net.
-
-[Open Group 1997] The Open Group. 1997. Single UNIX Specification, Version 2
-(UNIX 98). [http://www.opengroup.org/online-pubs?DOC=007908799] http://
-www.opengroup.org/online-pubs?DOC=007908799.
-
-[OSI 1999] Open Source Initiative. 1999. The Open Source Definition. [http://
-www.opensource.org/osd.html] http://www.opensource.org/osd.html.
-
-[Opplinger 1998] Oppliger, Rolf. 1998. Internet and Intranet Security.
-Norwood, MA: Artech House. ISBN 0-89006-829-1.
-
-[Paulk 1993a] Mark C. Paulk, Bill Curtis, Mary Beth Chrissis, and Charles V.
-Weber. Capability Maturity Model for Software, Version 1.1. Software
-Engineering Institute, CMU/SEI-93-TR-24. DTIC Number ADA263403, February
-1993. [http://www.sei.cmu.edu/activities/cmm/obtain.cmm.html] http://
-www.sei.cmu.edu/activities/cmm/obtain.cmm.html.
-
-[Paulk 1993b] Mark C. Paulk, Charles V. Weber, Suzanne M. Garcia, Mary Beth
-Chrissis, and Marilyn W. Bush. Key Practices of the Capability Maturity
-Model, Version 1.1. Software Engineering Institute. CMU/SEI-93-TR-25, DTIC
-Number ADA263432, February 1993.
-
-[Peteanu 2000] Peteanu, Razvan. July 18, 2000. Best Practices for Secure Web
-Development. [http://members.home.net/razvan.peteanu] http://members.home.net
-/razvan.peteanu
-
-[Pfleeger 1997] Pfleeger, Charles P. 1997. Security in Computing. Upper
-Saddle River, NJ: Prentice-Hall PTR. ISBN 0-13-337486-6.
-
-[Phillips 1995] Phillips, Paul. September 3, 1995. Safe CGI Programming.
-[http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt] http://
-www.go2net.com/people/paulp/cgi-security/safe-cgi.txt
-
-[Quintero 1999] Quintero, Federico Mena, Miguel de Icaza, and Morten Welinder
-GNOME Programming Guidelines [http://developer.gnome.org/doc/guides/
-programming-guidelines/book1.html] http://developer.gnome.org/doc/guides/
-programming-guidelines/book1.html
-
-[Raymond 1997] Raymond, Eric. 1997. The Cathedral and the Bazaar. [http://
-www.catb.org/~esr/writings/cathedral-bazaar] http://www.catb.org/~esr/
-writings/cathedral-bazaar
-
-[Raymond 1998] Raymond, Eric. April 1998. Homesteading the Noosphere. [http:/
-/www.catb.org/~esr/writings/homesteading/homesteading.html] http://
-www.catb.org/~esr/writings/homesteading/homesteading.html
-
-[Ranum 1998] Ranum, Marcus J. 1998. Security-critical coding for programmers
-- a C and UNIX-centric full-day tutorial. [http://www.clark.net/pub/mjr/pubs/
-pdf/] http://www.clark.net/pub/mjr/pubs/pdf/.
-
-[RFC 822] August 13, 1982 Standard for the Format of ARPA Internet Text
-Messages. IETF RFC 822. [http://www.ietf.org/rfc/rfc0822.txt] http://
-www.ietf.org/rfc/rfc0822.txt.
-
-[rfp 1999] rain.forest.puppy. 1999. ``Perl CGI problems''. Phrack Magazine.
-Issue 55, Article 07. [http://www.phrack.com/search.phtml?view&article=p55-7]
-http://www.phrack.com/search.phtml?view&article=p55-7 or [http://
-www.insecure.org/news/P55-07.txt] http://www.insecure.org/news/P55-07.txt.
-
-[Rijmen 2000] Rijmen, Vincent. "LinuxSecurity.com Speaks With AES Winner".
-[http://www.linuxsecurity.com/feature_stories/interview-aes-3.html] http://
-www.linuxsecurity.com/feature_stories/interview-aes-3.html.
-
-[Rochkind 1985]. Rochkind, Marc J. Advanced Unix Programming. Englewood
-Cliffs, NJ: Prentice-Hall, Inc. ISBN 0-13-011818-4.
-
-[Sahu 2002] Sahu, Bijaya Nanda, Srinivasan S. Muthuswamy, Satya Nanaji Rao
-Mallampalli, and Venkata R. Bonam. July 2002 ``Is your Java code secure -- or
-exposed? Build safer applications now to avoid trouble later'' [http://
-www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=dwmain]
-http://www-106.ibm.com/developerworks/java/library/j-staticsec.html?loc=
-dwmain
-
-[St. Laurent 2000] St. Laurent, Simon. February 2000. XTech 2000 Conference
-Reports. ``When XML Gets Ugly''. [http://www.xml.com/pub/2000/02/xtech/
-megginson.html] http://www.xml.com/pub/2000/02/xtech/megginson.html.
-
-[Saltzer 1974] Saltzer, J. July 1974. ``Protection and the Control of
-Information Sharing in MULTICS''. Communications of the ACM. v17 n7. pp.
-388-402.
-
-[Saltzer 1975] Saltzer, J., and M. Schroeder. September 1975. ``The
-Protection of Information in Computing Systems''. Proceedings of the IEEE.
-v63 n9. pp. 1278-1308. [http://www.mediacity.com/~norm/CapTheory/ProtInf]
-http://www.mediacity.com/~norm/CapTheory/ProtInf. Summarized in [Pfleeger
-1997, 286].
-
-[Schneider 2000] Schneider, Fred B. 2000. "Open Source in Security: Visting
-the Bizarre." Proceedings of the 2000 IEEE Symposium on Security and Privacy
-(the ``Oakland Conference''), May 14-17, 2000, Berkeley, CA. Los Alamitos,
-CA: IEEE Computer Society. pp.126-127.
-
-[Schneier 1996] Schneier, Bruce. 1996. Applied Cryptography, Second Edition:
-Protocols, Algorithms, and Source Code in C. New York: John Wiley and Sons.
-ISBN 0-471-12845-7.
-
-[Schneier 1998] Schneier, Bruce and Mudge. November 1998. Cryptanalysis of
-Microsoft's Point-to-Point Tunneling Protocol (PPTP) Proceedings of the 5th
-ACM Conference on Communications and Computer Security, ACM Press. [http://
-www.counterpane.com/pptp.html] http://www.counterpane.com/pptp.html.
-
-[Schneier 1999] Schneier, Bruce. September 15, 1999. ``Open Source and
-Security''. Crypto-Gram. Counterpane Internet Security, Inc. [http://
-www.counterpane.com/crypto-gram-9909.html] http://www.counterpane.com/
-crypto-gram-9909.html
-
-[Seifried 1999] Seifried, Kurt. October 9, 1999. Linux Administrator's
-Security Guide. [http://www.securityportal.com/lasg] http://
-www.securityportal.com/lasg.
-
-[Seifried 2001] Seifried, Kurt. September 2, 2001. WWW Authentication [http:/
-/www.seifried.org/security/www-auth/index.html] http://www.seifried.org/
-security/www-auth/index.html.
-
-[Shankland 2000] Shankland, Stephen. ``Linux poses increasing threat to
-Windows 2000''. CNET. [http://news.cnet.com/news/0-1003-200-1549312.html]
-http://news.cnet.com/news/0-1003-200-1549312.html
-
-[Shostack 1999] Shostack, Adam. June 1, 1999. Security Code Review Guidelines
-. [http://www.homeport.org/~adam/review.html] http://www.homeport.org/~adam/
-review.html.
-
-[Sibert 1996] Sibert, W. Olin. Malicious Data and Computer Security. (NIST)
-NISSC '96. [http://www.fish.com/security/maldata.html] http://www.fish.com/
-security/maldata.html
-
-[Sitaker 1999] Sitaker, Kragen. Feb 26, 1999. How to Find Security Holes
-[http://www.pobox.com/~kragen/security-holes.html] http://www.pobox.com/
-~kragen/security-holes.html and [http://www.dnaco.net/~kragen/
-security-holes.html] http://www.dnaco.net/~kragen/security-holes.html
-
-[SSE-CMM 1999] SSE-CMM Project. April 1999. Systems Security Engineering
-Capability Maturity Model (SSE CMM) Model Description Document. Version 2.0.
-[http://www.sse-cmm.org] http://www.sse-cmm.org
-
-[Stallings 1996] Stallings, William. Practical Cryptography for Data
-Internetworks. Los Alamitos, CA: IEEE Computer Society Press. ISBN
-0-8186-7140-8.
-
-[Stein 1999]. Stein, Lincoln D. September 13, 1999. The World Wide Web
-Security FAQ. Version 2.0.1 [http://www.w3.org/Security/Faq/
-www-security-faq.html] http://www.w3.org/Security/Faq/www-security-faq.html
-
-[Swan 2001] Swan, Daniel. January 6, 2001. comp.os.linux.security FAQ.
-Version 1.0. [http://www.linuxsecurity.com/docs/colsfaq.html] http://
-www.linuxsecurity.com/docs/colsfaq.html.
-
-[Swanson 1996] Swanson, Marianne, and Barbara Guttman. September 1996.
-Generally Accepted Principles and Practices for Securing Information
-Technology Systems. NIST Computer Security Special Publication (SP) 800-14.
-[http://csrc.nist.gov/publications/nistpubs/index.html] http://csrc.nist.gov/
-publications/nistpubs/index.html.
-
-[Thompson 1974] Thompson, K. and D.M. Richie. July 1974. ``The UNIX
-Time-Sharing System''. Communications of the ACM Vol. 17, No. 7. pp. 365-375.
-
-[Torvalds 1999] Torvalds, Linus. February 1999. ``The Story of the Linux
-Kernel''. Open Sources: Voices from the Open Source Revolution. Edited by
-Chris Dibona, Mark Stone, and Sam Ockman. O'Reilly and Associates. ISBN
-1565925823. [http://www.oreilly.com/catalog/opensources/book/linus.html]
-http://www.oreilly.com/catalog/opensources/book/linus.html
-
-[TruSecure 2001] TruSecure. August 2001. Open Source Security: A Look at the
-Security Benefits of Source Code Access. [http://www.trusecure.com/html/tspub
-/whitepapers/open_source_security5.pdf] http://www.trusecure.com/html/tspub/
-whitepapers/open_source_security5.pdf
-
-[Unknown] SETUID(7) [http://www.homeport.org/~adam/setuid.7.html] http://
-www.homeport.org/~adam/setuid.7.html.
-
-[Van Biesbrouck 1996] Van Biesbrouck, Michael. April 19, 1996. [http://
-www.csclub.uwaterloo.ca/u/mlvanbie/cgisec] http://www.csclub.uwaterloo.ca/u/
-mlvanbie/cgisec.
-
-[van Oorschot 1994] van Oorschot, P. and M. Wiener. November 1994. ``Parallel
-Collision Search with Applications to Hash Functions and Discrete
-Logarithms.'' Proceedings of ACM Conference on Computer and Communications
-Security.
-
-[Venema 1996] Venema, Wietse. 1996. Murphy's law and computer security.
-[http://www.fish.com/security/murphy.html] http://www.fish.com/security/
-murphy.html
-
-[Viega 2002] Viega, John, and Gary McGraw. 2002. Building Secure Software.
-Addison-Wesley. ISBN 0201-72152-X.
-
-[Watters 1996] Watters, Arron, Guido van Rossum, James C. Ahlstrom. 1996.
-Internet Programming with Python. NY, NY: Henry Hold and Company, Inc.
-
-[Wheeler 1996] Wheeler, David A., Bill Brykczynski, and Reginald N. Meeson,
-Jr. Software Inspection: An Industry Best Practice. 1996. Los Alamitos, CA:
-IEEE Computer Society Press. IEEE Copmuter Society Press Order Number
-BP07340. Library of Congress Number 95-41054. ISBN 0-8186-7340-0.
-
-[Witten 2001] September/October 2001. Witten, Brian, Carl Landwehr, and
-Michael Caloyannides. ``Does Open Source Improve System Security?'' IEEE
-Software. pp. 57-61. [http://www.computer.org/software] http://
-www.computer.org/software
-
-[Wood 1985] Wood, Patrick H. and Stephen G. Kochan. 1985. Unix System
-Security. Indianapolis, Indiana: Hayden Books. ISBN 0-8104-6267-2.
-
-[Wreski 1998] Wreski, Dave. August 22, 1998. Linux Security Administrator's
-Guide. Version 0.98. [http://www.nic.com/~dave/SecurityAdminGuide/index.html]
-http://www.nic.com/~dave/SecurityAdminGuide/index.html
-
-[Yoder 1998] Yoder, Joseph and Jeffrey Barcalow. 1998. Architectural Patterns
-for Enabling Application Security. PLoP '97 [http://st-www.cs.uiuc.edu/
-~hanmer/PLoP-97/Proceedings/yoder.pdf] http://st-www.cs.uiuc.edu/~hanmer/
-PLoP-97/Proceedings/yoder.pdf
-
-[Zalewski 2001] Zalewski, Michael. May 16-17, 2001. Delivering Signals for
-Fun and Profit: Understanding, exploiting and preventing signal-handling
-related vulnerabilities. Bindview Corporation. [http://razor.bindview.com/
-publish/papers/signals.txt] http://razor.bindview.com/publish/papers/
-signals.txt
-
-[Zoebelein 1999] Zoebelein, Hans U. April 1999. The Internet Operating System
-Counter. [http://www.leb.net/hzo/ioscount] http://www.leb.net/hzo/ioscount.
------------------------------------------------------------------------------
-
-Appendix A. History
-
-Here are a few key events in the development of this book, starting from most
-recent events:
-
-2002-10-29 David A. Wheeler
- Version 3.000 released, adding a new section on determining security
- requirements and a discussion of the Common Criteria, broadening the
- document. Many smaller improvements were incorporated as well.
-
-2001-01-01 David A. Wheeler
- Version 2.70 released, adding a significant amount of additional
- material, such as a significant expansion of the discussion of cross-site
- malicious content, HTML/URI filtering, and handling temporary files.
-
-2000-05-24 David A. Wheeler
- Switched to GNU's GFDL license, added more content.
-
-2000-04-21 David A. Wheeler
- Version 2.00 released, dated 21 April 2000, which switched the document's
- internal format from the Linuxdoc DTD to the DocBook DTD. Thanks to Jorge
- Godoy for helping me perform the transition.
-
-2000-04-04 David A. Wheeler
- Version 1.60 released; changed so that it now covers both Linux and Unix.
- Since most of the guidelines covered both, and many/most app developers
- want their apps to run on both, it made sense to cover both.
-
-2000-02-09 David A. Wheeler
- Noted that the document is now part of the Linux Documentation Project
- (LDP).
-
-1999-11-29 David A. Wheeler
- Initial version (1.0) completed and released to the public.
-
-
-Note that a more detailed description of changes is available on-line in the
-``ChangeLog'' file.
------------------------------------------------------------------------------
-
-Appendix B. Acknowledgements
-
- As iron sharpens iron, so one man
- sharpens another.
- Proverbs 27:17 (NIV)
-
-My thanks to the following people who kept me honest by sending me emails
-noting errors, suggesting areas to cover, asking questions, and so on. Where
-email addresses are included, they've been shrouded by prepending my
-``thanks.'' so bulk emailers won't easily get these addresses; inclusion of
-people in this list is not an authorization to send unsolicited bulk email to
-them.
-
- * Neil Brown (thanks.neilb@cse.unsw.edu.au)
-
- * Martin Douda (thanks.mad@students.zcu.cz)
-
- * Jorge Godoy
-
- * Scott Ingram (thanks.scott@silver.jhuapl.edu)
-
- * Michael Kerrisk
-
- * Doug Kilpatrick
-
- * John Levon (levon@movementarian.org)
-
- * Ryan McCabe (thanks.odin@numb.org)
-
- * Paul Millar (thanks.paulm@astro.gla.ac.uk)
-
- * Chuck Phillips (thanks.cdp@peakpeak.com)
-
- * Martin Pool (thanks.mbp@humbug.org.au)
-
- * Eric S. Raymond (thanks.esr@snark.thyrsus.com)
-
- * Marc Welz
-
- * Eric Werme (thanks.werme@alpha.zk3.dec.com)
-
-
-
-
-If you want to be on this list, please send me a constructive suggestion at
-[mailto:dwheeler@dwheeler.com] dwheeler@dwheeler.com. If you send me a
-constructive suggestion, but do not want credit, please let me know that when
-you send your suggestion, comment, or criticism; normally I expect that
-people want credit, and I want to give them that credit. My current process
-is to add contributor names to this list in the document, with more detailed
-explanation of their comment in the ChangeLog for this document (available
-on-line). Note that although these people have sent in ideas, the actual text
-is my own, so don't blame them for any errors that may remain. Instead,
-please send me another constructive suggestion.
------------------------------------------------------------------------------
-
-Appendix C. About the Documentation License
-
- A copy of the text of the edict was to
- be issued as law in every province and
- made known to the people of every
- nationality so they would be ready for
- that day.
- Esther 3:14 (NIV)
-
-This document is Copyright (C) 1999-2000 David A. Wheeler. Permission is
-granted to copy, distribute and/or modify this document under the terms of
-the GNU Free Documentation License (FDL), Version 1.1 or any later version
-published by the Free Software Foundation; with the invariant sections being
-``About the Author'', with no Front-Cover Texts, and no Back-Cover texts. A
-copy of the license is included below in Appendix D.
-
-These terms do permit mirroring by other web sites, but be sure to do the
-following:
-
- * make sure your mirrors automatically get upgrades from the master site,
-
- * clearly show the location of the master site ([http://www.dwheeler.com/
- secure-programs] http://www.dwheeler.com/secure-programs), with a
- hypertext link to the master site, and
-
- * give me (David A. Wheeler) credit as the author.
-
-
-
-
-The first two points primarily protect me from repeatedly hearing about
-obsolete bugs. I do not want to hear about bugs I fixed a year ago, just
-because you are not properly mirroring the document. By linking to the master
-site, users can check and see if your mirror is up-to-date. I'm sensitive to
-the problems of sites which have very strong security requirements and
-therefore cannot risk normal connections to the Internet; if that describes
-your situation, at least try to meet the other points and try to occasionally
-sneakernet updates into your environment.
-
-By this license, you may modify the document, but you can't claim that what
-you didn't write is yours (i.e., plagiarism) nor can you pretend that a
-modified version is identical to the original work. Modifying the work does
-not transfer copyright of the entire work to you; this is not a ``public
-domain'' work in terms of copyright law. See the license in Appendix D for
-details. If you have questions about what the license allows, please contact
-me. In most cases, it's better if you send your changes to the master
-integrator (currently David A. Wheeler), so that your changes will be
-integrated with everyone else's changes into the master copy.
-
-I am not a lawyer, nevertheless, it's my position as an author and software
-developer that any code fragments not explicitly marked otherwise are so
-small that their use fits under the ``fair use'' doctrine in copyright law.
-In other words, unless marked otherwise, you can use the code fragments
-without any restriction at all. Copyright law does not permit copyrighting
-absurdly small components of a work (e.g., ``I own all rights to B-flat and
-B-flat minor chords''), and the fragments not marked otherwise are of the
-same kind of minuscule size when compared to real programs. I've done my best
-to give credit for specific pieces of code written by others. Some of you may
-still be concerned about the legal status of this code, and I want make sure
-that it's clear that you can use this code in your software. Therefore, code
-fragments included directly in this document not otherwise marked have also
-been released by me under the terms of the ``MIT license'', to ensure you
-that there's no serious legal encumbrance:
- Source code in this book not otherwise identified is
- Copyright (c) 1999-2001 David A. Wheeler.
-
- Permission is hereby granted, free of charge, to any person
- obtaining a copy of the source code in this book not
- otherwise identified (the "Software"), to deal in the
- Software without restriction, including without limitation
- the rights to use, copy, modify, merge, publish, distribute,
- sublicense, and/or sell copies of the Software, and to
- permit persons to whom the Software is furnished to do so,
- subject to the following conditions:
-
- The above copyright notice and this permission notice shall be
- included in all copies or substantial portions of the Software.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
- WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE AND NONINFRINGEMENT.
- IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
- LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
- WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
- ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
------------------------------------------------------------------------------
-
-Appendix D. GNU Free Documentation License
-
-Version 1.1, March 2000
-
-Copyright © 2000
-
- Free Software Foundation, Inc.
- 59 Temple Place, Suite 330,
- Boston,
- MA
- 02111-1307
- USA
-
-Everyone is permitted to copy and distribute verbatim copies of this license
-document, but changing it is not allowed.
-
-0. PREAMBLE
- The purpose of this License is to make a manual, textbook, or other
- written document "free" in the sense of freedom: to assure everyone the
- effective freedom to copy and redistribute it, with or without modifying
- it, either commercially or noncommercially. Secondarily, this License
- preserves for the author and publisher a way to get credit for their
- work, while not being considered responsible for modifications made by
- others.
-
- This License is a kind of "copyleft", which means that derivative works
- of the document must themselves be free in the same sense. It complements
- the GNU General Public License, which is a copyleft license designed for
- free software.
-
- We have designed this License in order to use it for manuals for free
- software, because free software needs free documentation: a free program
- should come with manuals providing the same freedoms that the software
- does. But this License is not limited to software manuals; it can be used
- for any textual work, regardless of subject matter or whether it is
- published as a printed book. We recommend this License principally for
- works whose purpose is instruction or reference.
-
-1. APPLICABILITY AND DEFINITIONS
- This License applies to any manual or other work that contains a notice
- placed by the copyright holder saying it can be distributed under the
- terms of this License. The "Document" , below, refers to any such manual
- or work. Any member of the public is a licensee, and is addressed as
- "you".
-
- A "Modified Version" of the Document means any work containing the
- Document or a portion of it, either copied verbatim, or with
- modifications and/or translated into another language.
-
- A "Secondary Section" is a named appendix or a front-matter section of
- the Document that deals exclusively with the relationship of the
- publishers or authors of the Document to the Document's overall subject
- (or to related matters) and contains nothing that could fall directly
- within that overall subject. (For example, if the Document is in part a
- textbook of mathematics, a Secondary Section may not explain any
- mathematics.) The relationship could be a matter of historical connection
- with the subject or with related matters, or of legal, commercial,
- philosophical, ethical or political position regarding them.
-
- The "Invariant Sections" are certain Secondary Sections whose titles are
- designated, as being those of Invariant Sections, in the notice that says
- that the Document is released under this License.
-
- The "Cover Texts" are certain short passages of text that are listed, as
- Front-Cover Texts or Back-Cover Texts, in the notice that says that the
- Document is released under this License.
-
- A "Transparent" copy of the Document means a machine-readable copy,
- represented in a format whose specification is available to the general
- public, whose contents can be viewed and edited directly and
- straightforwardly with generic text editors or (for images composed of
- pixels) generic paint programs or (for drawings) some widely available
- drawing editor, and that is suitable for input to text formatters or for
- automatic translation to a variety of formats suitable for input to text
- formatters. A copy made in an otherwise Transparent file format whose
- markup has been designed to thwart or discourage subsequent modification
- by readers is not Transparent. A copy that is not "Transparent" is called
- "Opaque".
-
- Examples of suitable formats for Transparent copies include plain ASCII
- without markup, Texinfo input format, LaTeX input format, SGML or XML
- using a publicly available DTD, and standard-conforming simple HTML
- designed for human modification. Opaque formats include PostScript, PDF,
- proprietary formats that can be read and edited only by proprietary word
- processors, SGML or XML for which the DTD and/or processing tools are not
- generally available, and the machine-generated HTML produced by some word
- processors for output purposes only.
-
- The "Title Page" means, for a printed book, the title page itself, plus
- such following pages as are needed to hold, legibly, the material this
- License requires to appear in the title page. For works in formats which
- do not have any title page as such, "Title Page" means the text near the
- most prominent appearance of the work's title, preceding the beginning of
- the body of the text.
-
-2. VERBATIM COPYING
- You may copy and distribute the Document in any medium, either
- commercially or noncommercially, provided that this License, the
- copyright notices, and the license notice saying this License applies to
- the Document are reproduced in all copies, and that you add no other
- conditions whatsoever to those of this License. You may not use technical
- measures to obstruct or control the reading or further copying of the
- copies you make or distribute. However, you may accept compensation in
- exchange for copies. If you distribute a large enough number of copies
- you must also follow the conditions in section 3.
-
- You may also lend copies, under the same conditions stated above, and you
- may publicly display copies.
-
-3. COPYING IN QUANTITY
- If you publish printed copies of the Document numbering more than 100,
- and the Document's license notice requires Cover Texts, you must enclose
- the copies in covers that carry, clearly and legibly, all these Cover
- Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the
- back cover. Both covers must also clearly and legibly identify you as the
- publisher of these copies. The front cover must present the full title
- with all words of the title equally prominent and visible. You may add
- other material on the covers in addition. Copying with changes limited to
- the covers, as long as they preserve the title of the Document and
- satisfy these conditions, can be treated as verbatim copying in other
- respects.
-
- If the required texts for either cover are too voluminous to fit legibly,
- you should put the first ones listed (as many as fit reasonably) on the
- actual cover, and continue the rest onto adjacent pages.
-
- If you publish or distribute Opaque copies of the Document numbering more
- than 100, you must either include a machine-readable Transparent copy
- along with each Opaque copy, or state in or with each Opaque copy a
- publicly-accessible computer-network location containing a complete
- Transparent copy of the Document, free of added material, which the
- general network-using public has access to download anonymously at no
- charge using public-standard network protocols. If you use the latter
- option, you must take reasonably prudent steps, when you begin
- distribution of Opaque copies in quantity, to ensure that this
- Transparent copy will remain thus accessible at the stated location until
- at least one year after the last time you distribute an Opaque copy
- (directly or through your agents or retailers) of that edition to the
- public.
-
- It is requested, but not required, that you contact the authors of the
- Document well before redistributing any large number of copies, to give
- them a chance to provide you with an updated version of the Document.
-
-4. MODIFICATIONS
- You may copy and distribute a Modified Version of the Document under the
- conditions of sections 2 and 3 above, provided that you release the
- Modified Version under precisely this License, with the Modified Version
- filling the role of the Document, thus licensing distribution and
- modification of the Modified Version to whoever possesses a copy of it.
- In addition, you must do these things in the Modified Version:
-
- A. Use in the Title Page (and on the covers, if any) a title distinct
- from that of the Document, and from those of previous versions (which
- should, if there were any, be listed in the History section of the
- Document). You may use the same title as a previous version if the
- original publisher of that version gives permission.
-
- B. List on the Title Page, as authors, one or more persons or entities
- responsible for authorship of the modifications in the Modified
- Version, together with at least five of the principal authors of the
- Document (all of its principal authors, if it has less than five).
-
- C. State on the Title Page the name of the publisher of the Modified
- Version, as the publisher.
-
- D. Preserve all the copyright notices of the Document.
-
- E. Add an appropriate copyright notice for your modifications adjacent
- to the other copyright notices.
-
- F. Include, immediately after the copyright notices, a license notice
- giving the public permission to use the Modified Version under the
- terms of this License, in the form shown in the Addendum below.
-
- G. Preserve in that license notice the full lists of Invariant Sections
- and required Cover Texts given in the Document's license notice.
-
- H. Include an unaltered copy of this License.
-
- I. Preserve the section entitled "History", and its title, and add to it
- an item stating at least the title, year, new authors, and publisher
- of the Modified Version as given on the Title Page. If there is no
- section entitled "History" in the Document, create one stating the
- title, year, authors, and publisher of the Document as given on its
- Title Page, then add an item describing the Modified Version as
- stated in the previous sentence.
-
- J. Preserve the network location, if any, given in the Document for
- public access to a Transparent copy of the Document, and likewise the
- network locations given in the Document for previous versions it was
- based on. These may be placed in the "History" section. You may omit
- a network location for a work that was published at least four years
- before the Document itself, or if the original publisher of the
- version it refers to gives permission.
-
- K. In any section entitled "Acknowledgements" or "Dedications", preserve
- the section's title, and preserve in the section all the substance
- and tone of each of the contributor acknowledgements and/or
- dedications given therein.
-
- L. Preserve all the Invariant Sections of the Document, unaltered in
- their text and in their titles. Section numbers or the equivalent are
- not considered part of the section titles.
-
- M. Delete any section entitled "Endorsements". Such a section may not be
- included in the Modified Version.
-
- N. Do not retitle any existing section as "Endorsements" or to conflict
- in title with any Invariant Section.
-
-
- If the Modified Version includes new front-matter sections or appendices
- that qualify as Secondary Sections and contain no material copied from
- the Document, you may at your option designate some or all of these
- sections as invariant. To do this, add their titles to the list of
- Invariant Sections in the Modified Version's license notice. These titles
- must be distinct from any other section titles.
-
- You may add a section entitled "Endorsements", provided it contains
- nothing but endorsements of your Modified Version by various parties--for
- example, statements of peer review or that the text has been approved by
- an organization as the authoritative definition of a standard.
-
- You may add a passage of up to five words as a Front-Cover Text, and a
- passage of up to 25 words as a Back-Cover Text, to the end of the list of
- Cover Texts in the Modified Version. Only one passage of Front-Cover Text
- and one of Back-Cover Text may be added by (or through arrangements made
- by) any one entity. If the Document already includes a cover text for the
- same cover, previously added by you or by arrangement made by the same
- entity you are acting on behalf of, you may not add another; but you may
- replace the old one, on explicit permission from the previous publisher
- that added the old one.
-
- The author(s) and publisher(s) of the Document do not by this License
- give permission to use their names for publicity for or to assert or
- imply endorsement of any Modified Version .
-
-5. COMBINING DOCUMENTS
- You may combine the Document with other documents released under this
- License, under the terms defined in section 4 above for modified
- versions, provided that you include in the combination all of the
- Invariant Sections of all of the original documents, unmodified, and list
- them all as Invariant Sections of your combined work in its license
- notice.
-
- The combined work need only contain one copy of this License, and
- multiple identical Invariant Sections may be replaced with a single copy.
- If there are multiple Invariant Sections with the same name but different
- contents, make the title of each such section unique by adding at the end
- of it, in parentheses, the name of the original author or publisher of
- that section if known, or else a unique number. Make the same adjustment
- to the section titles in the list of Invariant Sections in the license
- notice of the combined work.
-
- In the combination, you must combine any sections entitled "History" in
- the various original documents, forming one section entitled "History";
- likewise combine any sections entitled "Acknowledgements", and any
- sections entitled "Dedications". You must delete all sections entitled
- "Endorsements."
-
-6. COLLECTIONS OF DOCUMENTS
- You may make a collection consisting of the Document and other documents
- released under this License, and replace the individual copies of this
- License in the various documents with a single copy that is included in
- the collection, provided that you follow the rules of this License for
- verbatim copying of each of the documents in all other respects.
-
- You may extract a single document from such a collection, and distribute
- it individually under this License, provided you insert a copy of this
- License into the extracted document, and follow this License in all other
- respects regarding verbatim copying of that document.
-
-7. AGGREGATION WITH INDEPENDENT WORKS
- A compilation of the Document or its derivatives with other separate and
- independent documents or works, in or on a volume of a storage or
- distribution medium, does not as a whole count as a Modified Version of
- the Document, provided no compilation copyright is claimed for the
- compilation. Such a compilation is called an "aggregate", and this
- License does not apply to the other self-contained works thus compiled
- with the Document , on account of their being thus compiled, if they are
- not themselves derivative works of the Document. If the Cover Text
- requirement of section 3 is applicable to these copies of the Document,
- then if the Document is less than one quarter of the entire aggregate,
- the Document's Cover Texts may be placed on covers that surround only the
- Document within the aggregate. Otherwise they must appear on covers
- around the whole aggregate.
-
-8. TRANSLATION
- Translation is considered a kind of modification, so you may distribute
- translations of the Document under the terms of section 4. Replacing
- Invariant Sections with translations requires special permission from
- their copyright holders, but you may include translations of some or all
- Invariant Sections in addition to the original versions of these
- Invariant Sections. You may include a translation of this License
- provided that you also include the original English version of this
- License. In case of a disagreement between the translation and the
- original English version of this License, the original English version
- will prevail.
-
-9. TERMINATION
- You may not copy, modify, sublicense, or distribute the Document except
- as expressly provided for under this License. Any other attempt to copy,
- modify, sublicense or distribute the Document is void, and will
- automatically terminate your rights under this License. However, parties
- who have received copies, or rights, from you under this License will not
- have their licenses terminated so long as such parties remain in full
- compliance.
-
-10. FUTURE REVISIONS OF THIS LICENSE
- The Free Software Foundation may publish new, revised versions of the GNU
- Free Documentation License from time to time. Such new versions will be
- similar in spirit to the present version, but may differ in detail to
- address new problems or concerns. See [http://www.gnu.org/copyleft] http:
- //www.gnu.org/copyleft/.
-
- Each version of the License is given a distinguishing version number. If
- the Document specifies that a particular numbered version of this License
- "or any later version" applies to it, you have the option of following
- the terms and conditions either of that specified version or of any later
- version that has been published (not as a draft) by the Free Software
- Foundation. If the Document does not specify a version number of this
- License, you may choose any version ever published (not as a draft) by
- the Free Software Foundation.
-
-Addendum
- To use this License in a document you have written, include a copy of the
- License in the document and put the following copyright and license
- notices just after the title page:
-
- Copyright © YEAR YOUR NAME.
-
- Permission is granted to copy, distribute and/or modify this document
- under the terms of the GNU Free Documentation License, Version 1.1 or any
- later version published by the Free Software Foundation; with the
- Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts
- being LIST, and with the Back-Cover Texts being LIST. A copy of the
- license is included in the section entitled "GNU Free Documentation
- License".
-
- If you have no Invariant Sections, write "with no Invariant Sections"
- instead of saying which ones are invariant. If you have no Front-Cover
- Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being
- LIST"; likewise for Back-Cover Texts.
-
- If your document contains nontrivial examples of program code, we
- recommend releasing these examples in parallel under your choice of free
- software license, such as the GNU General Public License, to permit their
- use in free software.
-
-
------------------------------------------------------------------------------
-Appendix E. Endorsements
-
-This version of the document is endorsed by the original author, David A.
-Wheeler, as a document that should improve the security of programs, when
-applied correctly. Note that no book, including this one, can guarantee that
-a developer who follows its guidelines will produce perfectly secure
-software. Modifications (including translations) must remove this appendix
-per the license agreement included above.
------------------------------------------------------------------------------
-
-Appendix F. About the Author
-
-[dwheeler2003b]
-
-David A. Wheeler
-
-David A. Wheeler is an expert in computer security and has long specialized
-in development techniques for large and high-risk software systems. He has
-been involved in software development since the mid-1970s, and been involved
-with Unix and computer security since the early 1980s. His areas of knowledge
-include computer security, software safety, vulnerability analysis,
-inspections, Internet technologies, software-related standards (including
-POSIX), real-time software development techniques, and numerous computer
-languages (including Ada, C, C++, Perl, Python, and Java).
-
-Mr. Wheeler is co-author and lead editor of the IEEE book Software
-Inspection: An Industry Best Practice, author of the book Ada95: The Lovelace
-Tutorial, and co-author of the GNOME User's Guide. He is also the author of
-many smaller papers and articles, including the Linux Program Library HOWTO.
-
-Mr. Wheeler hopes that, by making this document available, other developers
-will make their software more secure. You can reach him by email at
-dwheeler@dwheeler.com (no spam please), and you can also see his web site at
-[http://www.dwheeler.com] http://www.dwheeler.com.
-
-Notes
-
-[1] Technically, a hypertext link can be any ``uniform resource identifier''
- (URI). The term "Uniform Resource Locator" (URL) refers to the subset of
- URIs that identify resources via a representation of their primary
- access mechanism (e.g., their network "location"), rather than
- identifying the resource by name or by some other attribute(s) of that
- resource. Many people use the term ``URL'' as synonymous with ``URI'',
- since URLs are the most common kind of URI. For example, the encoding
- used in URIs is actually called ``URL encoding''.
-
-Security Quick-Start HOWTO for Linux
-
-Hal Burgiss
-
- hal@foobox.net
-
-
-v. 1.2, 2002-07-21
-Revision History
-Revision v. 1.2 2002-07-21 Revised by: hb
-A few small additions, and fix the usual broken links.
-Revision v. 1.1 2002-02-06 Revised by: hb
-A few fixes, some additions and many touch-ups from the original.
-Revision v. 1.0 2001-11-07 Revised by: hb
-Initial Release.
-
-
-This document is a an overview of the basic steps required to secure a Linux
-installation from intrusion. It is intended to be an introduction.
-
------------------------------------------------------------------------------
-Table of Contents
-1. Introduction
- 1.1. Why me?
- 1.2. Copyright
- 1.3. Credits
- 1.4. Disclaimer
- 1.5. New Versions and Changelog
- 1.6. Feedback
-
-
-2. Foreword
- 2.1. The Optimum Configuration
- 2.2. Before We Start
-
-
-3. Step 1: Which services do we really need?
- 3.1. System Audit
- 3.2. The Danger Zone (or r00t m3 pl34s3)
- 3.3. Stopping Services
- 3.4. Exceptions
- 3.5. Summary and Conclusions for Step 1
-
-
-4. Step 2: Updating
- 4.1. Summary and Conclusions for Step 2
-
-
-5. Step 3: Firewalls and Setting Access Policies
- 5.1. Strategy
- 5.2. Packet Filters -- Ipchains and Iptables
- 5.3. Tcpwrappers (libwrap)
- 5.4. PortSentry
- 5.5. Proxies
- 5.6. Individual Applications
- 5.7. Verifying
- 5.8. Logging
- 5.9. Where to Start
- 5.10. Summary and Conclusions for Step 3
-
-
-6. Intrusion Detection
- 6.1. Intrusion Detection Systems (IDS)
- 6.2. Have I Been Hacked?
- 6.3. Reclaiming a Compromised System
-
-
-7. General Tips
-8. Appendix
- 8.1. Servers, Ports, and Packets
- 8.2. Common Ports
- 8.3. Netstat Tutorial
- 8.4. Attacks and Threats
- 8.5. Links
- 8.6. Editing Text Files
- 8.7. nmap
- 8.8. Sysctl Options
- 8.9. Secure Alternatives
- 8.10. Ipchains and Iptables Redux
-
-
-
-1. Introduction
-
-1.1. Why me?
-
-Who should be reading this document and why should the average Linux user
-care about security? Those new to Linux, or unfamiliar with the inherent
-security issues of connecting a Linux system to large networks like Internet
-should be reading. "Security" is a broad subject with many facets, and is
-covered in much more depth in other documents, books, and on various sites on
-the Web. This document is intended to be an introduction to the most basic
-concepts as they relate to Linux, and as a starting point only.
-
-
-Iptables Weekly Log Summary from Jul 15 04:24:13 to Jul 22 04:06:00
-Blocked Connection Attempts:
-
-Rejected tcp packets by destination port
-
-port count
-111 19
-53 12
-21 9
-515 9
-27374 8
-443 6
-1080 2
-1138 1
-
-
-Rejected udp packets by destination port
-
-port count
-137 34
-22 1
-
-
-
-The above is real, live data from a one week period for my home LAN. Much of
-the above would seem to be specifically targeted at Linux systems. Many of
-the targeted "destination" ports are used by well known Linux and Unix
-services, and all may be installed, and possibly even running, on your
-system.
-
-The focus here will be on threats that are shared by all Linux users, whether
-a dual boot home user, or large commercial site. And we will take a few,
-relatively quick and easy steps that will make a typical home Desktop system
-or small office system running Linux reasonably safe from the majority of
-outside threats. For those responsible for Linux systems in a larger or more
-complex environment, you'd be well advised to read this, and then follow up
-with additional reading suitable to your particular situation. Actually, this
-is probably good advice for everybody.
-
-We will assume the reader knows little about Linux, networking, TCP/IP, and
-the finer points of running a server Operating System like Linux. We will
-also assume, for the sake of this document, that all local users are
-"trusted" users, and won't address physical or local network security issues
-in any detail. Again, if this is not the case, further reading is strongly
-recommended.
-
-The principles that will guide us in our quest are:
-
- * There is no magic bullet. There is no one single thing we can do to make
- us secure. It is not that simple.
-
- * Security is a process that requires maintenance, not an objective to be
- reached.
-
- * There is no 100% safe program, package or distribution. Just varying
- degrees of insecurity.
-
-
-The steps we will be taking to get there are:
-
- * Step 1: Turn off, and perhaps uninstall, any and all unnecessary
- services.
-
- * Step 2: Make sure that any services that are installed are updated and
- patched to the current, safe version -- and then stay that way. Every
- server application has potential exploits. Some have just not been found
- yet.
-
- * Step 3: Limit connections to us from outside sources by implementing a
- firewall and/or other restrictive policies. The goal is to allow only the
- minimum traffic necessary for whatever our individual situation may be.
-
- * Awareness. Know your system, and how to properly maintain and secure it.
- New vulnerabilities are found, and exploited, all the time. Today's
- secure system may have tomorrow's as yet unfound weaknesses.
-
-
-If you don't have time to read everything, concentrate on Steps 1, 2, and 3.
-This is where the meat of the subject matter is. The Appendix has a lot of
-supporting information, which may be helpful, but may not be necessary for
-all readers.
------------------------------------------------------------------------------
-
-1.2. Copyright
-
-Security-Quickstart HOWTO for Linux
-
-Copyright © 2001 Hal Burgiss.
-
-This document is free; you can redistribute it and/or modify it under the
-terms of the GNU General Public License as published by the Free Software
-Foundation; either version 2 of the License, or (at your option) any later
-version.
-
-This document is distributed in the hope that it will be useful, but WITHOUT
-ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-details.
-
-You can get a copy of the GNU GPL at at [http://www.gnu.org/copyleft/
-gpl.html] http://www.gnu.org/copyleft/gpl.html.
------------------------------------------------------------------------------
-
-1.3. Credits
-
-Many thanks to those who helped with the production of this document.
-
- * Bill Staehle, who has done a little bit of everything: ideas, editing,
- encouragement, and suggestions, many of which have been incorporated.
- Bill helped greatly with the content of this document.
-
- * Others who have contributed in one way or another: Dave Wreski, Ian
- Jones, Jacco de Leeuw, and Indulis Bernsteins.
-
- * Various posters on comp.os.linux.security, a great place to learn about
- Linux and security.
-
- * The Netfilter Development team for their work on iptables and connection
- tracking, state of the art tools with which to protect our systems.
-
-
------------------------------------------------------------------------------
-1.4. Disclaimer
-
-The author accepts no liability for the contents of this document. Use the
-concepts, examples and other content at your own risk. As this is a new
-document, there may be errors and inaccuracies. Hopefully these are few and
-far between. Corrections and suggestions are welcomed.
-
-This document is intended to give the new user a starting point for securing
-their system while it is connected to the Internet. Please understand that
-there is no intention whatsoever of claiming that the contents of this
-document will necessarily result in an ultimately secure and worry-free
-computing environment. Security is a complex topic. This document just
-addresses some of the most basic issues that inexperienced users should be
-aware of.
-
-The reader is encouraged to read other security related documentation and
-articles. And to stay abreast of security issues as they evolve. Security is
-not an objective, but an ongoing process.
------------------------------------------------------------------------------
-
-1.5. New Versions and Changelog
-
-The current official version can always be found at [http://www.tldp.org/
-HOWTO/Security-Quickstart-HOWTO/] http://www.tldp.org/HOWTO/
-Security-Quickstart-HOWTO/. Pre-release versions can be found at [http://
-feenix.burgiss.net/ldp/quickstart/] http://feenix.burgiss.net/ldp/quickstart
-/.
-
-Other formats, including PDF, PS, single page HTML, may be found at the Linux
-Documentation HOWTO index page: [http://tldp.org/docs.html#howto] http://
-tldp.org/docs.html#howto.
-
-Changelog:
-
-Version 1.2: Clarifications on example firewall scripts, and small additions
-to 'Have I been Hacked'. Note on Zonealarm type applications. More on the use
-of "chattr" by script kiddies, and how to check for this. Other small
-additions and clarifications.
-
-Version 1.1: Various corrections, amplifications and numerous mostly small
-additions. Too many to list. Oh yea, learn to spell Red Hat correctly ;-)
-
-Version 1.0: This is the initial release of this document. Comments welcomed.
------------------------------------------------------------------------------
-
-1.6. Feedback
-
-Any and all comments on this document are most welcomed. Please make sure you
-have the most current version before submitting corrections or suggestions!
-These can be sent to .
------------------------------------------------------------------------------
-
-2. Foreword
-
-Before getting into specifics, let's try to briefly answer some questions
-about why we need to be concerned about security in the first place.
-
-It is easy to see why an e-commerce site, an on-line bank, or a government
-agency with sensitive documents would be concerned about security. But what
-about the average user? Why should even a Linux home Desktop user worry about
-security?
-
-Anyone connected to the Internet is a target, plain and simple. It makes
-little difference whether you have a part-time dialup connection, or a
-full-time connection, though full-time connections make for bigger targets.
-Larger sites make for bigger targets too, but this does not let small users
-off the hook since the "small user" may be less skilled and thus an easier
-victim.
-
-There are those out there that are scanning just for easy victims all the
-time. If you start logging unwanted connection attempts, you will see this
-soon enough. There is little doubt that many of these attempts are
-maliciously motivated and the attacker, in some cases, is looking for Linux
-boxes to crack. Does someone on the other side of the globe really want to
-borrow my printer?
-
-What do they want? Often, they just may want your computer, your IP address,
-and your bandwidth. Then they use you to either attack others, or possibly
-commit crimes or mischief and are hiding their true identity behind you. This
-is an all too common scenario. Commercial and high-profile sites are targeted
-more directly and have bigger worries, but we all face this type of common
-threat.
-
-With a few reasonable precautions, Linux can be very secure, and with all the
-available tools, makes for a fantastically fun and powerful Internet
-connection or server. Most successful break-ins are the result of ignorance
-or carelessness.
-
-The bottom line is:
-
- * Do you want control of your own system or not?
-
- * Do you want to unwittingly participate in criminal activity?
-
- * Do you want to be used by someone else?
-
- * Do you want to risk losing your Internet connection?
-
- * Do you want to have to go through the time consuming steps of reclaiming
- your system?
-
- * Do you want to chance the loss of data on your system?
-
-
-These are all real possibilities, unless we take the appropriate precautions.
-
-Warning If you are reading this because you have already been broken into, or
- suspect that you have, you cannot trust any of your system utilities
- to provide reliable information. And the suggestions made in the next
- several sections will not help you recover your system. Please jump
- straight to the Have I been Hacked? section, and read that first.
------------------------------------------------------------------------------
-
-2.1. The Optimum Configuration
-
-Ideally, we would want one computer as a dedicated firewall and router. This
-would be a bare bones installation, with no servers running, and only the
-required services and components installed. The rest of our systems would
-connect via this dedicated router/firewall system. If we wanted publicly
-accessible servers (web, mail, etc), these would be in a "DMZ"
-(De-militarized Zone). The router/firewall allows connections from outside to
-whatever services are running in the DMZ by "forwarding" these requests, but
-it is segregated from the rest of the internal network (aka LAN) otherwise.
-This leaves the rest of the internal network in fairly secure isolation, and
-relative safety. The "danger zone" is confined to the DMZ.
-
-But not everyone has the hardware to dedicate to this kind of installation.
-This would require a minimum of two computers. Or three, if you would be
-running any publicly available servers (not a good idea initially). Or maybe
-you are just new to Linux, and don't know your way around well enough yet. So
-if we can't do the ideal installation, we will do the next best thing.
------------------------------------------------------------------------------
-
-2.2. Before We Start
-
-Before we get to the actual configuration sections, a couple of notes.
-
-First, one of the interesting aspects of Linux, is the different
-distributions like Caldera, Red Hat, SuSE, and Debian. While these are all
-"Linux", and may share certain features, there is surely some differences as
-to what utilities they may install as defaults. Most Linux distributions will
-write their own system configuration tools as well. And with Linux, there is
-always more than one way to skin a cat. But for the purposes of our
-discussion, we will have to use as generic set of tools as we can.
-Unfortunately, GUI tools don't lend themselves to this type of documentation.
-We will be using text based, command line tools for the most part. If you are
-familiar with your distribution's utilities, feel free to substitute those in
-appropriate places. And if not, you should learn them or suitable
-alternatives.
-
-The next several sections have been written such that you can perform the
-recommended procedures as you read along. This is the "Quick Start" in the
-document title!
-
-To get ready, what you will need for the configuration sections below:
-
- * A text editor. There are many available. If you use a file manager
- application , it probably has a built in editor. This will be fine. pico
- and mcedit are two relatively easy to use editors if you don't already
- have a favorite. There is a quick guide to Text editors in the Appendix
- that might help you get started. It is always a good idea to make a back
- up copy, before editing system configuration files.
-
- * For non-GUI editors and some of the commands, you will also need a
- terminal window opened. xterm, rxvt, and gnome-terminal all will work, as
- well as others.
-
- * You should also be familiar with your distribution's method of stopping
- services from running on each boot. Also, how they install (and
- uninstall) packages (rpm, deb, etc). And where to find the updates for
- your release. This information is available in your release's
- documentation, or on your vendor's web site.
-
-
-We'll be using a hypothetical system here for examples with the hostname
-"bigcat". Bigcat is a Linux desktop with a fresh install of the latest/
-greatest Linux distro running. Bigcat has a full-time, direct Internet
-connection. Even if your installation is not so "fresh", don't be deterred.
-Better late than never.
------------------------------------------------------------------------------
-
-3. Step 1: Which services do we really need?
-
-In this section we will see which services are running on our freshly
-installed system, decide which we really need, and do away with the rest. If
-you are not familiar with how servers and TCP connections work, you may want
-to read the section on servers and ports in the Appendix first. If not
-familiar with the netstat utility, you may want to read a quick overview of
-it beforehand. There is also a section in the Appendix on ports, and
-corresponding services. You may want to look that over too.
-
-Our goal is to turn off as many services as possible. If we can turn them all
-off, or at least off to outside connections, so much the better. Some rules
-of thumb we will use to guide us:
-
- * It is perfectly possible to have a fully functional Internet connection
- with no servers running that are accessible to outside connections. Not
- only possible, but desirable in many cases. The principle here is that
- you will never be successfully broken into via a port that is not opened
- because no server is listening on it. No server == no port open == not
- vulnerable. At least to outside connections.
-
- * If you don't recognize a particular service, chances are good you don't
- really need it. We will assume that and so we'll turn it off. This may
- sound dangerous, but is a good rule of thumb to go by.
-
- * Some services are just not intended to be run over the Internet -- even
- if you decide it is something you really do need. We'll flag these as
- dangerous, and address these in later sections, should you decide you do
- really need them, and there is no good alternative.
-
-
------------------------------------------------------------------------------
-3.1. System Audit
-
-So what is really running on our system anyway? Let's not take anything for
-granted about what "should" be running, or what we "think" is running.
-
-Unfortunately, there is no such things as a standard Linux installation. The
-wide variety of servers available, coupled with each particular
-distribution's installation options, make providing a ready made list
-impossible. The best that can be done is show you how to list all running
-services, and point you in the right general direction.
-
-Now open an xterm, and su to root. You'll need to widen the window wide so
-the lines do not wrap. Use this command: netstat -tap |grep LISTEN. This will
-give us a list of all currently running servers as indicated by the keyword
-LISTEN, along with the "PID" and "Program Name" that started each particular
-service.
-
-+----------------------------------------------------------------------------------+
-|# netstat -tap |grep LISTEN |
-| *:exec *:* LISTEN 988/inetd |
-| *:login *:* LISTEN 988/inetd |
-| *:shell *:* LISTEN 988/inetd |
-| *:printer *:* LISTEN 988/inetd |
-| *:time *:* LISTEN 988/inetd |
-| *:x11 *:* LISTEN 1462/X |
-| *:http *:* LISTEN 1078/httpd |
-| bigcat:domain *:* LISTEN 956/named |
-| bigcat:domain *:* LISTEN 956/named |
-| *:ssh *:* LISTEN 972/sshd |
-| *:auth *:* LISTEN 388/in.identd |
-| *:telnet *:* LISTEN 988/inetd |
-| *:finger *:* LISTEN 988/inetd |
-| *:sunrpc *:* LISTEN 1290/portmap |
-| *:ftp *:* LISTEN 988/inetd |
-| *:smtp *:* LISTEN 1738/sendmail: accepting connections |
-| *:1694 *:* LISTEN 1319/rpc.mountd |
-| *:netbios-ssn *:* LISTEN 422/smbd |
-| |
-| |
-+----------------------------------------------------------------------------------+
-
-Note the first three columns are cropped above for readability. If your list
-is as long as the example, you have some work ahead of you! It is highly
-unlikely that you really need anywhere near this number of servers running.
-
-Please be aware that the example above is just one of many, many possible
-system configurations. Yours probably does look very different.
-
-You don't understand what any of this is telling you? Hopefully then, you've
-read the netstat tutorial in the Appendix, and understand how it works.
-Understanding exactly what each server is in the above example, and what it
-does, is beyond the scope of this document. You will have to check your
-system's documentation (e.g. Installation Guide, man pages, etc) if that
-service is important to you. For example, does "exec", "login", and "shell"
-sound important? Yes, but these are not what they may sound like. They are
-actually rexec, rlogin, and rsh, the "r" (for remote) commands. These are
-antiquated, unnecessary, and in fact, are very dangerous if exposed to the
-Internet.
-
-Let's make a few quick assumptions about what is necessary and unnecessary,
-and therefore what goes and what stays on bigcat. Since we are running a
-desktop on bigcat, X11 of course needs to stay. If bigcat were a dedicated
-server of some kind, then X11 would be unnecessary. If there is a printer
-physically attached, the printer (lp) daemon should stay. Otherwise, it goes.
-Print servers may sound harmless, but are potential targets too since they
-can hold ports open. If we plan on logging in to bigcat from other hosts,
-sshd (Secure SHell Daemon) would be necessary. If we have Microsoft hosts on
-our LAN, we probably want Samba, so smbd should stay. Otherwise, it is
-completely unnecessary. Everything else in this example is optional and not
-required for a normally functioning system, and should probably go. See
-anything that you don't recognize? Not sure about? It goes!
-
-To sum up: since bigcat is a desktop with a printer attached, we will need
-"x11", "printer". bigcat is on a LAN with MS hosts, and shares files and
-printing with them, so "netbios-ssn" (smbd) is desired. We will also need
-"ssh" so we can login from other machines. Everything else is unnecessary for
-this particular case.
-
-Nervous about this? If you want, you can make notes of any changes you make
-or save the list of servers you got from netstat, with this command: netstat
--tap |grep LISTEN > ~/services.lst. That will save it your home directory
-with the name of "services.lst" for future reference.
-
-This is to not say that the ones we have decided to keep are inherently safe.
-Just that we probably need these. So we will have to deal with these via
-firewalling or other means (addressed below).
-
-It is worth noting that the telnet and ftp daemons in the above example are
-servers, aka "listeners". These accept incoming connections to you. You do
-not need, or want, these just to use ftp or telnet clients. For instance, you
-can download files from an FTP site with just an ftp client. Running an ftp
-server on your end is not required at all, and has serious security
-implications.
-
-There may be individual situations where it is desirable to make exceptions
-to the conclusions reached above. See below.
------------------------------------------------------------------------------
-
-3.2. The Danger Zone (or r00t m3 pl34s3)
-
-The following is a list of services that should not be run over the Internet.
-Either disable these (see below), uninstall, or if you really do need these
-services running locally, make sure they are the current, patched versions
-and that they are effectively firewalled. And if you don't have a firewall in
-place now, turn them off until it is up and verified to be working properly.
-These are potentially insecure by their very nature, and as such are prime
-cracker targets.
-
- * NFS (Network File System) and related services, including nfsd, lockd,
- mountd, statd, portmapper, etc. NFS is the standard Unix service for
- sharing file systems across a network. Great system for LAN usage, but
- dangerous over the Internet. And its completely unnecessary on a stand
- alone system.
-
- * rpc.* services, Remote Procedure Call.*, typically NFS and NIS related
- (see above).
-
- * Printer services (lpd).
-
- * The so-called r* (for "remote", i.e. Remote SHell) services: rsh, rlogin,
- rexec, rcp etc. Unnecessary, insecure and potentially dangerous, and
- better utilities are available if these capabilities are needed. ssh will
- do everything these command do, and in a much more sane way. See the man
- pages for each if curious. These will probably show in netstat output
- without the "r": rlogin will be just "login", etc.
-
- * telnet server. There is no reason for this anymore. Use sshd instead.
-
- * ftp server. There are better, safer ways for most systems to exchange
- files like scp or via http (see below). ftp is a proper protocol only for
- someone who is running a dedicated ftp server, and who has the time and
- skill to keep it buttoned down. For everyone else, it is potentially big
- trouble.
-
- * BIND (named), DNS server package. With some work, this can be done
- without great risk, but is not necessary in many situations, and requires
- special handling no matter how you do it. See the sections on Exceptions
- and special handling for individual applications.
-
- * Mail Transport Agent, aka "MTA" (sendmail, exim, postfix, qmail). Most
- installations on single computers will not really need this. If you are
- not going to be directly receiving mail from Internet hosts (as a
- designated MX box), but will rather use the POP server of your ISP, then
- it is not needed. You may however need this if you are receiving mail
- directly from other hosts on your LAN, but initially it's safer to
- disable this. Later, you can enable it over the local interface once your
- firewall and access policies have been implemented.
-
-
-This is not necessarily a definitive list. Just some common services that are
-sometimes started on default Linux installations. And conversely, this does
-not imply that other services are inherently safe.
------------------------------------------------------------------------------
-
-3.3. Stopping Services
-
-The next step is to find where each server on our kill list is being started.
-If it is not obvious from the netstat output, use ps, find, grep or locate to
-find more information from the "Program name" or "PID" info in the last
-column. There is examples of this in the Process Owner section in the netstat
-Tutorial of the Appendix. If the service name or port number do not look
-familiar to you, you might get a real brief explanation in your /etc/services
-file.
-
-Skeptical that we are going to break your system, and the pieces won't go
-back together again? If so, take this approach: turn off everything listed
-above in "The Danger Zone", and run your system for a while. OK? Try stopping
-one of the ones we found to be "unnecessary" above. Then, run the system for
-a while. Keep repeating this process, until you get to the bare minimum. If
-this works, then make the changes permanent (see below).
-
-The ultimate objective is not just to stop the service now, but to make sure
-it is stopped permanently! So whatever steps you take here, be sure to check
-after your next reboot.
-
-There are various places and ways to start system services. Let's look at the
-most common ways this is done, and is probably how your system works. System
-services are typically either started by "init" scripts, or by inetd (or its
-replacement xinetd) on most distributions. (The location of the init scripts
-may vary from distribution to distribution.)
------------------------------------------------------------------------------
-
-3.3.1. Stopping Init Services
-
-Init services are typically started automatically during the boot process, or
-during a runlevel change. There is a naming scheme that uses symlinks to
-determine which services are to be started, or stopped, at any given
-runlevel. The scripts themselves should be in /etc/init.d/ (or possibly /etc/
-rc.d/init.d/ ). This init style is used by Red Hat, SuSE, Mandrake, Debian,
-Conectiva, and most Linuxes. Slackware is one notable exception (though
-recent versions have an option for this)! Typically on Slackware system
-services are all configured in one file: /etc/rc.d/rc.inet2.
-
-You can get a listing of these scripts:
-
-+---------------------------------------------------------------------------+
-| # ls -l /etc/init.d/ | less |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Or use whichever tools your distribution provides for this.
-
-To stop a running service now, as root (on SysVinit style systems, which is
-pretty much everybody):
-
-+---------------------------------------------------------------------------+
-| # /etc/init.d/<$SERVICE_NAME> stop |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Where "$SERVICE_NAME" is the name of the init script, which is often, but not
-always, the same as the service name itself. This should do the trick on most
-distributions. Older Red Hat versions may use the path /etc/rc.d/init.d/
-instead.
-
-This only stops this particular service now. It will restart again on the
-next reboot, or runlevel change, unless additional steps are taken. So this
-is really a two step process for init type services.
-
-Your distribution will have utilities available for controlling which
-services are started at various runlevels. Debian based systems have
-update-rc.d for this, and Red Hat based systems have chkconfig. If you are
-familiar with these tools, do it now, and then check again after the next
-reboot. If you are not familiar with these tools, see the man pages and learn
-it now! This is something that you need to know. For Debian (where
-$SERVICE_NAME is the init script name):
-
-+---------------------------------------------------------------------------+
-| |
-| # update-rc.d -f $SERVICE_NAME remove |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-And Red Hat:
-
-+---------------------------------------------------------------------------+
-| |
-| # chkconfig $SERVICE_NAME off |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Another option here is to uninstall a package if you know you do not need it.
-This is a pretty sure-fire, permanent fix. This also alleviates the potential
-problem of keeping all installed packages updated and current (Step 2). And,
-package management systems like RPM or DEB make it very easy to re-install a
-package should you change your mind.
------------------------------------------------------------------------------
-
-3.3.2. Inetd
-
-Inetd is called a "super-daemon" because it is used to spawn sub-daemons.
-inetd itself will generally be started via init scripts, and will "listen" on
-the various ports as determined by which services are enable in its
-configuration file, /etc/inetd.conf. Any service listed here will be under
-the control of inetd. Likewise, any of the listening servers in netstat
-output that list "inetd" in the last column under "Program Name", will have
-been started by inetd. You will have to adjust the inetd configuration to
-stop these services. xinetd is an enhanced inetd replacement, and is
-configured differently (see next section below).
-
-Below is a partial snippet from a typical inetd.conf. Any service with a "#"
-at the beginning of the line is "commented out", and thus ignored by inetd,
-and consequently disabled.
-
-+---------------------------------------------------------------------------+
-|# |
-|# inetd.conf This file describes the services that will be available |
-|# through the INETD TCP/IP super server. To re-configure |
-|# the running INETD process, edit this file, then send the |
-|# INETD process a SIGHUP signal. |
-|# |
-|# Version: @(#)/etc/inetd.conf 3.10 05/27/93 |
-|# |
-|# Authors: Original taken from BSD UNIX 4.3/TAHOE. |
-|# Fred N. van Kempen, |
-|# |
-|# Modified for Debian Linux by Ian A. Murdock |
-|# |
-|# Echo, discard, daytime, and chargen are used primarily for testing. |
-|# |
-|# To re-read this file after changes, just do a 'killall -HUP inetd' |
-|# |
-|#echo stream tcp nowait root internal |
-|#echo dgram udp wait root internal |
-|#discard stream tcp nowait root internal |
-|#discard dgram udp wait root internal |
-|#daytime stream tcp nowait root internal |
-|#daytime dgram udp wait root internal |
-|#chargen stream tcp nowait root internal |
-|#chargen dgram udp wait root internal |
-|time stream tcp nowait root internal |
-|# |
-|# These are standard services. |
-|# |
-|#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a |
-|#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd |
-|# |
-|# Shell, login, exec, comsat and talk are BSD protocols. |
-|# |
-|#shell stream tcp nowait root /usr/sbin/tcpd in.rshd |
-|#login stream tcp nowait root /usr/sbin/tcpd in.rlogind |
-|#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd |
-|#comsat dgram udp wait root /usr/sbin/tcpd in.comsat |
-|#talk dgram udp wait root /usr/sbin/tcpd in.talkd |
-|#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd |
-|#dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd |
-|# |
-|# Pop and imap mail services et al |
-|# |
-|#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d |
-|pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d |
-|#imap stream tcp nowait root /usr/sbin/tcpd imapd |
-|# |
-|# The Internet UUCP service. |
-|# |
-|#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l |
-|# |
-| |
-| |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The above example has two services enabled: time and pop3. To disable these,
-all we need is to open the file with a text editor, comment out the two
-services with a "#", save the file, and then restart inetd (as root):
-
-+---------------------------------------------------------------------------+
-| # /etc/init.d/inetd restart |
-| |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Check your logs for errors, and run netstat again to verify all went well.
-
-A quicker way of getting the same information, using grep:
-
-+---------------------------------------------------------------------------+
-| $ grep -v '^#' /etc/inetd.conf |
-| time stream tcp nowait root internal |
-| pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Again, do you see anything there that you don't know what it is? Then in all
-likelihood you are not using it, and it should be disabled.
-
-Unlike the init services configuration, this is a lasting change so only the
-one step is required.
-
-Let's expose one myth that gets tossed around: you shouldn't disable a
-service by commenting out, or removing, entries from /etc/services. This may
-have the desired effect in some cases, but is not the right way to do it, and
-may interfere with the normal operation of other system utilities.
------------------------------------------------------------------------------
-
-3.3.3. Xinetd
-
-xinetd is an inetd replacement with enhancements. It essentially serves the
-same purpose as inetd, but the configuration is different. The configuration
-can be in the file /etc/xinetd.conf, or individual files in the directory /
-etc/xinetd.d/. Turning off xinetd services is done by either deleting the
-corresponding configuration section, or file. Or by using your text editor
-and simply setting disable = yes for the appropriate service. Then, xinetd
-will need to be restarted. See man xinetd and man xinetd.conf for syntax and
-configuration options. A sample xinetd configuration:
-
-+---------------------------------------------------------------------------+
-| # default: on |
-| # description: The wu-ftpd FTP server serves FTP connections. It uses \ |
-| # normal, unencrypted usernames and passwords for authentication. |
-| service ftp |
-| { |
-| disable = no |
-| socket_type = stream |
-| wait = no |
-| user = root |
-| server = /usr/sbin/in.ftpd |
-| server_args = -l -a |
-| log_on_success += DURATION USERID |
-| log_on_failure += USERID |
-| nice = 10 |
-| } |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-You can get a quick list of enabled services:
-
-+---------------------------------------------------------------------------+
-| $ grep disable /etc/xinetd.d/* |grep no |
-| /etc/xinetd.d/finger: disable = no |
-| /etc/xinetd.d/rexec: disable = no |
-| /etc/xinetd.d/rlogin: disable = no |
-| /etc/xinetd.d/rsh: disable = no |
-| /etc/xinetd.d/telnet: disable = no |
-| /etc/xinetd.d/wu-ftpd: disable = no |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-At this point, the above output should raise some red flags. In the
-overwhelming majority of systems, all the above can be disabled without any
-adverse impact. Not sure? Try it without that service. After disabling
-unnecessary services, then restart xinetd:
-
-+---------------------------------------------------------------------------+
-| # /etc/init.d/xinetd restart |
-| |
-| |
-| |
-+---------------------------------------------------------------------------+
------------------------------------------------------------------------------
-
-3.3.4. When All Else Fails
-
-OK, if you can't find the "right" way to stop a service, or maybe a service
-is being started and you can't find how or where, you can "kill" the process.
-To do this, you will need to know the PID (Process I.D.). This can be found
-with ps, top, fuser or other system utilities. For top and ps, this will be
-the number in the first column. See the Port and Process Owner section in the
-Appendix for examples.
-
-Example (as root):
-
-+---------------------------------------------------------------------------+
-| # kill 1163 |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Then run top or ps again to verify that the process is gone. If not, then:
-
-+---------------------------------------------------------------------------+
-| # kill -KILL 1163 |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Note the second "KILL" in there. This must be done either by the user who
-owns the process, or root. Now go find where and how this process got started
-;-)
-
-The /proc filesystem can also be used to find out more information about each
-process. Armed with the PID, we can find the path to a mysterious process:
-
-+---------------------------------------------------------------------------+
-| $ /bin/ps ax|grep tcpgate |
-| 921 ? S 0:00 tcpgate |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-+----------------------------------------------------------------------------------+
-| # ls -l /proc/921/exe |
-| lrwxrwxrwx 1 root root 0 July 21 12:11 /proc/921/exe -> /usr/local/bin/tcpgate |
-| |
-| |
-+----------------------------------------------------------------------------------+
------------------------------------------------------------------------------
-
-3.4. Exceptions
-
-Above we used the criteria of turning off all unnecessary services. Sometimes
-that is not so obvious. And sometimes what may be required for one person's
-configuration is not the same for another's. Let's look at a few common
-services that fall in this category.
-
-Again, our rule of thumb is if we don't need it, we won't run it. It's that
-simple. If we do need any of these, they are prime candidates for some kind
-of restrictive policies via firewall rules or other mechanisms (see below).
-
- * identd - This is a protocol that has been around for ages, and is often
- installed and running by default. It is used to provide a minimal amount
- of information about who is connecting to a server. But, it is not
- necessary in many cases. Where might you need it? Most IRC servers
- require it. Many mail servers use it, but don't really require it. Try
- your mail setup without it. If identd is going to be a problem, it will
- be because there is a time out before before the server starts sending or
- receiving mail. So mail should work fine without it, but may be slower. A
- few ftp servers may require it. Most don't though.
-
- If identd is required, there are some configuration options that can
- greatly reduce the information that is revealed:
-
- +---------------------------------------------------------------+
- | |
- | /usr/sbin/in.identd in.identd -l -e -o -n -N |
- | |
- | |
- +---------------------------------------------------------------+
-
- The -o flag tells identd to not reveal the operating system type it is
- run on and to instead always return "OTHER". The -e flag tells identd to
- always return "UNKNOWN-ERROR" instead of the "NO-USER" or "INVALID-PORT"
- errors. The -n flag tells identd to always return user numbers instead of
- user names, if you wish to keep the user names a secret. The -N flag
- makes identd check for the file .noident in the user's home directory for
- which the daemon is about to return a user name. It that file exists then
- the daemon will give the error "HIDDEN-USER" instead of the normal
- "USERID" response.
-
- * Mail server (MTA's like sendmail, qmail, etc) - Often a fully functional
- mail server like sendmail is installed by default. The only time that
- this is actually required is if you are hosting a domain, and receiving
- incoming mail directly. Or possibly, for exchanging mail on a LAN, in
- which case it does not need Internet exposure and can be safely
- firewalled. For your ISP's POP mail access, you don't need it even though
- this is a common configuration. One alternative here is to use fetchmail
- for POP mail retrieval with the -m option to specify a local delivery
- agent: fetchmail -m procmail for instance works with no sendmail daemon
- running at all. Sendmail, can be handy to have running, but the point is,
- it is not required in many situations, and can be disabled, or firewalled
- safely.
-
- * BIND (named) - This often is installed by default, but is only really
- needed if you are an authoritative name server for a domain. If you are
- not sure what this means, then you definitely don't need it. BIND is
- probably the number one crack target on the Internet. BIND is often used
- though in a "caching" only mode. This can be quite useful, but does not
- require full exposure to the Internet. In other words, it should be
- restricted or firewalled. See special handling of individual applications
- below.
-
-
------------------------------------------------------------------------------
-3.5. Summary and Conclusions for Step 1
-
-In this section we learned how to identify which services are running on our
-system, and were given some tips on how to determine which services may be
-necessary. Then we learned how to find where the services were being started,
-and how to stop them. If this has not made sense, now is a good time to
-re-read the above.
-
-Hopefully you've already taken the above steps. Be sure to test your results
-with netstat again, just to verify the desired end has been achieved, and
-only the services that are really required are running.
-
-It would also be wise to do this after the next reboot, anytime you upgrade a
-package (to make sure a new configuration does not sneak in), and after every
-system upgrade or new install.
------------------------------------------------------------------------------
-
-4. Step 2: Updating
-
-OK, this section should be comparatively short, simple and straightforward
-compared to the above, but no less important.
-
-The very first thing after a new install you should check your distribution's
-updates and security notices and apply all patches . Only a year old you say?
-That's a long time actually, and not current enough to be safe. Only a few
-months or few weeks? Check anyway. A day or two? Better safe than sorry. It
-is quite possible that security updates have been released during the
-pre-release phase of the development and release cycle. If you can't take
-this step, disable any publicly accessible services until you can.
-
-Linux distributions are not static entities. They are updated with new,
-patched packages as the need arises. The updates are just as important as the
-original installation. Even more so, since they are fixes. Sometimes these
-updates are bug fixes, but quite often they are security fixes because some
-hole has been discovered. Such "holes" are immediately known to the cracker
-community, and they are quick to exploit them on a large scale. Once the hole
-is known, it is quite simple to get in through it, and there will be many out
-there looking for it. And Linux developers are also equally quick to provide
-fixes. Sometimes the same day as the hole has become known!
-
-Keeping all installed packages current with your release is one of the most
-important steps you can take in maintaining a secure system. It can not be
-emphasized enough that all installed packages should be kept updated -- not
-just the ones you use. If this is burdensome, consider uninstalling any
-unused packages. Actually this is a good idea anyway.
-
-But where to get this information in a timely fashion? There are a number of
-web sites that offer the latest security news. There are also a number of
-mailing lists dedicated to this topic. In fact, your vendor most likely has
-such a list where vulnerabilities and the corresponding fix is announced.
-This is an excellent way to stay abreast of issues effecting your release,
-and is highly recommended. [http://linuxsecurity.com] http://
-linuxsecurity.com is a good site for Linux only issues. They also have weekly
-newsletters available: [http://www.linuxsecurity.com/general/newsletter.html]
-http://www.linuxsecurity.com/general/newsletter.html.
-
-Also, many distributions have utilities that will automatically update your
-installed packages via ftp. This can be run as a cron job on a regular basis
-and is a painless way to go if you have ready Internet access.
-
-This is not a one time process -- it is ongoing. It is important to stay
-current. So watch those security notices. And subscribe to your vendor's
-security mailing list today! If you have cable modem, DSL, or other full time
-connection, there is no excuse not to do this religiously. All distributions
-make this easy enough!
-
-One last note: any time a new package is installed, there is also a chance
-that a new or revised configuration has been installed as well. Which means
-that if this package is a server of some kind, it may be enabled as a result
-of the update. This is bad manners, but it can happen, so be sure to run
-netstat or comparable to verify your system is where you want it after any
-updates or system changes. In fact, do it periodically even if there are no
-such changes.
------------------------------------------------------------------------------
-
-4.1. Summary and Conclusions for Step 2
-
-It is very simple: make sure your Linux installation is current. Check with
-your vendor for what updated packages may be available. There is nothing
-wrong with running an older release, just so the packages in it are updated
-according to what your vendor has made available since the initial release.
-At least as long as your vendor is still supporting the release and updates
-are still being provided.
------------------------------------------------------------------------------
-
-5. Step 3: Firewalls and Setting Access Policies
-
-So what is a "firewall"? It's a vague term that can mean anything that acts
-as a protective barrier between us and the outside world. This can be a
-dedicated system, or a specific application that provides this functionality.
-Or it can be a combination of components, including various combinations of
-hardware and software. Firewalls are built from "rules" that are used to
-define what is allowed to enter and exit a given system or network. Let's
-look at some of the possible components that are readily available for Linux,
-and how we might implement a reasonably safe firewalling strategy.
-
-In Step 1 above, we have turned off all services we don't need. In our
-example, there were a few we still needed to have running. In this section,
-we will take the next step here and decide which we need to leave open to the
-world. And which we might be able to restrict in some way. If we can block
-them all, so much the better, but this is not always practical.
------------------------------------------------------------------------------
-
-5.1. Strategy
-
-What we want to do now is restrict connections and traffic so that we only
-allow the minimum necessary for whatever our particular situation is. In some
-cases we may want to block all incoming "new" connection attempts. Example:
-we want to run X, but don't want anyone from outside to access it, so we'll
-block it completely from outside connections. In other situations, we may
-want to limit, or restrict, incoming connections to trusted sources only. The
-more restrictive, the better. Example: we want to ssh into our system from
-outside, but we only ever do this from our workplace. So we'll limit sshd
-connections to our workplace address range. There are various ways to do
-this, and we'll look at the most common ones.
-
-We also will not want to limit our firewall to any one application. There is
-nothing wrong with a "layered" defense-in-depth approach. Our front line
-protection will be a packet filter -- either ipchains or iptables (see
-below). Then we can use additional tools and mechanisms to reinforce our
-firewall.
-
-We will include some brief examples. Our rule of thumb will be to deny
-everything as the default policy, then open up just what we need. We'll try
-to keep this as simple as possible since it can be an involved and complex
-topic, and just stick to some of the most basic concepts. See the Links
-section for further reading on this topic.
------------------------------------------------------------------------------
-
-5.2. Packet Filters -- Ipchains and Iptables
-
-"Packet filters" (like ipchains) have the ability to look at individual
-packets, and make decisions based on what they find. These can be used for
-many purposes. One common purpose is to implement a firewall.
-
-Common packet filters on Linux are ipchains which is standard with 2.2
-kernels, and iptables which is available with the more recent 2.4 kernels.
-iptables has more advanced packet filtering capabilities and is recommended
-for anyone running a 2.4 kernel. But either can be effective for our
-purposes. ipfwadm is a similar utility for 2.0 kernels (not discussed here).
-
-If constructing your own ipchains or iptables firewall rules seems a bit
-daunting, there are various sites that can automate the process. See the
-Links section. Also the included examples may be used as a starting point.
-And your distribution may be including a utility of some kind for generating
-a firewall script. This may be adequate, but it is still recommended to know
-the proper syntax and how the various mechanisms work as such tools rarely do
-more than a few very simple rules.
-
-Note Various examples are given below. These are presented for illustrative
- purposes to demonstrate some of the concepts being discussed here. While
- they might also be useful as a starting point for your own script,
- please note that they are not meant to be all encompassing. You are
- strongly encouraged to understand how the scripts work, so you can
- create something even more tailored for your own situation.
-
- The example scripts are just protecting inbound connections to one
- interface (the one connected to the Internet). This may be adequate for
- many simple home type situations, but, conversely, this approach is not
- adequate for all situations!
------------------------------------------------------------------------------
-
-5.2.1. ipchains
-
-ipchains can be used with either 2.2 or 2.4 kernels. When ipchains is in
-place, it checks every packet that moves through the system. The packets move
-across different "chains", depending where they originate and where they are
-going. Think of "chains" as rule sets. In advanced configurations, we could
-define our own custom chains. The three default built-in chains are input,
-which is incoming traffic, output, which is outgoing traffic, and forward,
-which is traffic being forwarded from one interface to another (typically
-used for "masquerading"). Chains can be manipulated in various ways to
-control the flow of traffic in and out of our system. Rules can be added at
-our discretion to achieve the desired result.
-
-At the end of every "chain" is a "target". The target is specified with the
--j option to the command. The target is what decides the fate of the packet
-and essentially terminates that particular chain. The most common targets are
-mostly self-explanatory: ACCEPT, DENY, REJECT, and MASQ. MASQ is for
-"ipmasquerading". DENY and REJECT essentially do the same thing, though in
-different ways. Is one better than the other? That is the subject of much
-debate, and depends on other factors that are beyond the scope of this
-document. For our purposes, either should suffice.
-
-ipchains has a very flexible configuration. Port (or port ranges),
-interfaces, destination address, source address can be specified, as well as
-various other options. The man page explains these details well enough that
-we won't get into specifics here.
-
-Traffic entering our system from the Internet, enters via the input chain.
-This is the one that we need as tight as we can make it.
-
-Below is a brief example script for a hypothetical system. We'll let the
-comments explain what this script does. Anything starting with a "#" is a
-comment. ipchains rules are generally incorporated into shell scripts, using
-shell variables to help implement the firewalling logic.
-
-#!/bin/sh
-#
-# ipchains.sh
-#
-# An example of a simple ipchains configuration.
-#
-# This script allows ALL outbound traffic, and denies
-# ALL inbound connection attempts from the outside.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-IPCHAINS=/sbin/ipchains
-# This is the WAN interface, that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-
-## end user configuration options #################################
-###################################################################
-
-# The high ports used mostly for connections we initiate and return
-# traffic.
-LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
-`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# Let's start clean and flush all chains to an empty state.
-$IPCHAINS -F
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that ipchains uses.
-$IPCHAINS -P forward DENY
-$IPCHAINS -P output ACCEPT
-$IPCHAINS -P input DENY
-
-# Accept localhost/loopback traffic.
-$IPCHAINS -A input -i lo -j ACCEPT
-
-# Get our dynamic IP now from the Inet interface. WAN_IP will be our
-# IP address we are protecting from the outside world. Put this
-# here, so default policy gets set, even if interface is not up
-# yet.
-WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`
-
-# Bail out with error message if no IP available! Default policy is
-# already set, so all is not lost here.
-[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
-
-# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
-# the high, unprivileged ports (1024 to 4999 by default). This will
-# allow return connection traffic for connections that we initiate
-# to outside sources. TCP connections are opened with 'SYN' packets.
-$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
-
-# We can't be so selective with UDP since that protocol does not
-# know about SYNs.
-$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPCHAINS -A input -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-
-###################################################################
-# Set the catchall, default rule to DENY, and log it all. All other
-# traffic not allowed by the rules above, winds up here, where it is
-# blocked and logged. This is the default policy for this chain
-# anyway, so we are just adding the logging ability here with '-l'.
-# Outgoing traffic is allowed as the default policy for the 'output'
-# chain. There are no restrictions on that.
-
-$IPCHAINS -A input -l -j DENY
-
-echo "Ipchains firewall is up `date`."
-
-##-- eof ipchains.sh
-
-
-
-To use the above script would require that it is executable (i.e. chmod +x
-ipchains.sh), and run by root to build the chains, and hence the firewall.
-
-To summarize what this example did was to start by setting some shell
-variables in the top section, to be used later in the script. Then we set the
-default rules (ipchains calls these "policies") of denying all inbound and
-forwarded traffic, and of allowing all our own outbound traffic. We had to
-open some holes in the high, unprivileged ports so that we could have return
-traffic from connections that bigcat initiates to outside addresses. If we
-connect to someone's web server, we want that HTML data to be able to get
-back to us, for instance. The same applies to other network traffic. We then
-allowed a few specific types of the ICMP protocol (most are still blocked).
-We are also logging any inbound traffic that violates any of our rules so we
-know who is doing what. Notice that we are only using IP address here, not
-hostnames of any kind. This is so that our firewall works, even in situation
-where there may be DNS failures. Also, to prevent any kind of DNS spoofing.
-
-See the ipchains man page for a full explanation of syntax. The important
-ones we used here are:
-
-
- -A input: Adds a rule to the "input" chain. The default chains are
- input, output, and forward.
-
- -p udp: This rule only applies to the "UDP" "protocol". The -p option
- can be used with tcp, udp or icmp protocols.
-
- -i $WAN_IFACE: This rule applies to the specified interface only, and
- applies to whatever chain is referenced (input, output, or forward).
-
- -s [port]: This rule only applies to the source address as
- specified. It can optionally have a port (e.g. 22) immediately afterward,
- or port range, e.g. 1023:4999.
-
- -d [port]: This rule only applies to the destination
- address as specified. Also, it may include port or port range.
-
- -l : Any packet that hits a rule with this option is logged (lower case
- "L").
-
- -j ACCEPT: Jumps to the "ACCEPT" "target". This effectively terminates
- this chain and decides the ultimate fate for this particular packet,
- which in this example is to "ACCEPT" it. The same is true for other -j
- targets like DENY.
-
-
-By and large, the order in which command line options are specified is not
-significant. The chain name (e.g. input) must come first though.
-
-Remember in Step 1 when we ran netstat, we had both X and print servers
-running among other things. We don't want these exposed to the Internet, even
-in a limited way. These are still happily running on bigcat, but are now safe
-and sound behind our ipchains based firewall. You probably have other
-services that fall in this category as well.
-
-The above example is a simplistic all or none approach. We allow all our own
-outbound traffic (not necessarily a good idea), and block all inbound
-connection attempts from outside. It is only protecting one interface, and
-really just the inbound side of that interface. It would more than likely
-require a bit of fine tuning to make it work for you. For a more advanced set
-of rules, see the Appendix. And you might want to read [http://tldp.org/HOWTO
-/IPCHAINS-HOWTO.html] http://tldp.org/HOWTO/IPCHAINS-HOWTO.html.
-
-Whenever you have made changes to your firewall, you should verify its
-integrity. One step to make sure your rules seem to be doing what you
-intended, is to see how ipchains has interpreted your script. You can do this
-by opening your xterm very wide, and issuing the following command:
-
-+---------------------------------------------------------------------------+
-| # ipchains -L -n -v | less |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The output is grouped according to chain. You should also find a way to scan
-yourself (see the Verifying section below). And then keep an eye on your logs
-to make sure you are blocking what is intended.
------------------------------------------------------------------------------
-
-5.2.2. iptables
-
-iptables is the next generation packet filter for Linux, and requires a 2.4
-kernel. It can do everything ipchains can, but has a number of noteworthy
-enhancements. The syntax is similar to ipchains in many respects. See the man
-page for details.
-
-The most noteworthy enhancement is "connection tracking", also known as
-"stateful inspection". This gives iptables more knowledge of the state of
-each packet. Not only does it know if the packet is a TCP or UDP packet, or
-whether it has the SYN or ACK flags set, but also if it is part of an
-existing connection, or related somehow to an existing connection. The
-implications for firewalling should be obvious.
-
-The bottom line is that it is easier to get a tight firewall with iptables,
-than with ipchains. So this is the recommended way to go.
-
-Here is the same script as above, revised for iptables:
-
-#!/bin/sh
-#
-# iptables.sh
-#
-# An example of a simple iptables configuration.
-#
-# This script allows ALL outbound traffic, and denies
-# ALL inbound connection attempts from the Internet interface only.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-IPTABLES=/sbin/iptables
-# Local Interfaces
-# This is the WAN interface that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-#
-
-## end user configuration options #################################
-###################################################################
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# This module may need to be loaded:
-modprobe ip_conntrack_ftp
-
-# Start building chains and rules #################################
-#
-# Let's start clean and flush all chains to an empty state.
-$IPTABLES -F
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that IPTABLES uses.
-$IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT ACCEPT
-$IPTABLES -P INPUT DROP
-
-# Accept localhost/loopback traffic.
-$IPTABLES -A INPUT -i lo -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-
-###################################################################
-# Set the catchall, default rule to DENY, and log it all. All other
-# traffic not allowed by the rules above, winds up here, where it is
-# blocked and logged. This is the default policy for this chain
-# anyway, so we are just adding the logging ability here with '-j
-# LOG'. Outgoing traffic is allowed as the default policy for the
-# 'output' chain. There are no restrictions on that.
-
-$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTABLES -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
-$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
-
-echo "Iptables firewall is up `date`."
-
-##-- eof iptables.sh
-
-
-
-The same script logic is used here, and thus this does pretty much the same
-exact thing as the ipchains script in the previous section. There are some
-subtle differences as to syntax. Note the case difference in the chain names
-for one (e.g. INPUT vs input). Logging is handled differently too. It has its
-own "target" now (-j LOG), and is much more flexible.
-
-There are some very fundamental differences as well, that might not be so
-obvious. Remember this section from the ipchains script:
-
-# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are the high,
-# unprivileged ports (1024 to 4999 by default). This will allow return
-# connection traffic for connections that we initiate to outside sources.
-# TCP connections are opened with 'SYN' packets. We have already opened
-# those services that need to accept SYNs for, so other SYNs are excluded here
-# for everything else.
-$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
-
-# We can't be so selective with UDP since that protocol does not know
-# about SYNs.
-$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
-
-
-
-We jumped through hoops here with ipchains so that we could restrict
-unwanted, incoming connections as much as possible. A bit of a kludge,
-actually.
-
-That section is missing from the iptables version. It is not needed as
-connection tracking handles this quite nicely, and then some. This is due to
-the "statefulness" of iptables. It knows more about each packet than ipchains
-. For instance, it knows whether the packet is part of a "new" connection, or
-an "established" connection, or a "related" connection. This is the so-called
-"stateful inspection" of connection tracking.
-
-There are many, many features of iptables that are not touched on here. For
-more reading on the Netfilter project and iptables, see [http://
-netfilter.samba.org] http://netfilter.samba.org. And for a more advanced set
-of rules, see the Appendix.
------------------------------------------------------------------------------
-
-5.3. Tcpwrappers (libwrap)
-
-Tcpwrappers provides much the same desired results as ipchains and iptables
-above, though works quite differently. Tcpwrappers actually intercepts the
-connection attempt, then examines its configurations files, and decides
-whether to accept or reject the request. Tcpwrappers controls access at the
-application level, rather than the socket level like iptables and ipchains.
-This can be quite effective, and is a standard component on most Linux
-systems.
-
-Tcpwrappers consists of the configuration files /etc/hosts.allow and /etc/
-hosts.deny. The functionality is provided by the libwrap library.
-
-Tcpwrappers first looks to see if access is permitted in /etc/hosts.allow,
-and if so, access is granted. If not in /etc/hosts.allow, the file /etc/
-hosts.deny is then checked to see if access is not allowed. If so, access is
-denied. Else, access is granted. For this reason, /etc/hosts.deny should
-contain only one uncommented line, and that is: ALL: ALL. Access should then
-be permitted through entries in /etc/hosts.allow, where specific services are
-listed, along with the specific host addresses allowed to access these
-services. While hostnames can be used here, use of hostnames opens the
-limited possibility for name spoofing.
-
-Tcpwrappers is commonly used to protect services that are started via inetd
-(or xinetd). But also any program that has been compiled with libwrap
-support, can take advantage of it. Just don't assume that all programs have
-built in libwrap support -- they do not. In fact, most probably don't. So we
-will only use it in our examples here to protect services start via inetd.
-And then rely on our packet filtering firewall, or other mechanism, to
-protect non-(x)inetd services.
-
-Below is a small snippet from a typical inetd.conf file:
-
-+---------------------------------------------------------------------------+
-| # Pop and imap mail services et al |
-| # |
-| #pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d |
-| #pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d |
-| #imap stream tcp nowait root /usr/sbin/tcpd imapd |
-| # |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The second to last column is the tcpwrappers daemon -- /usr/sbin/tcpd.
-Immediately after is the daemon it is protecting. In this case, POP and IMAP
-mail servers. Your distro probably has already done this part for you. For
-the few applications that have built-in support for tcpwrappers via the
-libwrap library, specifying the daemon as above is not necessary.
-
-We will use the same principles here: default policy is to deny everything,
-then open holes to allow the minimal amount of traffic necessary.
-
-So now with your text editor, su to root and open /etc/hosts.deny. If it does
-not exist, then create it. It is just a plain text file. We want the
-following line:
-
-+---------------------------------------------------------------------------+
-| ALL: ALL |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-If it is there already, fine. If not, add it in and then save and close file.
-Easy enough. "ALL" is one of the keywords that tcpwrappers understands. The
-format is $SERVICE_NAME : $WHO, so we are denying all connections to all
-services here. At least all services that are using tcpwrappers. Remember,
-this will primarily be inetd services. See man 5 hosts_access for details on
-the syntax of these files. Note the "5" there!
-
-Now let's open up just the services we need, as restrictively as we can, with
-a brief example:
-
-+---------------------------------------------------------------------------+
-| ALL: 127.0.0.1 |
-| sshd,ipop3d: 192.168.1. |
-| sshd: .myworkplace.com, hostess.mymomshouse.com |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The first line allows all "localhost" connections. You will need this. The
-second allows connections to the sshd and ipop3d services from IP addresses
-that start with 192.168.1., in this case the private address range for our
-hypothetical home LAN. Note the trailing ".". It's important. The third line
-allows connections to only our sshd daemon from any host associated with
-.myworkplace.com. Note the leading "." in this example. And then also, the
-single host hostess.mymomshouse.com. In summary, localhost and all our LAN
-connections have access to any and all tcpwrappered services on bigcat. But
-only our workplace addresses, and our mother can use sshd on bigcat from
-outside connections. Everybody else is denied by the default policy in /etc/
-hosts.deny.
-
-The types of wild cards above (.myworkplace.com and 192.168.1.) are not
-supported by ipchains and iptables, or most other Linux applications for that
-matter. Also, tcpwrappers can use hostnames in place of IP addresses which is
-quite handy in some situations. This does not work with ipchains and iptables
-.
-
-You can test your tcpwrappers configuration with the included tcpdchk utility
-(see the man page). Note that at this time this does not work with xinetd,
-and may not even be included in this case.
-
-There is nothing wrong with using both tcpwrappers and a packet filtering
-firewall like ipchains. In fact, it is recommended to use a "layered"
-approach. This helps guard against accidental misconfigurations. In this
-case, each connection will be tested by the packet filter rules first, then
-tcpwrappers.
-
-Remember to make backup copies before editing system configuration files,
-restart the daemon afterward, and then check the logs for error messages.
------------------------------------------------------------------------------
-
-5.3.1. xinetd
-
-As mentioned, [http://www.xinetd.org] xinetd is an enhanced inetd . It has
-much of the same functionality, with some notable enhancements. One is that
-tcpwrappers support can be compiled in, eliminating the need for explicit
-references to tcpd. Which means /etc/hosts.allow and /etc/hosts.deny are
-automatically in effect. Don't assume this is the case though. A little
-testing, then viewing the logs should be able to tell you whether tcpwrappers
-support is automatic or not.
-
-Some of xinetd's other enhancements: specify IP address to listen on, which
-is a very effective method of access control; limit the rate of incoming
-connections and the total number of simultaneous connections; limit services
-to specific times of day. See the xinetd and xinetd.conf man pages for more
-details.
-
-The syntax is quite different though. An example from /etc/xinetd.d/tftp:
-
-+---------------------------------------------------------------------------+
-| service tftp |
-| { |
-| socket_type = dgram |
-| bind = 192.168.1.1 |
-| instances = 2 |
-| protocol = udp |
-| wait = yes |
-| user = nobody |
-| only_from = 192.168.1.0 |
-| server = /usr/sbin/in.tftpd |
-| server_args = /tftpboot |
-| disable = no |
-| } |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Notice the bind statement. We are only listening on, or "binding" to, the
-private, LAN interface here. No outside connections can be made since the
-outside port is not even opened. We are also only accepting connections from
-192.168.1.0, our LAN. For xinetd's purposes, this denotes any IP address
-beginning with "192.168.1". Note that the syntax is different from inetd. The
-server statement in this case is the tftp daemon, in.tftpd. Again, this
-assumes that libwrap/tcpwrappers support is compiled into xinetd. The user
-running the daemon will be "nobody". Yes, there is a user account called
-"nobody", and it is wise to run such daemons as non-root users whenever
-possible. Lastly, the disable statement is xinetd's way of turning services
-on or off. In this case, it is "on". This is on here only as an example. Do
-NOT run tftp as a public service as it is unsafe.
------------------------------------------------------------------------------
-
-5.4. PortSentry
-
-[http://www.psionic.org/products/portsentry.html] Portsentry works quite
-differently than the other tools discussed so far. Portsentry does what its
-name implies -- it guards ports. Portsentry is configured with the /etc/
-portsentry/portsentry.conf file.
-
-Unlike the other applications discussed above, it does this by actually
-becoming the listening server on those ports. Kind of like baiting a trap.
-Running netstat -taup as root while portsentry is running, will show
-portsentry as the LISTENER on whatever ports portsentry is configured for. If
-portsentry senses a connection attempt, it blocks it completely. And then
-goes a step further and blocks the route to that host to stop all further
-traffic. Alternately, ipchains or iptables can be used to block the host
-completely. So it makes an excellent tool to stop port scanning of a range of
-ports.
-
-But portsentry has limited flexibility as to whether it allows a given
-connection. It is pretty much all or nothing. You can define specific IP
-addresses that it will ignore in /etc/portsentry/portsentry.ignore. But you
-cannot allow selective access to individual ports. This is because only one
-server can bind to a particular port at the same time, and in this case that
-is portsentry itself. So it has limited usefulness as a stand-alone firewall.
-As part of an overall firewall strategy, yes, it can be quite useful. For
-most of us, it should not be our first line of defense, and we should only
-use it in conjunction with other tools.
-
-Suggestion on when portsentry might be useful:
-
- * As a second layer of defense, behind either ipchains or iptables. Packet
- filtering will catch the packets first, so that anything that gets to
- portsentry would indicate a misconfiguration. Do not use in conjunction
- with inetd services -- it won't work. They will butt heads.
-
- * As a way to catch full range ports scans. Open a pinhole or two in the
- packet filter, and let portsentry catch these and re-act accordingly.
-
- * If you are very sure you have no exposed public servers at all, and you
- just want to know who is up to what. But do not assume anything about
- what portsentry is protecting. By default it does not watch all ports,
- and may even leave some very commonly probed ports open. So make sure you
- configure it accordingly. And make sure you have tested and verified your
- set up first, and that nothing is exposed.
-
-
-All in all, the packet filters make for a better firewall.
------------------------------------------------------------------------------
-
-5.5. Proxies
-
-The dictionary defines "proxy" as "the authority or power to act on behalf of
-another". This pretty well describes software proxies as well. It is an
-intermediary in the connection path. As an example, if we were using a web
-proxy like "squid" ([http://www.squid-cache.org/] http://www.squid-cache.org
-/), every time we browse to a web site, we would actually be connecting to
-our locally running squid server. Squid in turn, would relay our request to
-the ultimate, real destination. And then squid would relay the web pages back
-to us. It is a go-between. Like "firewalls", a "proxy" can refer to either a
-specific application, or a dedicated server which runs a proxy application.
-
-Proxies can perform various duties, not all of which have much to do with
-security. But the fact that they are an intermediary, makes them a good place
-to enforce access control policies, limit direct connections through a
-firewall, and control how the network behind the proxy looks to the Internet.
-So this makes them strong candidates to be part of an overall firewall
-strategy. And, in fact, are sometimes used instead of packet filtering
-firewalls. Proxy based firewalls probably make more sense where many users
-are behind the same firewall. And it probably is not high on the list of
-components necessary for home based systems.
-
-Configuring and administering proxies can be complex, and is beyond the scope
-of this document. The Firewall and Proxy Server HOWTO, [http://tldp.org/HOWTO
-/Firewall-HOWTO.html ] http://tldp.org/HOWTO/Firewall-HOWTO.html, has
-examples of setting up proxy firewalls. Squid usage is discussed at [http://
-squid-docs.sourceforge.net/latest/html/book1.htm] http://
-squid-docs.sourceforge.net/latest/html/book1.htm
------------------------------------------------------------------------------
-
-5.6. Individual Applications
-
-Some servers may have their own access control features. You should check
-this for each server application you run. We'll only look at a few of the
-common ones in this section. Man pages, and other application specific
-documentation, is your friend here. This should be done whether you have
-confidence in your firewall or not. Again, layers of protection is always
-best.
-
- * BIND - a very common package that provides name server functionality. The
- daemon itself is "named". This only requires full exposure to the
- Internet if you are providing DNS look ups for one or more domains to the
- rest of the world. If you are not sure what this means, you do not need,
- or want, it exposed. For the overwhelming majority of us this is the
- case. It is a very common crack target.
-
- But it may be installed, and can be useful in a caching only mode. This
- does not require full exposure to the Internet. Limit the interfaces on
- which it "listens" by editing /etc/named.conf (random example shown):
-
- +---------------------------------------------------------------+
- | |
- | options { |
- | directory "/var/named"; |
- | listen-on { 127.0.0.1; 192.168.1.1; }; |
- | version "N/A"; |
- | }; |
- | |
- | |
- +---------------------------------------------------------------+
-
- The "listen-on" statement is what limits where named listens for DNS
- queries. In this example, only on localhost and bigcat's LAN interface.
- There is no port open for the rest of the world. It just is not there.
- Restart named after making changes.
-
- * X11 can be told not to allow TCP connections by using the -nolisten tcp
- command line option. If using startx, you can make this automatic by
- placing alias startx="startx -- -nolisten tcp" in your ~/.bashrc, or the
- system-wide file, /etc/bashrc, with your text editor. If using xdm (or
- variants such as gdm, kdm, etc), this option would be specified in /etc/
- X11/xdm/Xservers (or comparable) as :0 local /usr/bin/X11/X -nolisten
- tcp. gdm actually uses /etc/X11/gdm/gdm.conf.
-
- If using xdm (or comparable) to start X automatically at boot, /etc/
- inittab can be modified as: xdm -udpPort 0, to further restrict
- connections. This is typically near the bottom of /etc/inittab.
-
- * Recent versions of sendmail can be told to listen only on specified
- addresses:
-
- +---------------------------------------------------------------+
- | # SMTP daemon options |
- | O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA |
- | |
- | |
- +---------------------------------------------------------------+
-
- The above excerpt is from /etc/sendmail.cf which can be carefully added
- with your text editor. The sendmail.mc directive is:
-
- +---------------------------------------------------------------------------+
- | |
- | dnl This changes sendmail to only listen on the loopback device 127.0.0.1 |
- | dnl and not on any other network devices. |
- | DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') |
- | |
- | |
- +---------------------------------------------------------------------------+
-
- In case you would prefer to build a new sendmail.cf, rather than edit the
- existing one. Other mail server daemons likely have similar configuration
- options. Check your local documentation.
-
- * SAMBA connections can be restricted in smb.conf:
-
- +---------------------------------------------------------------+
- | bind interfaces = true |
- | interfaces = 192.168.1. 127. |
- | hosts allow = 192.168.1. 127. |
- | |
- | |
- +---------------------------------------------------------------+
-
- This will only open, and allow, connections from localhost (127.0.0.1),
- and the local LAN address range. Adjust the LAN address as needed.
-
- * The CUPS print daemon can be told where to listen for connections. Add to
- /etc/cups/cupsd.conf:
-
- +---------------------------------------------------------------+
- | Listen 192.168.1.1:631 |
- | |
- | |
- +---------------------------------------------------------------+
-
- This will only open a port at the specified address and port number.
-
- * xinetd can force daemons to listen only on a specified address with its
- "bind" configuration directive. For instance, an internal LAN interface
- address. See man xinetd.conf for this and other syntax. There are various
- other control mechanisms as well.
-
-
-As always, anytime you make system changes, backup the configuration file
-first, restart the appropriate daemon afterward, and then check the
-appropriate logs for error messages.
------------------------------------------------------------------------------
-
-5.7. Verifying
-
-The final step after getting your firewall in place, is to verify that it is
-doing what you intended. You would be wise to do this anytime you make even
-minor changes to your system configuration.
-
-So how to do this? There are several things you can do.
-
-For our packet filters like ipchains and iptables, we can list all our rules,
-chains, and associated activity with iptables -nvL | less (substitute
-ipchains if appropriate). Open your xterm as wide as possible to avoid
-wrapping long lines.
-
-This should give you an idea if your chains are doing what you think they
-should. You may want to perform some of the on-line tasks you normally do
-first: open a few web pages, send and retrieve mail, etc. This will, of
-course, not give you any information on tcpwrappers or portsentry. tcpdchk
-can be used to verify tcpwrappers configuration (except with xinetd).
-
-And then, scan yourself. nmap is the scanning tool of choice and may be
-available via your distribution , or from [http://www.insecure.org/nmap/
-nmap_download.html] http://www.insecure.org/nmap/nmap_download.html. nmap is
-very flexible, and essentially is a "port prober". In other words, it looks
-for open ports, among other things. See the nmap man page for details.
-
-If you do run nmap against yourself (e.g. nmap localhost), this should tell
-you what ports are open -- and visible locally only! Which hopefully by now,
-is quite different from what can be seen from the outside. So, scan yourself,
-and then find a trusted friend, or site (see the Links section), to scan you
-from the outside. Make sure you are not violating your ISPs Terms of Service
-by port scanning. It may not be allowed, even if the intentions are
-honorable. Scanning from outside is the best way to know how the rest of the
-world sees you. This should tell you how well that firewall is working. See
-the nmap section in the Appendix for some examples on nmap usage.
-
-One caveat on this: some ISPs may filter some ports, and you will not know
-for sure how well your firewall is working. Conversely, they make it look
-like certain ports are open by using web, or other, proxies. The scanner may
-see the web proxy at port 80 and mis-report it as an open port on your
-system.
-
-Another option is to find a website that offers full range testing. [http://
-www.hackerwhacker.com] http://www.hackerwhacker.com is one such site. Make
-sure that any such site is not just scanning a relatively few well known
-ports.
-
-Repeat this procedure with every firewall change, every system upgrade or new
-install, and when any key components of your system changes.
-
-You may also want to enable logging all the denied traffic. At least
-temporarily. Once the firewall is verified to be doing what you think it
-should, and if the logs are hopelessly overwhelming, you may want to disable
-logging.
-
-If relying on portsentry at all, please read the documentation. Depending on
-your configuration it will either drop the route to the scanner, or implement
-a ipchains/iptables rule doing the same thing. Also, since it "listens" on
-the specified ports, all those ports will show as "open". A false alarm in
-this case.
------------------------------------------------------------------------------
-
-5.8. Logging
-
-Linux does a lot of logging. Usually to more than one file. It is not always
-obvious what to make of all these entries -- good, bad or indifferent?
-Firewall logs tend to generate a fair amount of each. Of course, you are
-wanting to stop only the "bad", but you will undoubtedly catch some harmless
-traffic as well. The 'net has a lot of background noise.
-
-In many cases, knowing the intentions of an incoming packet are almost
-impossible. Attempted intrusion? Misbehaved protocol? Mis-typed IP address?
-Conclusions can be drawn based on factors such as destination port, source
-port, protocol, and many other variables. But there is no substitute for
-experience in interpreting firewall logs. It is a black art in many cases.
-
-So do we really need to log? And how much should we be trying to log? Logging
-is good in that it tells us that the firewall is functional. Even if we don't
-understand much of it, we know it is doing "something". And if we have to, we
-can dig into those logs and find whatever data might be called for.
-
-On the other hand, logging can be bad if it is so excessive, it is difficult
-to find pertinent data, or worse, fills up a partition. Or if we over re-act
-and take every last entry as an all out assault. Some perspective is a great
-benefit, but something that new users lack almost by definition. Again, once
-your firewall is verified, and you are perplexed or overwhelmed, home desktop
-users may want to disable as much logging as possible. Anyone with greater
-responsibilities should log, and then find ways to extract the pertinent data
-from the logs by filtering out extraneous information.
-
-Not sure where to look for log data? This could conceivably be many places
-depending on how your distribution configured the various daemons and syslogd
-. Most logging is done in /var/log/*. Check that directory with ls -l /var/
-log/ and see if you can tell the most active logs by size and timestamp.
-Also, look at /etc/syslog.conf to see where the default logs are. /var/log/
-messages is a good place to look for starters.
-
-Portsentry and tcpwrappers do a certain amount of logging that is not
-adjustable. xinetd has logging enhancements that can be turned on. Both
-ipchains and iptables, on the other hand, are very flexible as to what is
-logged.
-
-For ipchains the -l option can be added to any rule. iptables uses the -j LOG
-target, and requires its own, separate rule instead. iptables goes a few
-steps further and allows customized log entries, and rate limiting. See the
-man page. Presumably, we are more interested in logging blocked traffic, so
-we'd confine logging to only our DENY and REJECT rules.
-
-So whether you log, and how much you log, and what you do with the logs, is
-an individual decision, and probably will require some trial and error so
-that it is manageable. A few auditing and analytical tools can be quite
-helpful:
-
-Some tools that will monitor your logs for you and notify you when necessary.
-These likely will require some configuration, and trial and error, to make
-the most out of them:
-
- * A nice log entry analyzer for ipchains and iptables from Manfred Bartz:
- [http://www.logi.cc/linux/NetfilterLogAnalyzer.php3] http://www.logi.cc/
- linux/NetfilterLogAnalyzer.php3. What does all that stuff mean anyway?
-
- * LogSentry (formerly logcheck) is available from [http://www.psionic.org/
- products/logsentry.html] http://www.psionic.org/products/logsentry.html,
- the same group that is responsible for portsentry. LogSentry is an all
- purpose log monitoring tool with a flexible configuration, that handles
- multiple logs.
-
- * [http://freshmeat.net/projects/firelogd/] http://freshmeat.net/projects/
- firelogd/, the Firewall Log Daemon from Ian Jones, is designed to watch,
- and send alerts on iptables or ipchains logs data.
-
- * [http://freshmeat.net/projects/fwlogwatch/] http://freshmeat.net/projects
- /fwlogwatch/ by Boris Wesslowski, is a similar idea, but supports more
- log formats.
-
-
------------------------------------------------------------------------------
-5.9. Where to Start
-
-Let's take a quick look at where to run our firewall scripts from.
-
-Portsentry can be run as an init process, like other system services. It is
-not so important when this is done. Tcpwrappers will be automatically be
-invoked by inetd or xinetd, so not to worry there either.
-
-But the packet filtering scripts will have to be started somewhere. And many
-scripts will have logic that uses the local IP address. This will mean that
-the script must be started after the interface has come up and been assigned
-an IP address. Ideally, this should be immediately after the interface is up.
-So this depends on how you connect to the Internet. Also, for protocols like
-PPP or DHCP that may be dynamic, and get different IP's on each re-connect,
-it is best to have the scripts run by the appropriate daemon.
-
-For PPP, you probably have an /etc/ppp/ip-up file. This will be executed
-every time there is a connect or re-connect. You should put the full path to
-your firewall script here. Check the local documentation for the correct
-location. Debian use files in /etc/ppp/ip-up.d/, so either put the script
-itself there, or a symlink to it. Red Hat uses /etc/ppp/ip-up.local for any
-user defined, local PPP configuration.
-
-For DHCP, it depends on which client. dhcpcd will execute /etc/dhcpcd/dhcpcd-
-.exe (e.g. dhcpcd-eth0.exe) whenever a lease is obtained or
-renewed. So this is where to put a reference to your firewall script. For
-pump, the main configuration file is /etc/pump.conf. Pump will run whatever
-script is defined by the "script" statement any time there is a new or
-renewed lease:
-
- script /usr/local/bin/ipchains.sh
-
-
-
-If you have a static IP address (i.e. it never changes), the placement is not
-so important and should be before the interface comes up!
------------------------------------------------------------------------------
-
-5.10. Summary and Conclusions for Step 3
-
-In this section we looked at various components that might be used to
-construct a "firewall". And learned that a firewall is as much a strategy and
-combination of components, as it is any one particular application or
-component. We looked at a few of the most commonly available applications
-that can be found on most, if not all, Linux systems. This is not a
-definitive list.
-
-This is a lot of information to digest at all at one time and expect anyone
-to understand it all. Hopefully this can used as a starting point, and used
-for future reference as well. The packet filter firewall examples can be used
-as starting points as well. Just use your text editor, cut and paste into a
-file with an appropriate name, and then run chmod +x against it to make it
-executable. Some minor editing of the variables may be necessary. Also look
-at the Links section for sites and utilities that can be used to generate a
-custom script. This may be a little less daunting.
-
-Now we are done with Steps 1, 2 and 3. Hopefully by now you have already
-instituted some basic measures to protect your system(s) from the various and
-sundry threats that lurk on networks. If you haven't implemented any of the
-above steps yet, now is a good time to take a break, go back to the top, and
-have at it. The most important steps are the ones above.
-
-A few quick conclusions...
-
-"What is best iptables, ipchains, tcpwrappers, or portsentry?" The quick
-answer is that iptables can do more than any of the others. So if you are
-using a 2.4 kernel, use iptables. Then, ipchains if using a 2.2 kernel. The
-long answer is "it just depends on what you are doing and what the objective
-is". Sorry. The other tools all have some merit in any given situation, and
-all can be effective in the right situation.
-
-"Do I really need all these packages?" No, but please combine more than one
-approach, and please follow all the above recommendations. iptables by itself
-is good, but in conjunction with some of the other approaches, we are even
-stronger. Do not rely on any single mechanism to provide a security blanket.
-"Layers" of protection is always best. As is sound administrative practices.
-The best iptables script in the world is but one piece of the puzzle, and
-should not be used to hide other system weaknesses.
-
-"If I have a small home LAN, do I need to have a firewall on each computer?"
-No, not necessary as long as the LAN gateway has a properly configured
-firewall. Unwanted traffic should be stopped at that point. And as long as
-this is working as intended, there should be no unwanted traffic on the LAN.
-But, by the same token, doing this certainly does no harm. And on larger LANs
-that might be mixed platform, or with untrusted users, it would be advisable.
------------------------------------------------------------------------------
-
-6. Intrusion Detection
-
-This section will deal with how to get early warning, how to be alerted after
-the fact, and how to clean up from intrusion attempts.
------------------------------------------------------------------------------
-
-6.1. Intrusion Detection Systems (IDS)
-
-Intrusion Detection Systems (IDS for short) are designed to catch what might
-have gotten past the firewall. They can either be designed to catch an active
-break-in attempt in progress, or to detect a successful break-in after the
-fact. In the latter case, it is too late to prevent any damage, but at least
-we have early awareness of a problem. There are two basic types of IDS: those
-protecting networks, and those protecting individual hosts.
-
-For host based IDS, this is done with utilities that monitor the filesystem
-for changes. System files that have changed in some way, but should not
-change -- unless we did it -- are a dead give away that something is amiss.
-Anyone who gets in, and gets root, will presumably make changes to the system
-somewhere. This is usually the very first thing done. Either so he can get
-back in through a backdoor, or to launch an attack against someone else. In
-which case, he has to change or add files to the system.
-
-This is where tools like tripwire ([http://www.tripwire.org] http://
-www.tripwire.org) play a role. Such tools monitor various aspects of the
-filesystem, and compare them against a stored database. And can be configured
-to send an alert if any changes are detected. Such tools should only be
-installed on a known "clean" system.
-
-For home desktops and home LANs, this is probably not an absolutely necessary
-component of an overall security strategy. But it does give peace of mind,
-and certainly does have its place. So as to priorities, make sure the Steps
-1, 2 and 3 above are implemented and verified to be sound, before delving
-into this.
-
-RPM users can get somewhat the same results with rpm -Va, which will verify
-all packages, but without all the same functionality. For instance, it will
-not notice new files added to most directories. Nor will it detect files that
-have had the extended attributes changed (e.g. chattr +i, man chattr and man
-lsattr). For this to be helpful, it needs to be done after a clean install,
-and then each time any packages are upgraded or added. Example:
-
-+---------------------------------------------------------------------------+
-| |
-| # rpm -Va > /root/system.checked |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Then we have a stored system snapshot that we can refer back to.
-
-Debian users have a similar tool with debsums.
-
-+---------------------------------------------------------------------------+
-| |
-| # debsums -s > /root/system.checked |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Another idea is to run chkrootkit ([http://www.chkrootkit.org/] http://
-www.chkrootkit.org/) as a weekly cron job. This will detect common "rootkits"
-.
------------------------------------------------------------------------------
-
-6.2. Have I Been Hacked?
-
-Maybe you are reading this because you've noticed something "odd" about your
-system, and are suspicious that someone was gotten in? This can be a clue.
-
-The first thing an intruder typically does is install a "rootkit". There are
-many prepackaged rootkits available on the Internet. The rootkit is
-essentially a script, or set of scripts, that makes quick work of modifying
-the system so the intruder is in control, and he is well hidden. He does this
-by installing modified binaries of common system utilities and tampering with
-log files. Or by using special kernel modules that achieve similar results.
-So common commands like ls may be modified so as to not show where he has his
-files stored. Clever!
-
-A well designed rootkit can be quite effective. Nothing on the system can
-really be trusted to provide accurate feedback. Nothing! But sometimes the
-modifications are not as smooth as intended and give hints that something is
-not right. Some things that might be warning signs:
-
- * Login acts weird. Maybe no one can login. Or only root can login. Any
- login weirdness at all should be suspicious. Similarly, any weirdness
- with adding or changing passwords.
-
- Wierdness with other system commands (e.g. top or ps) should be cause for
- concern as well.
-
- * System utilities are slower, or awkward, or show strange and unexpected
- results. Common utilities that might be modified are: ls, find, who, w,
- last, netstat, login, ps, top. This is not a definitive list!
-
- * Files or directories named "..." or ".. " (dot dot space). A sure bet in
- this case. Files with haxor looking names like "r00t-something".
-
- * Unexplained bandwidth usage, or connections. Script kiddies have a
- fondness for IRC, so such connections should raise a red flag.
-
- * Logs that are missing completely, or missing large sections. Or a sudden
- change in syslog behavior.
-
- * Mysterious open ports, or processes.
-
- * Files that cannot be deleted or moved. Some rootkits use chattr to make
- files "immutable", or not changable. This kind of change will not show up
- with ls, or rpm -V, so the files look normal at first glance. See the man
- pages for chattr and lsattr on how to reverse this. Then see the next
- section below on restoring your system as the jig is up at this point.
-
- This is becoming a more and more common script kiddie trick. In fact, one
- quick test to run on a suspected system (as root):
- +---------------------------------------------------------------+
- | /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep i-- |
- | |
- +---------------------------------------------------------------+
-
- This will look for any "immutable" files in root's PATH, which is almost
- surely a sign of trouble since no standard distributions ship files in
- this state. If the above command turns up anything at all, then plan on
- completely restoring the system (see below). A quick sanity check:
- +---------------------------------------------------------------+
- | # chattr +i /bin/ps |
- | # /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--" |
- | ---i---------- /bin/ps |
- | # chattr -i /bin/ps |
- | |
- +---------------------------------------------------------------+
-
- This is just to verify the system is not tampered with to the point that
- lsattr is completely unreliable. The third line is exactly what you
- should see.
-
- * Indications of a "sniffer", such as log messages of an interface entering
- "promiscuous" mode.
-
- * Modifications to /etc/inetd.conf, rc.local, rc.sysint or /etc/passwd.
- Especially, any additions. Try using cat or tail to view these files.
- Additions will most likely be appended to the end. Remember though such
- changes may not be "visible" to any system tools.
-
-
-Sometimes the intruder is not so smart and forgets about root's
-.bash_history, or cleaning up log entries, or even leaves strange, leftover
-files in /tmp. So these should always be checked too. Just don't necessarily
-expect them to be accurate. Often such left behind files, or log entries,
-will have obvious script kiddie sounding names, e.g. "r00t.sh".
-
-Packet sniffers, like tcpdump ([http://www.tcpdump.org] http://
-www.tcpdump.org), might be useful in finding any uninvited traffic.
-Interpreting sniffer output is probably beyond the grasp of the average new
-user. snort ([http://www.snort.org] http://www.snort.org), and ethereal
-([http://www.ethereal.com] http://www.ethereal.com), are also good. Ethereal
-has a GUI.
-
-As mentioned, a compromised system will undoubtedly have altered system
-binaries, and the output of system utilities is not to be trusted. Nothing on
-the system can be relied upon to be telling you the whole truth.
-Re-installing individual packages may or may not help since it could be
-system libraries or kernel modules that are doing the dirty work. The point
-here is that there is no way to know with absolute certainty exactly what
-components have been altered.
-
-RPM users can use rpm -Va |less to attempt to verify the integrity all
-packages. But again there is no assurance that rpm itself has not been
-tampered with, or the system components that RPM relies on.
-
-If you have pstree on your system, try this instead of the standard ps.
-Sometimes the script kiddies forget about this one. No guarantees though that
-this is accurate either.
-
-You can also try querying the /proc filesystem, which contains everything the
-kernel knows about processes that are running:
-
-+---------------------------------------------------------------------------+
-| |
-| # cat /proc/*/stat | awk '{print $1,$2}' |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-This will provide a list of all processes and PID numbers (assuming a
-malicious kernel module is not hiding this).
-
-Another approach is to visit [http://www.chkrootkit.org] http://
-www.chkrootkit.org, download their rootkit checker, and see what it says.
-
-Some interesting discussions on issues surrounding forensics can be found at
-[http://www.fish.com/security/] http://www.fish.com/security/. There is also
-a collection of tools available, aptly called "The Coroner's Toolkit" (TCT).
-
-Read below for steps on recovering from an intrusion.
------------------------------------------------------------------------------
-
-6.3. Reclaiming a Compromised System
-
-So now you've confirmed a break-in, and know that someone else has root
-access, and quite likely one or more hidden backdoors to your system. You've
-lost control. How to clean up and regain control?
-
-There is no sure fire way of doing this short of a complete re-install. There
-is no way to find with assurance all the modified files and backdoors that
-may have been left. Trying to patch up a compromised system risks a false
-sense of security and may actually aggravate an already bad situation.
-
-The steps to take, in this order:
-
- * Pull the plug and disconnect the machine. You may be unwittingly
- participating in criminal activity, and doing to others what has been
- done to you.
-
- * Depending on the needs of the situation and time available to restore the
- system, it is advantageous to learn as much as you can about how the
- attacker got in, and what was done in order to plug the hole and avoid a
- recurrence. This could conceivably be time consuming, and is not always
- feasible. And it may require more expertise than the typical user
- possesses.
-
- * Backup important data. Do not include any system files in the backup, and
- system configuration files like inetd.conf. Limit the backup to personal
- data files only! You don't want to backup, then restore something that
- might open a backdoor or other hole.
-
- * Re-install from scratch, and reformat the drive during the installation (
- mke2fs) to make sure no remnants are hiding. Actually, replacing the
- drive is not a bad idea. Especially, if you want to keep the compromised
- data available for further analysis.
-
- * Restore from backups. After a clean install is the best time to install
- an IDS (Intrusion Detection System) such as tripwire ([http://
- www.tripwire.org] http://www.tripewire.org).
-
- * Apply all updates or patches for your distribution. Check your vendor's
- web site for security related notices.
-
- * Re-examine your system for unnecessary services. Re-examine your firewall
- and access policies, and tighten all holes. Use new passwords, as these
- were stolen in all likelihood.
-
- * Re-connect system ;-)
-
-
-At this time, any rootkit cleanup tools that may be available on-line are not
-recommended. They probably do work just fine most of the time. But again, how
-to be absolutely sure that all is well and all vestiges of the intrusion are
-gone?
------------------------------------------------------------------------------
-
-7. General Tips
-
-This section will quickly address some general concepts for maintaining a
-more secure and reliable system or network. Let's emphasize "maintaining"
-here since computer systems change daily, as does the environment around
-them. As mentioned before, there isn't any one thing that makes a system
-secure. There are too many variables. Security is an approach and an attitude
-more than it is a reliance on any particular product, application or specific
-policy.
-
- * Do not allow remote root logins. This may be controlled by a
- configuration file such as /etc/securetty. Remove any lines that begin
- "pts". This is one big security hole.
-
- * In fact, don't log in as root at all. Period. Log in on your user account
- and su to root when needed. Whether the login is remote or local. Or use
- sudo, which can run individual commands with root privileges. (There
- should be a sudo package available from your vendor.) This takes some
- getting used to, but it is the "right" way to do things. And the safest.
- And will become more a more natural way of doing this as time goes on.
-
- I know someone is saying right now "but that is so much trouble, I am
- root, and it is my system". True, but root is a specialized account that
- was not ever meant to be used as a regular user account. Root has access
- to everything, even hardware devices. The system "trusts" root. It
- believes that you know what you are doing. If you make a mistook, it
- assumes that you meant that, and will do it's best to do what you told it
- to do...even if that destroys the system!
-
- As an example, let's say you start X as root, open Netscape, and visit a
- web site. The web page has badly behaved java script. And conceivably now
- that badly written java script might have access to much more of your
- system than if you had done it the "right" way.
-
- * Take passwords seriously. Don't give them out to anyone. Don't use the
- same one for everything. Don't use root's password for anything else --
- except root's password! Never sign up or register on line, using any of
- your system passwords. Passwords should be a combination of mixed case
- letters, numbers and/or punctuation and a reasonable length (eight
- characters or longer). Don't use so-called "dictionary" words that are
- easy to guess like "cat" or "dog". Don't incorporate personal information
- like names or dates or hostnames. Don't write down system passwords --
- memorize them.
-
- Use the more secure "shadow" passwords. This should be the default for
- any recent Linux distribution now. If the file /etc/shadow exists, then
- it is enabled already. The commands pwconv and grpconv, can be used to
- convert password and group files to shadow format if available.
-
- * Avoid using programs that require clear text logins over untrusted
- networks like the Internet. Telnet is a prime example. ssh is much
- better. If there is any support for SSL (Secure Socket Layers), use it.
- For instance, does your ISP offer POP or IMAP mail via SSL? Recent
- distributions should include [http://www.openssl.org/] openssl, and many
- Linux applications can use SSL where support is available.
-
- * Set resource limits. There are various ways to do this. The need for this
- probably increases with the number of users accessing a given system. Not
- only does setting limits on such things as disk space prevent intentional
- mischief, it can also help with unintentionally misbehaved applications
- or processes. quota (man quota) can be used to set disk space limits.
- Bash includes the ulimit command (man ulimit or man bash), that can limit
- various functions on a per user basis.
-
- Also, not discussed here at any length, but PAM (Pluggable Authentication
- Modules) has a very sophisticated approach to controlling various system
- functions and resources. See man pam to get started. PAM is configured
- via either /etc/pam.conf or /etc/pam.d/*. Also files in /etc/security/*,
- including /etc/security/limits.conf, where again various sane limits can
- be imposed. An in depth look at PAM is beyond the scope of this document.
- The User-Authentication HOWTO ([http://tldp.org/HOWTO/
- User-Authentication-HOWTO/index.html] http://tldp.org/HOWTO/
- User-Authentication-HOWTO/index.html) has more on this.
-
- * Make sure someone with a clue is getting root's mail. This can be done
- with an "alias". Typically, the mail server will have a file such as /etc
- /aliases where this can defined. This can conceivably be an account on
- another machine if need be:
-
- +---------------------------------------------------------------+
- | |
- | # Person who should get root's mail. This alias |
- | # must exist. |
- | # CHANGE THIS LINE to an account of a HUMAN |
- | root: hal@bigcat |
- | |
- | |
- +---------------------------------------------------------------+
-
- Remember to run newaliases (or equivalent) afterward.
-
- * Be careful where you get software. Use trusted sources. How well do you
- trust complete strangers? Check your vendor first if looking for a
- specific package. It will probably be best suited for your system any
- way. Or, the original package's project site is good as well. Installing
- from raw source (either tarball or src.rpm) at least gives you the
- ability to examine the code. Even if you don't understand it ;-) While
- this does not seem to be a wide spread problem with Linux software sites,
- it is very trivial for someone to add a very few lines of code, turning
- that harmless looking binary into a "Trojan horse" that opens a backdoor
- to your system. Then the jig is up.
-
- * So someone has scanned you, probed you, or otherwise seems to want into
- your system? Don't retaliate. There is a good chance that the source IP
- address is a compromised system, and the owner is a victim already. Also,
- you may be violating someone's Terms of Service, and have trouble with
- your own ISP. The best you can do is to send your logs to the abuse
- department of the source IP's ISP, or owner. This is often something like
- "abuse@someisp.com". Just don't expect to hear much back. Generally
- speaking, such activity is not legally criminal, unless an actual
- break-in has taken place. Furthermore, even if criminal, it will never be
- prosecuted unless significant damage (read: big dollars) can be shown.
-
- * Red Hat,Mandrake and Debian users can install the "Bastille Hardening
- System", [http://www.bastille-linux.org/] http://www.bastille-linux.org/.
- This is a multi-purpose system for "hardening" Red Hat and Mandrake
- system security. It has a GUI interface which can be used to construct
- firewall scripts from scratch and configure PAM among many other things.
- Debian support is new.
-
- * So you have a full-time Internet connection via cable-modem or DSL. But
- do you always use it, or always need it? There's an old saying that "the
- only truly secure system, is a disconnected system". Well, that's
- certainly one option. So take that interface down, or stop the
- controlling daemon (dhcpcd, pppoed, etc). Or possibly even set up cron
- jobs to bring your connection up and down according to your normal
- schedule and usage.
-
- * What about cable and DSL routers that are often promoted as "firewalls"?
- The lower priced units are mostly equating NAT (Network Address
- Translation), together with the ability to open holes for ports through
- it, as a firewall. While NAT itself does provide a fair degree of
- security for the systems behind the NAT gateway, this does not constitute
- anything but a very rudimentary firewall. And if holes are opened, there
- is still exposure. Also, you are relying on the router's firmware and
- implementation not to be flawed. It is wise to have some kind of
- additional protection behind such routers.
-
- * What about wireless network cards and hubs? Insecure, despite what the
- manufacturers may claim. Treat these connections just as you would an
- Internet connection. Use secure protocols like ssh only! Even if it is
- just one LAN box to another.
-
- * If you find you need to run a particular service, and it is for just you,
- or maybe a relatively small number of people, use a non-standard port.
- Most server daemons support this. For instance, sshd runs on port 22 by
- default. All worms and script kiddies will expect it there, and look for
- it there. So, run it on another port! See the sshd man page.
-
- * What about firewalls that block Internet connections according to the
- application (like ZoneAlarm from Windowsdom)? These were designed with
- this feature primarily because of the plethora of virii and trojans that
- are so common with MS operating systems. This is really not a problem on
- Linux. So, really no such application exists on Linux at this time. And
- there does not seem to be enough demand for it that someone has taken the
- time to implement it. A better firewall can be had on Linux, by following
- the other suggestions in this document.
-
- * Lastly, know your system! Let's face it, if you are new to Linux, you
- can't already know something you have never used. Understood. But in the
- process of learning, learn how to do things the right way, not the
- easiest way. There is several decades of history behind "the right way"
- of doing things. This has stood the test of time. What may seem
- unnecessary or burdensome now, will make sense in due time.
-
- Be familiar with whatever services you are running, and the implications
- these services might have to the overall health of your system if
- something does go wrong. Read what you can, and ask questions. Don't run
- something as a service "just because I can", or because the installer put
- it there. You can't start out being an experienced System Administrator
- clearly. But you can work to learn enough about your own system, that you
- are in control. This is one thing that separates *nix from MS systems: we
- can never be in complete control with MS, but we can with *nix.
- Conversely, if something bad happens, we often have no one else to blame.
-
-
------------------------------------------------------------------------------
-8. Appendix
-
-8.1. Servers, Ports, and Packets
-
-Let's take a quick, non-technical look at some networking concepts, and how
-they can potentially impact our own security. We don't need to know much
-about networking, but a general idea of how things work is certainly going to
-help us with firewalls and other related issues.
-
-As you may have noticed Linux is a very network oriented Operating System.
-Much is done by connecting to "servers" of one type or another -- X servers,
-font servers, print servers, etc.
-
-Servers provide "services", which provide various capabilities, both to the
-local system and potentially other remote systems. The same server generally
-provides both functionalities. Some servers work quietly behind the scenes,
-and others are more interactive by nature. We may only be aware of a print
-server when we need to print something, but it is there running, listening,
-and waiting for connection requests whether we ever use it or not (assuming
-of course we have it enabled). A typical Linux installation will have many,
-many types of servers available to it. Default installations often will turn
-some of these "on".
-
-And even if we are not connected to a real network all the time, we are still
-"networked" so to speak. Take our friendly local X server for instance. We
-may tend to think of this as just providing a GUI interface, which is only
-true to a point. It does this by "serving" to client applications, and thus
-is truly a server. But X Windows is also capable of serving remote clients
-over a network -- even large networks like the Internet. Though we probably
-don't really want to be doing this ;-)
-
-And yes, if you are not running a firewall or have not taken other
-precautions, and are connected to the Internet, it is quite possible that
-someone -- anyone -- could connect to your X server. X11 "listens" on TCP
-"port" 6000 by default. This principle applies to most other servers as well
--- they can be easily connected to, unless something is done to restrict or
-prevent connections.
-
-In TCP/IP (Transmission Control Protocol/Internet Protocol) networks like we
-are talking about with Linux and the Internet, every connected computer has a
-unique "IP Address". Think of this like a phone number. You have a phone
-number, and in order to call someone else, you have to know that phone
-number, and then dial it. The phone numbers have to be unique for the system
-to work. IP address are generally expressed as "dotted quad" notation, e.g.
-152.19.254.81.
-
-On this type of network, servers are said to "listen". This means that they
-have a "port" opened, and are awaiting incoming connections to that port.
-Connections may be local, as is typically the case with our X server, or
-remote -- meaning from another computer "somewhere". So servers "listen" on a
-specific "port" for incoming connections. Most servers have a default port,
-such as port 80 for web servers. Or 6000 for X11. See /etc/services for a
-list of common ports and their associated service.
-
-The "port" is actually just an address in the kernel's networking stack, and
-is a method that TCP, and other protocols, use to organize connections and
-the exchange of data between computers. There are total of 65,536 TCP and UDP
-ports available, though usually only a relatively few of these are used at
-any one time. These are classified as "privileged", those ports below 1024,
-and "unprivileged", 1024 and above. Most servers use the privileged ports.
-
-Only one server may listen on, or "bind" to, a port at a time. Though that
-server may well be able to open multiple connections via that one port.
-Computers talk to each other via these "port" connections. One computer will
-open a connection to a "port" on another computer, and thus be able to
-exchange data via the connection that has been established between their
-respective ports.
-
-Getting back to the phone analogy, and stretching it a bit, think of calling
-a large organization with a complex phone system. The organization has many
-"departments": sales, shipping, billing, receiving, customer service, R&D,
-etc. Each department has it's own "extension" number. So the shipping
-department might be extension 21, the sales might be department 80 and so on.
-The main phone number is the IP Address, and the department's extension is
-the port in this analogy. The "department's" number is always the same when
-we call. And generally they can handle many simultaneous incoming calls.
-
-The data itself is contained in "packets", which are small chunks of data,
-generally 1500 bytes or less each. Packets are used to control and organize
-the connection, as well as carry data. There are different types of packets.
-Some are specifically used for controlling the connection, and then some
-packets carry our data as their payload. If there is a lot of data, it will
-be broken up into multiple packets which is almost always how it works. The
-packets will be transmitted one at a time, and then "re-assembled" at the
-other end. One web page for instance, will take many packets to transmit --
-maybe hundreds or even thousands. This all happens very quickly and
-transparently.
-
-We can see a typical connection between two computers in this one line
-excerpt from netstat output:
-
-+---------------------------------------------------------------------------+
-| tcp 30 0 169.254.179.139:1359 18.29.1.67:21 CLOSE_WAIT |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The interesting part is the IP addresses and ports in the fourth and fifth
-columns. The port is the number just to the right of the colon. The left side
-of the colon is the IP address of each computer. The fourth column is the
-local address, or our end of the connection. In the example, 169.254.179.139
-is the IP address assigned by my ISP. It is connected to port 21 (FTP) on
-18.29.1.67, which is rpmfind.net. This is just after an FTP download from
-rpmfind.net. Note that while I am connected to their FTP server on their port
-21, the port on my end that is used by my FTP client is 1359. This is a
-randomly assigned "unprivileged" port, used for my end of the two-way
-"conversation". The data moves in both directions: me:port#1359 <-> them:port
-#21. The FTP protocol is actually a little more complicated than this, but we
-won't delve into the finer points here. The CLOSE_WAIT is the TCP state of
-the connection at this particular point in time. Eventually the connection
-will close completely on both ends, and netstat will not show anything for
-this.
-
-The "unprivileged" port that is used for my end of the connection, is
-temporary and is not associated with a locally running server. It will be
-closed by the kernel when the connection is terminated. This is quite
-different than the ports that are kept open by "listening" servers, which are
-permanent and remain "open" even after a remote connection is terminated.
-
-So to summarize using the above example, we have client (me) connecting to a
-server (rpmfind.net), and the connection is defined and controlled by the
-respective ports on either end. The data is transmitted and controlled by
-packets. The server is using a "privileged" port (i.e. a port below number
-1024) which stays open listening for connections. The "unprivileged" port
-used on my end by my client application is temporary, is only opened for the
-duration of the connection, and only responds to the server's port at the
-other end of the connection. This type of port is not vulnerable to attacks
-or break-ins generally speaking. The server's port is vulnerable since it
-remains open. The administrator of the FTP server will need to take
-appropriate precautions that his server is secure. Other Internet
-connections, such as to web servers or mail servers, work similar to the
-above example, though the server ports are different. SMTP mail servers use
-port 25, and web servers typically use port 80. See the Ports section for
-other commonly used ports and services.
-
-One more point on ports: ports are only accessible if there is something
-listening on that port. No one can force a port open if there is no service
-or daemon listening there, ready to handle incoming connection requests. A
-closed port is a totally safe port.
-
-And a final point on the distinction between clients and servers. The example
-above did not have a telnet or ftp server in the LISTENER section in the
-netstat example above. In other words, no such servers were running locally.
-You do not need to run a telnet or ftp server daemon in order to connect to
-somebody else's telnet or ftp server. These are only for providing these
-services to others that would be making connections to you. Which you don't
-really want to be doing in most cases. This in no way effects the ability to
-use telnet and ftp client software.
------------------------------------------------------------------------------
-
-8.2. Common Ports
-
-A quick run down of some commonly seen and used ports, with the commonly
-associated service name, and risk factor. All have some risk. It is just that
-some have historically had more exploits than others. That is how they are
-evaluated below, and not necessarily to be interpreted as whether any given
-service is safe or not.
-
-1-19, assorted protocols, many of which are antiquated, and probably none of
-which are needed on a modern system. If you don't know what any of these are,
-then you definitely don't need them. The echo service (port 7) should not be
-confused with the common ping program. Leave all these off.
-
-20 - FTP-DATA. "Active" FTP connections use two ports: 21 is the control
-port, and 20 is where the data comes through. Passive FTP does not use port
-20 at all. Low risk, but see below.
-
-21 - FTP server port, aka File Transfer Protocol. A well entrenched protocol
-for transferring files between systems. Very high risk, and maybe the number
-one crack target.
-
-22 - SSH (Secure Shell), or sometimes PCAnywhere. Low to moderate risk (yes
-there are exploits even against so called "secure" services).
-
-23 - Telnet server. For LAN use only. Use ssh instead in non-secure
-environments. Moderate risk.
-
-25 - SMTP, Simple Mail Transfer Protocol, or mail server port, used for
-sending outgoing mail, and transferring mail from one place to another.
-Moderate risk. This has had a bad history of exploits, but has improved
-lately.
-
-37 - Time service. This is the built-in inetd time service. Low risk. For LAN
-use only.
-
-53 - DNS, or Domain Name Server port. Name servers listen on this port, and
-answer queries for resolving host names to IP addresses. High Risk.
-
-67 (UDP) - BOOTP, or DHCP, server port. Low risk. If using DHCP on your LAN,
-this does not need to be exposed to the Internet.
-
-68 (UDP) - BOOTP, or DHCP, client port. Low risk.
-
-69 - tftp, or Trivial File Transfer Protocol. Extremely insecure. LAN only,
-if really, really needed.
-
-79 - Finger, used to provide information about the system, and logged in
-users. Low risk as a crack target, but gives out way too much information and
-should not be run.
-
-80 - WWW or HTTP standard web server port. The most commonly used service on
-the Internet. Low risk.
-
-98 - Linuxconf web access administrative port. LAN only, if really needed at
-all.
-
-110 - POP3, aka Post Office Protocol, mail server port. POP mail is mail that
-the user retrieves from a remote system. Low risk.
-
-111 - sunrpc (Sun Remote Procedure Call), or portmapper port. Used by NFS
-(Network File System), NIS (Network Information Service), and various related
-services. Sounds dangerous and is high risk. LAN use only. A favorite crack
-target.
-
-113 - identd, or auth, server port. Used, and sometimes required, by some
-older style services (like SMTP and IRC) to validate the connection. Probably
-not needed in most cases. Low risk, but could give an attacker too much
-information about your system.
-
-119 -- nntp or news server port. Low risk.
-
-123 - Network Time Protocol for synchronizing with time servers where a high
-degree of accuracy is required. Low risk, but probably not required for most
-users. rdate makes an easier and more secure way of updating the system
-clock. And then inetd's built in time service for synchronizing LAN systems
-is another option.
-
-137-139 - NetBios (SMB) services. Mostly a Windows thing. Low risk on Linux,
-but LAN use only. 137 is a very commonly seen port attempt. A rather
-obnoxious protocol from Redmond that generates a lot of "noise", much of
-which is harmless.
-
-143 - IMAP, Interim Mail Access Protocol. Another mail retrieval protocol.
-Low to moderate risk.
-
-161 - SNMP, Simple Network Management Protocol. More commonly used in routers
-and switches to monitor statistics and vital signs. Not needed for most of
-us, and low risk.
-
-177 - XDMCP, the X Display Management Control Protocol for remote connections
-to X servers. Low risk, but LAN only is recommended.
-
-443 - HTTPS, a secure HTTP (WWW) protocol in fairly wide use. Low risk.
-
-465 - SMTP over SSL, secure mail server protocol. Low risk.
-
-512 (TCP) - exec is how it shows in netstat. Actually the proper name is
-rexec, for Remote Execution. Sounds dangerous, and is. High risk, LAN only if
-at all.
-
-512 (UDP) - biff, a mail notification protocol. Low risk, LAN only.
-
-513 - login, actually rlogin, aka Remote Login. No relation to the standard /
-bin/login that we use every time we log in. Sounds dangerous, and is. High
-risk, and LAN only if really needed.
-
-514 (TCP) - shell is the nickname, and how netstat shows it. Actually, rsh is
-the application for "Remote Shell". Like all the "r" commands, this is a
-throw back to kindler, gentler times. Very insecure, so high risk, and LAN
-only usage, if at all.
-
-514 (UDP) - syslog daemon port, only used for remote logging purposes. The
-average user does not need this. Probably low risk, but definitely LAN only
-if really required.
-
-515 - lp or print server port. High risk, and LAN only of course. Someone on
-the other side of the world does not want to use your printer for it's
-intended purpose!
-
-587 - MSA, or "submission", the Mail Submission Agent protocol. A new mail
-handling protocol supported by most MTA's (mail servers). Low risk.
-
-631 - the CUPS (print daemon) web management port. LAN only, low risk.
-
-635 - mountd, part of NFS. LAN use only.
-
-901 - SWAT, Samba Web Administration Tool port. LAN only.
-
-993 - IMAP over SSL, secure IMAP mail service. Very low risk.
-
-995 - POP over SSL, secure POP mail service. Very low risk.
-
-1024 - This is the first "unprivileged" port, which is dynamically assigned
-by the kernel to whatever application requests it. This can be almost
-anything. Ditto for ports just above this.
-
-1080 - Socks Proxy server. A favorite crack target.
-
-1243 - SubSeven Trojan. Windows only problem.
-
-1433 - MS SQL server port. A sometimes target. N/A on Linux.
-
-2049 - nfsd, Network File Service Daemon port. High risk, and LAN usage only
-is recommended.
-
-3128 - Squid proxy server port. Low risk, but for most should be LAN only.
-
-3306 - MySQL server port. Low risk, but for most should be LAN only.
-
-5432 - PostgreSQL server port. LAN only, relatively low risk.
-
-5631 (TCP), 5632 (UDP) - PCAnywhere ports. Windows only. PCAnywhere can be
-quite "noisy", and broadcast wide address ranges.
-
-6000 - X11 TCP port for remote connections. Low to moderate risk, but again,
-this should be LAN only. Actually, this can include ports 6000-6009 since X
-can support multiple displays and each display would have its own port. ssh's
-X11Forwarding will start using ports at 6010.
-
-6346 - gnutella.
-
-6667 - ircd, Internet Relay Chat Daemon.
-
-6699 - napster.
-
-7100-7101 - Some font servers use these ports. Low risk, but LAN only.
-
-8000 and 8080 - common web cache and proxy server ports. LAN only.
-
-10000 - webmin, a web based system administration utility. Low risk at this
-point.
-
-27374 - SubSeven, a commonly probed for Windows only Trojan. Also, 1243.
-
-31337 - Back Orifice, another commonly probed for Windows only Trojan.
-
-More services and corresponding port numbers can be found in /etc/services.
-Also, the "official" list is [http://www.iana.org/assignments/port-numbers]
-http://www.iana.org/assignments/port-numbers.
-
-A great analysis of what probes to these and other ports might mean from
-Robert Graham: [http://www.linuxsecurity.com/resource_files/firewalls/
-firewall-seen.html] http://www.linuxsecurity.com/resource_files/firewalls/
-firewall-seen.html. A very good reference.
-
-Another point here, these are the standard port designations. There is no law
-that says any service has to run on a specific port. Usually they do, but
-certainly they don't always have to.
-
-Just a reminder that when you see these types of ports in your firewall logs,
-it is not anything to go off the deep end about. Not if you have followed
-Steps 1-3 above, and verified your firewall works. You are fairly safe. Much
-of this traffic may be "stray bullets" too -- Internet background noise,
-misconfigured clients or routers, noisy Windows stuff, etc.
------------------------------------------------------------------------------
-
-8.3. Netstat Tutorial
-
-8.3.1. Overview
-
-netstat is a very useful utility for viewing the current state of your
-network status -- what servers are listening for incoming connections, what
-interfaces they listen on, who is connected to us, who we are connect to, and
-so on. Take a look at the man page for some of the many command line options.
-We'll just use a relative few options here.
-
-As an example, let's check all currently listening servers and active
-connections for both TCP and UDP on our hypothetical host, bigcat. bigcat is
-a home desktop installation, with a DSL Internet connection in this example.
-bigcat has two ethernet cards: one for the external connection to the ISP,
-and one for a small LAN with an address of 192.168.1.1.
-
-+--------------------------------------------------------------------------------+
-| |
-|$ netstat -tua |
-|Active Internet connections (servers and established) |
-|Proto Recv-Q Send-Q Local Address Foreign Address State |
-|tcp 0 0 *:printer *:* LISTEN |
-|tcp 0 0 bigcat:8000 *:* LISTEN |
-|tcp 0 0 *:time *:* LISTEN |
-|tcp 0 0 *:x11 *:* LISTEN |
-|tcp 0 0 *:http *:* LISTEN |
-|tcp 0 0 bigcat:domain *:* LISTEN |
-|tcp 0 0 bigcat:domain *:* LISTEN |
-|tcp 0 0 *:ssh *:* LISTEN |
-|tcp 0 0 *:631 *:* LISTEN |
-|tcp 0 0 *:smtp *:* LISTEN |
-|tcp 0 1 dsl-78-199-139.s:1174 64.152.100.93:nntp SYN_SENT |
-|tcp 0 1 dsl-78-199-139.s:1175 64.152.100.93:nntp SYN_SENT |
-|tcp 0 1 dsl-78-199-139.s:1173 64.152.100.93:nntp SYN_SENT |
-|tcp 0 0 dsl-78-199-139.s:1172 207.153.203.114:http ESTABLISHED |
-|tcp 1 0 dsl-78-199-139.s:1199 www.xodiax.com:http CLOSE_WAIT |
-|tcp 0 0 dsl-78-199-139.sd:http 63.236.92.144:34197 TIME_WAIT |
-|tcp 400 0 bigcat:1152 bigcat:8000 CLOSE_WAIT |
-|tcp 6648 0 bigcat:1162 bigcat:8000 CLOSE_WAIT |
-|tcp 553 0 bigcat:1164 bigcat:8000 CLOSE_WAIT |
-|udp 0 0 *:32768 *:* |
-|udp 0 0 bigcat:domain *:* |
-|udp 0 0 bigcat:domain *:* |
-|udp 0 0 *:631 *:* |
-| |
-| |
-+--------------------------------------------------------------------------------+
-
-This output probably looks very different from what you get on your own
-system. Notice the distinction between "Local Address" and "Foreign Address",
-and how each includes a corresponding port number (or service name if
-available) after the colon. "Local Address" is our end of the connection. The
-first group with LISTEN in the far right hand column are services that are
-running on this system. These are servers that are running in the background
-on bigcat, and "listen" for incoming connections. So they have a port opened,
-and this is where they "listen". These connections might come from the local
-system (i.e. bigcat itself), or remote systems. This is very important
-information to have! The others just below this are connections that have
-been established from this system to other systems. The respective
-connections are in varying states as indicated by the key words in the last
-column. Those with no key word in the last column at the end are servers
-responding to UDP connections. UDP is a different protocol from TCP
-altogether, but is used for some types of low priority network traffic.
-
-Now, the same thing with the "-n" flag to suppress converting to "names" so
-we can actually see the port numbers:
-
-+-----------------------------------------------------------------------------+
-|$ netstat -taun |
-|Active Internet connections (servers and established) |
-|Proto Recv-Q Send-Q Local Address Foreign Address State |
-|tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN |
-|tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN |
-|tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN |
-|tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN |
-|tcp 0 1 169.254.179.139:1174 64.152.100.93:119 SYN_SENT |
-|tcp 0 1 169.254.179.139:1175 64.152.100.93:119 SYN_SENT |
-|tcp 0 1 169.254.179.139:1173 64.152.100.93:119 SYN_SENT |
-|tcp 0 0 169.254.179.139:1172 207.153.203.114:80 ESTABLISHED |
-|tcp 1 0 169.254.179.139:1199 216.26.129.136:80 CLOSE_WAIT |
-|tcp 0 0 169.254.179.139:80 63.236.92.144:34197 TIME_WAIT |
-|tcp 400 0 127.0.0.1:1152 127.0.0.1:8000 CLOSE_WAIT |
-|tcp 6648 0 127.0.0.1:1162 127.0.0.1:8000 CLOSE_WAIT |
-|tcp 553 0 127.0.0.1:1164 127.0.0.1:8000 CLOSE_WAIT |
-|udp 0 0 0.0.0.0:32768 0.0.0.0:* |
-|udp 0 0 192.168.1.1:53 0.0.0.0:* |
-|udp 0 0 127.0.0.1:53 0.0.0.0:* |
-|udp 0 0 0.0.0.0:631 0.0.0.0:* |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Let's look at the first few lines of this in detail. On line one,
-
-+----------------------------------------------------------------------------+
-| tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-"Local Address" is 0.0.0.0, meaning "all" interfaces that are available. The
-local port is 515, or the standard print server port, usually owned by the
-lpd daemon. You can find a listing of common service names and corresponding
-ports in the file /etc/services.
-
-The fact that it is listening on all interfaces is significant. In this case,
-that would be lo (localhost), eth0, and eth1. Printer connections could
-conceivably be made over any of these interfaces. Should a user on this
-system bring up a PPP connection, then the print daemon would be listening on
-that interface (ppp0) as well. The "Foreign Address" is also 0.0.0.0, meaning
-from "anywhere".
-
-It is also worth noting here, that even though this server is telling the
-kernel to listen on all interfaces, the netstat output does not reflect
-whether there may be a firewall in place that may be filtering incoming
-connections. We just can't tell that at this point. Obviously, for certain
-servers, this is very desirable. Nobody outside your own LAN has any reason
-whatsoever to connect to your print server port for instance.
-
-Line two is a little different:
-
-+----------------------------------------------------------------------------+
-| tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-Notice the "Local Address" this time is localhost's address of 127.0.0.1.
-This is very significant as only connections local to this machine will be
-accepted. So only bigcat can connect to bigcat's TCP port 8000. The security
-implications should be obvious. Not all servers have configuration options
-that allow this kind of restriction, but it is a very useful feature for
-those that do. Port 8000 in this example, is owned by the web proxy
-Junkbuster.
-
-With the next three entries, we are back to listening on all available
-interfaces:
-
-+-----------------------------------------------------------------------------+
-| tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Looking at /etc/services, we can tell that port 37 is a "time" service, which
-is a time server. 6000 is X11, and 80 is the standard port for HTTP servers
-like Apache. There is nothing really unusual here as these are all readily
-available services on Linux.
-
-The first two above are definitely not the kind of services you'd want just
-anyone to connect to. These should be firewalled so that all outside
-connections are refused. Again, we can't tell from this output whether any
-firewall is in place, much less how effectively implemented it may be.
-
-The web server on port 80 is not a huge security risk by itself. HTTP is a
-protocol that is often open to all comers. For instance, if we wanted to host
-our own home page, Apache can certainly do this for us. It is also possible
-to firewall this off, so that it is for use only to our LAN clients as part
-of an Intranet. Obviously too, if you do not have a good justification for
-running a web server, then it should be disabled completely.
-
-The next two lines are interesting:
-
-+-----------------------------------------------------------------------------+
-| tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN |
-| tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Again notice the "Local Address" is not 0.0.0.0. This is good! The port this
-time is 53, or the DNS port used by nameserver daemons like named. But we see
-the nameserver daemon is only listening on the lo interface (localhost), and
-the interface that connects bigcat to the LAN. So the kernel only allows
-connections from localhost, and the LAN. There will be no port 53 available
-to outside connections at all. This is a good example of how individual
-applications can sometimes be securely configured. In this case, we are
-probably looking at a caching DNS server since a real nameserver that is
-responsible for handling DNS queries would have to have port 53 open to the
-world. This is a security risk and requires special handling.
-
-The last three LISTENER entries:
-
-+-----------------------------------------------------------------------------+
-| tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-These are back to listening on all available interfaces. Port 22 is sshd, the
-Secure Shell server daemon. This is a good sign! Notice that the service for
-port 631 does not have a service name if we look at the output in the first
-example. This might be a clue that something unusual is going on here. (See
-the next section for the answer to this riddle.) And lastly, port 25, the
-standard port for the SMTP mail daemon. Most Linux installations probably
-will have an SMTP daemon running, so this is not necessarily unusual. But is
-it necessary?
-
-The next grouping is established connections. For our purposes the state of
-the connection as indicated by the last column is not so important. This is
-well explained in the man page.
-
-+-------------------------------------------------------------------------------+
-| tcp 0 1 169.254.179.139:1174 64.152.100.93:119 SYN_SENT |
-| tcp 0 1 169.254.179.139:1175 64.152.100.93:119 SYN_SENT |
-| tcp 0 1 169.254.179.139:1173 64.152.100.93:119 SYN_SENT |
-| tcp 0 0 169.254.179.139:1172 207.153.203.114:80 ESTABLISHED |
-| tcp 1 0 169.254.179.139:1199 216.26.129.136:80 CLOSE_WAIT |
-| tcp 0 0 169.254.179.139:80 63.236.92.144:34197 TIME_WAIT |
-| tcp 400 0 127.0.0.1:1152 127.0.0.1:8000 CLOSE_WAIT |
-| tcp 6648 0 127.0.0.1:1162 127.0.0.1:8000 CLOSE_WAIT |
-| tcp 553 0 127.0.0.1:1164 127.0.0.1:8000 CLOSE_WAIT |
-| |
-| |
-+-------------------------------------------------------------------------------+
-
-There are nine total connections here. The first three is our external
-interface connecting to a remote host on their port 119, the standard NNTP
-(News) port. There are three connections here to the same news server.
-Apparently the application is multi-threaded, as it is trying to open
-multiple connections to the news server. The next two entries are connections
-to a remote web server as indicated by the port 80 after the colon in the
-fifth column. Probably a pretty common looking entry for most of us. But the
-one just after is reversed and has the port 80 in the fourth column, so this
-is someone that has connected to bigcat's web server via its external,
-Internet-side interface. The last three entries are all connections from
-localhost to localhost. So we are connecting to ourselves here. Remembering
-from above that port 8000 is bigcat's web proxy, this is a web browser that
-is connected to the locally running proxy. The proxy then will open an
-external connection of its own, which probably is what is going on with lines
-four and five.
-
-Since we gave netstat both the -t and -u options, we are getting both the TCP
-and UDP listening servers. The last few lines are the UDP ones:
-
-+----------------------------------------------------------------------------+
-| udp 0 0 0.0.0.0:32768 0.0.0.0:* |
-| udp 0 0 192.168.1.1:53 0.0.0.0:* |
-| udp 0 0 127.0.0.1:53 0.0.0.0:* |
-| udp 0 0 0.0.0.0:631 0.0.0.0:* |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-The last three entries have ports that are familiar from the above
-discussion. These are servers that are listening for both TCP and UDP
-connections. Same servers in this case, just using two different protocols.
-The first one on local port 32768 is new, and does not have a service name
-available to it in /etc/services. So at first glance this should be
-suspicious and pique our curiosity. See the next section for the explanation.
-
-Can we draw any conclusions from this hypothetical situation? For the most
-part, these look to be pretty normal looking network services and connections
-for Linux. There does not seem to be an unduly high number of servers running
-here, but that by itself does not mean much since we don't know if all these
-servers are really required or not. We know that netstat can not tell us if
-any of these are effectively firewalled, so there is no way to say how secure
-all this might be. We also don't really know if all the listening services
-are really required by the owner here. That is something that varies widely
-from installation to installation. Does bigcat even have a printer attached
-for instance? Presumably it does, or this is a completely unnecessary risk.
------------------------------------------------------------------------------
-
-8.3.2. Port and Process Owners
-
-We've learned a lot about what is going on with bigcat's networking from the
-above section. But suppose we see something we don't recognize and want to
-know what started that particular service? Or we want to stop a particular
-server and it is not obvious from the above output?
-
-The -p option should give us the process's PID and the program name that
-started the process in the last column. Let's look at the TCP servers again
-(with first three columns cropped for spacing). We'll have to run this as
-root to get all the available information:
-
-+----------------------------------------------------------------------------+
-|# netstat -tap |
-|Active Internet connections (servers and established) |
-| Local Address Foreign Address State PID/Program name |
-| *:printer *:* LISTEN 988/inetd |
-| bigcat:8000 *:* LISTEN 1064/junkbuster |
-| *:time *:* LISTEN 988/inetd |
-| *:x11 *:* LISTEN 1462/X |
-| *:http *:* LISTEN 1078/httpd |
-| bigcat:domain *:* LISTEN 956/named |
-| bigcat:domain *:* LISTEN 956/named |
-| *:ssh *:* LISTEN 972/sshd |
-| *:631 *:* LISTEN 1315/cupsd |
-| *:smtp *:* LISTEN 1051/master |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-Some of these we already know about. But we see now that the printer daemon
-on port 515 is being started via inetd with a PID of "988". inetd is a
-special situation. inetd is often called the "super server", since it's main
-role is to spawn sub-services. If we look at the first line, inetd is
-listening on port 515 for printer services. If a connection comes for this
-port, inetd intercepts it, and then will spawn the appropriate daemon, i.e.
-the print daemon in this case. The configuration of how inetd handles this is
-typically done in /etc/inetd.conf. This should tell us that if we want to
-stop an inetd controlled server on a permanent basis, then we will have to
-dig into the inetd (or perhaps xinetd) configuration. Also the time service
-above is started via inetd as well. This should also tell us that these two
-services can be further protected by tcpwrappers (discussed in Step 3 above).
-This is one benefit of using inetd to control certain system services.
-
-We weren't sure about the service on port 631 above since it did not have a
-standard service name, which means it is something maybe unusual or off the
-beaten path. Now we see it is owned by cupsd , which is one of several print
-daemons available under Linux. This happens to be the web interface for
-controlling the printer service. Something cupsd does that is indeed a little
-different than other print servers.
-
-The last entry above is the SMTP mail server on bigcat. Often, this is
-sendmail with many distributions. But not in this case. The command is
-"master", which may not ring any bells. Armed with the program name we could
-go searching the filesystem with tools like the locate or find commands.
-After we found it, we could then probably discern what package it belonged
-to. But with the PID available now, we can look at ps output, and see if that
-helps us any:
-
-+---------------------------------------------------------------------------+
-| $ /bin/ps ax |grep 1051 |grep -v grep |
-| 1051 ? S 0:24 /usr/libexec/postfix/master |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-We took a shortcut here by combining ps with grep. It looks like that this
-file belongs to postfix, which is indeed a mail server package comparable to
-sendmail.
-
-Running ps with the --forest flag (-f for short) can be helpful in
-determining what processes are parent or child process or another process. An
-edited example:
-
-+---------------------------------------------------------------------------+
-| $ /bin/ps -axf |
-| 956 ? S 0:00 named -u named |
-| 957 ? S 0:00 \_ named -u named |
-| 958 ? S 0:46 \_ named -u named |
-| 959 ? S 0:47 \_ named -u named |
-| 960 ? S 0:00 \_ named -u named |
-| 961 ? S 0:11 \_ named -u named |
-| 1051 ? S 0:30 /usr/libexec/postfix/master |
-| 1703 ? S 0:00 \_ tlsmgr -l -t fifo -u -c |
-| 1704 ? S 0:00 \_ qmgr -l -t fifo -u -c |
-| 1955 ? S 0:00 \_ pickup -l -t fifo -c |
-| 1863 ? S 0:00 \_ trivial-rewrite -n rewrite -t unix -u -c |
-| 2043 ? S 0:00 \_ cleanup -t unix -u -c |
-| 2049 ? S 0:00 \_ local -t unix |
-| 2062 ? S 0:00 \_ smtpd -n smtp -t inet -u -c |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-A couple of things to note here. We have two by now familiar daemons here:
-named and postfix (smtpd). Both are spawning sub-processes. In the case of
-named, what we are seeing is threads, various sub-processes that it always
-spawns. Postfix is also spawning sub-processes, but not as "threads". Each
-sub-process has its own specific task. It is worth noting that child
-processes are dependent on the parent process. So killing the parent PID,
-will in turn kill all child processes.
-
-If all this has not shed any light, we might also try locate:
-
-+---------------------------------------------------------------------------+
-| $ locate /master |
-| /etc/postfix/master.cf |
-| /var/spool/postfix/pid/master.pid |
-| /usr/libexec/postfix/master |
-| /usr/share/vim/syntax/master.vim |
-| /usr/share/vim/vim60z/syntax/master.vim |
-| /usr/share/doc/postfix-20010202/html/master.8.html |
-| /usr/share/doc/postfix-20010202/master.cf |
-| /usr/share/man/man8/master.8.gz |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-find is perhaps the most flexible file finding utility, but doesn't use a
-database the way locate does, so is much slower:
-
-+---------------------------------------------------------------------------+
-| $ find / -name master |
-| /usr/libexec/postfix/master |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-If lsof is installed, it is another command that is useful for finding who
-owns processes or ports:
-
-+---------------------------------------------------------------------------+
-| # lsof -i :631 |
-| COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME |
-| cupsd 1315 root 0u IPv4 3734 TCP *:631 (LISTEN) |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-This is again telling us that the cupsd print daemon is the owner of port
-631. Just a different way of getting at it. Yet one more way to get at this
-is with fuser, which should be installed:
-
-+---------------------------------------------------------------------------+
-| # fuser -v -n tcp 631 |
-| |
-| USER PID ACCESS COMMAND |
-| 631/tcp root 1315 f.... cupsd |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-See the man pages for fuser and lsof command syntax.
-
-Another place to look for where a service is started, is in the init.d
-directory, where the actual init scripts live (for SysVinit systems).
-Something like ls -l /etc/init.d/, should give us a list of these. Often the
-script name itself gives a hint as to which service(s) it starts, though it
-may not necessarily exactly match the "Program Name" as provided by netstat.
-Or we can use grep to search inside files and match a search pattern. Need to
-find where rpc.statd is being started, and we don't see a script by this
-name?
-
-+---------------------------------------------------------------------------+
-| # grep rpc.statd /etc/init.d/* |
-| /etc/init.d/nfslock: [ -x /sbin/rpc.statd ] || exit 0 |
-| /etc/init.d/nfslock: daemon rpc.statd |
-| /etc/init.d/nfslock: killproc rpc.statd |
-| /etc/init.d/nfslock: status rpc.statd |
-| /etc/init.d/nfslock: /sbin/pidof rpc.statd >/dev/null 2>&1; STATD="$?" |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-We didn't really need all that information, but at least we see now exactly
-which script is starting it. Remember too that not all services are started
-this way. Some may be started via inetd, or xinetd.
-
-The /proc filesystem also keeps everything we want to know about processes
-that are running. We can query this to find out more information about each
-process. Do you need to know the full path of the command that started a
-process?
-
-+-----------------------------------------------------------------------------+
-| # ls -l /proc/1315/exe |
-| lrwxrwxrwx 1 root root 0 July 4 19:41 /proc/1315/exe -> /usr/sbin/cupsd |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Finally, we had a loose end or two in the UDP listening services. Remember we
-had a strange looking port number 32768, that also had no service name
-associated with it:
-
-+------------------------------------------------------------------------------------+
-| # netstat -aup |
-| Active Internet connections (servers and established) |
-| Local Address Foreign Address State PID/Program name |
-| *:32768 *:* 956/named |
-| bigcat:domain *:* 956/named |
-| bigcat:domain *:* 956/named |
-| *:631 *:* 1315/cupsd |
-| |
-| |
-+------------------------------------------------------------------------------------+
-
-Now by including the "PID/Program name" option with the -p flag, we see this
-also belongs to named, the nameserver daemon. Recent versions of BIND use an
-unprivileged port for some types of traffic. In this case, this is BIND 9.x.
-So no real alarms here either. The unprivileged port here is the one named
-uses to to talk to other nameservers for name and address lookups, and should
-not be firewalled.
-
-So we found no big surprises in this hypothetical situation.
-
-If all else fails, and you can't find a process owner for an open port,
-suspect that it may be an RPC (Remote Procedure Call) service of some kind.
-These use randomly assigned ports without any seeming logic or consistency,
-and are typically controlled by the portmap daemon. In some cases, these may
-not reveal the process owner to netstat or lsof. Try stopping portmap, and
-then see if the mystery service goes away. Or you can use rpcinfo -p
-localhost to see what RPC services may be running (portmap must be running
-for this to work).
-
-Warning If you suspect you have been broken into, do not trust netstat or ps
- output. There is a good chance that they, and other system
- components, has been tampered with in such a way that the output is
- not reliable.
------------------------------------------------------------------------------
-
-8.4. Attacks and Threats
-
-In this section, we will take a quick look at some of the common threats and
-techniques that are out there, and attempt to put them into some perspective.
-
-The corporate world, government agencies and high profile Internet sites have
-to be concerned with a much more diverse and challenging set of threats than
-the typical home desktop user. There are many reasons someone may want to
-break in to someone else's computer. It may be just for kicks, or any number
-of malicious reasons. They may just want a base from which to attack someone
-else. This is a very common motivation.
-
-The most common "attack" for most of us is from already compromised systems.
-The Internet is littered with computers that have been broken into, and are
-now doing their master's bidding blindly, in zombie-like fashion. They are
-programmed to scan massively large address ranges, probing each individual IP
-address as they go. Looking for one or more open ports, and then probing for
-known weaknesses if they get the chance. Very impersonal. Very methodical.
-And very effective. We are all in the path of such robotic scans. All because
-those responsible for these systems fail to do what you are doing now -
-taking steps to protect their system(s), and avoid being r00ted.
-
-These scans do not look at login banners that may be presented on connection.
-It will do little good to change your /etc/issue.net to pretend that you are
-running some obscure operating system. If they find something listening, they
-will try all of the exploits appropriate to that port, without regard to any
-indications your system may give. If it works, they are in -- if not, they
-will move on.
------------------------------------------------------------------------------
-
-8.4.1. Port Scans and Probes
-
-First, let's define "scan" and "probe" since these terms come up quite a bit.
-A "probe" implies testing if a given port is open or closed, and possibly
-what might be listening on that port. A "scan" implies either "probing"
-multiple ports on one or more systems. Or individual ports on multiple
-systems. So you might "scan" all ports on your own system for instance. Or a
-cracker might "scan" the 216.78.*.* address range to see who has port 111
-open.
-
-Black hats can use scan and probe information to know what services are
-running on a given system, and then they might know what exploits to try.
-They may even be able to tell what Operating System is running, and even
-kernel version, and thus get even more information. "Worms", on the other
-hand, are automated and scan blindly, generally just looking for open ports,
-and then a susceptible victim. They are not trying to "learn" anything, the
-way a cracker might.
-
-The distinction between "scan" and "probe"is often blurred. Both can used in
-good ways, or in bad ways, depending on who is doing it, and why. You might
-ask a friend to scan you, for instance, to see how well your firewall is
-working. This is a legitimate use of scanning tools such as nmap. But what if
-someone you don't know does this? What is their intent? If it's your ISP,
-they may be trying to enforce their Terms of Service Agreement. Or maybe, it
-is someone just playing, and seeing who is "out there". But more than likely
-it is someone or something with not such good intentions.
-
-Full range port scans (meaning probing of many ports on the same machine)
-seem to be a not so common threat for home based networks. But certainly,
-scanning individual ports across numerous systems is a very, very common
-occurrence.
------------------------------------------------------------------------------
-
-8.4.2. Rootkits
-
-A "rootkit" is the script kiddie's stock in trade. When a successful
-intrusion takes place, the first thing that is often done, is to download and
-install such "rootkits". The rootkit is a set of scripts designed to take
-control of the system, and then hide the intrusion. Rootkits are readily
-available on the web for various Operating Systems.
-
-A rootkit will typically replace critical system files such as ls, ps,
-netstat, login and others. Passwords may be added, hidden daemons started,
-logs tampered with, and surely one of more backdoors are opened. The hidden
-backdoors allow easy access any time the attacker wants back in. And often
-the vulnerability itself may even be fixed so that the new "owner" has the
-system all to himself. The entire process is scripted so it happens very
-quickly. The rightful owners of these compromised systems generally have no
-idea what is going on, and are victims themselves. A well designed rootkit
-can be very difficult to detect.
------------------------------------------------------------------------------
-
-8.4.3. Worms and Zombies
-
-A "worm" is a self replicating exploit. It infects a system, then attempts to
-spread itself typically via the same vulnerability. Various "worms" are
-weaving their way through the entire Internet address space constantly,
-spreading themselves as they go.
-
-But somewhere behind the zombie, there is a controller. Someone launched the
-worm, and they will be informed after a successful intrusion. It is then up
-to them how the system will be used.
-
-Many of these are Linux systems, looking for other Linux systems to "infect"
-via a number of exploits. But most Operating Systems share in this threat.
-Once a vulnerable system is found, the actual entry and take over is quick,
-and may be difficult to detect after the fact. The first thing an intruder
-(whether human or "worm") will do is attempt to cover their tracks. A
-"rootkit" is downloaded and installed. This trend has been exacerbated by the
-growing popularity of cable modems and DSL. The number of full time Internet
-connections is growing rapidly, and this makes fertile ground for such
-exploits since often these aren't as well secured as larger sites.
-
-While this may sound ominous, a few simple precautions can effectively deter
-this type of attack. With so many easy victims out there, why waste much
-effort breaking into your system? There is no incentive to really try very
-hard. Just scan, look, try, move on if unsuccessful. There is always more IPs
-to be scanned. If your firewall is effectively bouncing this kind of thing,
-it is no threat to you at all. Take comfort in that, and don't over re-act.
-
-It is worth noting, that these worms cannot "force" their way in. They need
-an open and accessible port, and a known vulnerability. If you remember the
-"Iptables Weekly Log Summary" in the opening section above, many of those may
-have all been the result of this type of scan. If you've followed the steps
-in this HOWTO, you should be reasonably safe here. This one is easy enough to
-deflect.
------------------------------------------------------------------------------
-
-8.4.4. Script Kiddies
-
-A "script kiddie" is a "cracker" wanna be who doesn't know enough to come up
-with his/her own exploits, but instead relies on "scripts" and exploits that
-have been developed by others. Like "worms", they are looking for easy
-victims, and may similarly scan large address ranges looking for specific
-ports with known vulnerabilities. Often, the actual scanning is done from
-already comprised systems so that it is difficult to trace it back to them.
-
-The script kiddie has a bag of ready made tricks at his disposal, including
-an arsenal of "rootkits" for various Operating Systems. Finding susceptible
-victims is not so hard, given enough time and address space to probe. The
-motives are a mixed bag as well. Simple mischief, defacement of web sites,
-stolen credit card numbers, and the latest craze, "Denial of Service" attacks
-(see below). They collect zombies like trophies and use them to carry out
-whatever their objective is.
-
-Again, the key here is that they are following a "script", and looking for
-easy prey. Like the worm threat above, a functional firewall and a few very
-basic precautions, should be sufficient to deflect any threat here. By now,
-you should be relatively safe from this nuisance.
------------------------------------------------------------------------------
-
-8.4.5. Spoofed IPs
-
-How easy is it to spoof an IP address? With the right tools, very easy. How
-much of a threat is this? Not much, for most of us, and is over-hyped as a
-threat.
-
-Because of the way TCP/IP works, each packet must carry both the source and
-destination IP addresses. Any return traffic is based on this information. So
-a spoofed IP can never return any useful information to an attacker who is
-sending out spoofed packets. The traffic would go back to wherever that
-spoofed IP address was pointed. The attacker gets nothing back at all.
-
-This does have potential for "DoS" attacks (see below) where learning
-something about the targeted system is not important. And may be used for
-some general mischief making as well.
------------------------------------------------------------------------------
-
-8.4.6. Targeted Attacks
-
-The worm and wide ranging address type scans, are impersonal. They are just
-looking for any vulnerable system. It makes no difference whether it is a top
-secret government facility, or your mother's Window's box. But there are
-"black hats" that will spend a great deal of effort to get into a system or
-network. We'll call these "targeted" attacks since there has been a
-deliberate decision made to break in to a specific system or network.
-
-In this case, the attacker will look the system over for weaknesses. And
-possibly make many different kinds of attempts, until he finds a crack to
-wiggle through. Or gives up. This is more difficult to defend against. The
-attacker is armed and dangerous, so to speak, and is stalking his prey.
-
-Again, this scenario is very unlikely for a typical home system. There just
-generally isn't any incentive to take the time and effort when there are
-bigger fish to fry. For those who may be targets, the best defense here
-includes many of things we've discussed. Vigilance is probably more important
-than ever. Good logging practices and an IDS (Intrusion Detection System)
-should be in place. And subscribing to one or more security related mailing
-lists like BUGTRAQ. And of course, reading those alerts daily, and taking the
-appropriate actions, etc.
------------------------------------------------------------------------------
-
-8.4.7. Denial of Service (DoS)
-
-"DoS" is another type of "attack" in which the intention is to disrupt or
-overwhelm the targeted system or network in such a way that it cannot
-function normally. DoS can take many forms. On the Internet, this often means
-overwhelming the victim's bandwidth or TCP/IP stack, by sending floods of
-packets and thus effectively disabling the connection. We are talking about
-many, many packets per second. Thousands in some cases. Or perhaps, the
-objective is to crash a server.
-
-This is much more likely to be targeted at organizations or high profile
-sites, than home users. And can be quite challenging to stop depending on the
-technique. And it generally requires the co-operation of networks between the
-source(s) and the target, so that the floods are stopped, or minimized,
-before they reach the targeted destination. Once they hit the destination,
-there is no good way to completely ignore them.
-
-"DDoS", Distributed Denial of Service, is where multiple sources are used to
-maximize the impact. Again, not likely to be directly targeted at home users.
-These are "slaves" that are "owned" by a cracker, or script kiddie, that are
-woken up and are targeted at the victim. There may be many computers involved
-in the attack.
-
-If you are home user, and with a dynamic IP address, you might find
-disconnecting, then re-connecting to get a new IP, an effective way out if
-you are the target. Maybe.
------------------------------------------------------------------------------
-
-8.4.8. Brute Force
-
-"Brute force" attacks are where the attacker makes repetitive attempts at the
-same perceived weakness(es). Like a battering ram. A classic example would be
-where someone tries to access a telnet server simply by continually throwing
-passwords at it, hoping that one will eventually work. Or maybe crash the
-server. This doesn't require much imagination, and is not a commonly used
-tactic against home systems.
-
-By the way, this is one good argument against allowing remote root logins.
-The root account exists on all systems. It is probably the only one that this
-is true of. You'd like to make a potential attacker guess both the login name
-and password. But if root is allowed remote logins, then the attacker only
-needs to guess the password!
------------------------------------------------------------------------------
-
-8.4.9. Viruses
-
-And now something not to worry about. Viruses seem to be primarily a
-Microsoft problem. For various reasons, viruses are not a significant threat
-to Linux users. This is not to say that it will always be this way, but the
-current virus explosion that plagues Microsoft systems, can not spread to
-Linux (or Unix) based systems. In fact, the various methods and practices
-that enable this phenomena, are not exploitable on Linux. So Anti-Virus
-software is not recommended as part of our arsenal. At least for the time
-being with Linux only networks.
------------------------------------------------------------------------------
-
-8.5. Links
-
-Some references for further reading are listed below. Not listed is your
-distribution's site, security page or ftp download site. You will have to
-find these on your own. Then you should bookmark them!
-
- * Other relevant documents available from the Linux Documentation Project:
-
- Security HOWTO: [http://tldp.org/HOWTO/Security-HOWTO.html ] http://
- tldp.org/HOWTO/Security-HOWTO.html
-
- Firewall HOWTO: [http://tldp.org/HOWTO/Firewall-HOWTO.html] http://
- tldp.org/HOWTO/Firewall-HOWTO.html
-
- Ipchains HOWTO: [http://tldp.org/HOWTO/IPCHAINS-HOWTO.html ] http://
- tldp.org/HOWTO/IPCHAINS-HOWTO.html
-
- User Authentication: [http://tldp.org/HOWTO/User-Authentication-HOWTO/
- index.html] http://tldp.org/HOWTO/User-Authentication-HOWTO/index.html,
- includes a nice discussion on PAM.
-
- VPN (Virtual Private Network): [http://tldp.org/HOWTO/VPN-HOWTO.html]
- http://tldp.org/HOWTO/VPN-HOWTO.html and [http://tldp.org/HOWTO/
- VPN-Masquerade-HOWTO.html] http://tldp.org/HOWTO/
- VPN-Masquerade-HOWTO.html
-
- The Remote X Apps Mini HOWTO, [http://www.tldp.org/HOWTO/mini/
- Remote-X-Apps.html] http://www.tldp.org/HOWTO/mini/Remote-X-Apps.html,
- includes excellent discussions on the security implications of running X
- Windows.
-
- The Linux Network Administrators Guide: [http://tldp.org/LDP/nag2/
- index.html] http://tldp.org/LDP/nag2/index.html, includes a good overview
- of networking and TCP/IP, and firewalling.
-
- The Linux Administrator's Security Guide: [http://www.seifried.org/lasg/]
- http://www.seifried.org/lasg/, includes many obvious topics of interest,
- including firewalling, passwords and authentication, PAM, and more.
-
- Securing Red Hat: [http://tldp.org/LDP/solrhe/
- Securing-Optimizing-Linux-RH-Edition-v1.3/index.html] http://tldp.org/LDP
- /solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html
-
-
- * Tools for creating custom ipchains and iptables firewall scripts:
-
- Firestarter: [http://firestarter.sourceforge.net] http://
- firestarter.sourceforge.net
-
- Two related projects: [http://seawall.sourceforge.net/] http://
- seawall.sourceforge.net/ for ipchains, and [http://
- shorewall.sourceforge.net/] http://shorewall.sourceforge.net/ for
- iptables.
-
-
- * Netfilter and iptables documentation from the netfilter developers
- (available in many other languages as well):
-
- FAQ: [http://netfilter.samba.org/documentation/FAQ/netfilter-faq.html]
- http://netfilter.samba.org/documentation/FAQ/netfilter-faq.html
- Packet filtering: [http://netfilter.samba.org/documentation/HOWTO/
- packet-filtering-HOWTO.html] http://netfilter.samba.org/documentation/
- HOWTO/packet-filtering-HOWTO.html
- Networking: [http://netfilter.samba.org/documentation/HOWTO/
- networking-concepts-HOWTO.html] http://netfilter.samba.org/documentation/
- HOWTO/networking-concepts-HOWTO.html
- NAT/masquerading: [http://netfilter.samba.org/documentation/HOWTO/
- NAT-HOWTO.html] http://netfilter.samba.org/documentation/HOWTO/
- NAT-HOWTO.html
-
-
- * Port number assignments, and what that scanner may be scanning for:
-
- [http://www.linuxsecurity.com/resource_files/firewalls/
- firewall-seen.html] http://www.linuxsecurity.com/resource_files/firewalls
- /firewall-seen.html
-
- [http://www.sans.org/newlook/resources/IDFAQ/oddports.htm] http://
- www.sans.org/newlook/resources/IDFAQ/oddports.htm
-
- [http://www.iana.org/assignments/port-numbers] http://www.iana.org/
- assignments/port-numbers, the official assignments.
-
-
- * General security sites. These all have areas on documentation, alerts,
- newsletters, mailing lists, and other resources.
-
- Linux Security.com: [http://www.linuxsecurity.com] http://
- www.linuxsecurity.com, loaded with good info, and Linux specific. Lots of
- good docs: [http://www.linuxsecurity.com/docs/] http://
- www.linuxsecurity.com/docs/
-
- CERT, [http://www.cert.org] http://www.cert.org
-
- The SANS Institute: [http://www.sans.org/] http://www.sans.org/
-
- The Coroner's Toolkit (TCT): [http://www.fish.com/security/] http://
- www.fish.com/security/, discussions and tools for dealing with post
- break-in issues (and preventing them in the first place).
-
-
- * Privacy:
-
- Junkbuster: [http://www.junkbuster.com] http://www.junkbuster.com, a web
- proxy and cookie manager.
-
- PGP: [http://www.gnupg.org/] http://www.gnupg.org/
-
-
- * Other documentation and reference sites:
-
- Linux Security.com: [http://www.linuxsecurity.com/docs/] http://
- www.linuxsecurity.com/docs/
-
- Linux Newbie: [http://www.linuxnewbie.org/nhf/intel/security/index.html]
- http://www.linuxnewbie.org/nhf/intel/security/index.html
-
- The comp.os.linux.security FAQ: [http://www.linuxsecurity.com/docs/
- colsfaq.html] http://www.linuxsecurity.com/docs/colsfaq.html
-
- The Internet Firewall FAQ: [http://www.interhack.net/pubs/fwfaq/] http://
- www.interhack.net/pubs/fwfaq/
-
- The Site Security Handbook RFC: [http://www.ietf.org/rfc/rfc2196.txt]
- http://www.ietf.org/rfc/rfc2196.txt
-
-
- * Miscellaneous sites of interest:
-
- [http://www.bastille-linux.org] http://www.bastille-linux.org, for
- Mandrake and Red Hat only.
-
- SAINT: [http://www.wwdsi.com/saint/] http://www.wwdsi.com/saint/, system
- security analysis.
-
- SSL: [http://www.openssl.org/] http://www.openssl.org/
-
- SSH: [http://www.openssh.org/] http://www.openssh.org/
-
- Scan yourself: [http://www.hackerwhacker.com] http://
- www.hackerwhacker.com
-
- PAM: [http://www.kernel.org/pub/linux/libs/pam/index.html] http://
- www.kernel.org/pub/linux/libs/pam/index.html
-
- Detecting Trojaned Linux Kernel Modules: [http://members.prestige.net/
- tmiller12/papers/lkm.htm] http://members.prestige.net/tmiller12/papers/
- lkm.htm
-
- Rootkit checker: [http://www.chkrootkit.org] http://www.chkrootkit.org
-
- Port scanning tool nmap's home page: [http://www.insecure.org] http://
- www.insecure.org
-
- Nessus, more than just a port scanner: [http://www.nessus.org] http://
- www.nessus.org
-
- Tripwire, intrusion detection: [http://www.tripwire.org] http://
- www.tripwire.org
-
- Snort, sniffer and more: [http://www.snort.org] http://www.snort.org
-
- [http://www.mynetwatchman.com] http://www.mynetwatchman.com and [http://
- dshield.org] http://dshield.org are "Distributed Intrusion Detection
- Systems". They collect log data from subscribing "agents", and collate
- the data to find and report malicious activity. If you want to fight
- back, check these out.
-
-
-
------------------------------------------------------------------------------
-8.6. Editing Text Files
-
-By Bill Staehle
-
-All the world is a file.
-
-There are a great many types of files, but I'm going to stretch it here, and
-class them into two really broad families:
-
-
-
- Text files are just that.
- Binary files are not.
-
-
-
-Binary files are meant to be read by machines, text files can be easily
-edited, and are generally read by people. But text files can be (and
-frequently are) read by machines. Examples of this would be configuration
-files, and scripts.
-
-There are a number of different text editors available in *nix. A few are
-found on every system. That would be '/bin/ed' and '/bin/vi'. 'vi' is almost
-always a clone such as 'vim' due to license problems. The problem with 'vi'
-and 'ed' is that they are terribly user unfriendly. Another common editor
-that is not always installed by default is 'emacs'. It has a lot more
-features and capability, and is not easy to learn either.
-
-As to 'user friendly' editors, 'mcedit' and 'pico' are good choices to start
-with. These are often much easier for those new to *nix.
-
-The first things to learn are how to exit an editing session, how to save
-changes to the file, and then how to avoid breaking long lines that should
-not be broken (wrapped).
-
-The 'vi' editor
-
-'vi' is one of the most common text editors in the Unix world, and it's
-nearly always found on any *nix system. Actually, due to license problems,
-the '/bin/vi' on a Linux system is always a 'clone', such as 'elvis', 'nvi',
-or 'vim' (there are others). These clones can act exactly like the original
-'vi', but usually have additional features that make it slightly less
-impossible to use.
-
-So, if it's so terrible, why learn about it? Two reasons. First, as noted,
-it's almost guaranteed to be installed, and other (more user friendly)
-editors may not be installed by default. Second, many of the 'commands' work
-in other applications (such as the pager 'less' which is also used to view
-man pages). In 'less', accidentally pressing the 'v' key starts 'vi' in most
-installations.
-
-'vi' has two modes. The first is 'command mode', and keystrokes are
-interpreted as commands. The other mode is 'insert' mode, where nearly all
-keystrokes are interpreted as text to be inserted.
-
-==> Emergency exit from 'vi' 1. press the key up to three times, until
-the computer beeps, or the screen flashes. 2. press the keys :q!
-
-That is: colon, the letter Q, and then the exclamation point, followed by the
-Enter key.
-
-'vi' commands are as follows. All of these are in 'command' mode:
-
-
-a Enter insertion mode after the cursor.
-A Enter insertion mode at the end of the current line.
-i Enter insertion mode before the cursor.
-o Enter insertion mode opening a new line BELOW current line.
-O Enter insertion mode opening a new line ABOVE current line.
-h move cursor left one character.
-l move cursor right one character.
-j move cursor down one line.
-k move cursor up one line.
-/mumble move cursor forward to next occurrence of 'mumble' in
- the text
-?mumble move cursor backward to next occurrence of 'mumble'
- in the text
-n repeat last search (? or / without 'mumble' to search for
- will do the same thing)
-u undo last change made
-
-^B Scroll back one window.
-^F Scroll forward one window.
-^U Scroll up one half window.
-^D Scroll down one half window.
-
-:w Write to file.
-:wq Write to file, and quit.
-:q quit.
-:q! Quit without saving.
-
- Leave insertion mode.
-
-
-
-NOTE: The four 'arrow' keys almost always work in 'command' or 'insert' mode.
-
-The 'ed' editor.
-
-The 'ed' editor is a line editor. Other than the fact that it is virtually
-guaranteed to be on any *nix computer, it has no socially redeeming features,
-although some applications may need it. A _lot_ of things have been offered
-to replace this 'thing' from 1975.
-
-==> Emergency exit from 'ed'
-
-1. type a period on a line by itself, and press This gets you to the
-command mode or prints a line of text if you were in command mode. 2. type q
-and press . If there were no changes to the file, this action quits
-ed. If you then see a '?' this means that the file had changed, and 'ed' is
-asking if you want to save the changes. Press q and a second time to
-confirm that you want out.
-
-The 'pico' editor.
-
-'pico' is a part of the Pine mail/news package from the University of
-Washington (state, USA). It is a very friendly editor, with one minor
-failing. It silently inserts a line feed character and wraps the line when it
-exceeds (generally) 74 characters. While this is fine while creating mail,
-news articles, and text notes, it is often fatal when editing system files.
-The solution to this problem is simple. Call the program with the -w option,
-like this:
-
-pico -w file_2_edit
-
-Pico is so user friendly, no further instructions are needed. It _should_ be
-obvious (look at the bottom of the screen for commands). There is an
-extensive help function. Pico is available with nearly all distributions,
-although it _may_ not be installed by default.
-
-==> Emergency exit from 'pico'
-
-Press and hold the key, and press the letter x. If no changes had been
-made to the file, this will quit pico. If changes had been made, it will ask
-if you want to save the changes. Pressing n will then exit.
-
-The 'mcedit' editor.
-
-'mcedit' is part of the Midnight Commander shell program, a full featured
-visual shell for Unix-like systems. It can be accessed directly from the
-command line ( mcedit file_2_edit ) or as part of 'mc' (use the arrow keys to
-highlight the file to be edited, then press the F4 key).
-
-mcedit is probably the most intuitive editor available, and comes with
-extensive help. "commands" are accessed through the F* keys. Midnight
-Commander is available with nearly all distributions, although it _may_ not
-be installed by default.
-
-==> Emergency exit from 'mcedit'
-
-Press the F10 key. If no changes have been made to the file, this will quit
-mcedit. If changes had been made, it will ask if you want to Cancel this
-action. Pressing n will then exit.
------------------------------------------------------------------------------
-
-8.7. nmap
-
-Let's look at a few quick examples of what nmap scans look like. The intent
-here is to show how to use nmap to verify our firewalling, and system
-integrity. nmap has other uses that we don't need to get into. Do NOT use
-nmap on systems other than your own, unless you have permission from the
-owner, and you know it is not a violation of anyone's Terms of Service. This
-kind of thing will be taken as hostile by most people.
-
-As mentioned previously, nmap is a sophisticated port scanning tool. It tries
-to see if a host is "there", and what ports might be open. Barring that, what
-states those ports might be in. nmap has a complex command line and can do
-many types of "scans". See the man page for all the nitty gritty.
-
-A couple of words of warning first. If using portsentry, turn it off. It will
-drop the route to wherever the scan is coming from. You might want to turn
-off any logging also, or at least be aware that you might get copious logs if
-doing multiple scans.
-
-A simple, default scan of "localhost":
-
-+---------------------------------------------------------------------------+
-| # nmap localhost |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Interesting ports on bigcat (127.0.0.1): |
-| (The 1507 ports scanned but not shown below are in state: closed) |
-| |
-| Port State Service |
-| 22/tcp open ssh |
-| 25/tcp open smtp |
-| 37/tcp open time |
-| 53/tcp open domain |
-| 80/tcp open http |
-| 3000/tcp open ppp |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-If you've read most of this document, you should be familiar with these
-services by now. These are some of the same ports we've seen in other
-examples. Some things to note on this scan: it only did 1500+ "interesting"
-ports -- not all ports. This can be configured differently if more is
-desirable (see man page). It only did TCP ports too. Again, configurable. It
-only picks up "listening" services, unlike netstat that shows all open ports
--- listening or otherwise. Note the last "open" port here is 3000 is
-identified as "PPP". Wrong! That is just an educated guess by nmap based on
-what is contained in /etc/services for this port number. Actually in this
-case it is ntop (a network traffic monitor). Take the service names with a
-grain of salt. There is no way for nmap to really know what is on that port.
-Matching port numbers with service names can at times be risky. Many do have
-standard ports, but there is nothing to say they have to use the commonly
-associated port numbers.
-
-Notice that in all our netstat examples, we had two classes of open ports:
-listening servers, and then established connections that we initiated to
-other remote hosts (e.g. a web server somewhere). nmap only sees the first
-group -- the listening servers! The other ports connecting us to remote
-servers are not visible, and thus not vulnerable. These ports are "private"
-to that single connection, and will be closed when the connection is
-terminated.
-
-So we have open and closed ports here. Simple enough, and gives a pretty good
-idea what is running on bigcat -- but not necessarily what we look like to
-the outside world since this was done from localhost, and wouldn't reflect
-any firewalling or other access control mechanisms.
-
-Let's do a little more intensive scan. Let's check all ports -- TCP and UDP.
-
-+---------------------------------------------------------------------------+
-| # nmap -sT -sU -p 1-65535 localhost |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Interesting ports on bigcat (127.0.0.1): |
-| (The 131050 ports scanned but not shown below are in state: closed) |
-| |
-| Port State Service |
-| 22/tcp open ssh |
-| 25/tcp open smtp |
-| 37/tcp open time |
-| 53/tcp open domain |
-| 53/udp open domain |
-| 80/tcp open http |
-| 3000/tcp open ppp |
-| 8000/tcp open unknown |
-| 32768/udp open unknown |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 385 seconds |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-This is more than just "interesting" ports -- it is everything. We picked up
-a couple of new ones in the process too. We've seen these before with netstat
-, so we know what they are. That is the Junkbuster web proxy on port 8000/tcp
-and named on 32768/udp. This scan takes much, much longer, but it is the only
-way to see all ports.
-
-So now we have a pretty good idea of what is open on bigcat. Since we are
-scanning localhost from localhost, everything should be visible. We still
-don't know how the outside world sees us though. Now I'll ssh to another host
-on the same LAN, and try again.
-
-+---------------------------------------------------------------------------+
-| # nmap bigcat |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Interesting ports on bigcat (192.168.1.1): |
-| (The 1520 ports scanned but not shown below are in state: closed) |
-| |
-| Port State Service |
-| 22/tcp open ssh |
-| 3000/tcp open ppp |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 1 second |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-I confess to tampering with the iptables rules here to make a point. Only two
-visible ports on this scan. Everything else is "closed". So says nmap. Once
-again:
-
-+----------------------------------------------------------------------------------+
-| # nmap bigcat |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Note: Host seems down. If it is really up, but blocking our ping probes, try -P0 |
-| |
-| Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds |
-| |
-| |
-+----------------------------------------------------------------------------------+
-
-Oops, I blocked ICMP (ping) while I was at it this time. One more time:
-
-+---------------------------------------------------------------------------+
-| # nmap -P0 bigcat |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| All 1523 scanned ports on bigcat (192.168.1.1) are: filtered |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 1643 seconds |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-That's it. Notice how long that took. Notice ports are now "filtered" instead
-of "closed". How does nmap know that? Well for one, "closed" means bigcat
-sent a packet back saying "nothing running here", i.e. port is closed. In
-this last example, the iptables rules were changed to not allow ICMP (ping),
-and to "DROP" all incoming packets. In other words, no response at all. A
-subtle difference since nmap seems to still know there was a host there, even
-though no response was given. One lesson here, is if you want to slow a
-scanner down, "DROP" (or "DENY") the packets. This forces a TCP time out for
-the remote end on each port probe. Anyway, if your scans look like this, that
-is probably as well as can be expected, and your firewall is doing its job.
-
-A brief note on UDP: nmap can not accurately determine the status of these
-ports if they are "filtered". You probably will get a false-positive "open"
-condition. This has to do with UDP being a connectionless protocol. If nmap
-gets no answer (e.g. due to a "DROP"), it assumes the packets reached the
-target, and thus the port will be reported as "open". This is "normal" for
-nmap.
-
-We can play with firewall rules in a LAN set up to try to simulate how the
-outside world sees us, and if we are smart, and know what we are doing, and
-don't have a brain fart, we probably will have a pretty good picture. But it
-is still best to try to find a way to do it from outside if possible. Again,
-make sure you are not violating any ISP rules of conduct. Do you have a
-friend on the same ISP?
------------------------------------------------------------------------------
-
-8.8. Sysctl Options
-
-The "sysctl" options are kernel parameters that can be configured via the /
-proc filesystem. These can be dynamically adjusted at run-time. Typically
-these options are off if set to "0", and on if set to "1".
-
-Some of these have security implications, and thus is why we are here ;-)
-We'll just list the ones we think are relevant. Feel free to cut and paste
-these into a firewall script, or other file that is run during boot (like /
-etc/rc.local). Or your distribution may have their own way of tuning this.
-You can read up on what these mean in /usr/src/linux/Documentation/sysctl/
-README and other files in the kernel Documentation directories.
-
-#!/bin/sh
-#
-# Configure kernel sysctl run-time options.
-#
-###################################################################
-
-# Anti-spoofing blocks
-for i in /proc/sys/net/ipv4/conf/*/rp_filter;
-do
- echo 1 > $i
-done
-
-# Ensure source routing is OFF
-for i in /proc/sys/net/ipv4/conf/*/accept_source_route;
- do
- echo 0 > $i
- done
-
-# Ensure TCP SYN cookies protection is enabled
-[ -e /proc/sys/net/ipv4/tcp_syncookies ] &&\
- echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-
-# Ensure ICMP redirects are disabled
-for i in /proc/sys/net/ipv4/conf/*/accept_redirects;
- do
- echo 0 > $i
- done
-
-# Ensure oddball addresses are logged
-[ -e /proc/sys/net/ipv4/conf/all/log_martians ] &&\
- echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
-
-[ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] &&\
- echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-
-[ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] &&\
- echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-
-## Optional from here on down, depending on your situation. ############
-
-# Ensure ip-forwarding is enabled if
-# we want to do forwarding or masquerading.
-[ -e /proc/sys/net/ipv4/ip_forward ] &&\
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
-# On if your IP is dynamic (or you don't know).
-[ -e /proc/sys/net/ipv4/ip_dynaddr ] &&\
- echo 1 > /proc/sys/net/ipv4/ip_dynaddr
-
-# eof
-
-
------------------------------------------------------------------------------
-
-8.9. Secure Alternatives
-
-This section will give a brief run down on secure alternatives to potentially
-insecure methods. This will be a hodge podge of clients and servers.
-
- * telnet, rsh - ssh
-
- * ftp, rcp - scp or sftp. Both are part of ssh packages. Also, files can
- easily be transfered via HTTP if Apache is already running anyway. Apache
- can be buttoned down even more by using SSL (HTTPS).
-
- * sendmail - postfix, qmail. Not to imply that current versions of sendmail
- are insecure. Just that there is some bad history there, and just because
- it is so widely used that it makes an inviting crack target.
-
- As noted above, Linux installations often include a fully functional mail
- server. While this may have some advantages, it is not necessary in many
- cases for simply sending mail, or retrieving mail. This can all be done
- without a "mail server daemon" running locally.
-
- * POP3 - SPOP3, POP3 over SSL. If you really need to run your own POP
- server, this is the way to do it. If retrieving your mail from your ISP's
- server, then you are at their mercy as to what they provide.
-
- * IMAP - IMAPS, same as above.
-
- * If you find you need a particular service, and it is for just you or a
- few friends, consider running it on a non-standard port. Most server
- daemons support this, and is not a problem as long as those who will be
- connecting, know about it. For instance, the standard port for sshd is
- 22. Any worm or scan will probe for this port number. So run it on a
- randomly chosen port. See the sshd man page.
-
-
------------------------------------------------------------------------------
-8.10. Ipchains and Iptables Redux
-
-This section offers a little more advanced look at some of things that
-ipchains and iptables can do. These are basically the same scripts as in Step
-3 above, just with some more advanced configuration options added. These will
-provide "masquerading", "port forwarding", allow access to some user
-definable services, and a few other things. Read the comments for
-explanations.
------------------------------------------------------------------------------
-
-8.10.1. ipchains II
-
-#!/bin/sh
-#
-# ipchains.sh
-#
-# An example of a simple ipchains configuration. This script
-# can enable 'masquerading' and will open user definable ports.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-# Set the location of ipchains (default).
-IPCHAINS=/sbin/ipchains
-
-# Local Interfaces
-#
-# This is the WAN interface, that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-#
-# Local Area Network (LAN) interface.
-#LAN_IFACE="eth0"
-LAN_IFACE="eth1"
-
-# Our private LAN address(es), for masquerading.
-LAN_NET="192.168.1.0/24"
-
-# For static IP, set it here!
-#WAN_IP="1.2.3.4"
-
-# Set a list of public server port numbers here...not too many!
-# These will be open to the world, so use caution. The example is
-# sshd, and HTTP (www). Any services included here should be the
-# latest version available from your vendor. Comment out to disable
-# all PUBLIC services.
-#PUBLIC_PORTS="22 80 443"
-PUBLIC_PORTS="22"
-
-# If we want to do port forwarding, this is the host
-# that will be forwarded to.
-#FORWARD_HOST="192.168.1.3"
-
-# A list of ports that are to be forwarded.
-#FORWARD_PORTS="25 80"
-
-# If you get your public IP address via DHCP, set this.
-DHCP_SERVER=66.21.184.66
-
-# If you need identd for a mail server, set this.
-MAIL_SERVER=
-
-# A list of unwelcome hosts or nets. These will be denied access
-# to everything, even our 'PUBLIC' services. Provide your own list.
-#BLACKLIST="11.22.33.44 55.66.77.88"
-
-# A list of "trusted" hosts and/or nets. These will have access to
-# ALL protocols, and ALL open ports. Be selective here.
-#TRUSTED="1.2.3.4/8 5.6.7.8"
-
-## end user configuration options #################################
-###################################################################
-
-# The high ports used mostly for connections we initiate and return
-# traffic.
-LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
-`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# Start building chains and rules #################################
-#
-# Let's start clean and flush all chains to an empty state.
-$IPCHAINS -F
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that ipchains uses.
-$IPCHAINS -P forward DENY
-$IPCHAINS -P output ACCEPT
-$IPCHAINS -P input DENY
-
-# Accept localhost/loopback traffic.
-$IPCHAINS -A input -i lo -j ACCEPT
-
-# Get our dynamic IP now from the Inet interface. WAN_IP will be our
-# IP address we are protecting from the outside world. Put this
-# here, so default policy gets set, even if interface is not up
-# yet.
-[ -z "$WAN_IP" ] &&\
- WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`
-
-# Bail out with error message if no IP available! Default policy is
-# already set, so all is not lost here.
-[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
-
-WAN_MASK=`ifconfig $WAN_IFACE | grep Mask | cut -d : -f 4`
-WAN_NET="$WAN_IP/$WAN_MASK"
-
-## Reserved IPs:
-#
-# We should never see these private addresses coming in from outside
-# to our external interface.
-$IPCHAINS -A input -l -i $WAN_IFACE -s 10.0.0.0/8 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 172.16.0.0/12 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 192.168.0.0/16 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 127.0.0.0/8 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 169.254.0.0/16 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 224.0.0.0/4 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 240.0.0.0/5 -j DENY
-# Bogus routing
-$IPCHAINS -A input -l -s 255.255.255.255 -d $ANYWHERE -j DENY
-
-## LAN access and masquerading
-#
-# Allow connections from our own LAN's private IP addresses via the LAN
-# interface and set up forwarding for masqueraders if we have a LAN_NET
-# defined above.
-if [ -n "$LAN_NET" ]; then
- echo 1 > /proc/sys/net/ipv4/ip_forward
- $IPCHAINS -A input -i $LAN_IFACE -j ACCEPT
- $IPCHAINS -A forward -s $LAN_NET -d $LAN_NET -j ACCEPT
- $IPCHAINS -A forward -s $LAN_NET -d ! $LAN_NET -j MASQ
-fi
-
-## Blacklist hosts/nets
-#
-# Get the blacklisted hosts/nets out of the way, before we start opening
-# up any services. These will have no access to us at all, and will be
-# logged.
-for i in $BLACKLIST; do
- $IPCHAINS -A input -l -s $i -j DENY
-done
-
-## Trusted hosts/nets
-#
-# This is our trusted host list. These have access to everything.
-for i in $TRUSTED; do
- $IPCHAINS -A input -s $i -j ACCEPT
-done
-
-# Port Forwarding
-#
-# Which ports get forwarded to which host. This is one to one
-# port mapping (ie 80 -> 80) in this case.
-# NOTE: ipmasqadm is a separate package from ipchains and needs
-# to be installed also. Check first!
-[ -n "$FORWARD_HOST" ] && ipmasqadm portfw -f &&\
- for i in $FORWARD_PORTS; do
- ipmasqadm portfw -a -P tcp -L $WAN_IP $i -R $FORWARD_HOST $i
- done
-
-## Open, but Restricted Access ports/services
-#
-# Allow DHCP server (their port 67) to client (to our port 68) UDP traffic
-# from outside source.
-[ -n "$DHCP_SERVER" ] &&\
- $IPCHAINS -A input -p udp -s $DHCP_SERVER 67 -d $ANYWHERE 68 -j ACCEPT
-
-# Allow 'identd' (to our TCP port 113) from mail server only.
-[ -n "$MAIL_SERVER" ] &&\
- $IPCHAINS -A input -p tcp -s $MAIL_SERVER -d $WAN_IP 113 -j ACCEPT
-
-# Open up PUBLIC server ports here (available to the world):
-for i in $PUBLIC_PORTS; do
- $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $i -j ACCEPT
-done
-
-# So I can check my home POP3 mailbox from work. Also, so I can ssh
-# in to home system. Only allow connections from my workplace's
-# various IPs. Everything else is blocked.
-$IPCHAINS -A input -p tcp -s 255.10.9.8/29 -d $WAN_IP 110 -j ACCEPT
-
-# Uncomment to allow ftp data back (active ftp). Not required for 'passive'
-# ftp connections.
-#$IPCHAINS -A input -p tcp -s $ANYWHERE 20 -d $WAN_IP $LOCAL_PORTS -y -j ACCEPT
-
-# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
-# the high, unprivileged ports (1024 to 4999 by default). This will
-# allow return connection traffic for connections that we initiate
-# to outside sources. TCP connections are opened with 'SYN' packets.
-# We have already opened those services that need to accept SYNs
-# for, so other SYNs are excluded here for everything else.
-$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
-
-# We can't be so selective with UDP since that protocol does not know
-# about SYNs.
-$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
-
-# Allow access to the masquerading ports conditionally. Masquerading
-# uses it's own port range -- on 2.2 kernels ONLY! 2.4 kernels, do not
-# use these ports, so comment out!
-[ -n "$LAN_NET" ] &&\
- $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP 61000: ! -y -j ACCEPT &&\
- $IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP 61000: -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPCHAINS -A input -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-
-#######################################################################
-# Set the catchall, default rule to DENY, and log it all. All other
-# traffic not allowed by the rules above, winds up here, where it is
-# blocked and logged. This is the default policy for this chain
-# anyway, so we are just adding the logging ability here with '-l'.
-# Outgoing traffic is allowed as the default policy for the 'output'
-# chain. There are no restrictions on that.
-
-$IPCHAINS -A input -l -j DENY
-
-echo "Ipchains firewall is up `date`."
-
-##-- eof ipchains.sh
-
-
------------------------------------------------------------------------------
-
-8.10.2. iptables II
-
-#!/bin/sh
-#
-# iptables.sh
-#
-# An example of a simple iptables configuration. This script
-# can enable 'masquerading' and will open user definable ports.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-# Set the location of iptables (default).
-IPTABLES=/sbin/iptables
-
-# Local Interfaces
-# This is the WAN interface that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-#
-# Local Area Network (LAN) interface.
-#LAN_IFACE="eth0"
-LAN_IFACE="eth1"
-
-# Our private LAN address(es), for masquerading.
-LAN_NET="192.168.1.0/24"
-
-# For static IP, set it here!
-#WAN_IP="1.2.3.4"
-
-# Set a list of public server port numbers here...not too many!
-# These will be open to the world, so use caution. The example is
-# sshd, and HTTP (www). Any services included here should be the
-# latest version available from your vendor. Comment out to disable
-# all Public services. Do not put any ports to be forwarded here,
-# this only direct access.
-#PUBLIC_PORTS="22 80 443"
-PUBLIC_PORTS="22"
-
-# If we want to do port forwarding, this is the host
-# that will be forwarded to.
-#FORWARD_HOST="192.168.1.3"
-
-# A list of ports that are to be forwarded.
-#FORWARD_PORTS="25 80"
-
-# If you get your public IP address via DHCP, set this.
-DHCP_SERVER=66.21.184.66
-
-# If you need identd for a mail server, set this.
-MAIL_SERVER=
-
-# A list of unwelcome hosts or nets. These will be denied access
-# to everything, even our 'Public' services. Provide your own list.
-#BLACKLIST="11.22.33.44 55.66.77.88"
-
-# A list of "trusted" hosts and/or nets. These will have access to
-# ALL protocols, and ALL open ports. Be selective here.
-#TRUSTED="1.2.3.4/8 5.6.7.8"
-
-## end user configuration options #################################
-###################################################################
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# These modules may need to be loaded:
-modprobe ip_conntrack_ftp
-modprobe ip_nat_ftp
-
-# Start building chains and rules #################################
-#
-# Let's start clean and flush all chains to an empty state.
-$IPTABLES -F
-$IPTABLES -X
-
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that IPTABLES uses.
-$IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT ACCEPT
-$IPTABLES -P INPUT DROP
-
-# Accept localhost/loopback traffic.
-$IPTABLES -A INPUT -i lo -j ACCEPT
-
-# Get our dynamic IP now from the Inet interface. WAN_IP will be the
-# address we are protecting from outside addresses.
-[ -z "$WAN_IP" ] &&\
- WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`
-
-# Bail out with error message if no IP available! Default policy is
-# already set, so all is not lost here.
-[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
-
-WAN_MASK=`ifconfig $WAN_IFACE |grep Mask |cut -d : -f 4`
-WAN_NET="$WAN_IP/$WAN_MASK"
-
-## Reserved IPs:
-#
-# We should never see these private addresses coming in from outside
-# to our external interface.
-$IPTABLES -A INPUT -i $WAN_IFACE -s 10.0.0.0/8 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 172.16.0.0/12 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 192.168.0.0/16 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 127.0.0.0/8 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 169.254.0.0/16 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 224.0.0.0/4 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 240.0.0.0/5 -j DROP
-# Bogus routing
-$IPTABLES -A INPUT -s 255.255.255.255 -d $ANYWHERE -j DROP
-
-# Unclean
-$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -m limit \
- --limit 15/minute -j LOG --log-prefix "Unclean: "
-$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -j DROP
-
-## LAN access and masquerading
-#
-# Allow connections from our own LAN's private IP addresses via the LAN
-# interface and set up forwarding for masqueraders if we have a LAN_NET
-# defined above.
-if [ -n "$LAN_NET" ]; then
- echo 1 > /proc/sys/net/ipv4/ip_forward
- $IPTABLES -A INPUT -i $LAN_IFACE -j ACCEPT
-# $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_NET -j ACCEPT
- $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
-fi
-
-## Blacklist
-#
-# Get the blacklisted hosts/nets out of the way, before we start opening
-# up any services. These will have no access to us at all, and will
-# be logged.
-for i in $BLACKLIST; do
- $IPTABLES -A INPUT -s $i -m limit --limit 5/minute \
- -j LOG --log-prefix "Blacklisted: "
- $IPTABLES -A INPUT -s $i -j DROP
-done
-
-## Trusted hosts/nets
-#
-# This is our trusted host list. These have access to everything.
-for i in $TRUSTED; do
- $IPTABLES -A INPUT -s $i -j ACCEPT
-done
-
-# Port Forwarding
-#
-# Which ports get forwarded to which host. This is one to one
-# port mapping (ie 80 -> 80) in this case.
-[ -n "$FORWARD_HOST" ] &&\
- for i in $FORWARD_PORTS; do
- $IPTABLES -A FORWARD -p tcp -s $ANYWHERE -d $FORWARD_HOST \
- --dport $i -j ACCEPT
- $IPTABLES -t nat -A PREROUTING -p tcp -d $WAN_IP --dport $i \
- -j DNAT --to $FORWARD_HOST:$i
- done
-
-## Open, but Restricted Access ports
-#
-# Allow DHCP server (their port 67) to client (to our port 68) UDP
-# traffic from outside source.
-[ -n "$DHCP_SERVER" ] &&\
- $IPTABLES -A INPUT -p udp -s $DHCP_SERVER --sport 67 \
- -d $ANYWHERE --dport 68 -j ACCEPT
-
-# Allow 'identd' (to our TCP port 113) from mail server only.
-[ -n "$MAIL_SERVER" ] &&\
- $IPTABLES -A INPUT -p tcp -s $MAIL_SERVER -d $WAN_IP --dport 113 -j ACCEPT
-
-# Open up Public server ports here (available to the world):
-for i in $PUBLIC_PORTS; do
- $IPTABLES -A INPUT -p tcp -s $ANYWHERE -d $WAN_IP --dport $i -j ACCEPT
-done
-
-# So I can check my home POP3 mailbox from work. Also, so I can ssh
-# in to home system. Only allow connections from my workplace's
-# various IPs. Everything else is blocked.
-$IPTABLES -A INPUT -p tcp -s 255.10.9.8/29 -d $WAN_IP --dport 110 -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -d $WAN_IP -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -d $WAN_IP -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -d $WAN_IP -j ACCEPT
-
-# Identd Reject
-#
-# Special rule to reject (with rst) any identd/auth/port 113
-# connections. This will speed up some services that ask for this,
-# but don't require it. Be careful, some servers may require this
-# one (IRC for instance).
-#$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-
-###################################################################
-# Build a custom chain here, and set the default to DROP. All
-# other traffic not allowed by the rules above, ultimately will
-# wind up here, where it is blocked and logged, unless it passes
-# our stateful rules for ESTABLISHED and RELATED connections. Let
-# connection tracking do most of the worrying! We add the logging
-# ability here with the '-j LOG' target. Outgoing traffic is
-# allowed as that is the default policy for the 'output' chain.
-# There are no restrictions placed on that in this script.
-
-# New chain...
-$IPTABLES -N DEFAULT
-# Use the 'state' module to allow only certain connections based
-# on their 'state'.
-$IPTABLES -A DEFAULT -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTABLES -A DEFAULT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
-# Enable logging for anything that gets this far.
-$IPTABLES -A DEFAULT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
-# Now drop it, if it has gotten here.
-$IPTABLES -A DEFAULT -j DROP
-
-# This is the 'bottom line' so to speak. Everything winds up
-# here, where we bounce it to our custom built 'DEFAULT' chain
-# that we defined just above. This is for both the FORWARD and
-# INPUT chains.
-
-$IPTABLES -A FORWARD -j DEFAULT
-$IPTABLES -A INPUT -j DEFAULT
-
-echo "Iptables firewall is up `date`."
-
-##-- eof iptables.sh
-
-
------------------------------------------------------------------------------
-
-8.10.3. Summary
-
-A quick run down of the some highlights...
-
-We added some host based access control rules: "blacklisted", and "trusted".
-We then showed several types of service and port based access rules. For
-instance, we allowed some very restrictive access to bigcat's POP3 server so
-we could connect only from our workplace. We allowed a very narrow rule for
-the ISP's DHCP server. This rule only allows one port on one outside IP
-address to connect to only one of our ports and only via the UDP protocol.
-This is a very specific rule! We are being specific since there is no reason
-to allow any other traffic to these ports or from these addresses. Remember
-our goal is the minimum amount of traffic necessary for our particular
-situation.
-
-So we made those few exceptions mentioned above, and all other services
-running on bigcat should be effectively blocked completely from outside
-connections. These are still happily running on bigcat, but are now safe and
-sound behind our packet filtering firewall. You probably have other services
-that fall in this category as well.
-
-We also have a small, home network in the above example. We did not take any
-steps to block that traffic. So the LAN has access to all services running on
-bigcat. And it is further "masqueraded", so that it has Internet access
-(different HOWTO), by manipulating the "forward" chain. And the LAN is still
-protected by our firewall since it sits behind the firewall. We also didn't
-impose any restrictive rules on the traffic leaving bigcat. In some
-situations, this might be a good idea.
-
-Of course, this is just a hypothetical example. Your individual situation is
-surely different, and would require some changes and likely some additions to
-the rules above. For instance, if your ISP does not use DHCP (most do not),
-then that rule would make no sense. PPP works differently and such rules are
-not needed.
-
-Please don't interpret that running any server as we did in this example is
-necessarily a "safe" thing to do. We shouldn't do it this way unless a) we
-really need to and b) we are running the current, safe version, and c) we are
-able to keep abreast of security related issues that might effect these
-services. Vigilance and caution are part of our responsibilities here too.
------------------------------------------------------------------------------
-
-8.10.4. iptables mini-me
-
-Just to demonstrate how succinctly iptables can be configured in a minimalist
-situation, the below is from the Netfilter team's Rusty's Really Quick Guide
-To Packet Filtering:
-
-
- "Most people just have a single PPP connection to the Internet, and don't
- want anyone coming back into their network, or the firewall:"
-
- ## Insert connection-tracking modules (not needed if built into kernel).
- insmod ip_conntrack
- insmod ip_conntrack_ftp
-
- ## Create chain which blocks new connections, except if coming from inside.
- iptables -N block
- iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
- iptables -A block -j DROP
-
- ## Jump to that chain from INPUT and FORWARD chains.
- iptables -A INPUT -j block
- iptables -A FORWARD -j block
-
-
-
-This simple script will allow all outbound connections that we initiate, i.e.
-any NEW connections (since the default policy of ACCEPT is not changed). Then
-any connections that are "ESTABLISHED" and "RELATED" to these are also
-allowed. And, any connections that are not incoming from our WAN side
-interface, ppp0, are also allowed. This would be lo or possibly a LAN
-interface like eth1. So we can do whatever we want, but no unwanted, incoming
-connection attempts are allowed from the Internet. None.
-
-This script also demonstrates the creation of a custom chain, defined here as
-"block", which is used both for the INPUT and FORWARD chains.
-
-Security Quick-Start HOWTO for Red Hat Linux
-
-Hal Burgiss
-
- hal@foobox.net
-
-
-v. 1.2, 2002-07-21
-Revision History
-Revision v. 1.2 2002-07-21 Revised by: hb
-A few small additions, and fix the usual broken links.
-Revision v. 1.1 2002-02-06 Revised by: hb
-A few fixes, some additions and many touch-ups from the original.
-Revision v. 1.0 2001-11-07 Revised by: hb
-Initial Release.
-
-
-This document is a an overview of the basic steps required to secure a Linux
-installation from intrusion. It is intended to be an introduction. This is a
-Red Hat specific version of this document.
-
------------------------------------------------------------------------------
-Table of Contents
-1. Introduction
- 1.1. Why me?
- 1.2. Notes
- 1.3. Copyright
- 1.4. Credits
- 1.5. Disclaimer
- 1.6. New Versions and Changelog
- 1.7. Feedback
-
-
-2. Foreword
- 2.1. The Optimum Configuration
- 2.2. Before We Start
-
-
-3. Step 1: Which services do we really need?
- 3.1. System Audit
- 3.2. The Danger Zone (or r00t m3 pl34s3)
- 3.3. Stopping Services
- 3.4. Exceptions
- 3.5. Summary and Conclusions for Step 1
-
-
-4. Step 2: Updating
- 4.1. Summary and Conclusions for Step 2
-
-
-5. Step 3: Firewalls and Setting Access Policies
- 5.1. Strategy
- 5.2. Packet Filters -- Ipchains and Iptables
- 5.3. Tcpwrappers (libwrap)
- 5.4. PortSentry
- 5.5. Proxies
- 5.6. Individual Applications
- 5.7. Verifying
- 5.8. Logging
- 5.9. Where to Start
- 5.10. Summary and Conclusions for Step 3
-
-
-6. Intrusion Detection
- 6.1. Intrusion Detection Systems (IDS)
- 6.2. Have I Been Hacked?
- 6.3. Reclaiming a Compromised System
-
-
-7. General Tips
-8. Appendix
- 8.1. Servers, Ports, and Packets
- 8.2. Common Ports
- 8.3. Netstat Tutorial
- 8.4. Attacks and Threats
- 8.5. Links
- 8.6. Editing Text Files
- 8.7. nmap
- 8.8. Sysctl Options
- 8.9. Secure Alternatives
- 8.10. Ipchains and Iptables Redux
-
-
-
-1. Introduction
-
-1.1. Why me?
-
-Who should be reading this document and why should the average Linux user
-care about security? Those new to Linux, or unfamiliar with the inherent
-security issues of connecting a Linux system to large networks like Internet
-should be reading. "Security" is a broad subject with many facets, and is
-covered in much more depth in other documents, books, and on various sites on
-the Web. This document is intended to be an introduction to the most basic
-concepts as they relate to Red Hat Linux, and as a starting point only.
-
-
-Iptables Weekly Log Summary from Jul 15 04:24:13 to Jul 22 04:06:00
-Blocked Connection Attempts:
-
-Rejected tcp packets by destination port
-
-port count
-111 19
-53 12
-21 9
-515 9
-27374 8
-443 6
-1080 2
-1138 1
-
-
-Rejected udp packets by destination port
-
-port count
-137 34
-22 1
-
-
-
-The above is real, live data from a one week period for my home LAN. Much of
-the above would seem to be specifically targeted at Linux systems. Many of
-the targeted "destination" ports are used by well known Linux and Unix
-services, and all may be installed, and possibly even running, on your
-system.
-
-The focus here will be on threats that are shared by all Linux users, whether
-a dual boot home user, or large commercial site. And we will take a few,
-relatively quick and easy steps that will make a typical home Desktop system
-or small office system running Red Hat Linux reasonably safe from the
-majority of outside threats. For those responsible for Linux systems in a
-larger or more complex environment, you'd be well advised to read this, and
-then follow up with additional reading suitable to your particular situation.
-Actually, this is probably good advice for everybody.
-
-We will assume the reader knows little about Linux, networking, TCP/IP, and
-the finer points of running a server Operating System like Linux. We will
-also assume, for the sake of this document, that all local users are
-"trusted" users, and won't address physical or local network security issues
-in any detail. Again, if this is not the case, further reading is strongly
-recommended.
-
-The principles that will guide us in our quest are:
-
- * There is no magic bullet. There is no one single thing we can do to make
- us secure. It is not that simple.
-
- * Security is a process that requires maintenance, not an objective to be
- reached.
-
- * There is no 100% safe program, package or distribution. Just varying
- degrees of insecurity.
-
-
-The steps we will be taking to get there are:
-
- * Step 1: Turn off, and perhaps uninstall, any and all unnecessary
- services.
-
- * Step 2: Make sure that any services that are installed are updated and
- patched to the current, safe version -- and then stay that way. Every
- server application has potential exploits. Some have just not been found
- yet.
-
- * Step 3: Limit connections to us from outside sources by implementing a
- firewall and/or other restrictive policies. The goal is to allow only the
- minimum traffic necessary for whatever our individual situation may be.
-
- * Awareness. Know your system, and how to properly maintain and secure it.
- New vulnerabilities are found, and exploited, all the time. Today's
- secure system may have tomorrow's as yet unfound weaknesses.
-
-
-If you don't have time to read everything, concentrate on Steps 1, 2, and 3.
-This is where the meat of the subject matter is. The Appendix has a lot of
-supporting information, which may be helpful, but may not be necessary for
-all readers.
------------------------------------------------------------------------------
-
-1.2. Notes
-
-This is a Red Hat specific version of this document. The included examples
-are compatible with Red Hat 7.0 and later. Actually, most examples should
-work with earlier versions of Red Hat as well. Also, this document should be
-applicable to other distributions that are Red Hat derivatives, such as
-Mandrake, Conectiva, etc.
-
-Overwhelmingly, the content of this document is not peculiar to Red Hat. The
-same rules and methodologies apply to other Linuxes. And indeed, to other
-Operating Systems as well. But each may have their own way of doing things --
-the file names and locations may differ, as may the system utilities that we
-rely on. It is these differences that make this document a "Red Hat" version.
------------------------------------------------------------------------------
-
-1.3. Copyright
-
-Security-Quickstart HOWTO for Red Hat Linux
-
-Copyright © 2001 Hal Burgiss.
-
-This document is free; you can redistribute it and/or modify it under the
-terms of the GNU General Public License as published by the Free Software
-Foundation; either version 2 of the License, or (at your option) any later
-version.
-
-This document is distributed in the hope that it will be useful, but WITHOUT
-ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
-FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-details.
-
-You can get a copy of the GNU GPL at at [http://www.gnu.org/copyleft/
-gpl.html] http://www.gnu.org/copyleft/gpl.html.
------------------------------------------------------------------------------
-
-1.4. Credits
-
-Many thanks to those who helped with the production of this document.
-
- * Bill Staehle, who has done a little bit of everything: ideas, editing,
- encouragement, and suggestions, many of which have been incorporated.
- Bill helped greatly with the content of this document.
-
- * Others who have contributed in one way or another: Dave Wreski, Ian
- Jones, Jacco de Leeuw, and Indulis Bernsteins.
-
- * Various posters on comp.os.linux.security, a great place to learn about
- Linux and security.
-
- * The Netfilter Development team for their work on iptables and connection
- tracking, state of the art tools with which to protect our systems.
-
-
------------------------------------------------------------------------------
-1.5. Disclaimer
-
-The author accepts no liability for the contents of this document. Use the
-concepts, examples and other content at your own risk. As this is a new
-document, there may be errors and inaccuracies. Hopefully these are few and
-far between. Corrections and suggestions are welcomed.
-
-This document is intended to give the new user a starting point for securing
-their system while it is connected to the Internet. Please understand that
-there is no intention whatsoever of claiming that the contents of this
-document will necessarily result in an ultimately secure and worry-free
-computing environment. Security is a complex topic. This document just
-addresses some of the most basic issues that inexperienced users should be
-aware of.
-
-The reader is encouraged to read other security related documentation and
-articles. And to stay abreast of security issues as they evolve. Security is
-not an objective, but an ongoing process.
------------------------------------------------------------------------------
-
-1.6. New Versions and Changelog
-
-The current official version can always be found at [http://www.tldp.org/
-HOWTO/Security-Quickstart-Redhat-HOWTO/] http://www.tldp.org/HOWTO/
-Security-Quickstart-Redhat-HOWTO/. Pre-release versions can be found at
-[http://feenix.burgiss.net/ldp/quickstart-rh/] http://feenix.burgiss.net/ldp/
-quickstart-rh/.
-
-Other formats, including PDF, PS, single page HTML, may be found at the Linux
-Documentation HOWTO index page: [http://tldp.org/docs.html#howto] http://
-tldp.org/docs.html#howto.
-
-Changelog:
-
-Version 1.2: Clarifications on example firewall scripts, and small additions
-to 'Have I been Hacked'. Note on Zonealarm type applications. More on the use
-of "chattr" by script kiddies, and how to check for this. Other small
-additions and clarifications.
-
-Version 1.1: Various corrections, amplifications and numerous mostly small
-additions. Too many to list. Oh yea, learn to spell Red Hat correctly ;-)
-
-Version 1.0: This is the initial release of this document. Comments welcomed.
------------------------------------------------------------------------------
-
-1.7. Feedback
-
-Any and all comments on this document are most welcomed. Please make sure you
-have the most current version before submitting corrections or suggestions!
-These can be sent to .
------------------------------------------------------------------------------
-
-2. Foreword
-
-Before getting into specifics, let's try to briefly answer some questions
-about why we need to be concerned about security in the first place.
-
-It is easy to see why an e-commerce site, an on-line bank, or a government
-agency with sensitive documents would be concerned about security. But what
-about the average user? Why should even a Linux home Desktop user worry about
-security?
-
-Anyone connected to the Internet is a target, plain and simple. It makes
-little difference whether you have a part-time dialup connection, or a
-full-time connection, though full-time connections make for bigger targets.
-Larger sites make for bigger targets too, but this does not let small users
-off the hook since the "small user" may be less skilled and thus an easier
-victim. Red Hat, and Red Hat based distributions, tend to make for bigger
-targets as well, since the installed user base is so large.
-
-There are those out there that are scanning just for easy victims all the
-time. If you start logging unwanted connection attempts, you will see this
-soon enough. There is little doubt that many of these attempts are
-maliciously motivated and the attacker, in some cases, is looking for Linux
-boxes to crack. Does someone on the other side of the globe really want to
-borrow my printer?
-
-What do they want? Often, they just may want your computer, your IP address,
-and your bandwidth. Then they use you to either attack others, or possibly
-commit crimes or mischief and are hiding their true identity behind you. This
-is an all too common scenario. Commercial and high-profile sites are targeted
-more directly and have bigger worries, but we all face this type of common
-threat.
-
-With a few reasonable precautions, Red Hat Linux can be very secure, and with
-all the available tools, makes for a fantastically fun and powerful Internet
-connection or server. Most successful break-ins are the result of ignorance
-or carelessness.
-
-The bottom line is:
-
- * Do you want control of your own system or not?
-
- * Do you want to unwittingly participate in criminal activity?
-
- * Do you want to be used by someone else?
-
- * Do you want to risk losing your Internet connection?
-
- * Do you want to have to go through the time consuming steps of reclaiming
- your system?
-
- * Do you want to chance the loss of data on your system?
-
-
-These are all real possibilities, unless we take the appropriate precautions.
-
-Warning If you are reading this because you have already been broken into, or
- suspect that you have, you cannot trust any of your system utilities
- to provide reliable information. And the suggestions made in the next
- several sections will not help you recover your system. Please jump
- straight to the Have I been Hacked? section, and read that first.
------------------------------------------------------------------------------
-
-2.1. The Optimum Configuration
-
-Ideally, we would want one computer as a dedicated firewall and router. This
-would be a bare bones installation, with no servers running, and only the
-required services and components installed. The rest of our systems would
-connect via this dedicated router/firewall system. If we wanted publicly
-accessible servers (web, mail, etc), these would be in a "DMZ"
-(De-militarized Zone). The router/firewall allows connections from outside to
-whatever services are running in the DMZ by "forwarding" these requests, but
-it is segregated from the rest of the internal network (aka LAN) otherwise.
-This leaves the rest of the internal network in fairly secure isolation, and
-relative safety. The "danger zone" is confined to the DMZ.
-
-But not everyone has the hardware to dedicate to this kind of installation.
-This would require a minimum of two computers. Or three, if you would be
-running any publicly available servers (not a good idea initially). Or maybe
-you are just new to Linux, and don't know your way around well enough yet. So
-if we can't do the ideal installation, we will do the next best thing.
------------------------------------------------------------------------------
-
-2.2. Before We Start
-
-Before we get to the actual configuration sections, a couple of notes.
-
-With Linux, there is always more than one way to perform any task. For the
-purposes of our discussion, we will have to use as generic set of tools as we
-can. Unfortunately, GUI tools don't lend themselves to this type of
-documentation. So we will be using text based, command line tools for the
-most part. Red Hat does provide various GUI utilities, feel free to
-substitute those in appropriate places.
-
-The next several sections have been written such that you can perform the
-recommended procedures as you read along. This is the "Quick Start" in the
-document title!
-
-To get ready, what you will need for the configuration sections below:
-
- * A text editor. There are many available. If you use a file manager
- application like gmc or nautilus, it probably has a built in editor. This
- will be fine. pico and mcedit are two relatively easy to use editors if
- you don't already have a favorite. There is a quick guide to Text editors
- in the Appendix that might help you get started. It is always a good idea
- to make a back up copy, before editing system configuration files.
-
- * For non-GUI editors and some of the commands, you will also need a
- terminal window opened. xterm, rxvt, and gnome-terminal all will work, as
- well as others.
-
-
-We'll be using a hypothetical system here for examples with the hostname
-"bigcat". Bigcat is a Linux desktop with a fresh install of the latest/
-greatest Red Hat running. Bigcat has a full-time, direct Internet connection.
-Even if your installation is not so "fresh", don't be deterred. Better late
-than never.
------------------------------------------------------------------------------
-
-3. Step 1: Which services do we really need?
-
-In this section we will see which services are running on our freshly
-installed system, decide which we really need, and do away with the rest. If
-you are not familiar with how servers and TCP connections work, you may want
-to read the section on servers and ports in the Appendix first. If not
-familiar with the netstat utility, you may want to read a quick overview of
-it beforehand. There is also a section in the Appendix on ports, and
-corresponding services. You may want to look that over too.
-
-Our goal is to turn off as many services as possible. If we can turn them all
-off, or at least off to outside connections, so much the better. Some rules
-of thumb we will use to guide us:
-
- * It is perfectly possible to have a fully functional Internet connection
- with no servers running that are accessible to outside connections. Not
- only possible, but desirable in many cases. The principle here is that
- you will never be successfully broken into via a port that is not opened
- because no server is listening on it. No server == no port open == not
- vulnerable. At least to outside connections.
-
- * If you don't recognize a particular service, chances are good you don't
- really need it. We will assume that and so we'll turn it off. This may
- sound dangerous, but is a good rule of thumb to go by.
-
- * Some services are just not intended to be run over the Internet -- even
- if you decide it is something you really do need. We'll flag these as
- dangerous, and address these in later sections, should you decide you do
- really need them, and there is no good alternative.
-
-
------------------------------------------------------------------------------
-3.1. System Audit
-
-So what is really running on our system anyway? Let's not take anything for
-granted about what "should" be running, or what we "think" is running.
-
-Which services get installed and started will vary greatly depending on which
-version of Red Hat, and which installation options were chosen. Earlier
-releases were very much prone to start many services and then let the user
-figure out which ones were needed, and which ones weren't. Recent versions
-are much more cautious. But this makes providing a ready made list of likely
-services impossible. Not to worry, as we shouldn't trust what is supposed to
-be running anyway. What we need to do is list for ourselves all running
-services.
-
-Now open an xterm, and su to root. You'll need to widen the window wide so
-the lines do not wrap. Use this command: netstat -tap |grep LISTEN. This will
-give us a list of all currently running servers as indicated by the keyword
-LISTEN, along with the "PID" and "Program Name" that started each particular
-service.
-
-+----------------------------------------------------------------------------------+
-|# netstat -tap |grep LISTEN |
-| *:exec *:* LISTEN 988/inetd |
-| *:login *:* LISTEN 988/inetd |
-| *:shell *:* LISTEN 988/inetd |
-| *:printer *:* LISTEN 988/inetd |
-| *:time *:* LISTEN 988/inetd |
-| *:x11 *:* LISTEN 1462/X |
-| *:http *:* LISTEN 1078/httpd |
-| bigcat:domain *:* LISTEN 956/named |
-| bigcat:domain *:* LISTEN 956/named |
-| *:ssh *:* LISTEN 972/sshd |
-| *:auth *:* LISTEN 388/in.identd |
-| *:telnet *:* LISTEN 988/inetd |
-| *:finger *:* LISTEN 988/inetd |
-| *:sunrpc *:* LISTEN 1290/portmap |
-| *:ftp *:* LISTEN 988/inetd |
-| *:smtp *:* LISTEN 1738/sendmail: accepting connections |
-| *:1694 *:* LISTEN 1319/rpc.mountd |
-| *:netbios-ssn *:* LISTEN 422/smbd |
-| |
-| |
-+----------------------------------------------------------------------------------+
-
-Red Hat 7.x and Mandrake 8.x and later users will have xinetd in place of
-inetd. Note the first three columns are cropped above for readability. If
-your list is as long as the example, you have some work ahead of you! It is
-highly unlikely that you really need anywhere near this number of servers
-running.
-
-Please be aware that the example above is just one of many, many possible
-system configurations. Yours probably does look very different.
-
-You don't understand what any of this is telling you? Hopefully then, you've
-read the netstat tutorial in the Appendix, and understand how it works.
-Understanding exactly what each server is in the above example, and what it
-does, is beyond the scope of this document. You will have to check your
-system's documentation (e.g. Installation Guide, man pages, etc) if that
-service is important to you. For example, does "exec", "login", and "shell"
-sound important? Yes, but these are not what they may sound like. They are
-actually rexec, rlogin, and rsh, the "r" (for remote) commands. These are
-antiquated, unnecessary, and in fact, are very dangerous if exposed to the
-Internet.
-
-Let's make a few quick assumptions about what is necessary and unnecessary,
-and therefore what goes and what stays on bigcat. Since we are running a
-desktop on bigcat, X11 of course needs to stay. If bigcat were a dedicated
-server of some kind, then X11 would be unnecessary. If there is a printer
-physically attached, the printer (lp) daemon should stay. Otherwise, it goes.
-Print servers may sound harmless, but are potential targets too since they
-can hold ports open. If we plan on logging in to bigcat from other hosts,
-sshd (Secure SHell Daemon) would be necessary. If we have Microsoft hosts on
-our LAN, we probably want Samba, so smbd should stay. Otherwise, it is
-completely unnecessary. Everything else in this example is optional and not
-required for a normally functioning system, and should probably go. See
-anything that you don't recognize? Not sure about? It goes!
-
-To sum up: since bigcat is a desktop with a printer attached, we will need
-"x11", "printer". bigcat is on a LAN with MS hosts, and shares files and
-printing with them, so "netbios-ssn" (smbd) is desired. We will also need
-"ssh" so we can login from other machines. Everything else is unnecessary for
-this particular case.
-
-Nervous about this? If you want, you can make notes of any changes you make
-or save the list of servers you got from netstat, with this command: netstat
--tap |grep LISTEN > ~/services.lst. That will save it your home directory
-with the name of "services.lst" for future reference.
-
-This is to not say that the ones we have decided to keep are inherently safe.
-Just that we probably need these. So we will have to deal with these via
-firewalling or other means (addressed below).
-
-It is worth noting that the telnet and ftp daemons in the above example are
-servers, aka "listeners". These accept incoming connections to you. You do
-not need, or want, these just to use ftp or telnet clients. For instance, you
-can download files from an FTP site with just an ftp client. Running an ftp
-server on your end is not required at all, and has serious security
-implications.
-
-There may be individual situations where it is desirable to make exceptions
-to the conclusions reached above. See below.
------------------------------------------------------------------------------
-
-3.2. The Danger Zone (or r00t m3 pl34s3)
-
-The following is a list of services that should not be run over the Internet.
-Either disable these (see below), uninstall, or if you really do need these
-services running locally, make sure they are the current, patched versions
-and that they are effectively firewalled. And if you don't have a firewall in
-place now, turn them off until it is up and verified to be working properly.
-These are potentially insecure by their very nature, and as such are prime
-cracker targets.
-
- * NFS (Network File System) and related services, including nfsd, lockd,
- mountd, statd, portmapper, etc. NFS is the standard Unix service for
- sharing file systems across a network. Great system for LAN usage, but
- dangerous over the Internet. And its completely unnecessary on a stand
- alone system.
-
- * rpc.* services, Remote Procedure Call.*, typically NFS and NIS related
- (see above).
-
- * Printer services (lpd).
-
- * The so-called r* (for "remote", i.e. Remote SHell) services: rsh, rlogin,
- rexec, rcp etc. Unnecessary, insecure and potentially dangerous, and
- better utilities are available if these capabilities are needed. ssh will
- do everything these command do, and in a much more sane way. See the man
- pages for each if curious. These will probably show in netstat output
- without the "r": rlogin will be just "login", etc.
-
- * telnet server. There is no reason for this anymore. Use sshd instead.
-
- * ftp server. There are better, safer ways for most systems to exchange
- files like scp or via http (see below). ftp is a proper protocol only for
- someone who is running a dedicated ftp server, and who has the time and
- skill to keep it buttoned down. For everyone else, it is potentially big
- trouble.
-
- * BIND (named), DNS server package. With some work, this can be done
- without great risk, but is not necessary in many situations, and requires
- special handling no matter how you do it. See the sections on Exceptions
- and special handling for individual applications.
-
- * Mail Transport Agent, aka "MTA" (sendmail, exim, postfix, qmail). Most
- installations on single computers will not really need this. If you are
- not going to be directly receiving mail from Internet hosts (as a
- designated MX box), but will rather use the POP server of your ISP, then
- it is not needed. You may however need this if you are receiving mail
- directly from other hosts on your LAN, but initially it's safer to
- disable this. Later, you can enable it over the local interface once your
- firewall and access policies have been implemented.
-
-
-This is not necessarily a definitive list. Just some common services that are
-sometimes started on default Red Hat installations. And conversely, this does
-not imply that other services are inherently safe.
------------------------------------------------------------------------------
-
-3.3. Stopping Services
-
-The next step is to find where each server on our kill list is being started.
-If it is not obvious from the netstat output, use ps, find, grep or locate to
-find more information from the "Program name" or "PID" info in the last
-column. There is examples of this in the Process Owner section in the netstat
-Tutorial of the Appendix. If the service name or port number do not look
-familiar to you, you might get a real brief explanation in your /etc/services
-file.
-
-chkconfig is a very useful command for controlling services that are started
-via init scripts (see example below). Also, where xinetd is used, it can
-control those services as well. chkconfig can tell us what services the
-system is configured to run, but not necessarily all services that are indeed
-actually running. Or what services may be started by other means, e.g. from
-rc.local. It is a configuration tool, more than a real time system auditing
-too.
-
-Skeptical that we are going to break your system, and the pieces won't go
-back together again? If so, take this approach: turn off everything listed
-above in "The Danger Zone", and run your system for a while. OK? Try stopping
-one of the ones we found to be "unnecessary" above. Then, run the system for
-a while. Keep repeating this process, until you get to the bare minimum. If
-this works, then make the changes permanent (see below).
-
-The ultimate objective is not just to stop the service now, but to make sure
-it is stopped permanently! So whatever steps you take here, be sure to check
-after your next reboot.
-
-There are various places and ways to start system services. Let's look at the
-most common ways this is done, and is probably how your system works. System
-services are typically either started by "init" scripts, or by inetd (or its
-replacement xinetd) on most distributions.
------------------------------------------------------------------------------
-
-3.3.1. Stopping Init Services
-
-Init services are typically started automatically during the boot process, or
-during a runlevel change. There is a naming scheme that uses symlinks to
-determine which services are to be started, or stopped, at any given
-runlevel. The scripts themselves should be in /etc/init.d/ (or possibly /etc/
-rc.d/init.d/ for older versions of Red Hat).
-
-You can get a listing of these scripts:
-
-+---------------------------------------------------------------------------+
-| # ls -l /etc/rc.d/init.d/ | less |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-To stop a running service now, as root:
-
-+---------------------------------------------------------------------------+
-| # /etc/init.d/<$SERVICE_NAME> stop |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Where "$SERVICE_NAME" is the name of the init script, which is often, but not
-always, the same as the service name itself. Older Red Hat versions may use
-the path /etc/rc.d/init.d/ instead.
-
-This only stops this particular service now. It will restart again on the
-next reboot, or runlevel change, unless additional steps are taken. So this
-is really a two step process for init type services.
-
-chkconfig can be used to see what services are started at each runlevel, and
-to turn off any unneeded services. To view all services under its control,
-type this command in an xterm:
-
-+---------------------------------------------------------------------------+
-| |
-| # chkconfig --list | less |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-To view only the ones that are "on":
-
-+---------------------------------------------------------------------------+
-| |
-| # chkconfig --list | grep "\bon\b" | less |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The first column is the service name, and the remaining columns are the
-various runlevels. We need generally only worry about runlevels 3 (boot to
-text console login) and 5 (boot straight to X11 login). xinetd services won't
-have columns, since that aspect would be controlled by xinetd itself.
-
-Examples of commands to turn services "off":
-
-+---------------------------------------------------------------------------+
-| |
-| # chkconfig portmapper off |
-| # chkconfig nfs off |
-| # chkconfig telnet off |
-| # chkconfig rlogin off |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Note that the last two are xinetd services. A very easy and nifty tool to
-use! Red Hat also includes ntsysv and tksysv (GUI) for runlevel and service
-configuration. See the man pages for additional command line options.
-
-Another option here is to uninstall a package if you know you do not need it.
-This is a pretty sure-fire, permanent fix. This also alleviates the potential
-problem of keeping all installed packages updated and current (Step 2). RPM
-makes it very easy to re-install a package should you change your mind.
-
-To uninstall packages with RPM:
-
-+---------------------------------------------------------------------------+
-| # rpm -ev telnet-server rsh rsh-server |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The above command would uninstall the "telnet server" package (but not telnet
-client!), "rsh" client and "rsh server" packages in one command. Red Hat also
-includes gnorpm, a GUI RPM management utility which can do this as well.
------------------------------------------------------------------------------
-
-3.3.2. Inetd
-
-Inetd is called a "super-daemon" because it is used to spawn sub-daemons.
-inetd itself will generally be started via init scripts, and will "listen" on
-the various ports as determined by which services are enable in its
-configuration file, /etc/inetd.conf. Any service listed here will be under
-the control of inetd. Likewise, any of the listening servers in netstat
-output that list "inetd" in the last column under "Program Name", will have
-been started by inetd. You will have to adjust the inetd configuration to
-stop these services. xinetd is an enhanced inetd replacement, and is
-configured differently (see next section below).
-
-Below is a partial snippet from a typical inetd.conf. Any service with a "#"
-at the beginning of the line is "commented out", and thus ignored by inetd,
-and consequently disabled.
-
-+---------------------------------------------------------------------------+
-|# |
-|# inetd.conf This file describes the services that will be available |
-|# through the INETD TCP/IP super server. To re-configure |
-|# the running INETD process, edit this file, then send the |
-|# INETD process a SIGHUP signal. |
-|# |
-|# Version: @(#)/etc/inetd.conf 3.10 05/27/93 |
-|# |
-|# Authors: Original taken from BSD UNIX 4.3/TAHOE. |
-|# Fred N. van Kempen, |
-|# |
-|# Modified for Debian Linux by Ian A. Murdock |
-|# |
-|# Echo, discard, daytime, and chargen are used primarily for testing. |
-|# |
-|# To re-read this file after changes, just do a 'killall -HUP inetd' |
-|# |
-|#echo stream tcp nowait root internal |
-|#echo dgram udp wait root internal |
-|#discard stream tcp nowait root internal |
-|#discard dgram udp wait root internal |
-|#daytime stream tcp nowait root internal |
-|#daytime dgram udp wait root internal |
-|#chargen stream tcp nowait root internal |
-|#chargen dgram udp wait root internal |
-|time stream tcp nowait root internal |
-|# |
-|# These are standard services. |
-|# |
-|#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a |
-|#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd |
-|# |
-|# Shell, login, exec, comsat and talk are BSD protocols. |
-|# |
-|#shell stream tcp nowait root /usr/sbin/tcpd in.rshd |
-|#login stream tcp nowait root /usr/sbin/tcpd in.rlogind |
-|#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd |
-|#comsat dgram udp wait root /usr/sbin/tcpd in.comsat |
-|#talk dgram udp wait root /usr/sbin/tcpd in.talkd |
-|#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd |
-|#dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd |
-|# |
-|# Pop and imap mail services et al |
-|# |
-|#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d |
-|pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d |
-|#imap stream tcp nowait root /usr/sbin/tcpd imapd |
-|# |
-|# The Internet UUCP service. |
-|# |
-|#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l |
-|# |
-| |
-| |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The above example has two services enabled: time and pop3. To disable these,
-all we need is to open the file with a text editor, comment out the two
-services with a "#", save the file, and then restart inetd (as root):
-
-+---------------------------------------------------------------------------+
-| |
-| # /etc/rc.d/init.d/inetd restart |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Check your logs for errors, and run netstat again to verify all went well.
-
-A quicker way of getting the same information, using grep:
-
-+---------------------------------------------------------------------------+
-| $ grep -v '^#' /etc/inetd.conf |
-| time stream tcp nowait root internal |
-| pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Again, do you see anything there that you don't know what it is? Then in all
-likelihood you are not using it, and it should be disabled.
-
-Unlike the init services configuration, this is a lasting change so only the
-one step is required.
-
-Let's expose one myth that gets tossed around: you shouldn't disable a
-service by commenting out, or removing, entries from /etc/services. This may
-have the desired effect in some cases, but is not the right way to do it, and
-may interfere with the normal operation of other system utilities.
------------------------------------------------------------------------------
-
-3.3.3. Xinetd
-
-xinetd is an inetd replacement with enhancements. Red Hat includes xinetd
-with 7.0 and later releases. It essentially serves the same purpose as inetd,
-but the configuration is different. The configuration can be in the file /etc
-/xinetd.conf, or individual files in the directory /etc/xinetd.d/.
-Configuration of individual services will be in the individual files under /
-etc/xinetd.d/*. Turning off xinetd services is done by either deleting the
-corresponding configuration section, or file. Or by using your text editor
-and simply setting disable = yes for the appropriate service. Or by using
-chkconfig. Then, xinetd will need to be restarted. See man xinetd and man
-xinetd.conf for syntax and configuration options. A sample xinetd
-configuration:
-
-+---------------------------------------------------------------------------+
-| # default: on |
-| # description: The wu-ftpd FTP server serves FTP connections. It uses \ |
-| # normal, unencrypted usernames and passwords for authentication. |
-| service ftp |
-| { |
-| disable = no |
-| socket_type = stream |
-| wait = no |
-| user = root |
-| server = /usr/sbin/in.ftpd |
-| server_args = -l -a |
-| log_on_success += DURATION USERID |
-| log_on_failure += USERID |
-| nice = 10 |
-| } |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-You can get a quick list of enabled services:
-
-+---------------------------------------------------------------------------+
-| $ grep disable /etc/xinetd.d/* |grep no |
-| /etc/xinetd.d/finger: disable = no |
-| /etc/xinetd.d/rexec: disable = no |
-| /etc/xinetd.d/rlogin: disable = no |
-| /etc/xinetd.d/rsh: disable = no |
-| /etc/xinetd.d/telnet: disable = no |
-| /etc/xinetd.d/wu-ftpd: disable = no |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-At this point, the above output should raise some red flags. In the
-overwhelming majority of systems, all the above can be disabled without any
-adverse impact. Not sure? Try it without that service. After disabling
-unnecessary services, then restart xinetd:
-
-+---------------------------------------------------------------------------+
-| |
-| # /etc/rc.d/init.d/xinetd restart |
-| |
-| |
-+---------------------------------------------------------------------------+
------------------------------------------------------------------------------
-
-3.3.4. When All Else Fails
-
-OK, if you can't find the "right" way to stop a service, or maybe a service
-is being started and you can't find how or where, you can "kill" the process.
-To do this, you will need to know the PID (Process I.D.). This can be found
-with ps, top, fuser or other system utilities. For top and ps, this will be
-the number in the first column. See the Port and Process Owner section in the
-Appendix for examples.
-
-Example (as root):
-
-+---------------------------------------------------------------------------+
-| # kill 1163 |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Then run top or ps again to verify that the process is gone. If not, then:
-
-+---------------------------------------------------------------------------+
-| # kill -KILL 1163 |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Note the second "KILL" in there. This must be done either by the user who
-owns the process, or root. Now go find where and how this process got started
-;-)
-
-The /proc filesystem can also be used to find out more information about each
-process. Armed with the PID, we can find the path to a mysterious process:
-
-+---------------------------------------------------------------------------+
-| $ /bin/ps ax|grep tcpgate |
-| 921 ? S 0:00 tcpgate |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-+----------------------------------------------------------------------------------+
-| # ls -l /proc/921/exe |
-| lrwxrwxrwx 1 root root 0 July 21 12:11 /proc/921/exe -> /usr/local/bin/tcpgate |
-| |
-| |
-+----------------------------------------------------------------------------------+
------------------------------------------------------------------------------
-
-3.4. Exceptions
-
-Above we used the criteria of turning off all unnecessary services. Sometimes
-that is not so obvious. And sometimes what may be required for one person's
-configuration is not the same for another's. Let's look at a few common
-services that fall in this category.
-
-Again, our rule of thumb is if we don't need it, we won't run it. It's that
-simple. If we do need any of these, they are prime candidates for some kind
-of restrictive policies via firewall rules or other mechanisms (see below).
-
- * identd - This is a protocol that has been around for ages, and is often
- installed and running by default. It is used to provide a minimal amount
- of information about who is connecting to a server. But, it is not
- necessary in many cases. Where might you need it? Most IRC servers
- require it. Many mail servers use it, but don't really require it. Try
- your mail setup without it. If identd is going to be a problem, it will
- be because there is a time out before before the server starts sending or
- receiving mail. So mail should work fine without it, but may be slower. A
- few ftp servers may require it. Most don't though. Older versions of Red
- Hat started identd via inetd. Recent versions start this via init
- scripts.
-
- If identd is required, there are some configuration options that can
- greatly reduce the information that is revealed:
-
- +---------------------------------------------------------------+
- | |
- | /usr/sbin/in.identd in.identd -l -e -o -n -N |
- | |
- | |
- +---------------------------------------------------------------+
-
- The -o flag tells identd to not reveal the operating system type it is
- run on and to instead always return "OTHER". The -e flag tells identd to
- always return "UNKNOWN-ERROR" instead of the "NO-USER" or "INVALID-PORT"
- errors. The -n flag tells identd to always return user numbers instead of
- user names, if you wish to keep the user names a secret. The -N flag
- makes identd check for the file .noident in the user's home directory for
- which the daemon is about to return a user name. It that file exists then
- the daemon will give the error "HIDDEN-USER" instead of the normal
- "USERID" response.
-
- * Mail server (MTA's like sendmail, qmail, etc) - Often a fully functional
- mail server like sendmail is installed by default. The only time that
- this is actually required is if you are hosting a domain, and receiving
- incoming mail directly. Or possibly, for exchanging mail on a LAN, in
- which case it does not need Internet exposure and can be safely
- firewalled. For your ISP's POP mail access, you don't need it even though
- this is a common configuration. One alternative here is to use fetchmail
- for POP mail retrieval with the -m option to specify a local delivery
- agent: fetchmail -m procmail for instance works with no sendmail daemon
- running at all. Sendmail, can be handy to have running, but the point is,
- it is not required in many situations, and can be disabled, or firewalled
- safely.
-
- * BIND (named) - This often is installed by default, but is only really
- needed if you are an authoritative name server for a domain. If you are
- not sure what this means, then you definitely don't need it. BIND is
- probably the number one crack target on the Internet. BIND is often used
- though in a "caching" only mode. This can be quite useful, but does not
- require full exposure to the Internet. In other words, it should be
- restricted or firewalled. See special handling of individual applications
- below.
-
-
------------------------------------------------------------------------------
-3.5. Summary and Conclusions for Step 1
-
-In this section we learned how to identify which services are running on our
-system, and were given some tips on how to determine which services may be
-necessary. Then we learned how to find where the services were being started,
-and how to stop them. If this has not made sense, now is a good time to
-re-read the above.
-
-Hopefully you've already taken the above steps. Be sure to test your results
-with netstat again, just to verify the desired end has been achieved, and
-only the services that are really required are running.
-
-It would also be wise to do this after the next reboot, anytime you upgrade a
-package (to make sure a new configuration does not sneak in), and after every
-system upgrade or new install.
------------------------------------------------------------------------------
-
-4. Step 2: Updating
-
-OK, this section should be comparatively short, simple and straightforward
-compared to the above, but no less important.
-
-The very first thing after a new install you should check the errata notices
-at [http://redhat.com/errata/] http://redhat.com/apps/errata/, and apply all
-relevant updates. Only a year old you say? That's a long time actually, and
-not current enough to be safe. Only a few months or few weeks? Check anyway.
-A day or two? Better safe than sorry. It is quite possible that security
-updates have been released during the pre-release phase of the development
-and release cycle. If you can't take this step, disable any publicly
-accessible services until you can.
-
-Linux distributions are not static entities. They are updated with new,
-patched packages as the need arises. The updates are just as important as the
-original installation. Even more so, since they are fixes. Sometimes these
-updates are bug fixes, but quite often they are security fixes because some
-hole has been discovered. Such "holes" are immediately known to the cracker
-community, and they are quick to exploit them on a large scale. Once the hole
-is known, it is quite simple to get in through it, and there will be many out
-there looking for it. And Linux developers are also equally quick to provide
-fixes. Sometimes the same day as the hole has become known!
-
-Keeping all installed packages current with your release is one of the most
-important steps you can take in maintaining a secure system. It can not be
-emphasized enough that all installed packages should be kept updated -- not
-just the ones you use. If this is burdensome, consider uninstalling any
-unused packages. Actually this is a good idea anyway.
-
-But where to get this information in a timely fashion? There are a number of
-web sites that offer the latest security news. There are also a number of
-mailing lists dedicated to this topic. In fact, Red Hat has the "watch" list,
-just for this purpose at [https://listman.redhat.com/mailman/listinfo/
-redhat-watch-list] https://listman.redhat.com/mailman/listinfo/
-redhat-watch-list. This is a very low volume list by the way. This is an
-excellent way to stay abreast of issues effecting your release, and is highly
-recommended. [http://linuxsecurity.com] http://linuxsecurity.com is a good
-site for Linux only issues. They also have weekly newsletters available:
-[http://www.linuxsecurity.com/general/newsletter.html] http://
-www.linuxsecurity.com/general/newsletter.html.
-
-Red Hat also has the up2date utility for automatically keeping your system(s)
-up to date ;-). See the man page for details.
-
-This is not a one time process -- it is ongoing. It is important to stay
-current. So watch those security notices. And subscribe to that security
-mailing list today! If you have cable modem, DSL, or other full time
-connection, there is no excuse not to do this religiously. All distributions
-make this easy enough!
-
-One last note: any time a new package is installed, there is also a chance
-that a new or revised configuration has been installed as well. Which means
-that if this package is a server of some kind, it may be enabled as a result
-of the update. This is bad manners, but it can happen, so be sure to run
-netstat or comparable to verify your system is where you want it after any
-updates or system changes. In fact, do it periodically even if there are no
-such changes.
------------------------------------------------------------------------------
-
-4.1. Summary and Conclusions for Step 2
-
-It is very simple: make sure your Linux installation is current. Check the
-Red Hat errata for what updated packages may be available. There is nothing
-wrong with running an older release, just so the packages in it are updated
-according to what Red Hat has made available since the initial release. At
-least as long as Red Hat is still supporting the release and updates are
-still being provided. For instance, Red Hat has stopped providing updates for
-5.0 and 5.1, but still does for 5.2.
------------------------------------------------------------------------------
-
-5. Step 3: Firewalls and Setting Access Policies
-
-So what is a "firewall"? It's a vague term that can mean anything that acts
-as a protective barrier between us and the outside world. This can be a
-dedicated system, or a specific application that provides this functionality.
-Or it can be a combination of components, including various combinations of
-hardware and software. Firewalls are built from "rules" that are used to
-define what is allowed to enter and exit a given system or network. Let's
-look at some of the possible components that are readily available for Linux,
-and how we might implement a reasonably safe firewalling strategy.
-
-In Step 1 above, we have turned off all services we don't need. In our
-example, there were a few we still needed to have running. In this section,
-we will take the next step here and decide which we need to leave open to the
-world. And which we might be able to restrict in some way. If we can block
-them all, so much the better, but this is not always practical.
------------------------------------------------------------------------------
-
-5.1. Strategy
-
-What we want to do now is restrict connections and traffic so that we only
-allow the minimum necessary for whatever our particular situation is. In some
-cases we may want to block all incoming "new" connection attempts. Example:
-we want to run X, but don't want anyone from outside to access it, so we'll
-block it completely from outside connections. In other situations, we may
-want to limit, or restrict, incoming connections to trusted sources only. The
-more restrictive, the better. Example: we want to ssh into our system from
-outside, but we only ever do this from our workplace. So we'll limit sshd
-connections to our workplace address range. There are various ways to do
-this, and we'll look at the most common ones.
-
-We also will not want to limit our firewall to any one application. There is
-nothing wrong with a "layered" defense-in-depth approach. Our front line
-protection will be a packet filter -- either ipchains or iptables (see
-below). Then we can use additional tools and mechanisms to reinforce our
-firewall.
-
-We will include some brief examples. Our rule of thumb will be to deny
-everything as the default policy, then open up just what we need. We'll try
-to keep this as simple as possible since it can be an involved and complex
-topic, and just stick to some of the most basic concepts. See the Links
-section for further reading on this topic.
------------------------------------------------------------------------------
-
-5.2. Packet Filters -- Ipchains and Iptables
-
-"Packet filters" (like ipchains) have the ability to look at individual
-packets, and make decisions based on what they find. These can be used for
-many purposes. One common purpose is to implement a firewall.
-
-Common packet filters on Linux are ipchains which is standard with 2.2
-kernels, and iptables which is available with the more recent 2.4 kernels.
-iptables has more advanced packet filtering capabilities and is recommended
-for anyone running a 2.4 kernel. But either can be effective for our
-purposes. ipfwadm is a similar utility for 2.0 kernels (not discussed here).
-
-If constructing your own ipchains or iptables firewall rules seems a bit
-daunting, there are various sites that can automate the process. See the
-Links section. Also the included examples may be used as a starting point. As
-of Red Hat 7.1, Red Hat is providing init scripts for ipchains and iptables,
-and gnome-lokkit for generating a very basic set of firewall rules (see below
-). This may be adequate, but it is still recommended to know the proper
-syntax and how the various mechanisms work as such tools rarely do more than
-a few very simple rules.
-
-Note Various examples are given below. These are presented for illustrative
- purposes to demonstrate some of the concepts being discussed here. While
- they might also be useful as a starting point for your own script,
- please note that they are not meant to be all encompassing. You are
- strongly encouraged to understand how the scripts work, so you can
- create something even more tailored for your own situation.
-
- The example scripts are just protecting inbound connections to one
- interface (the one connected to the Internet). This may be adequate for
- many simple home type situations, but, conversely, this approach is not
- adequate for all situations!
------------------------------------------------------------------------------
-
-5.2.1. ipchains
-
-ipchains can be used with either 2.2 or 2.4 kernels. When ipchains is in
-place, it checks every packet that moves through the system. The packets move
-across different "chains", depending where they originate and where they are
-going. Think of "chains" as rule sets. In advanced configurations, we could
-define our own custom chains. The three default built-in chains are input,
-which is incoming traffic, output, which is outgoing traffic, and forward,
-which is traffic being forwarded from one interface to another (typically
-used for "masquerading"). Chains can be manipulated in various ways to
-control the flow of traffic in and out of our system. Rules can be added at
-our discretion to achieve the desired result.
-
-At the end of every "chain" is a "target". The target is specified with the
--j option to the command. The target is what decides the fate of the packet
-and essentially terminates that particular chain. The most common targets are
-mostly self-explanatory: ACCEPT, DENY, REJECT, and MASQ. MASQ is for
-"ipmasquerading". DENY and REJECT essentially do the same thing, though in
-different ways. Is one better than the other? That is the subject of much
-debate, and depends on other factors that are beyond the scope of this
-document. For our purposes, either should suffice.
-
-ipchains has a very flexible configuration. Port (or port ranges),
-interfaces, destination address, source address can be specified, as well as
-various other options. The man page explains these details well enough that
-we won't get into specifics here.
-
-Traffic entering our system from the Internet, enters via the input chain.
-This is the one that we need as tight as we can make it.
-
-Below is a brief example script for a hypothetical system. We'll let the
-comments explain what this script does. Anything starting with a "#" is a
-comment. ipchains rules are generally incorporated into shell scripts, using
-shell variables to help implement the firewalling logic.
-
-#!/bin/sh
-#
-# ipchains.sh
-#
-# An example of a simple ipchains configuration.
-#
-# This script allows ALL outbound traffic, and denies
-# ALL inbound connection attempts from the outside.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-IPCHAINS=/sbin/ipchains
-# This is the WAN interface, that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-
-## end user configuration options #################################
-###################################################################
-
-# The high ports used mostly for connections we initiate and return
-# traffic.
-LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
-`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# Let's start clean and flush all chains to an empty state.
-$IPCHAINS -F
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that ipchains uses.
-$IPCHAINS -P forward DENY
-$IPCHAINS -P output ACCEPT
-$IPCHAINS -P input DENY
-
-# Accept localhost/loopback traffic.
-$IPCHAINS -A input -i lo -j ACCEPT
-
-# Get our dynamic IP now from the Inet interface. WAN_IP will be our
-# IP address we are protecting from the outside world. Put this
-# here, so default policy gets set, even if interface is not up
-# yet.
-WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`
-
-# Bail out with error message if no IP available! Default policy is
-# already set, so all is not lost here.
-[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
-
-# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
-# the high, unprivileged ports (1024 to 4999 by default). This will
-# allow return connection traffic for connections that we initiate
-# to outside sources. TCP connections are opened with 'SYN' packets.
-$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
-
-# We can't be so selective with UDP since that protocol does not
-# know about SYNs.
-$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPCHAINS -A input -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-
-###################################################################
-# Set the catchall, default rule to DENY, and log it all. All other
-# traffic not allowed by the rules above, winds up here, where it is
-# blocked and logged. This is the default policy for this chain
-# anyway, so we are just adding the logging ability here with '-l'.
-# Outgoing traffic is allowed as the default policy for the 'output'
-# chain. There are no restrictions on that.
-
-$IPCHAINS -A input -l -j DENY
-
-echo "Ipchains firewall is up `date`."
-
-##-- eof ipchains.sh
-
-
-
-To use the above script would require that it is executable (i.e. chmod +x
-ipchains.sh), and run by root to build the chains, and hence the firewall.
-
-To summarize what this example did was to start by setting some shell
-variables in the top section, to be used later in the script. Then we set the
-default rules (ipchains calls these "policies") of denying all inbound and
-forwarded traffic, and of allowing all our own outbound traffic. We had to
-open some holes in the high, unprivileged ports so that we could have return
-traffic from connections that bigcat initiates to outside addresses. If we
-connect to someone's web server, we want that HTML data to be able to get
-back to us, for instance. The same applies to other network traffic. We then
-allowed a few specific types of the ICMP protocol (most are still blocked).
-We are also logging any inbound traffic that violates any of our rules so we
-know who is doing what. Notice that we are only using IP address here, not
-hostnames of any kind. This is so that our firewall works, even in situation
-where there may be DNS failures. Also, to prevent any kind of DNS spoofing.
-
-See the ipchains man page for a full explanation of syntax. The important
-ones we used here are:
-
-
- -A input: Adds a rule to the "input" chain. The default chains are
- input, output, and forward.
-
- -p udp: This rule only applies to the "UDP" "protocol". The -p option
- can be used with tcp, udp or icmp protocols.
-
- -i $WAN_IFACE: This rule applies to the specified interface only, and
- applies to whatever chain is referenced (input, output, or forward).
-
- -s [port]: This rule only applies to the source address as
- specified. It can optionally have a port (e.g. 22) immediately afterward,
- or port range, e.g. 1023:4999.
-
- -d [port]: This rule only applies to the destination
- address as specified. Also, it may include port or port range.
-
- -l : Any packet that hits a rule with this option is logged (lower case
- "L").
-
- -j ACCEPT: Jumps to the "ACCEPT" "target". This effectively terminates
- this chain and decides the ultimate fate for this particular packet,
- which in this example is to "ACCEPT" it. The same is true for other -j
- targets like DENY.
-
-
-By and large, the order in which command line options are specified is not
-significant. The chain name (e.g. input) must come first though.
-
-Remember in Step 1 when we ran netstat, we had both X and print servers
-running among other things. We don't want these exposed to the Internet, even
-in a limited way. These are still happily running on bigcat, but are now safe
-and sound behind our ipchains based firewall. You probably have other
-services that fall in this category as well.
-
-The above example is a simplistic all or none approach. We allow all our own
-outbound traffic (not necessarily a good idea), and block all inbound
-connection attempts from outside. It is only protecting one interface, and
-really just the inbound side of that interface. It would more than likely
-require a bit of fine tuning to make it work for you. For a more advanced set
-of rules, see the Appendix. And you might want to read [http://tldp.org/HOWTO
-/IPCHAINS-HOWTO.html] http://tldp.org/HOWTO/IPCHAINS-HOWTO.html.
-
-Whenever you have made changes to your firewall, you should verify its
-integrity. One step to make sure your rules seem to be doing what you
-intended, is to see how ipchains has interpreted your script. You can do this
-by opening your xterm very wide, and issuing the following command:
-
-+---------------------------------------------------------------------------+
-| # ipchains -L -n -v | less |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The output is grouped according to chain. You should also find a way to scan
-yourself (see the Verifying section below). And then keep an eye on your logs
-to make sure you are blocking what is intended.
------------------------------------------------------------------------------
-
-5.2.2. iptables
-
-iptables is the next generation packet filter for Linux, and requires a 2.4
-kernel. It can do everything ipchains can, but has a number of noteworthy
-enhancements. The syntax is similar to ipchains in many respects. See the man
-page for details.
-
-The most noteworthy enhancement is "connection tracking", also known as
-"stateful inspection". This gives iptables more knowledge of the state of
-each packet. Not only does it know if the packet is a TCP or UDP packet, or
-whether it has the SYN or ACK flags set, but also if it is part of an
-existing connection, or related somehow to an existing connection. The
-implications for firewalling should be obvious.
-
-The bottom line is that it is easier to get a tight firewall with iptables,
-than with ipchains. So this is the recommended way to go.
-
-Here is the same script as above, revised for iptables:
-
-#!/bin/sh
-#
-# iptables.sh
-#
-# An example of a simple iptables configuration.
-#
-# This script allows ALL outbound traffic, and denies
-# ALL inbound connection attempts from the Internet interface only.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-IPTABLES=/sbin/iptables
-# Local Interfaces
-# This is the WAN interface that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-#
-
-## end user configuration options #################################
-###################################################################
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# This module may need to be loaded:
-modprobe ip_conntrack_ftp
-
-# Start building chains and rules #################################
-#
-# Let's start clean and flush all chains to an empty state.
-$IPTABLES -F
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that IPTABLES uses.
-$IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT ACCEPT
-$IPTABLES -P INPUT DROP
-
-# Accept localhost/loopback traffic.
-$IPTABLES -A INPUT -i lo -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-
-###################################################################
-# Set the catchall, default rule to DENY, and log it all. All other
-# traffic not allowed by the rules above, winds up here, where it is
-# blocked and logged. This is the default policy for this chain
-# anyway, so we are just adding the logging ability here with '-j
-# LOG'. Outgoing traffic is allowed as the default policy for the
-# 'output' chain. There are no restrictions on that.
-
-$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTABLES -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
-$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
-
-echo "Iptables firewall is up `date`."
-
-##-- eof iptables.sh
-
-
-
-The same script logic is used here, and thus this does pretty much the same
-exact thing as the ipchains script in the previous section. There are some
-subtle differences as to syntax. Note the case difference in the chain names
-for one (e.g. INPUT vs input). Logging is handled differently too. It has its
-own "target" now (-j LOG), and is much more flexible.
-
-There are some very fundamental differences as well, that might not be so
-obvious. Remember this section from the ipchains script:
-
-# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are the high,
-# unprivileged ports (1024 to 4999 by default). This will allow return
-# connection traffic for connections that we initiate to outside sources.
-# TCP connections are opened with 'SYN' packets. We have already opened
-# those services that need to accept SYNs for, so other SYNs are excluded here
-# for everything else.
-$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
-
-# We can't be so selective with UDP since that protocol does not know
-# about SYNs.
-$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
-
-
-
-We jumped through hoops here with ipchains so that we could restrict
-unwanted, incoming connections as much as possible. A bit of a kludge,
-actually.
-
-That section is missing from the iptables version. It is not needed as
-connection tracking handles this quite nicely, and then some. This is due to
-the "statefulness" of iptables. It knows more about each packet than ipchains
-. For instance, it knows whether the packet is part of a "new" connection, or
-an "established" connection, or a "related" connection. This is the so-called
-"stateful inspection" of connection tracking.
-
-There are many, many features of iptables that are not touched on here. For
-more reading on the Netfilter project and iptables, see [http://
-netfilter.samba.org] http://netfilter.samba.org. And for a more advanced set
-of rules, see the Appendix.
------------------------------------------------------------------------------
-
-5.2.3. Red Hat Firewall Configuration Tools
-
-Red Hat has not included firewall configuration tools until 7.1, when the GUI
-utility gnome-lokkit started being bundled. gnome-lokkit does a minimalist
-set of rules for ipchains only. Explicit support for iptables configuration
-is not an option, despite the fact that the default kernel is 2.4.
-
-gnome-lokkit is an option on non-upgrade installs, and can also be run as a
-stand-alone app any time after installation. It will ask a few simple
-questions, and dump the resulting rule-set into /etc/sysconfig/ipchains.
-
-As mentioned, this is a fairly minimalist set of rules, and possibly a
-sufficient starting point. An example /etc/sysconfig/ipchains created by
-gnome-lokkit:
-
- # Firewall configuration written by lokkit
- # Manual customization of this file is not recommended.
- # Note: ifup-post will punch the current nameservers through the
- # firewall; such entries will *not* be listed here.
- :input ACCEPT
- :forward ACCEPT
- :output ACCEPT
- -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
- -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
- -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
- -A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
- -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
- -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
- -A input -s 127.0.0.1 53 -d 0/0 -p udp -j ACCEPT
- -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
- -A input -s 0/0 -d 0/0 -p udp -j REJECT
-
-
-
-This is in a format that can be read by the ipchains command ipchains-restore
-. Consequently, a new or modified set or rules can be generated with the
-ipchains-save, and redirecting the output to this file. ipchains-restore is
-indeed how the ipchains init script processes this file. So for this to work,
-the ipchains service must be activated:
-
-+---------------------------------------------------------------------------+
-| # chkconfig ipchains on |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Conversely, if you want to roll your own iptables rules instead, you should
-make sure the ipchains init service is disabled. There is also an iptables
-init script, that works much the same as the ipchains version. There is just
-no support from gnome-lokkit at this time.
------------------------------------------------------------------------------
-
-5.3. Tcpwrappers (libwrap)
-
-Tcpwrappers provides much the same desired results as ipchains and iptables
-above, though works quite differently. Tcpwrappers actually intercepts the
-connection attempt, then examines its configurations files, and decides
-whether to accept or reject the request. Tcpwrappers controls access at the
-application level, rather than the socket level like iptables and ipchains.
-This can be quite effective, and is a standard component on most Linux
-systems.
-
-Tcpwrappers consists of the configuration files /etc/hosts.allow and /etc/
-hosts.deny. The functionality is provided by the libwrap library.
-
-Tcpwrappers first looks to see if access is permitted in /etc/hosts.allow,
-and if so, access is granted. If not in /etc/hosts.allow, the file /etc/
-hosts.deny is then checked to see if access is not allowed. If so, access is
-denied. Else, access is granted. For this reason, /etc/hosts.deny should
-contain only one uncommented line, and that is: ALL: ALL. Access should then
-be permitted through entries in /etc/hosts.allow, where specific services are
-listed, along with the specific host addresses allowed to access these
-services. While hostnames can be used here, use of hostnames opens the
-limited possibility for name spoofing.
-
-Tcpwrappers is commonly used to protect services that are started via inetd
-(or xinetd). But also any program that has been compiled with libwrap
-support, can take advantage of it. Just don't assume that all programs have
-built in libwrap support -- they do not. In fact, most probably don't. So we
-will only use it in our examples here to protect services start via inetd.
-And then rely on our packet filtering firewall, or other mechanism, to
-protect non-(x)inetd services.
-
-Below is a small snippet from a typical inetd.conf file:
-
-+---------------------------------------------------------------------------+
-| # Pop and imap mail services et al |
-| # |
-| #pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d |
-| #pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d |
-| #imap stream tcp nowait root /usr/sbin/tcpd imapd |
-| # |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The second to last column is the tcpwrappers daemon -- /usr/sbin/tcpd.
-Immediately after is the daemon it is protecting. In this case, POP and IMAP
-mail servers. Your distro probably has already done this part for you. For
-the few applications that have built-in support for tcpwrappers via the
-libwrap library, specifying the daemon as above is not necessary.
-
-We will use the same principles here: default policy is to deny everything,
-then open holes to allow the minimal amount of traffic necessary.
-
-So now with your text editor, su to root and open /etc/hosts.deny. If it does
-not exist, then create it. It is just a plain text file. We want the
-following line:
-
-+---------------------------------------------------------------------------+
-| ALL: ALL |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-If it is there already, fine. If not, add it in and then save and close file.
-Easy enough. "ALL" is one of the keywords that tcpwrappers understands. The
-format is $SERVICE_NAME : $WHO, so we are denying all connections to all
-services here. At least all services that are using tcpwrappers. Remember,
-this will primarily be inetd services. See man 5 hosts_access for details on
-the syntax of these files. Note the "5" there!
-
-Now let's open up just the services we need, as restrictively as we can, with
-a brief example:
-
-+---------------------------------------------------------------------------+
-| ALL: 127.0.0.1 |
-| sshd,ipop3d: 192.168.1. |
-| sshd: .myworkplace.com, hostess.mymomshouse.com |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The first line allows all "localhost" connections. You will need this. The
-second allows connections to the sshd and ipop3d services from IP addresses
-that start with 192.168.1., in this case the private address range for our
-hypothetical home LAN. Note the trailing ".". It's important. The third line
-allows connections to only our sshd daemon from any host associated with
-.myworkplace.com. Note the leading "." in this example. And then also, the
-single host hostess.mymomshouse.com. In summary, localhost and all our LAN
-connections have access to any and all tcpwrappered services on bigcat. But
-only our workplace addresses, and our mother can use sshd on bigcat from
-outside connections. Everybody else is denied by the default policy in /etc/
-hosts.deny.
-
-The types of wild cards above (.myworkplace.com and 192.168.1.) are not
-supported by ipchains and iptables, or most other Linux applications for that
-matter. Also, tcpwrappers can use hostnames in place of IP addresses which is
-quite handy in some situations. This does not work with ipchains and iptables
-.
-
-You can test your tcpwrappers configuration with the included tcpdchk utility
-(see the man page). Note that at this time this does not work with xinetd,
-and may not even be included in this case.
-
-There is nothing wrong with using both tcpwrappers and a packet filtering
-firewall like ipchains. In fact, it is recommended to use a "layered"
-approach. This helps guard against accidental misconfigurations. In this
-case, each connection will be tested by the packet filter rules first, then
-tcpwrappers.
-
-Remember to make backup copies before editing system configuration files,
-restart the daemon afterward, and then check the logs for error messages.
------------------------------------------------------------------------------
-
-5.3.1. xinetd
-
-As mentioned, [http://www.xinetd.org] xinetd is an enhanced inetd , and
-replaces inetd as of Red Hat 7.0. It has much of the same functionality, with
-some notable enhancements. One is that tcpwrappers support be is compiled in,
-eliminating the need for explicit references to tcpd. Which means /etc/
-hosts.allow and /etc/hosts.deny are automatically in effect.
-
-Some of xinetd's other enhancements: specify IP address to listen on, which
-is a very effective method of access control; limit the rate of incoming
-connections and the total number of simultaneous connections; limit services
-to specific times of day. See the xinetd and xinetd.conf man pages for more
-details.
-
-The syntax is quite different though. An example from /etc/xinetd.d/tftp:
-
-+---------------------------------------------------------------------------+
-| service tftp |
-| { |
-| socket_type = dgram |
-| bind = 192.168.1.1 |
-| instances = 2 |
-| protocol = udp |
-| wait = yes |
-| user = nobody |
-| only_from = 192.168.1.0 |
-| server = /usr/sbin/in.tftpd |
-| server_args = /tftpboot |
-| disable = no |
-| } |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Notice the bind statement. We are only listening on, or "binding" to, the
-private, LAN interface here. No outside connections can be made since the
-outside port is not even opened. We are also only accepting connections from
-192.168.1.0, our LAN. For xinetd's purposes, this denotes any IP address
-beginning with "192.168.1". Note that the syntax is different from inetd. The
-server statement in this case is the tftp daemon, in.tftpd. Again, this
-assumes that libwrap/tcpwrappers support is compiled into xinetd. The user
-running the daemon will be "nobody". Yes, there is a user account called
-"nobody", and it is wise to run such daemons as non-root users whenever
-possible. Lastly, the disable statement is xinetd's way of turning services
-on or off. In this case, it is "on". This is on here only as an example. Do
-NOT run tftp as a public service as it is unsafe.
------------------------------------------------------------------------------
-
-5.4. PortSentry
-
-[http://www.psionic.org/products/portsentry.html] Portsentry works quite
-differently than the other tools discussed so far. Portsentry does what its
-name implies -- it guards ports. Portsentry is configured with the /etc/
-portsentry/portsentry.conf file.
-
-Unlike the other applications discussed above, it does this by actually
-becoming the listening server on those ports. Kind of like baiting a trap.
-Running netstat -taup as root while portsentry is running, will show
-portsentry as the LISTENER on whatever ports portsentry is configured for. If
-portsentry senses a connection attempt, it blocks it completely. And then
-goes a step further and blocks the route to that host to stop all further
-traffic. Alternately, ipchains or iptables can be used to block the host
-completely. So it makes an excellent tool to stop port scanning of a range of
-ports.
-
-But portsentry has limited flexibility as to whether it allows a given
-connection. It is pretty much all or nothing. You can define specific IP
-addresses that it will ignore in /etc/portsentry/portsentry.ignore. But you
-cannot allow selective access to individual ports. This is because only one
-server can bind to a particular port at the same time, and in this case that
-is portsentry itself. So it has limited usefulness as a stand-alone firewall.
-As part of an overall firewall strategy, yes, it can be quite useful. For
-most of us, it should not be our first line of defense, and we should only
-use it in conjunction with other tools.
-
-Suggestion on when portsentry might be useful:
-
- * As a second layer of defense, behind either ipchains or iptables. Packet
- filtering will catch the packets first, so that anything that gets to
- portsentry would indicate a misconfiguration. Do not use in conjunction
- with inetd services -- it won't work. They will butt heads.
-
- * As a way to catch full range ports scans. Open a pinhole or two in the
- packet filter, and let portsentry catch these and re-act accordingly.
-
- * If you are very sure you have no exposed public servers at all, and you
- just want to know who is up to what. But do not assume anything about
- what portsentry is protecting. By default it does not watch all ports,
- and may even leave some very commonly probed ports open. So make sure you
- configure it accordingly. And make sure you have tested and verified your
- set up first, and that nothing is exposed.
-
-
-All in all, the packet filters make for a better firewall.
------------------------------------------------------------------------------
-
-5.5. Proxies
-
-The dictionary defines "proxy" as "the authority or power to act on behalf of
-another". This pretty well describes software proxies as well. It is an
-intermediary in the connection path. As an example, if we were using a web
-proxy like "squid" ([http://www.squid-cache.org/] http://www.squid-cache.org
-/), every time we browse to a web site, we would actually be connecting to
-our locally running squid server. Squid in turn, would relay our request to
-the ultimate, real destination. And then squid would relay the web pages back
-to us. It is a go-between. Like "firewalls", a "proxy" can refer to either a
-specific application, or a dedicated server which runs a proxy application.
-
-Proxies can perform various duties, not all of which have much to do with
-security. But the fact that they are an intermediary, makes them a good place
-to enforce access control policies, limit direct connections through a
-firewall, and control how the network behind the proxy looks to the Internet.
-So this makes them strong candidates to be part of an overall firewall
-strategy. And, in fact, are sometimes used instead of packet filtering
-firewalls. Proxy based firewalls probably make more sense where many users
-are behind the same firewall. And it probably is not high on the list of
-components necessary for home based systems.
-
-Configuring and administering proxies can be complex, and is beyond the scope
-of this document. The Firewall and Proxy Server HOWTO, [http://tldp.org/HOWTO
-/Firewall-HOWTO.html ] http://tldp.org/HOWTO/Firewall-HOWTO.html, has
-examples of setting up proxy firewalls. Squid usage is discussed at [http://
-squid-docs.sourceforge.net/latest/html/book1.htm] http://
-squid-docs.sourceforge.net/latest/html/book1.htm
------------------------------------------------------------------------------
-
-5.6. Individual Applications
-
-Some servers may have their own access control features. You should check
-this for each server application you run. We'll only look at a few of the
-common ones in this section. Man pages, and other application specific
-documentation, is your friend here. This should be done whether you have
-confidence in your firewall or not. Again, layers of protection is always
-best.
-
- * BIND - a very common package that provides name server functionality. The
- daemon itself is "named". This only requires full exposure to the
- Internet if you are providing DNS look ups for one or more domains to the
- rest of the world. If you are not sure what this means, you do not need,
- or want, it exposed. For the overwhelming majority of us this is the
- case. It is a very common crack target.
-
- But it may be installed, and can be useful in a caching only mode. This
- does not require full exposure to the Internet. Limit the interfaces on
- which it "listens" by editing /etc/named.conf (random example shown):
-
- +---------------------------------------------------------------+
- | |
- | options { |
- | directory "/var/named"; |
- | listen-on { 127.0.0.1; 192.168.1.1; }; |
- | version "N/A"; |
- | }; |
- | |
- | |
- +---------------------------------------------------------------+
-
- The "listen-on" statement is what limits where named listens for DNS
- queries. In this example, only on localhost and bigcat's LAN interface.
- There is no port open for the rest of the world. It just is not there.
- Restart named after making changes.
-
- * X11 can be told not to allow TCP connections by using the -nolisten tcp
- command line option. If using startx, you can make this automatic by
- placing alias startx="startx -- -nolisten tcp" in your ~/.bashrc, or the
- system-wide file, /etc/bashrc, with your text editor. If using xdm (or
- variants such as gdm, kdm, etc), this option would be specified in /etc/
- X11/xdm/Xservers (or comparable) as :0 local /usr/bin/X11/X -nolisten
- tcp. gdm actually uses /etc/X11/gdm/gdm.conf.
-
- If using xdm (or comparable) to start X automatically at boot, /etc/
- inittab can be modified as: xdm -udpPort 0, to further restrict
- connections. This is typically near the bottom of /etc/inittab.
-
- * Recent versions of sendmail can be told to listen only on specified
- addresses:
-
- +---------------------------------------------------------------+
- | # SMTP daemon options |
- | O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA |
- | |
- | |
- +---------------------------------------------------------------+
-
- The above excerpt is from /etc/sendmail.cf which can be carefully added
- with your text editor. The sendmail.mc directive is:
-
- +---------------------------------------------------------------------------+
- | |
- | dnl This changes sendmail to only listen on the loopback device 127.0.0.1 |
- | dnl and not on any other network devices. |
- | DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA') |
- | |
- | |
- +---------------------------------------------------------------------------+
-
- In case you would prefer to build a new sendmail.cf, rather than edit the
- existing one. Other mail server daemons likely have similar configuration
- options. Check your local documentation. As of Red Hat 7.1, sendmail has
- compiled in support for tcpwrappers as well.
-
- * SAMBA connections can be restricted in smb.conf:
-
- +---------------------------------------------------------------+
- | bind interfaces = true |
- | interfaces = 192.168.1. 127. |
- | hosts allow = 192.168.1. 127. |
- | |
- | |
- +---------------------------------------------------------------+
-
- This will only open, and allow, connections from localhost (127.0.0.1),
- and the local LAN address range. Adjust the LAN address as needed.
-
- * The CUPS print daemon can be told where to listen for connections. Add to
- /etc/cups/cupsd.conf:
-
- +---------------------------------------------------------------+
- | Listen 192.168.1.1:631 |
- | |
- | |
- +---------------------------------------------------------------+
-
- This will only open a port at the specified address and port number.
-
- * xinetd can force daemons to listen only on a specified address with its
- "bind" configuration directive. For instance, an internal LAN interface
- address. See man xinetd.conf for this and other syntax. There are various
- other control mechanisms as well.
-
-
-As always, anytime you make system changes, backup the configuration file
-first, restart the appropriate daemon afterward, and then check the
-appropriate logs for error messages.
------------------------------------------------------------------------------
-
-5.7. Verifying
-
-The final step after getting your firewall in place, is to verify that it is
-doing what you intended. You would be wise to do this anytime you make even
-minor changes to your system configuration.
-
-So how to do this? There are several things you can do.
-
-For our packet filters like ipchains and iptables, we can list all our rules,
-chains, and associated activity with iptables -nvL | less (substitute
-ipchains if appropriate). Open your xterm as wide as possible to avoid
-wrapping long lines.
-
-This should give you an idea if your chains are doing what you think they
-should. You may want to perform some of the on-line tasks you normally do
-first: open a few web pages, send and retrieve mail, etc. This will, of
-course, not give you any information on tcpwrappers or portsentry. tcpdchk
-can be used to verify tcpwrappers configuration (except with xinetd).
-
-And then, scan yourself. nmap is the scanning tool of choice and is included
-with recent Red Hat releases, or from [http://www.insecure.org/nmap/
-nmap_download.html] http://www.insecure.org/nmap/nmap_download.html. nmap is
-very flexible, and essentially is a "port prober". In other words, it looks
-for open ports, among other things. See the nmap man page for details.
-
-If you do run nmap against yourself (e.g. nmap localhost), this should tell
-you what ports are open -- and visible locally only! Which hopefully by now,
-is quite different from what can be seen from the outside. So, scan yourself,
-and then find a trusted friend, or site (see the Links section), to scan you
-from the outside. Make sure you are not violating your ISPs Terms of Service
-by port scanning. It may not be allowed, even if the intentions are
-honorable. Scanning from outside is the best way to know how the rest of the
-world sees you. This should tell you how well that firewall is working. See
-the nmap section in the Appendix for some examples on nmap usage.
-
-One caveat on this: some ISPs may filter some ports, and you will not know
-for sure how well your firewall is working. Conversely, they make it look
-like certain ports are open by using web, or other, proxies. The scanner may
-see the web proxy at port 80 and mis-report it as an open port on your
-system.
-
-Another option is to find a website that offers full range testing. [http://
-www.hackerwhacker.com] http://www.hackerwhacker.com is one such site. Make
-sure that any such site is not just scanning a relatively few well known
-ports.
-
-Repeat this procedure with every firewall change, every system upgrade or new
-install, and when any key components of your system changes.
-
-You may also want to enable logging all the denied traffic. At least
-temporarily. Once the firewall is verified to be doing what you think it
-should, and if the logs are hopelessly overwhelming, you may want to disable
-logging.
-
-If relying on portsentry at all, please read the documentation. Depending on
-your configuration it will either drop the route to the scanner, or implement
-a ipchains/iptables rule doing the same thing. Also, since it "listens" on
-the specified ports, all those ports will show as "open". A false alarm in
-this case.
------------------------------------------------------------------------------
-
-5.8. Logging
-
-Linux does a lot of logging. Usually to more than one file. It is not always
-obvious what to make of all these entries -- good, bad or indifferent?
-Firewall logs tend to generate a fair amount of each. Of course, you are
-wanting to stop only the "bad", but you will undoubtedly catch some harmless
-traffic as well. The 'net has a lot of background noise.
-
-In many cases, knowing the intentions of an incoming packet are almost
-impossible. Attempted intrusion? Misbehaved protocol? Mis-typed IP address?
-Conclusions can be drawn based on factors such as destination port, source
-port, protocol, and many other variables. But there is no substitute for
-experience in interpreting firewall logs. It is a black art in many cases.
-
-So do we really need to log? And how much should we be trying to log? Logging
-is good in that it tells us that the firewall is functional. Even if we don't
-understand much of it, we know it is doing "something". And if we have to, we
-can dig into those logs and find whatever data might be called for.
-
-On the other hand, logging can be bad if it is so excessive, it is difficult
-to find pertinent data, or worse, fills up a partition. Or if we over re-act
-and take every last entry as an all out assault. Some perspective is a great
-benefit, but something that new users lack almost by definition. Again, once
-your firewall is verified, and you are perplexed or overwhelmed, home desktop
-users may want to disable as much logging as possible. Anyone with greater
-responsibilities should log, and then find ways to extract the pertinent data
-from the logs by filtering out extraneous information.
-
-Not sure where to look for log data? The two logs to keep an eye on are /var/
-log/messages and /var/log/secure. There may be other application specific
-logs, depending on what you have installed, or using. FTP, for instance, logs
-to /var/log/xfer on Red Hat.
-
-Portsentry and tcpwrappers do a certain amount of logging that is not
-adjustable. xinetd has logging enhancements that can be turned on. Both
-ipchains and iptables, on the other hand, are very flexible as to what is
-logged.
-
-For ipchains the -l option can be added to any rule. iptables uses the -j LOG
-target, and requires its own, separate rule instead. iptables goes a few
-steps further and allows customized log entries, and rate limiting. See the
-man page. Presumably, we are more interested in logging blocked traffic, so
-we'd confine logging to only our DENY and REJECT rules.
-
-So whether you log, and how much you log, and what you do with the logs, is
-an individual decision, and probably will require some trial and error so
-that it is manageable. A few auditing and analytical tools can be quite
-helpful:
-
-Some tools that will monitor your logs for you and notify you when necessary.
-These likely will require some configuration, and trial and error, to make
-the most out of them:
-
- * A nice log entry analyzer for ipchains and iptables from Manfred Bartz:
- [http://www.logi.cc/linux/NetfilterLogAnalyzer.php3] http://www.logi.cc/
- linux/NetfilterLogAnalyzer.php3. What does all that stuff mean anyway?
-
- * LogSentry (formerly logcheck) is available from [http://www.psionic.org/
- products/logsentry.html] http://www.psionic.org/products/logsentry.html,
- the same group that is responsible for portsentry. LogSentry is an all
- purpose log monitoring tool with a flexible configuration, that handles
- multiple logs.
-
- * [http://freshmeat.net/projects/firelogd/] http://freshmeat.net/projects/
- firelogd/, the Firewall Log Daemon from Ian Jones, is designed to watch,
- and send alerts on iptables or ipchains logs data.
-
- * [http://freshmeat.net/projects/fwlogwatch/] http://freshmeat.net/projects
- /fwlogwatch/ by Boris Wesslowski, is a similar idea, but supports more
- log formats.
-
-
------------------------------------------------------------------------------
-5.9. Where to Start
-
-Let's take a quick look at where to run our firewall scripts from.
-
-Portsentry can be run as an init process, like other system services. It is
-not so important when this is done. Tcpwrappers will be automatically be
-invoked by inetd or xinetd, so not to worry there either.
-
-But the packet filtering scripts will have to be started somewhere. And many
-scripts will have logic that uses the local IP address. This will mean that
-the script must be started after the interface has come up and been assigned
-an IP address. Ideally, this should be immediately after the interface is up.
-So this depends on how you connect to the Internet. Also, for protocols like
-PPP or DHCP that may be dynamic, and get different IP's on each re-connect,
-it is best to have the scripts run by the appropriate daemon.
-
-Red Hat uses /etc/ppp/ip-up.local for any user defined, local PPP
-configuration. If this file does not exist, create it, and make it executable
-(chmod +x). Then with your text editor, add a reference to your firewall
-script.
-
-For DHCP, it depends on which client. dhcpcd will execute /etc/dhcpcd/dhcpcd-
-.exe (e.g. dhcpcd-eth0.exe) whenever a lease is obtained or
-renewed. So this is where to put a reference to your firewall script. For
-pump (the default on Red Hat), the main configuration file is /etc/pump.conf.
-Pump will run whatever script is defined by the "script" statement any time
-there is a new or renewed lease:
-
- script /usr/local/bin/ipchains.sh
-
-
-
-If you have a static IP address (i.e. it never changes), the placement is not
-so important and should be before the interface comes up!
------------------------------------------------------------------------------
-
-5.10. Summary and Conclusions for Step 3
-
-In this section we looked at various components that might be used to
-construct a "firewall". And learned that a firewall is as much a strategy and
-combination of components, as it is any one particular application or
-component. We looked at a few of the most commonly available applications
-that can be found on most, if not all, Linux systems. This is not a
-definitive list.
-
-This is a lot of information to digest at all at one time and expect anyone
-to understand it all. Hopefully this can used as a starting point, and used
-for future reference as well. The packet filter firewall examples can be used
-as starting points as well. Just use your text editor, cut and paste into a
-file with an appropriate name, and then run chmod +x against it to make it
-executable. Some minor editing of the variables may be necessary. Also look
-at the Links section for sites and utilities that can be used to generate a
-custom script. This may be a little less daunting.
-
-Now we are done with Steps 1, 2 and 3. Hopefully by now you have already
-instituted some basic measures to protect your system(s) from the various and
-sundry threats that lurk on networks. If you haven't implemented any of the
-above steps yet, now is a good time to take a break, go back to the top, and
-have at it. The most important steps are the ones above.
-
-A few quick conclusions...
-
-"What is best iptables, ipchains, tcpwrappers, or portsentry?" The quick
-answer is that iptables can do more than any of the others. So if you are
-using a 2.4 kernel, use iptables. Then, ipchains if using a 2.2 kernel. The
-long answer is "it just depends on what you are doing and what the objective
-is". Sorry. The other tools all have some merit in any given situation, and
-all can be effective in the right situation.
-
-"Do I really need all these packages?" No, but please combine more than one
-approach, and please follow all the above recommendations. iptables by itself
-is good, but in conjunction with some of the other approaches, we are even
-stronger. Do not rely on any single mechanism to provide a security blanket.
-"Layers" of protection is always best. As is sound administrative practices.
-The best iptables script in the world is but one piece of the puzzle, and
-should not be used to hide other system weaknesses.
-
-"If I have a small home LAN, do I need to have a firewall on each computer?"
-No, not necessary as long as the LAN gateway has a properly configured
-firewall. Unwanted traffic should be stopped at that point. And as long as
-this is working as intended, there should be no unwanted traffic on the LAN.
-But, by the same token, doing this certainly does no harm. And on larger LANs
-that might be mixed platform, or with untrusted users, it would be advisable.
------------------------------------------------------------------------------
-
-6. Intrusion Detection
-
-This section will deal with how to get early warning, how to be alerted after
-the fact, and how to clean up from intrusion attempts.
------------------------------------------------------------------------------
-
-6.1. Intrusion Detection Systems (IDS)
-
-Intrusion Detection Systems (IDS for short) are designed to catch what might
-have gotten past the firewall. They can either be designed to catch an active
-break-in attempt in progress, or to detect a successful break-in after the
-fact. In the latter case, it is too late to prevent any damage, but at least
-we have early awareness of a problem. There are two basic types of IDS: those
-protecting networks, and those protecting individual hosts.
-
-For host based IDS, this is done with utilities that monitor the filesystem
-for changes. System files that have changed in some way, but should not
-change -- unless we did it -- are a dead give away that something is amiss.
-Anyone who gets in, and gets root, will presumably make changes to the system
-somewhere. This is usually the very first thing done. Either so he can get
-back in through a backdoor, or to launch an attack against someone else. In
-which case, he has to change or add files to the system.
-
-This is where tools like tripwire ([http://www.tripwire.org] http://
-www.tripwire.org) play a role. Tripwire is included beginning with Red Hat
-7.0. Such tools monitor various aspects of the filesystem, and compare them
-against a stored database. And can be configured to send an alert if any
-changes are detected. Such tools should only be installed on a known "clean"
-system.
-
-For home desktops and home LANs, this is probably not an absolutely necessary
-component of an overall security strategy. But it does give peace of mind,
-and certainly does have its place. So as to priorities, make sure the Steps
-1, 2 and 3 above are implemented and verified to be sound, before delving
-into this.
-
-We can get somewhat the same results with rpm -Va, which will verify all
-packages, but without all the same functionality. For instance, it will not
-notice new files added to most directories. Nor will it detect files that
-have had the extended attributes changed (e.g. chattr +i, man chattr and man
-lsattr). For this to be helpful, it needs to be done after a clean install,
-and then each time any packages are upgraded or added. Example:
-
-+---------------------------------------------------------------------------+
-| |
-| # rpm -Va > /root/system.checked |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-Then we have a stored system snapshot that we can refer back to.
-
-Another idea is to run chkrootkit ([http://www.chkrootkit.org/] http://
-www.chkrootkit.org/) as a weekly cron job. This will detect common "rootkits"
-.
------------------------------------------------------------------------------
-
-6.2. Have I Been Hacked?
-
-Maybe you are reading this because you've noticed something "odd" about your
-system, and are suspicious that someone was gotten in? This can be a clue.
-
-The first thing an intruder typically does is install a "rootkit". There are
-many prepackaged rootkits available on the Internet. The rootkit is
-essentially a script, or set of scripts, that makes quick work of modifying
-the system so the intruder is in control, and he is well hidden. He does this
-by installing modified binaries of common system utilities and tampering with
-log files. Or by using special kernel modules that achieve similar results.
-So common commands like ls may be modified so as to not show where he has his
-files stored. Clever!
-
-A well designed rootkit can be quite effective. Nothing on the system can
-really be trusted to provide accurate feedback. Nothing! But sometimes the
-modifications are not as smooth as intended and give hints that something is
-not right. Some things that might be warning signs:
-
- * Login acts weird. Maybe no one can login. Or only root can login. Any
- login weirdness at all should be suspicious. Similarly, any weirdness
- with adding or changing passwords.
-
- Wierdness with other system commands (e.g. top or ps) should be cause for
- concern as well.
-
- * System utilities are slower, or awkward, or show strange and unexpected
- results. Common utilities that might be modified are: ls, find, who, w,
- last, netstat, login, ps, top. This is not a definitive list!
-
- * Files or directories named "..." or ".. " (dot dot space). A sure bet in
- this case. Files with haxor looking names like "r00t-something".
-
- * Unexplained bandwidth usage, or connections. Script kiddies have a
- fondness for IRC, so such connections should raise a red flag.
-
- * Logs that are missing completely, or missing large sections. Or a sudden
- change in syslog behavior.
-
- * Mysterious open ports, or processes.
-
- * Files that cannot be deleted or moved. Some rootkits use chattr to make
- files "immutable", or not changable. This kind of change will not show up
- with ls, or rpm -V, so the files look normal at first glance. See the man
- pages for chattr and lsattr on how to reverse this. Then see the next
- section below on restoring your system as the jig is up at this point.
-
- This is becoming a more and more common script kiddie trick. In fact, one
- quick test to run on a suspected system (as root):
- +---------------------------------------------------------------+
- | /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep i-- |
- | |
- +---------------------------------------------------------------+
-
- This will look for any "immutable" files in root's PATH, which is almost
- surely a sign of trouble since no standard distributions ship files in
- this state. If the above command turns up anything at all, then plan on
- completely restoring the system (see below). A quick sanity check:
- +---------------------------------------------------------------+
- | # chattr +i /bin/ps |
- | # /usr/bin/lsattr `echo $PATH | tr ':' ' '` | grep "i--" |
- | ---i---------- /bin/ps |
- | # chattr -i /bin/ps |
- | |
- +---------------------------------------------------------------+
-
- This is just to verify the system is not tampered with to the point that
- lsattr is completely unreliable. The third line is exactly what you
- should see.
-
- * Indications of a "sniffer", such as log messages of an interface entering
- "promiscuous" mode.
-
- * Modifications to /etc/inetd.conf, rc.local, rc.sysint or /etc/passwd.
- Especially, any additions. Try using cat or tail to view these files.
- Additions will most likely be appended to the end. Remember though such
- changes may not be "visible" to any system tools.
-
-
-Sometimes the intruder is not so smart and forgets about root's
-.bash_history, or cleaning up log entries, or even leaves strange, leftover
-files in /tmp. So these should always be checked too. Just don't necessarily
-expect them to be accurate. Often such left behind files, or log entries,
-will have obvious script kiddie sounding names, e.g. "r00t.sh".
-
-Packet sniffers, like tcpdump ([http://www.tcpdump.org] http://
-www.tcpdump.org), might be useful in finding any uninvited traffic.
-Interpreting sniffer output is probably beyond the grasp of the average new
-user. snort ([http://www.snort.org] http://www.snort.org), and ethereal
-([http://www.ethereal.com] http://www.ethereal.com), are also good. Ethereal
-has a GUI.
-
-As mentioned, a compromised system will undoubtedly have altered system
-binaries, and the output of system utilities is not to be trusted. Nothing on
-the system can be relied upon to be telling you the whole truth.
-Re-installing individual packages may or may not help since it could be
-system libraries or kernel modules that are doing the dirty work. The point
-here is that there is no way to know with absolute certainty exactly what
-components have been altered.
-
-We can use rpm -Va |less to attempt to verify the integrity all packages. But
-again there is no assurance that rpm itself has not been tampered with, or
-the system components that RPM relies on.
-
-If you have pstree on your system, try this instead of the standard ps.
-Sometimes the script kiddies forget about this one. No guarantees though that
-this is accurate either.
-
-You can also try querying the /proc filesystem, which contains everything the
-kernel knows about processes that are running:
-
-+---------------------------------------------------------------------------+
-| |
-| # cat /proc/*/stat | awk '{print $1,$2}' |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-This will provide a list of all processes and PID numbers (assuming a
-malicious kernel module is not hiding this).
-
-Another approach is to visit [http://www.chkrootkit.org] http://
-www.chkrootkit.org, download their rootkit checker, and see what it says.
-
-Some interesting discussions on issues surrounding forensics can be found at
-[http://www.fish.com/security/] http://www.fish.com/security/. There is also
-a collection of tools available, aptly called "The Coroner's Toolkit" (TCT).
-
-Read below for steps on recovering from an intrusion.
------------------------------------------------------------------------------
-
-6.3. Reclaiming a Compromised System
-
-So now you've confirmed a break-in, and know that someone else has root
-access, and quite likely one or more hidden backdoors to your system. You've
-lost control. How to clean up and regain control?
-
-There is no sure fire way of doing this short of a complete re-install. There
-is no way to find with assurance all the modified files and backdoors that
-may have been left. Trying to patch up a compromised system risks a false
-sense of security and may actually aggravate an already bad situation.
-
-The steps to take, in this order:
-
- * Pull the plug and disconnect the machine. You may be unwittingly
- participating in criminal activity, and doing to others what has been
- done to you.
-
- * Depending on the needs of the situation and time available to restore the
- system, it is advantageous to learn as much as you can about how the
- attacker got in, and what was done in order to plug the hole and avoid a
- recurrence. This could conceivably be time consuming, and is not always
- feasible. And it may require more expertise than the typical user
- possesses.
-
- * Backup important data. Do not include any system files in the backup, and
- system configuration files like inetd.conf. Limit the backup to personal
- data files only! You don't want to backup, then restore something that
- might open a backdoor or other hole.
-
- * Re-install from scratch, and reformat the drive during the installation (
- mke2fs) to make sure no remnants are hiding. Actually, replacing the
- drive is not a bad idea. Especially, if you want to keep the compromised
- data available for further analysis.
-
- * Restore from backups. After a clean install is the best time to install
- an IDS (Intrusion Detection System) such as tripwire ([http://
- www.tripwire.org] http://www.tripewire.org).
-
- * Apply all updates from [ftp://updates.redhat.com] ftp://
- updates.redhat.com.
-
- * Re-examine your system for unnecessary services. Re-examine your firewall
- and access policies, and tighten all holes. Use new passwords, as these
- were stolen in all likelihood.
-
- * Re-connect system ;-)
-
-
-At this time, any rootkit cleanup tools that may be available on-line are not
-recommended. They probably do work just fine most of the time. But again, how
-to be absolutely sure that all is well and all vestiges of the intrusion are
-gone?
------------------------------------------------------------------------------
-
-7. General Tips
-
-This section will quickly address some general concepts for maintaining a
-more secure and reliable system or network. Let's emphasize "maintaining"
-here since computer systems change daily, as does the environment around
-them. As mentioned before, there isn't any one thing that makes a system
-secure. There are too many variables. Security is an approach and an attitude
-more than it is a reliance on any particular product, application or specific
-policy.
-
- * Do not allow remote root logins. This may be controlled by a
- configuration file such as /etc/securetty. Remove any lines that begin
- "pts". This is one big security hole.
-
- * In fact, don't log in as root at all. Period. Log in on your user account
- and su to root when needed. Whether the login is remote or local. Or use
- sudo, which can run individual commands with root privileges. (Red hat
- includes a sudo package. ) This takes some getting used to, but it is the
- "right" way to do things. And the safest. And will become more a more
- natural way of doing this as time goes on.
-
- I know someone is saying right now "but that is so much trouble, I am
- root, and it is my system". True, but root is a specialized account that
- was not ever meant to be used as a regular user account. Root has access
- to everything, even hardware devices. The system "trusts" root. It
- believes that you know what you are doing. If you make a mistook, it
- assumes that you meant that, and will do it's best to do what you told it
- to do...even if that destroys the system!
-
- As an example, let's say you start X as root, open Netscape, and visit a
- web site. The web page has badly behaved java script. And conceivably now
- that badly written java script might have access to much more of your
- system than if you had done it the "right" way.
-
- * Take passwords seriously. Don't give them out to anyone. Don't use the
- same one for everything. Don't use root's password for anything else --
- except root's password! Never sign up or register on line, using any of
- your system passwords. Passwords should be a combination of mixed case
- letters, numbers and/or punctuation and a reasonable length (eight
- characters or longer). Don't use so-called "dictionary" words that are
- easy to guess like "cat" or "dog". Don't incorporate personal information
- like names or dates or hostnames. Don't write down system passwords --
- memorize them.
-
- Use the more secure "shadow" passwords. This has been the default on Red
- Hat for some time now. If the file /etc/shadow exists, then it is enabled
- already. The commands pwconv and grpconv, can be used to convert password
- and group files to shadow format if available.
-
- * Avoid using programs that require clear text logins over untrusted
- networks like the Internet. Telnet is a prime example. ssh is much
- better. If there is any support for SSL (Secure Socket Layers), use it.
- For instance, does your ISP offer POP or IMAP mail via SSL? Recent Red
- Hat releases do include [http://www.openssl.org/] openssl, and many Linux
- applications can use SSL where support is available.
-
- * Set resource limits. There are various ways to do this. The need for this
- probably increases with the number of users accessing a given system. Not
- only does setting limits on such things as disk space prevent intentional
- mischief, it can also help with unintentionally misbehaved applications
- or processes. quota (man quota) can be used to set disk space limits.
- Bash includes the ulimit command (man ulimit or man bash), that can limit
- various functions on a per user basis.
-
- Also, not discussed here at any length, but PAM (Pluggable Authentication
- Modules) has a very sophisticated approach to controlling various system
- functions and resources. See man pam to get started. PAM is configured
- via either /etc/pam.conf or /etc/pam.d/*. Also files in /etc/security/*,
- including /etc/security/limits.conf, where again various sane limits can
- be imposed. An in depth look at PAM is beyond the scope of this document.
- The User-Authentication HOWTO ([http://tldp.org/HOWTO/
- User-Authentication-HOWTO/index.html] http://tldp.org/HOWTO/
- User-Authentication-HOWTO/index.html) has more on this.
-
- * Make sure someone with a clue is getting root's mail. This can be done
- with an "alias". Typically, the mail server will have a file such as /etc
- /aliases where this can defined. This can conceivably be an account on
- another machine if need be:
-
- +---------------------------------------------------------------+
- | |
- | # Person who should get root's mail. This alias |
- | # must exist. |
- | # CHANGE THIS LINE to an account of a HUMAN |
- | root: hal@bigcat |
- | |
- | |
- +---------------------------------------------------------------+
-
- Remember to run newaliases (or equivalent) afterward.
-
- * Be careful where you get software. Use trusted sources. How well do you
- trust complete strangers? Check Red Hat's ftp site (or mirrors) first if
- looking for a specific package. It will probably be best suited for your
- system any way. Or, the original package's project site is good as well.
- Installing from raw source (either tarball or src.rpm) at least gives you
- the ability to examine the code. Even if you don't understand it ;-)
- While this does not seem to be a wide spread problem with Linux software
- sites, it is very trivial for someone to add a very few lines of code,
- turning that harmless looking binary into a "Trojan horse" that opens a
- backdoor to your system. Then the jig is up.
-
- * So someone has scanned you, probed you, or otherwise seems to want into
- your system? Don't retaliate. There is a good chance that the source IP
- address is a compromised system, and the owner is a victim already. Also,
- you may be violating someone's Terms of Service, and have trouble with
- your own ISP. The best you can do is to send your logs to the abuse
- department of the source IP's ISP, or owner. This is often something like
- "abuse@someisp.com". Just don't expect to hear much back. Generally
- speaking, such activity is not legally criminal, unless an actual
- break-in has taken place. Furthermore, even if criminal, it will never be
- prosecuted unless significant damage (read: big dollars) can be shown.
-
- * Red Hat users can install the "Bastille Hardening System", [http://
- www.bastille-linux.org/] http://www.bastille-linux.org/. This is a
- multi-purpose system for "hardening" Red Hat and Mandrake system
- security. It has a GUI interface which can be used to construct firewall
- scripts from scratch and configure PAM among many other things. Debian
- support is new.
-
- * So you have a full-time Internet connection via cable-modem or DSL. But
- do you always use it, or always need it? There's an old saying that "the
- only truly secure system, is a disconnected system". Well, that's
- certainly one option. So take that interface down, or stop the
- controlling daemon (dhcpcd, pppoed, etc). Or possibly even set up cron
- jobs to bring your connection up and down according to your normal
- schedule and usage.
-
- * What about cable and DSL routers that are often promoted as "firewalls"?
- The lower priced units are mostly equating NAT (Network Address
- Translation), together with the ability to open holes for ports through
- it, as a firewall. While NAT itself does provide a fair degree of
- security for the systems behind the NAT gateway, this does not constitute
- anything but a very rudimentary firewall. And if holes are opened, there
- is still exposure. Also, you are relying on the router's firmware and
- implementation not to be flawed. It is wise to have some kind of
- additional protection behind such routers.
-
- * What about wireless network cards and hubs? Insecure, despite what the
- manufacturers may claim. Treat these connections just as you would an
- Internet connection. Use secure protocols like ssh only! Even if it is
- just one LAN box to another.
-
- * If you find you need to run a particular service, and it is for just you,
- or maybe a relatively small number of people, use a non-standard port.
- Most server daemons support this. For instance, sshd runs on port 22 by
- default. All worms and script kiddies will expect it there, and look for
- it there. So, run it on another port! See the sshd man page.
-
- * What about firewalls that block Internet connections according to the
- application (like ZoneAlarm from Windowsdom)? These were designed with
- this feature primarily because of the plethora of virii and trojans that
- are so common with MS operating systems. This is really not a problem on
- Linux. So, really no such application exists on Linux at this time. And
- there does not seem to be enough demand for it that someone has taken the
- time to implement it. A better firewall can be had on Linux, by following
- the other suggestions in this document.
-
- * Lastly, know your system! Let's face it, if you are new to Linux, you
- can't already know something you have never used. Understood. But in the
- process of learning, learn how to do things the right way, not the
- easiest way. There is several decades of history behind "the right way"
- of doing things. This has stood the test of time. What may seem
- unnecessary or burdensome now, will make sense in due time.
-
- Be familiar with whatever services you are running, and the implications
- these services might have to the overall health of your system if
- something does go wrong. Read what you can, and ask questions. Don't run
- something as a service "just because I can", or because the installer put
- it there. You can't start out being an experienced System Administrator
- clearly. But you can work to learn enough about your own system, that you
- are in control. This is one thing that separates *nix from MS systems: we
- can never be in complete control with MS, but we can with *nix.
- Conversely, if something bad happens, we often have no one else to blame.
-
-
------------------------------------------------------------------------------
-8. Appendix
-
-8.1. Servers, Ports, and Packets
-
-Let's take a quick, non-technical look at some networking concepts, and how
-they can potentially impact our own security. We don't need to know much
-about networking, but a general idea of how things work is certainly going to
-help us with firewalls and other related issues.
-
-As you may have noticed Linux is a very network oriented Operating System.
-Much is done by connecting to "servers" of one type or another -- X servers,
-font servers, print servers, etc.
-
-Servers provide "services", which provide various capabilities, both to the
-local system and potentially other remote systems. The same server generally
-provides both functionalities. Some servers work quietly behind the scenes,
-and others are more interactive by nature. We may only be aware of a print
-server when we need to print something, but it is there running, listening,
-and waiting for connection requests whether we ever use it or not (assuming
-of course we have it enabled). A typical Linux installation will have many,
-many types of servers available to it. Default installations often will turn
-some of these "on".
-
-And even if we are not connected to a real network all the time, we are still
-"networked" so to speak. Take our friendly local X server for instance. We
-may tend to think of this as just providing a GUI interface, which is only
-true to a point. It does this by "serving" to client applications, and thus
-is truly a server. But X Windows is also capable of serving remote clients
-over a network -- even large networks like the Internet. Though we probably
-don't really want to be doing this ;-)
-
-And yes, if you are not running a firewall or have not taken other
-precautions, and are connected to the Internet, it is quite possible that
-someone -- anyone -- could connect to your X server. X11 "listens" on TCP
-"port" 6000 by default. This principle applies to most other servers as well
--- they can be easily connected to, unless something is done to restrict or
-prevent connections.
-
-In TCP/IP (Transmission Control Protocol/Internet Protocol) networks like we
-are talking about with Linux and the Internet, every connected computer has a
-unique "IP Address". Think of this like a phone number. You have a phone
-number, and in order to call someone else, you have to know that phone
-number, and then dial it. The phone numbers have to be unique for the system
-to work. IP address are generally expressed as "dotted quad" notation, e.g.
-152.19.254.81.
-
-On this type of network, servers are said to "listen". This means that they
-have a "port" opened, and are awaiting incoming connections to that port.
-Connections may be local, as is typically the case with our X server, or
-remote -- meaning from another computer "somewhere". So servers "listen" on a
-specific "port" for incoming connections. Most servers have a default port,
-such as port 80 for web servers. Or 6000 for X11. See /etc/services for a
-list of common ports and their associated service.
-
-The "port" is actually just an address in the kernel's networking stack, and
-is a method that TCP, and other protocols, use to organize connections and
-the exchange of data between computers. There are total of 65,536 TCP and UDP
-ports available, though usually only a relatively few of these are used at
-any one time. These are classified as "privileged", those ports below 1024,
-and "unprivileged", 1024 and above. Most servers use the privileged ports.
-
-Only one server may listen on, or "bind" to, a port at a time. Though that
-server may well be able to open multiple connections via that one port.
-Computers talk to each other via these "port" connections. One computer will
-open a connection to a "port" on another computer, and thus be able to
-exchange data via the connection that has been established between their
-respective ports.
-
-Getting back to the phone analogy, and stretching it a bit, think of calling
-a large organization with a complex phone system. The organization has many
-"departments": sales, shipping, billing, receiving, customer service, R&D,
-etc. Each department has it's own "extension" number. So the shipping
-department might be extension 21, the sales might be department 80 and so on.
-The main phone number is the IP Address, and the department's extension is
-the port in this analogy. The "department's" number is always the same when
-we call. And generally they can handle many simultaneous incoming calls.
-
-The data itself is contained in "packets", which are small chunks of data,
-generally 1500 bytes or less each. Packets are used to control and organize
-the connection, as well as carry data. There are different types of packets.
-Some are specifically used for controlling the connection, and then some
-packets carry our data as their payload. If there is a lot of data, it will
-be broken up into multiple packets which is almost always how it works. The
-packets will be transmitted one at a time, and then "re-assembled" at the
-other end. One web page for instance, will take many packets to transmit --
-maybe hundreds or even thousands. This all happens very quickly and
-transparently.
-
-We can see a typical connection between two computers in this one line
-excerpt from netstat output:
-
-+---------------------------------------------------------------------------+
-| tcp 30 0 169.254.179.139:1359 18.29.1.67:21 CLOSE_WAIT |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-The interesting part is the IP addresses and ports in the fourth and fifth
-columns. The port is the number just to the right of the colon. The left side
-of the colon is the IP address of each computer. The fourth column is the
-local address, or our end of the connection. In the example, 169.254.179.139
-is the IP address assigned by my ISP. It is connected to port 21 (FTP) on
-18.29.1.67, which is rpmfind.net. This is just after an FTP download from
-rpmfind.net. Note that while I am connected to their FTP server on their port
-21, the port on my end that is used by my FTP client is 1359. This is a
-randomly assigned "unprivileged" port, used for my end of the two-way
-"conversation". The data moves in both directions: me:port#1359 <-> them:port
-#21. The FTP protocol is actually a little more complicated than this, but we
-won't delve into the finer points here. The CLOSE_WAIT is the TCP state of
-the connection at this particular point in time. Eventually the connection
-will close completely on both ends, and netstat will not show anything for
-this.
-
-The "unprivileged" port that is used for my end of the connection, is
-temporary and is not associated with a locally running server. It will be
-closed by the kernel when the connection is terminated. This is quite
-different than the ports that are kept open by "listening" servers, which are
-permanent and remain "open" even after a remote connection is terminated.
-
-So to summarize using the above example, we have client (me) connecting to a
-server (rpmfind.net), and the connection is defined and controlled by the
-respective ports on either end. The data is transmitted and controlled by
-packets. The server is using a "privileged" port (i.e. a port below number
-1024) which stays open listening for connections. The "unprivileged" port
-used on my end by my client application is temporary, is only opened for the
-duration of the connection, and only responds to the server's port at the
-other end of the connection. This type of port is not vulnerable to attacks
-or break-ins generally speaking. The server's port is vulnerable since it
-remains open. The administrator of the FTP server will need to take
-appropriate precautions that his server is secure. Other Internet
-connections, such as to web servers or mail servers, work similar to the
-above example, though the server ports are different. SMTP mail servers use
-port 25, and web servers typically use port 80. See the Ports section for
-other commonly used ports and services.
-
-One more point on ports: ports are only accessible if there is something
-listening on that port. No one can force a port open if there is no service
-or daemon listening there, ready to handle incoming connection requests. A
-closed port is a totally safe port.
-
-And a final point on the distinction between clients and servers. The example
-above did not have a telnet or ftp server in the LISTENER section in the
-netstat example above. In other words, no such servers were running locally.
-You do not need to run a telnet or ftp server daemon in order to connect to
-somebody else's telnet or ftp server. These are only for providing these
-services to others that would be making connections to you. Which you don't
-really want to be doing in most cases. This in no way effects the ability to
-use telnet and ftp client software.
------------------------------------------------------------------------------
-
-8.2. Common Ports
-
-A quick run down of some commonly seen and used ports, with the commonly
-associated service name, and risk factor. All have some risk. It is just that
-some have historically had more exploits than others. That is how they are
-evaluated below, and not necessarily to be interpreted as whether any given
-service is safe or not.
-
-1-19, assorted protocols, many of which are antiquated, and probably none of
-which are needed on a modern system. If you don't know what any of these are,
-then you definitely don't need them. The echo service (port 7) should not be
-confused with the common ping program. Leave all these off.
-
-20 - FTP-DATA. "Active" FTP connections use two ports: 21 is the control
-port, and 20 is where the data comes through. Passive FTP does not use port
-20 at all. Low risk, but see below.
-
-21 - FTP server port, aka File Transfer Protocol. A well entrenched protocol
-for transferring files between systems. Very high risk, and maybe the number
-one crack target.
-
-22 - SSH (Secure Shell), or sometimes PCAnywhere. Low to moderate risk (yes
-there are exploits even against so called "secure" services).
-
-23 - Telnet server. For LAN use only. Use ssh instead in non-secure
-environments. Moderate risk.
-
-25 - SMTP, Simple Mail Transfer Protocol, or mail server port, used for
-sending outgoing mail, and transferring mail from one place to another.
-Moderate risk. This has had a bad history of exploits, but has improved
-lately.
-
-37 - Time service. This is the built-in inetd time service. Low risk. For LAN
-use only.
-
-53 - DNS, or Domain Name Server port. Name servers listen on this port, and
-answer queries for resolving host names to IP addresses. High Risk.
-
-67 (UDP) - BOOTP, or DHCP, server port. Low risk. If using DHCP on your LAN,
-this does not need to be exposed to the Internet.
-
-68 (UDP) - BOOTP, or DHCP, client port. Low risk.
-
-69 - tftp, or Trivial File Transfer Protocol. Extremely insecure. LAN only,
-if really, really needed.
-
-79 - Finger, used to provide information about the system, and logged in
-users. Low risk as a crack target, but gives out way too much information and
-should not be run.
-
-80 - WWW or HTTP standard web server port. The most commonly used service on
-the Internet. Low risk.
-
-98 - Linuxconf web access administrative port. LAN only, if really needed at
-all.
-
-110 - POP3, aka Post Office Protocol, mail server port. POP mail is mail that
-the user retrieves from a remote system. Low risk.
-
-111 - sunrpc (Sun Remote Procedure Call), or portmapper port. Used by NFS
-(Network File System), NIS (Network Information Service), and various related
-services. Sounds dangerous and is high risk. LAN use only. A favorite crack
-target.
-
-113 - identd, or auth, server port. Used, and sometimes required, by some
-older style services (like SMTP and IRC) to validate the connection. Probably
-not needed in most cases. Low risk, but could give an attacker too much
-information about your system.
-
-119 -- nntp or news server port. Low risk.
-
-123 - Network Time Protocol for synchronizing with time servers where a high
-degree of accuracy is required. Low risk, but probably not required for most
-users. rdate makes an easier and more secure way of updating the system
-clock. And then inetd's built in time service for synchronizing LAN systems
-is another option.
-
-137-139 - NetBios (SMB) services. Mostly a Windows thing. Low risk on Linux,
-but LAN use only. 137 is a very commonly seen port attempt. A rather
-obnoxious protocol from Redmond that generates a lot of "noise", much of
-which is harmless.
-
-143 - IMAP, Interim Mail Access Protocol. Another mail retrieval protocol.
-Low to moderate risk.
-
-161 - SNMP, Simple Network Management Protocol. More commonly used in routers
-and switches to monitor statistics and vital signs. Not needed for most of
-us, and low risk.
-
-177 - XDMCP, the X Display Management Control Protocol for remote connections
-to X servers. Low risk, but LAN only is recommended.
-
-443 - HTTPS, a secure HTTP (WWW) protocol in fairly wide use. Low risk.
-
-465 - SMTP over SSL, secure mail server protocol. Low risk.
-
-512 (TCP) - exec is how it shows in netstat. Actually the proper name is
-rexec, for Remote Execution. Sounds dangerous, and is. High risk, LAN only if
-at all.
-
-512 (UDP) - biff, a mail notification protocol. Low risk, LAN only.
-
-513 - login, actually rlogin, aka Remote Login. No relation to the standard /
-bin/login that we use every time we log in. Sounds dangerous, and is. High
-risk, and LAN only if really needed.
-
-514 (TCP) - shell is the nickname, and how netstat shows it. Actually, rsh is
-the application for "Remote Shell". Like all the "r" commands, this is a
-throw back to kindler, gentler times. Very insecure, so high risk, and LAN
-only usage, if at all.
-
-514 (UDP) - syslog daemon port, only used for remote logging purposes. The
-average user does not need this. Probably low risk, but definitely LAN only
-if really required.
-
-515 - lp or print server port. High risk, and LAN only of course. Someone on
-the other side of the world does not want to use your printer for it's
-intended purpose!
-
-587 - MSA, or "submission", the Mail Submission Agent protocol. A new mail
-handling protocol supported by most MTA's (mail servers). Low risk.
-
-631 - the CUPS (print daemon) web management port. LAN only, low risk.
-
-635 - mountd, part of NFS. LAN use only.
-
-901 - SWAT, Samba Web Administration Tool port. LAN only.
-
-993 - IMAP over SSL, secure IMAP mail service. Very low risk.
-
-995 - POP over SSL, secure POP mail service. Very low risk.
-
-1024 - This is the first "unprivileged" port, which is dynamically assigned
-by the kernel to whatever application requests it. This can be almost
-anything. Ditto for ports just above this.
-
-1080 - Socks Proxy server. A favorite crack target.
-
-1243 - SubSeven Trojan. Windows only problem.
-
-1433 - MS SQL server port. A sometimes target. N/A on Linux.
-
-2049 - nfsd, Network File Service Daemon port. High risk, and LAN usage only
-is recommended.
-
-3128 - Squid proxy server port. Low risk, but for most should be LAN only.
-
-3306 - MySQL server port. Low risk, but for most should be LAN only.
-
-5432 - PostgreSQL server port. LAN only, relatively low risk.
-
-5631 (TCP), 5632 (UDP) - PCAnywhere ports. Windows only. PCAnywhere can be
-quite "noisy", and broadcast wide address ranges.
-
-6000 - X11 TCP port for remote connections. Low to moderate risk, but again,
-this should be LAN only. Actually, this can include ports 6000-6009 since X
-can support multiple displays and each display would have its own port. ssh's
-X11Forwarding will start using ports at 6010.
-
-6346 - gnutella.
-
-6667 - ircd, Internet Relay Chat Daemon.
-
-6699 - napster.
-
-7100-7101 - Some font servers use these ports. Low risk, but LAN only.
-
-8000 and 8080 - common web cache and proxy server ports. LAN only.
-
-10000 - webmin, a web based system administration utility. Low risk at this
-point.
-
-27374 - SubSeven, a commonly probed for Windows only Trojan. Also, 1243.
-
-31337 - Back Orifice, another commonly probed for Windows only Trojan.
-
-More services and corresponding port numbers can be found in /etc/services.
-Also, the "official" list is [http://www.iana.org/assignments/port-numbers]
-http://www.iana.org/assignments/port-numbers.
-
-A great analysis of what probes to these and other ports might mean from
-Robert Graham: [http://www.linuxsecurity.com/resource_files/firewalls/
-firewall-seen.html] http://www.linuxsecurity.com/resource_files/firewalls/
-firewall-seen.html. A very good reference.
-
-Another point here, these are the standard port designations. There is no law
-that says any service has to run on a specific port. Usually they do, but
-certainly they don't always have to.
-
-Just a reminder that when you see these types of ports in your firewall logs,
-it is not anything to go off the deep end about. Not if you have followed
-Steps 1-3 above, and verified your firewall works. You are fairly safe. Much
-of this traffic may be "stray bullets" too -- Internet background noise,
-misconfigured clients or routers, noisy Windows stuff, etc.
------------------------------------------------------------------------------
-
-8.3. Netstat Tutorial
-
-8.3.1. Overview
-
-netstat is a very useful utility for viewing the current state of your
-network status -- what servers are listening for incoming connections, what
-interfaces they listen on, who is connected to us, who we are connect to, and
-so on. Take a look at the man page for some of the many command line options.
-We'll just use a relative few options here.
-
-As an example, let's check all currently listening servers and active
-connections for both TCP and UDP on our hypothetical host, bigcat. bigcat is
-a home desktop installation, with a DSL Internet connection in this example.
-bigcat has two ethernet cards: one for the external connection to the ISP,
-and one for a small LAN with an address of 192.168.1.1.
-
-+--------------------------------------------------------------------------------+
-| |
-|$ netstat -tua |
-|Active Internet connections (servers and established) |
-|Proto Recv-Q Send-Q Local Address Foreign Address State |
-|tcp 0 0 *:printer *:* LISTEN |
-|tcp 0 0 bigcat:8000 *:* LISTEN |
-|tcp 0 0 *:time *:* LISTEN |
-|tcp 0 0 *:x11 *:* LISTEN |
-|tcp 0 0 *:http *:* LISTEN |
-|tcp 0 0 bigcat:domain *:* LISTEN |
-|tcp 0 0 bigcat:domain *:* LISTEN |
-|tcp 0 0 *:ssh *:* LISTEN |
-|tcp 0 0 *:631 *:* LISTEN |
-|tcp 0 0 *:smtp *:* LISTEN |
-|tcp 0 1 dsl-78-199-139.s:1174 64.152.100.93:nntp SYN_SENT |
-|tcp 0 1 dsl-78-199-139.s:1175 64.152.100.93:nntp SYN_SENT |
-|tcp 0 1 dsl-78-199-139.s:1173 64.152.100.93:nntp SYN_SENT |
-|tcp 0 0 dsl-78-199-139.s:1172 207.153.203.114:http ESTABLISHED |
-|tcp 1 0 dsl-78-199-139.s:1199 www.xodiax.com:http CLOSE_WAIT |
-|tcp 0 0 dsl-78-199-139.sd:http 63.236.92.144:34197 TIME_WAIT |
-|tcp 400 0 bigcat:1152 bigcat:8000 CLOSE_WAIT |
-|tcp 6648 0 bigcat:1162 bigcat:8000 CLOSE_WAIT |
-|tcp 553 0 bigcat:1164 bigcat:8000 CLOSE_WAIT |
-|udp 0 0 *:32768 *:* |
-|udp 0 0 bigcat:domain *:* |
-|udp 0 0 bigcat:domain *:* |
-|udp 0 0 *:631 *:* |
-| |
-| |
-+--------------------------------------------------------------------------------+
-
-This output probably looks very different from what you get on your own
-system. Notice the distinction between "Local Address" and "Foreign Address",
-and how each includes a corresponding port number (or service name if
-available) after the colon. "Local Address" is our end of the connection. The
-first group with LISTEN in the far right hand column are services that are
-running on this system. These are servers that are running in the background
-on bigcat, and "listen" for incoming connections. So they have a port opened,
-and this is where they "listen". These connections might come from the local
-system (i.e. bigcat itself), or remote systems. This is very important
-information to have! The others just below this are connections that have
-been established from this system to other systems. The respective
-connections are in varying states as indicated by the key words in the last
-column. Those with no key word in the last column at the end are servers
-responding to UDP connections. UDP is a different protocol from TCP
-altogether, but is used for some types of low priority network traffic.
-
-Now, the same thing with the "-n" flag to suppress converting to "names" so
-we can actually see the port numbers:
-
-+-----------------------------------------------------------------------------+
-|$ netstat -taun |
-|Active Internet connections (servers and established) |
-|Proto Recv-Q Send-Q Local Address Foreign Address State |
-|tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN |
-|tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN |
-|tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN |
-|tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN |
-|tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN |
-|tcp 0 1 169.254.179.139:1174 64.152.100.93:119 SYN_SENT |
-|tcp 0 1 169.254.179.139:1175 64.152.100.93:119 SYN_SENT |
-|tcp 0 1 169.254.179.139:1173 64.152.100.93:119 SYN_SENT |
-|tcp 0 0 169.254.179.139:1172 207.153.203.114:80 ESTABLISHED |
-|tcp 1 0 169.254.179.139:1199 216.26.129.136:80 CLOSE_WAIT |
-|tcp 0 0 169.254.179.139:80 63.236.92.144:34197 TIME_WAIT |
-|tcp 400 0 127.0.0.1:1152 127.0.0.1:8000 CLOSE_WAIT |
-|tcp 6648 0 127.0.0.1:1162 127.0.0.1:8000 CLOSE_WAIT |
-|tcp 553 0 127.0.0.1:1164 127.0.0.1:8000 CLOSE_WAIT |
-|udp 0 0 0.0.0.0:32768 0.0.0.0:* |
-|udp 0 0 192.168.1.1:53 0.0.0.0:* |
-|udp 0 0 127.0.0.1:53 0.0.0.0:* |
-|udp 0 0 0.0.0.0:631 0.0.0.0:* |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Let's look at the first few lines of this in detail. On line one,
-
-+----------------------------------------------------------------------------+
-| tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-"Local Address" is 0.0.0.0, meaning "all" interfaces that are available. The
-local port is 515, or the standard print server port, usually owned by the
-lpd daemon. You can find a listing of common service names and corresponding
-ports in the file /etc/services.
-
-The fact that it is listening on all interfaces is significant. In this case,
-that would be lo (localhost), eth0, and eth1. Printer connections could
-conceivably be made over any of these interfaces. Should a user on this
-system bring up a PPP connection, then the print daemon would be listening on
-that interface (ppp0) as well. The "Foreign Address" is also 0.0.0.0, meaning
-from "anywhere".
-
-It is also worth noting here, that even though this server is telling the
-kernel to listen on all interfaces, the netstat output does not reflect
-whether there may be a firewall in place that may be filtering incoming
-connections. We just can't tell that at this point. Obviously, for certain
-servers, this is very desirable. Nobody outside your own LAN has any reason
-whatsoever to connect to your print server port for instance.
-
-Line two is a little different:
-
-+----------------------------------------------------------------------------+
-| tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-Notice the "Local Address" this time is localhost's address of 127.0.0.1.
-This is very significant as only connections local to this machine will be
-accepted. So only bigcat can connect to bigcat's TCP port 8000. The security
-implications should be obvious. Not all servers have configuration options
-that allow this kind of restriction, but it is a very useful feature for
-those that do. Port 8000 in this example, is owned by the web proxy
-Junkbuster.
-
-With the next three entries, we are back to listening on all available
-interfaces:
-
-+-----------------------------------------------------------------------------+
-| tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Looking at /etc/services, we can tell that port 37 is a "time" service, which
-is a time server. 6000 is X11, and 80 is the standard port for HTTP servers
-like Apache. There is nothing really unusual here as these are all readily
-available services on Linux.
-
-The first two above are definitely not the kind of services you'd want just
-anyone to connect to. These should be firewalled so that all outside
-connections are refused. Again, we can't tell from this output whether any
-firewall is in place, much less how effectively implemented it may be.
-
-The web server on port 80 is not a huge security risk by itself. HTTP is a
-protocol that is often open to all comers. For instance, if we wanted to host
-our own home page, Apache can certainly do this for us. It is also possible
-to firewall this off, so that it is for use only to our LAN clients as part
-of an Intranet. Obviously too, if you do not have a good justification for
-running a web server, then it should be disabled completely.
-
-The next two lines are interesting:
-
-+-----------------------------------------------------------------------------+
-| tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN |
-| tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Again notice the "Local Address" is not 0.0.0.0. This is good! The port this
-time is 53, or the DNS port used by nameserver daemons like named. But we see
-the nameserver daemon is only listening on the lo interface (localhost), and
-the interface that connects bigcat to the LAN. So the kernel only allows
-connections from localhost, and the LAN. There will be no port 53 available
-to outside connections at all. This is a good example of how individual
-applications can sometimes be securely configured. In this case, we are
-probably looking at a caching DNS server since a real nameserver that is
-responsible for handling DNS queries would have to have port 53 open to the
-world. This is a security risk and requires special handling.
-
-The last three LISTENER entries:
-
-+-----------------------------------------------------------------------------+
-| tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN |
-| tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-These are back to listening on all available interfaces. Port 22 is sshd, the
-Secure Shell server daemon. This is a good sign! Notice that the service for
-port 631 does not have a service name if we look at the output in the first
-example. This might be a clue that something unusual is going on here. (See
-the next section for the answer to this riddle.) And lastly, port 25, the
-standard port for the SMTP mail daemon. Most Linux installations probably
-will have an SMTP daemon running, so this is not necessarily unusual. But is
-it necessary?
-
-The next grouping is established connections. For our purposes the state of
-the connection as indicated by the last column is not so important. This is
-well explained in the man page.
-
-+-------------------------------------------------------------------------------+
-| tcp 0 1 169.254.179.139:1174 64.152.100.93:119 SYN_SENT |
-| tcp 0 1 169.254.179.139:1175 64.152.100.93:119 SYN_SENT |
-| tcp 0 1 169.254.179.139:1173 64.152.100.93:119 SYN_SENT |
-| tcp 0 0 169.254.179.139:1172 207.153.203.114:80 ESTABLISHED |
-| tcp 1 0 169.254.179.139:1199 216.26.129.136:80 CLOSE_WAIT |
-| tcp 0 0 169.254.179.139:80 63.236.92.144:34197 TIME_WAIT |
-| tcp 400 0 127.0.0.1:1152 127.0.0.1:8000 CLOSE_WAIT |
-| tcp 6648 0 127.0.0.1:1162 127.0.0.1:8000 CLOSE_WAIT |
-| tcp 553 0 127.0.0.1:1164 127.0.0.1:8000 CLOSE_WAIT |
-| |
-| |
-+-------------------------------------------------------------------------------+
-
-There are nine total connections here. The first three is our external
-interface connecting to a remote host on their port 119, the standard NNTP
-(News) port. There are three connections here to the same news server.
-Apparently the application is multi-threaded, as it is trying to open
-multiple connections to the news server. The next two entries are connections
-to a remote web server as indicated by the port 80 after the colon in the
-fifth column. Probably a pretty common looking entry for most of us. But the
-one just after is reversed and has the port 80 in the fourth column, so this
-is someone that has connected to bigcat's web server via its external,
-Internet-side interface. The last three entries are all connections from
-localhost to localhost. So we are connecting to ourselves here. Remembering
-from above that port 8000 is bigcat's web proxy, this is a web browser that
-is connected to the locally running proxy. The proxy then will open an
-external connection of its own, which probably is what is going on with lines
-four and five.
-
-Since we gave netstat both the -t and -u options, we are getting both the TCP
-and UDP listening servers. The last few lines are the UDP ones:
-
-+----------------------------------------------------------------------------+
-| udp 0 0 0.0.0.0:32768 0.0.0.0:* |
-| udp 0 0 192.168.1.1:53 0.0.0.0:* |
-| udp 0 0 127.0.0.1:53 0.0.0.0:* |
-| udp 0 0 0.0.0.0:631 0.0.0.0:* |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-The last three entries have ports that are familiar from the above
-discussion. These are servers that are listening for both TCP and UDP
-connections. Same servers in this case, just using two different protocols.
-The first one on local port 32768 is new, and does not have a service name
-available to it in /etc/services. So at first glance this should be
-suspicious and pique our curiosity. See the next section for the explanation.
-
-Can we draw any conclusions from this hypothetical situation? For the most
-part, these look to be pretty normal looking network services and connections
-for Linux. There does not seem to be an unduly high number of servers running
-here, but that by itself does not mean much since we don't know if all these
-servers are really required or not. We know that netstat can not tell us if
-any of these are effectively firewalled, so there is no way to say how secure
-all this might be. We also don't really know if all the listening services
-are really required by the owner here. That is something that varies widely
-from installation to installation. Does bigcat even have a printer attached
-for instance? Presumably it does, or this is a completely unnecessary risk.
------------------------------------------------------------------------------
-
-8.3.2. Port and Process Owners
-
-We've learned a lot about what is going on with bigcat's networking from the
-above section. But suppose we see something we don't recognize and want to
-know what started that particular service? Or we want to stop a particular
-server and it is not obvious from the above output?
-
-The -p option should give us the process's PID and the program name that
-started the process in the last column. Let's look at the TCP servers again
-(with first three columns cropped for spacing). We'll have to run this as
-root to get all the available information:
-
-+----------------------------------------------------------------------------+
-|# netstat -tap |
-|Active Internet connections (servers and established) |
-| Local Address Foreign Address State PID/Program name |
-| *:printer *:* LISTEN 988/inetd |
-| bigcat:8000 *:* LISTEN 1064/junkbuster |
-| *:time *:* LISTEN 988/inetd |
-| *:x11 *:* LISTEN 1462/X |
-| *:http *:* LISTEN 1078/httpd |
-| bigcat:domain *:* LISTEN 956/named |
-| bigcat:domain *:* LISTEN 956/named |
-| *:ssh *:* LISTEN 972/sshd |
-| *:631 *:* LISTEN 1315/cupsd |
-| *:smtp *:* LISTEN 1051/master |
-| |
-| |
-+----------------------------------------------------------------------------+
-
-Some of these we already know about. But we see now that the printer daemon
-on port 515 is being started via inetd with a PID of "988". inetd is a
-special situation. inetd is often called the "super server", since it's main
-role is to spawn sub-services. xinetd replaces inetd as of Red Hat 7.0. If we
-look at the first line, inetd is listening on port 515 for printer services.
-If a connection comes for this port, inetd intercepts it, and then will spawn
-the appropriate daemon, i.e. the print daemon in this case. The configuration
-of how inetd handles this is typically done in /etc/inetd.conf. This should
-tell us that if we want to stop an inetd controlled server on a permanent
-basis, then we will have to dig into the inetd (or perhaps xinetd)
-configuration. Also the time service above is started via inetd as well. This
-should also tell us that these two services can be further protected by
-tcpwrappers (discussed in Step 3 above). This is one benefit of using inetd
-to control certain system services.
-
-We weren't sure about the service on port 631 above since it did not have a
-standard service name, which means it is something maybe unusual or off the
-beaten path. Now we see it is owned by cupsd (not included with Red Hat by
-the way), which is one of several print daemons available under Linux. This
-happens to be the web interface for controlling the printer service.
-Something cupsd does that is indeed a little different than other print
-servers.
-
-The last entry above is the SMTP mail server on bigcat. Often, this is
-sendmail. But not in this case. The command is "master", which may not ring
-any bells. Armed with the program name we could go searching the filesystem
-with tools like the locate or find commands. After we found it, we could then
-probably discern what package it belonged to. But with the PID available now,
-we can look at ps output, and see if that helps us any:
-
-+---------------------------------------------------------------------------+
-| $ /bin/ps ax |grep 1051 |grep -v grep |
-| 1051 ? S 0:24 /usr/libexec/postfix/master |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-We took a shortcut here by combining ps with grep. It looks like that this
-file belongs to postfix, which is indeed a mail server package comparable to
-sendmail ( and is included with Powertools, not the base distribution).
-
-Running ps with the --forest flag (-f for short) can be helpful in
-determining what processes are parent or child process or another process. An
-edited example:
-
-+---------------------------------------------------------------------------+
-| $ /bin/ps -axf |
-| 956 ? S 0:00 named -u named |
-| 957 ? S 0:00 \_ named -u named |
-| 958 ? S 0:46 \_ named -u named |
-| 959 ? S 0:47 \_ named -u named |
-| 960 ? S 0:00 \_ named -u named |
-| 961 ? S 0:11 \_ named -u named |
-| 1051 ? S 0:30 /usr/libexec/postfix/master |
-| 1703 ? S 0:00 \_ tlsmgr -l -t fifo -u -c |
-| 1704 ? S 0:00 \_ qmgr -l -t fifo -u -c |
-| 1955 ? S 0:00 \_ pickup -l -t fifo -c |
-| 1863 ? S 0:00 \_ trivial-rewrite -n rewrite -t unix -u -c |
-| 2043 ? S 0:00 \_ cleanup -t unix -u -c |
-| 2049 ? S 0:00 \_ local -t unix |
-| 2062 ? S 0:00 \_ smtpd -n smtp -t inet -u -c |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-A couple of things to note here. We have two by now familiar daemons here:
-named and postfix (smtpd). Both are spawning sub-processes. In the case of
-named, what we are seeing is threads, various sub-processes that it always
-spawns. Postfix is also spawning sub-processes, but not as "threads". Each
-sub-process has its own specific task. It is worth noting that child
-processes are dependent on the parent process. So killing the parent PID,
-will in turn kill all child processes.
-
-If all this has not shed any light, we might also try locate:
-
-+---------------------------------------------------------------------------+
-| $ locate /master |
-| /etc/postfix/master.cf |
-| /var/spool/postfix/pid/master.pid |
-| /usr/libexec/postfix/master |
-| /usr/share/vim/syntax/master.vim |
-| /usr/share/vim/vim60z/syntax/master.vim |
-| /usr/share/doc/postfix-20010202/html/master.8.html |
-| /usr/share/doc/postfix-20010202/master.cf |
-| /usr/share/man/man8/master.8.gz |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-find is perhaps the most flexible file finding utility, but doesn't use a
-database the way locate does, so is much slower:
-
-+---------------------------------------------------------------------------+
-| $ find / -name master |
-| /usr/libexec/postfix/master |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-If lsof is installed, it is another command that is useful for finding who
-owns processes or ports:
-
-+---------------------------------------------------------------------------+
-| # lsof -i :631 |
-| COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME |
-| cupsd 1315 root 0u IPv4 3734 TCP *:631 (LISTEN) |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-This is again telling us that the cupsd print daemon is the owner of port
-631. Just a different way of getting at it. Yet one more way to get at this
-is with fuser, which should be installed:
-
-+---------------------------------------------------------------------------+
-| # fuser -v -n tcp 631 |
-| |
-| USER PID ACCESS COMMAND |
-| 631/tcp root 1315 f.... cupsd |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-See the man pages for fuser and lsof command syntax.
-
-Another place to look for where a service is started, is in the init.d
-directory, where the actual init scripts live. Something like ls -l /etc/rc.d
-/init.d/, should give us a list of these. Often the script name itself gives
-a hint as to which service(s) it starts, though it may not necessarily
-exactly match the "Program Name" as provided by netstat. Or we can use grep
-to search inside files and match a search pattern. Need to find where
-rpc.statd is being started, and we don't see a script by this name?
-
-+---------------------------------------------------------------------------+
-| # grep rpc.statd /etc/init.d/* |
-| /etc/init.d/nfslock: [ -x /sbin/rpc.statd ] || exit 0 |
-| /etc/init.d/nfslock: daemon rpc.statd |
-| /etc/init.d/nfslock: killproc rpc.statd |
-| /etc/init.d/nfslock: status rpc.statd |
-| /etc/init.d/nfslock: /sbin/pidof rpc.statd >/dev/null 2>&1; STATD="$?" |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-We didn't really need all that information, but at least we see now exactly
-which script is starting it. Remember too that not all services are started
-this way. Some may be started via inetd, or xinetd.
-
-The /proc filesystem also keeps everything we want to know about processes
-that are running. We can query this to find out more information about each
-process. Do you need to know the full path of the command that started a
-process?
-
-+-----------------------------------------------------------------------------+
-| # ls -l /proc/1315/exe |
-| lrwxrwxrwx 1 root root 0 July 4 19:41 /proc/1315/exe -> /usr/sbin/cupsd |
-| |
-| |
-+-----------------------------------------------------------------------------+
-
-Finally, we had a loose end or two in the UDP listening services. Remember we
-had a strange looking port number 32768, that also had no service name
-associated with it:
-
-+------------------------------------------------------------------------------------+
-| # netstat -aup |
-| Active Internet connections (servers and established) |
-| Local Address Foreign Address State PID/Program name |
-| *:32768 *:* 956/named |
-| bigcat:domain *:* 956/named |
-| bigcat:domain *:* 956/named |
-| *:631 *:* 1315/cupsd |
-| |
-| |
-+------------------------------------------------------------------------------------+
-
-Now by including the "PID/Program name" option with the -p flag, we see this
-also belongs to named, the nameserver daemon. Recent versions of BIND use an
-unprivileged port for some types of traffic. In this case, this is BIND 9.x.
-So no real alarms here either. The unprivileged port here is the one named
-uses to to talk to other nameservers for name and address lookups, and should
-not be firewalled.
-
-So we found no big surprises in this hypothetical situation.
-
-If all else fails, and you can't find a process owner for an open port,
-suspect that it may be an RPC (Remote Procedure Call) service of some kind.
-These use randomly assigned ports without any seeming logic or consistency,
-and are typically controlled by the portmap daemon. In some cases, these may
-not reveal the process owner to netstat or lsof. Try stopping portmap, and
-then see if the mystery service goes away. Or you can use rpcinfo -p
-localhost to see what RPC services may be running (portmap must be running
-for this to work).
-
-Warning If you suspect you have been broken into, do not trust netstat or ps
- output. There is a good chance that they, and other system
- components, has been tampered with in such a way that the output is
- not reliable.
------------------------------------------------------------------------------
-
-8.4. Attacks and Threats
-
-In this section, we will take a quick look at some of the common threats and
-techniques that are out there, and attempt to put them into some perspective.
-
-The corporate world, government agencies and high profile Internet sites have
-to be concerned with a much more diverse and challenging set of threats than
-the typical home desktop user. There are many reasons someone may want to
-break in to someone else's computer. It may be just for kicks, or any number
-of malicious reasons. They may just want a base from which to attack someone
-else. This is a very common motivation.
-
-The most common "attack" for most of us is from already compromised systems.
-The Internet is littered with computers that have been broken into, and are
-now doing their master's bidding blindly, in zombie-like fashion. They are
-programmed to scan massively large address ranges, probing each individual IP
-address as they go. Looking for one or more open ports, and then probing for
-known weaknesses if they get the chance. Very impersonal. Very methodical.
-And very effective. We are all in the path of such robotic scans. All because
-those responsible for these systems fail to do what you are doing now -
-taking steps to protect their system(s), and avoid being r00ted.
-
-These scans do not look at login banners that may be presented on connection.
-It will do little good to change your /etc/issue.net to pretend that you are
-running some obscure operating system. If they find something listening, they
-will try all of the exploits appropriate to that port, without regard to any
-indications your system may give. If it works, they are in -- if not, they
-will move on.
------------------------------------------------------------------------------
-
-8.4.1. Port Scans and Probes
-
-First, let's define "scan" and "probe" since these terms come up quite a bit.
-A "probe" implies testing if a given port is open or closed, and possibly
-what might be listening on that port. A "scan" implies either "probing"
-multiple ports on one or more systems. Or individual ports on multiple
-systems. So you might "scan" all ports on your own system for instance. Or a
-cracker might "scan" the 216.78.*.* address range to see who has port 111
-open.
-
-Black hats can use scan and probe information to know what services are
-running on a given system, and then they might know what exploits to try.
-They may even be able to tell what Operating System is running, and even
-kernel version, and thus get even more information. "Worms", on the other
-hand, are automated and scan blindly, generally just looking for open ports,
-and then a susceptible victim. They are not trying to "learn" anything, the
-way a cracker might.
-
-The distinction between "scan" and "probe"is often blurred. Both can used in
-good ways, or in bad ways, depending on who is doing it, and why. You might
-ask a friend to scan you, for instance, to see how well your firewall is
-working. This is a legitimate use of scanning tools such as nmap. But what if
-someone you don't know does this? What is their intent? If it's your ISP,
-they may be trying to enforce their Terms of Service Agreement. Or maybe, it
-is someone just playing, and seeing who is "out there". But more than likely
-it is someone or something with not such good intentions.
-
-Full range port scans (meaning probing of many ports on the same machine)
-seem to be a not so common threat for home based networks. But certainly,
-scanning individual ports across numerous systems is a very, very common
-occurrence.
------------------------------------------------------------------------------
-
-8.4.2. Rootkits
-
-A "rootkit" is the script kiddie's stock in trade. When a successful
-intrusion takes place, the first thing that is often done, is to download and
-install such "rootkits". The rootkit is a set of scripts designed to take
-control of the system, and then hide the intrusion. Rootkits are readily
-available on the web for various Operating Systems.
-
-A rootkit will typically replace critical system files such as ls, ps,
-netstat, login and others. Passwords may be added, hidden daemons started,
-logs tampered with, and surely one of more backdoors are opened. The hidden
-backdoors allow easy access any time the attacker wants back in. And often
-the vulnerability itself may even be fixed so that the new "owner" has the
-system all to himself. The entire process is scripted so it happens very
-quickly. The rightful owners of these compromised systems generally have no
-idea what is going on, and are victims themselves. A well designed rootkit
-can be very difficult to detect.
------------------------------------------------------------------------------
-
-8.4.3. Worms and Zombies
-
-A "worm" is a self replicating exploit. It infects a system, then attempts to
-spread itself typically via the same vulnerability. Various "worms" are
-weaving their way through the entire Internet address space constantly,
-spreading themselves as they go.
-
-But somewhere behind the zombie, there is a controller. Someone launched the
-worm, and they will be informed after a successful intrusion. It is then up
-to them how the system will be used.
-
-Many of these are Linux systems, looking for other Linux systems to "infect"
-via a number of exploits. But most Operating Systems share in this threat.
-Once a vulnerable system is found, the actual entry and take over is quick,
-and may be difficult to detect after the fact. The first thing an intruder
-(whether human or "worm") will do is attempt to cover their tracks. A
-"rootkit" is downloaded and installed. This trend has been exacerbated by the
-growing popularity of cable modems and DSL. The number of full time Internet
-connections is growing rapidly, and this makes fertile ground for such
-exploits since often these aren't as well secured as larger sites.
-
-While this may sound ominous, a few simple precautions can effectively deter
-this type of attack. With so many easy victims out there, why waste much
-effort breaking into your system? There is no incentive to really try very
-hard. Just scan, look, try, move on if unsuccessful. There is always more IPs
-to be scanned. If your firewall is effectively bouncing this kind of thing,
-it is no threat to you at all. Take comfort in that, and don't over re-act.
-
-It is worth noting, that these worms cannot "force" their way in. They need
-an open and accessible port, and a known vulnerability. If you remember the
-"Iptables Weekly Log Summary" in the opening section above, many of those may
-have all been the result of this type of scan. If you've followed the steps
-in this HOWTO, you should be reasonably safe here. This one is easy enough to
-deflect.
------------------------------------------------------------------------------
-
-8.4.4. Script Kiddies
-
-A "script kiddie" is a "cracker" wanna be who doesn't know enough to come up
-with his/her own exploits, but instead relies on "scripts" and exploits that
-have been developed by others. Like "worms", they are looking for easy
-victims, and may similarly scan large address ranges looking for specific
-ports with known vulnerabilities. Often, the actual scanning is done from
-already comprised systems so that it is difficult to trace it back to them.
-
-The script kiddie has a bag of ready made tricks at his disposal, including
-an arsenal of "rootkits" for various Operating Systems. Finding susceptible
-victims is not so hard, given enough time and address space to probe. The
-motives are a mixed bag as well. Simple mischief, defacement of web sites,
-stolen credit card numbers, and the latest craze, "Denial of Service" attacks
-(see below). They collect zombies like trophies and use them to carry out
-whatever their objective is.
-
-Again, the key here is that they are following a "script", and looking for
-easy prey. Like the worm threat above, a functional firewall and a few very
-basic precautions, should be sufficient to deflect any threat here. By now,
-you should be relatively safe from this nuisance.
------------------------------------------------------------------------------
-
-8.4.5. Spoofed IPs
-
-How easy is it to spoof an IP address? With the right tools, very easy. How
-much of a threat is this? Not much, for most of us, and is over-hyped as a
-threat.
-
-Because of the way TCP/IP works, each packet must carry both the source and
-destination IP addresses. Any return traffic is based on this information. So
-a spoofed IP can never return any useful information to an attacker who is
-sending out spoofed packets. The traffic would go back to wherever that
-spoofed IP address was pointed. The attacker gets nothing back at all.
-
-This does have potential for "DoS" attacks (see below) where learning
-something about the targeted system is not important. And may be used for
-some general mischief making as well.
------------------------------------------------------------------------------
-
-8.4.6. Targeted Attacks
-
-The worm and wide ranging address type scans, are impersonal. They are just
-looking for any vulnerable system. It makes no difference whether it is a top
-secret government facility, or your mother's Window's box. But there are
-"black hats" that will spend a great deal of effort to get into a system or
-network. We'll call these "targeted" attacks since there has been a
-deliberate decision made to break in to a specific system or network.
-
-In this case, the attacker will look the system over for weaknesses. And
-possibly make many different kinds of attempts, until he finds a crack to
-wiggle through. Or gives up. This is more difficult to defend against. The
-attacker is armed and dangerous, so to speak, and is stalking his prey.
-
-Again, this scenario is very unlikely for a typical home system. There just
-generally isn't any incentive to take the time and effort when there are
-bigger fish to fry. For those who may be targets, the best defense here
-includes many of things we've discussed. Vigilance is probably more important
-than ever. Good logging practices and an IDS (Intrusion Detection System)
-should be in place. And subscribing to one or more security related mailing
-lists like BUGTRAQ. And of course, reading those alerts daily, and taking the
-appropriate actions, etc.
------------------------------------------------------------------------------
-
-8.4.7. Denial of Service (DoS)
-
-"DoS" is another type of "attack" in which the intention is to disrupt or
-overwhelm the targeted system or network in such a way that it cannot
-function normally. DoS can take many forms. On the Internet, this often means
-overwhelming the victim's bandwidth or TCP/IP stack, by sending floods of
-packets and thus effectively disabling the connection. We are talking about
-many, many packets per second. Thousands in some cases. Or perhaps, the
-objective is to crash a server.
-
-This is much more likely to be targeted at organizations or high profile
-sites, than home users. And can be quite challenging to stop depending on the
-technique. And it generally requires the co-operation of networks between the
-source(s) and the target, so that the floods are stopped, or minimized,
-before they reach the targeted destination. Once they hit the destination,
-there is no good way to completely ignore them.
-
-"DDoS", Distributed Denial of Service, is where multiple sources are used to
-maximize the impact. Again, not likely to be directly targeted at home users.
-These are "slaves" that are "owned" by a cracker, or script kiddie, that are
-woken up and are targeted at the victim. There may be many computers involved
-in the attack.
-
-If you are home user, and with a dynamic IP address, you might find
-disconnecting, then re-connecting to get a new IP, an effective way out if
-you are the target. Maybe.
------------------------------------------------------------------------------
-
-8.4.8. Brute Force
-
-"Brute force" attacks are where the attacker makes repetitive attempts at the
-same perceived weakness(es). Like a battering ram. A classic example would be
-where someone tries to access a telnet server simply by continually throwing
-passwords at it, hoping that one will eventually work. Or maybe crash the
-server. This doesn't require much imagination, and is not a commonly used
-tactic against home systems.
-
-By the way, this is one good argument against allowing remote root logins.
-The root account exists on all systems. It is probably the only one that this
-is true of. You'd like to make a potential attacker guess both the login name
-and password. But if root is allowed remote logins, then the attacker only
-needs to guess the password!
------------------------------------------------------------------------------
-
-8.4.9. Viruses
-
-And now something not to worry about. Viruses seem to be primarily a
-Microsoft problem. For various reasons, viruses are not a significant threat
-to Linux users. This is not to say that it will always be this way, but the
-current virus explosion that plagues Microsoft systems, can not spread to
-Linux (or Unix) based systems. In fact, the various methods and practices
-that enable this phenomena, are not exploitable on Linux. So Anti-Virus
-software is not recommended as part of our arsenal. At least for the time
-being with Linux only networks.
------------------------------------------------------------------------------
-
-8.5. Links
-
-Some references for further reading are listed below. Not listed is your
-distribution's site, security page or ftp download site. You will have to
-find these on your own. Then you should bookmark them!
-
- * Redhat sites of interest:
-
- The Redhat watch/security mailing list: [https://listman.redhat.com/
- mailman/listinfo/redhat-watch-list] https://listman.redhat.com/mailman/
- listinfo/redhat-watch-list
-
- Red Hat errata and security notices: [http://redhat.com/errata/] http://
- redhat.com/errata/
-
- The Red Hat update FTP site: [ftp://updates.redhat.com/] ftp://
- updates.redhat.com/
-
-
- * Other relevant documents available from the Linux Documentation Project:
-
- Security HOWTO: [http://tldp.org/HOWTO/Security-HOWTO.html ] http://
- tldp.org/HOWTO/Security-HOWTO.html
-
- Firewall HOWTO: [http://tldp.org/HOWTO/Firewall-HOWTO.html] http://
- tldp.org/HOWTO/Firewall-HOWTO.html
-
- Ipchains HOWTO: [http://tldp.org/HOWTO/IPCHAINS-HOWTO.html ] http://
- tldp.org/HOWTO/IPCHAINS-HOWTO.html
-
- User Authentication: [http://tldp.org/HOWTO/User-Authentication-HOWTO/
- index.html] http://tldp.org/HOWTO/User-Authentication-HOWTO/index.html,
- includes a nice discussion on PAM.
-
- VPN (Virtual Private Network): [http://tldp.org/HOWTO/VPN-HOWTO.html]
- http://tldp.org/HOWTO/VPN-HOWTO.html and [http://tldp.org/HOWTO/
- VPN-Masquerade-HOWTO.html] http://tldp.org/HOWTO/
- VPN-Masquerade-HOWTO.html
-
- The Remote X Apps Mini HOWTO, [http://www.tldp.org/HOWTO/mini/
- Remote-X-Apps.html] http://www.tldp.org/HOWTO/mini/Remote-X-Apps.html,
- includes excellent discussions on the security implications of running X
- Windows.
-
- The Linux Network Administrators Guide: [http://tldp.org/LDP/nag2/
- index.html] http://tldp.org/LDP/nag2/index.html, includes a good overview
- of networking and TCP/IP, and firewalling.
-
- The Linux Administrator's Security Guide: [http://www.seifried.org/lasg/]
- http://www.seifried.org/lasg/, includes many obvious topics of interest,
- including firewalling, passwords and authentication, PAM, and more.
-
- Securing Red Hat: [http://tldp.org/LDP/solrhe/
- Securing-Optimizing-Linux-RH-Edition-v1.3/index.html] http://tldp.org/LDP
- /solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html
-
-
- * Tools for creating custom ipchains and iptables firewall scripts:
-
- Firestarter: [http://firestarter.sourceforge.net] http://
- firestarter.sourceforge.net
-
- Two related projects: [http://seawall.sourceforge.net/] http://
- seawall.sourceforge.net/ for ipchains, and [http://
- shorewall.sourceforge.net/] http://shorewall.sourceforge.net/ for
- iptables.
-
-
- * Netfilter and iptables documentation from the netfilter developers
- (available in many other languages as well):
-
- FAQ: [http://netfilter.samba.org/documentation/FAQ/netfilter-faq.html]
- http://netfilter.samba.org/documentation/FAQ/netfilter-faq.html
- Packet filtering: [http://netfilter.samba.org/documentation/HOWTO/
- packet-filtering-HOWTO.html] http://netfilter.samba.org/documentation/
- HOWTO/packet-filtering-HOWTO.html
- Networking: [http://netfilter.samba.org/documentation/HOWTO/
- networking-concepts-HOWTO.html] http://netfilter.samba.org/documentation/
- HOWTO/networking-concepts-HOWTO.html
- NAT/masquerading: [http://netfilter.samba.org/documentation/HOWTO/
- NAT-HOWTO.html] http://netfilter.samba.org/documentation/HOWTO/
- NAT-HOWTO.html
-
-
- * Port number assignments, and what that scanner may be scanning for:
-
- [http://www.linuxsecurity.com/resource_files/firewalls/
- firewall-seen.html] http://www.linuxsecurity.com/resource_files/firewalls
- /firewall-seen.html
-
- [http://www.sans.org/newlook/resources/IDFAQ/oddports.htm] http://
- www.sans.org/newlook/resources/IDFAQ/oddports.htm
-
- [http://www.iana.org/assignments/port-numbers] http://www.iana.org/
- assignments/port-numbers, the official assignments.
-
-
- * General security sites. These all have areas on documentation, alerts,
- newsletters, mailing lists, and other resources.
-
- Linux Security.com: [http://www.linuxsecurity.com] http://
- www.linuxsecurity.com, loaded with good info, and Linux specific. Lots of
- good docs: [http://www.linuxsecurity.com/docs/] http://
- www.linuxsecurity.com/docs/
-
- CERT, [http://www.cert.org] http://www.cert.org
-
- The SANS Institute: [http://www.sans.org/] http://www.sans.org/
-
- The Coroner's Toolkit (TCT): [http://www.fish.com/security/] http://
- www.fish.com/security/, discussions and tools for dealing with post
- break-in issues (and preventing them in the first place).
-
-
- * Privacy:
-
- Junkbuster: [http://www.junkbuster.com] http://www.junkbuster.com, a web
- proxy and cookie manager.
-
- PGP: [http://www.gnupg.org/] http://www.gnupg.org/
-
-
- * Other documentation and reference sites:
-
- Linux Security.com: [http://www.linuxsecurity.com/docs/] http://
- www.linuxsecurity.com/docs/
-
- Linux Newbie: [http://www.linuxnewbie.org/nhf/intel/security/index.html]
- http://www.linuxnewbie.org/nhf/intel/security/index.html
-
- The comp.os.linux.security FAQ: [http://www.linuxsecurity.com/docs/
- colsfaq.html] http://www.linuxsecurity.com/docs/colsfaq.html
-
- The Internet Firewall FAQ: [http://www.interhack.net/pubs/fwfaq/] http://
- www.interhack.net/pubs/fwfaq/
-
- The Site Security Handbook RFC: [http://www.ietf.org/rfc/rfc2196.txt]
- http://www.ietf.org/rfc/rfc2196.txt
-
-
- * Miscellaneous sites of interest:
-
- [http://www.bastille-linux.org] http://www.bastille-linux.org, for
- Mandrake and Red Hat only.
-
- SAINT: [http://www.wwdsi.com/saint/] http://www.wwdsi.com/saint/, system
- security analysis.
-
- SSL: [http://www.openssl.org/] http://www.openssl.org/
-
- SSH: [http://www.openssh.org/] http://www.openssh.org/
-
- Scan yourself: [http://www.hackerwhacker.com] http://
- www.hackerwhacker.com
-
- PAM: [http://www.kernel.org/pub/linux/libs/pam/index.html] http://
- www.kernel.org/pub/linux/libs/pam/index.html
-
- Detecting Trojaned Linux Kernel Modules: [http://members.prestige.net/
- tmiller12/papers/lkm.htm] http://members.prestige.net/tmiller12/papers/
- lkm.htm
-
- Rootkit checker: [http://www.chkrootkit.org] http://www.chkrootkit.org
-
- Port scanning tool nmap's home page: [http://www.insecure.org] http://
- www.insecure.org
-
- Nessus, more than just a port scanner: [http://www.nessus.org] http://
- www.nessus.org
-
- Tripwire, intrusion detection: [http://www.tripwire.org] http://
- www.tripwire.org
-
- Snort, sniffer and more: [http://www.snort.org] http://www.snort.org
-
- [http://www.mynetwatchman.com] http://www.mynetwatchman.com and [http://
- dshield.org] http://dshield.org are "Distributed Intrusion Detection
- Systems". They collect log data from subscribing "agents", and collate
- the data to find and report malicious activity. If you want to fight
- back, check these out.
-
-
-
------------------------------------------------------------------------------
-8.6. Editing Text Files
-
-By Bill Staehle
-
-All the world is a file.
-
-There are a great many types of files, but I'm going to stretch it here, and
-class them into two really broad families:
-
-
-
- Text files are just that.
- Binary files are not.
-
-
-
-Binary files are meant to be read by machines, text files can be easily
-edited, and are generally read by people. But text files can be (and
-frequently are) read by machines. Examples of this would be configuration
-files, and scripts.
-
-There are a number of different text editors available in *nix. A few are
-found on every system. That would be '/bin/ed' and '/bin/vi'. 'vi' is almost
-always a clone such as 'vim' due to license problems. The problem with 'vi'
-and 'ed' is that they are terribly user unfriendly. Another common editor
-that is not always installed by default is 'emacs'. It has a lot more
-features and capability, and is not easy to learn either.
-
-As to 'user friendly' editors, 'mcedit' and 'pico' are good choices to start
-with. These are often much easier for those new to *nix.
-
-The first things to learn are how to exit an editing session, how to save
-changes to the file, and then how to avoid breaking long lines that should
-not be broken (wrapped).
-
-The 'vi' editor
-
-'vi' is one of the most common text editors in the Unix world, and it's
-nearly always found on any *nix system. Actually, due to license problems,
-the '/bin/vi' on a Linux system is always a 'clone', such as 'elvis', 'nvi',
-or 'vim' (there are others). These clones can act exactly like the original
-'vi', but usually have additional features that make it slightly less
-impossible to use.
-
-So, if it's so terrible, why learn about it? Two reasons. First, as noted,
-it's almost guaranteed to be installed, and other (more user friendly)
-editors may not be installed by default. Second, many of the 'commands' work
-in other applications (such as the pager 'less' which is also used to view
-man pages). In 'less', accidentally pressing the 'v' key starts 'vi' in most
-installations.
-
-'vi' has two modes. The first is 'command mode', and keystrokes are
-interpreted as commands. The other mode is 'insert' mode, where nearly all
-keystrokes are interpreted as text to be inserted.
-
-==> Emergency exit from 'vi' 1. press the key up to three times, until
-the computer beeps, or the screen flashes. 2. press the keys :q!
-
-That is: colon, the letter Q, and then the exclamation point, followed by the
-Enter key.
-
-'vi' commands are as follows. All of these are in 'command' mode:
-
-
-a Enter insertion mode after the cursor.
-A Enter insertion mode at the end of the current line.
-i Enter insertion mode before the cursor.
-o Enter insertion mode opening a new line BELOW current line.
-O Enter insertion mode opening a new line ABOVE current line.
-h move cursor left one character.
-l move cursor right one character.
-j move cursor down one line.
-k move cursor up one line.
-/mumble move cursor forward to next occurrence of 'mumble' in
- the text
-?mumble move cursor backward to next occurrence of 'mumble'
- in the text
-n repeat last search (? or / without 'mumble' to search for
- will do the same thing)
-u undo last change made
-
-^B Scroll back one window.
-^F Scroll forward one window.
-^U Scroll up one half window.
-^D Scroll down one half window.
-
-:w Write to file.
-:wq Write to file, and quit.
-:q quit.
-:q! Quit without saving.
-
- Leave insertion mode.
-
-
-
-NOTE: The four 'arrow' keys almost always work in 'command' or 'insert' mode.
-
-The 'ed' editor.
-
-The 'ed' editor is a line editor. Other than the fact that it is virtually
-guaranteed to be on any *nix computer, it has no socially redeeming features,
-although some applications may need it. A _lot_ of things have been offered
-to replace this 'thing' from 1975.
-
-==> Emergency exit from 'ed'
-
-1. type a period on a line by itself, and press This gets you to the
-command mode or prints a line of text if you were in command mode. 2. type q
-and press . If there were no changes to the file, this action quits
-ed. If you then see a '?' this means that the file had changed, and 'ed' is
-asking if you want to save the changes. Press q and a second time to
-confirm that you want out.
-
-The 'pico' editor.
-
-'pico' is a part of the Pine mail/news package from the University of
-Washington (state, USA). It is a very friendly editor, with one minor
-failing. It silently inserts a line feed character and wraps the line when it
-exceeds (generally) 74 characters. While this is fine while creating mail,
-news articles, and text notes, it is often fatal when editing system files.
-The solution to this problem is simple. Call the program with the -w option,
-like this:
-
-pico -w file_2_edit
-
-Pico is so user friendly, no further instructions are needed. It _should_ be
-obvious (look at the bottom of the screen for commands). There is an
-extensive help function. Pico is available with nearly all distributions,
-although it _may_ not be installed by default.
-
-==> Emergency exit from 'pico'
-
-Press and hold the key, and press the letter x. If no changes had been
-made to the file, this will quit pico. If changes had been made, it will ask
-if you want to save the changes. Pressing n will then exit.
-
-The 'mcedit' editor.
-
-'mcedit' is part of the Midnight Commander shell program, a full featured
-visual shell for Unix-like systems. It can be accessed directly from the
-command line ( mcedit file_2_edit ) or as part of 'mc' (use the arrow keys to
-highlight the file to be edited, then press the F4 key).
-
-mcedit is probably the most intuitive editor available, and comes with
-extensive help. "commands" are accessed through the F* keys. Midnight
-Commander is available with nearly all distributions, although it _may_ not
-be installed by default.
-
-==> Emergency exit from 'mcedit'
-
-Press the F10 key. If no changes have been made to the file, this will quit
-mcedit. If changes had been made, it will ask if you want to Cancel this
-action. Pressing n will then exit.
------------------------------------------------------------------------------
-
-8.7. nmap
-
-Let's look at a few quick examples of what nmap scans look like. The intent
-here is to show how to use nmap to verify our firewalling, and system
-integrity. nmap has other uses that we don't need to get into. Do NOT use
-nmap on systems other than your own, unless you have permission from the
-owner, and you know it is not a violation of anyone's Terms of Service. This
-kind of thing will be taken as hostile by most people.
-
-As mentioned previously, nmap is a sophisticated port scanning tool. It tries
-to see if a host is "there", and what ports might be open. Barring that, what
-states those ports might be in. nmap has a complex command line and can do
-many types of "scans". See the man page for all the nitty gritty.
-
-A couple of words of warning first. If using portsentry, turn it off. It will
-drop the route to wherever the scan is coming from. You might want to turn
-off any logging also, or at least be aware that you might get copious logs if
-doing multiple scans.
-
-A simple, default scan of "localhost":
-
-+---------------------------------------------------------------------------+
-| # nmap localhost |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Interesting ports on bigcat (127.0.0.1): |
-| (The 1507 ports scanned but not shown below are in state: closed) |
-| |
-| Port State Service |
-| 22/tcp open ssh |
-| 25/tcp open smtp |
-| 37/tcp open time |
-| 53/tcp open domain |
-| 80/tcp open http |
-| 3000/tcp open ppp |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-If you've read most of this document, you should be familiar with these
-services by now. These are some of the same ports we've seen in other
-examples. Some things to note on this scan: it only did 1500+ "interesting"
-ports -- not all ports. This can be configured differently if more is
-desirable (see man page). It only did TCP ports too. Again, configurable. It
-only picks up "listening" services, unlike netstat that shows all open ports
--- listening or otherwise. Note the last "open" port here is 3000 is
-identified as "PPP". Wrong! That is just an educated guess by nmap based on
-what is contained in /etc/services for this port number. Actually in this
-case it is ntop (a network traffic monitor). Take the service names with a
-grain of salt. There is no way for nmap to really know what is on that port.
-Matching port numbers with service names can at times be risky. Many do have
-standard ports, but there is nothing to say they have to use the commonly
-associated port numbers.
-
-Notice that in all our netstat examples, we had two classes of open ports:
-listening servers, and then established connections that we initiated to
-other remote hosts (e.g. a web server somewhere). nmap only sees the first
-group -- the listening servers! The other ports connecting us to remote
-servers are not visible, and thus not vulnerable. These ports are "private"
-to that single connection, and will be closed when the connection is
-terminated.
-
-So we have open and closed ports here. Simple enough, and gives a pretty good
-idea what is running on bigcat -- but not necessarily what we look like to
-the outside world since this was done from localhost, and wouldn't reflect
-any firewalling or other access control mechanisms.
-
-Let's do a little more intensive scan. Let's check all ports -- TCP and UDP.
-
-+---------------------------------------------------------------------------+
-| # nmap -sT -sU -p 1-65535 localhost |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Interesting ports on bigcat (127.0.0.1): |
-| (The 131050 ports scanned but not shown below are in state: closed) |
-| |
-| Port State Service |
-| 22/tcp open ssh |
-| 25/tcp open smtp |
-| 37/tcp open time |
-| 53/tcp open domain |
-| 53/udp open domain |
-| 80/tcp open http |
-| 3000/tcp open ppp |
-| 8000/tcp open unknown |
-| 32768/udp open unknown |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 385 seconds |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-This is more than just "interesting" ports -- it is everything. We picked up
-a couple of new ones in the process too. We've seen these before with netstat
-, so we know what they are. That is the Junkbuster web proxy on port 8000/tcp
-and named on 32768/udp. This scan takes much, much longer, but it is the only
-way to see all ports.
-
-So now we have a pretty good idea of what is open on bigcat. Since we are
-scanning localhost from localhost, everything should be visible. We still
-don't know how the outside world sees us though. Now I'll ssh to another host
-on the same LAN, and try again.
-
-+---------------------------------------------------------------------------+
-| # nmap bigcat |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Interesting ports on bigcat (192.168.1.1): |
-| (The 1520 ports scanned but not shown below are in state: closed) |
-| |
-| Port State Service |
-| 22/tcp open ssh |
-| 3000/tcp open ppp |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 1 second |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-I confess to tampering with the iptables rules here to make a point. Only two
-visible ports on this scan. Everything else is "closed". So says nmap. Once
-again:
-
-+----------------------------------------------------------------------------------+
-| # nmap bigcat |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| Note: Host seems down. If it is really up, but blocking our ping probes, try -P0 |
-| |
-| Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds |
-| |
-| |
-+----------------------------------------------------------------------------------+
-
-Oops, I blocked ICMP (ping) while I was at it this time. One more time:
-
-+---------------------------------------------------------------------------+
-| # nmap -P0 bigcat |
-| |
-| Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) |
-| All 1523 scanned ports on bigcat (192.168.1.1) are: filtered |
-| |
-| Nmap run completed -- 1 IP address (1 host up) scanned in 1643 seconds |
-| |
-| |
-+---------------------------------------------------------------------------+
-
-That's it. Notice how long that took. Notice ports are now "filtered" instead
-of "closed". How does nmap know that? Well for one, "closed" means bigcat
-sent a packet back saying "nothing running here", i.e. port is closed. In
-this last example, the iptables rules were changed to not allow ICMP (ping),
-and to "DROP" all incoming packets. In other words, no response at all. A
-subtle difference since nmap seems to still know there was a host there, even
-though no response was given. One lesson here, is if you want to slow a
-scanner down, "DROP" (or "DENY") the packets. This forces a TCP time out for
-the remote end on each port probe. Anyway, if your scans look like this, that
-is probably as well as can be expected, and your firewall is doing its job.
-
-A brief note on UDP: nmap can not accurately determine the status of these
-ports if they are "filtered". You probably will get a false-positive "open"
-condition. This has to do with UDP being a connectionless protocol. If nmap
-gets no answer (e.g. due to a "DROP"), it assumes the packets reached the
-target, and thus the port will be reported as "open". This is "normal" for
-nmap.
-
-We can play with firewall rules in a LAN set up to try to simulate how the
-outside world sees us, and if we are smart, and know what we are doing, and
-don't have a brain fart, we probably will have a pretty good picture. But it
-is still best to try to find a way to do it from outside if possible. Again,
-make sure you are not violating any ISP rules of conduct. Do you have a
-friend on the same ISP?
------------------------------------------------------------------------------
-
-8.8. Sysctl Options
-
-The "sysctl" options are kernel parameters that can be configured via the /
-proc filesystem. These can be dynamically adjusted at run-time. Typically
-these options are off if set to "0", and on if set to "1".
-
-Some of these have security implications, and thus is why we are here ;-)
-We'll just list the ones we think are relevant. Feel free to cut and paste
-these into a firewall script, or other file that is run during boot (like /
-etc/rc.local). Red Hat provides the sysctl command for dynamically adjusting
-these values (see man page). Or they can permanently be set in /etc/
-sysctl.conf with your text editor of choice. sysctl is executed during init,
-and uses these values. You can read up on what these mean in /usr/src/linux/
-Documentation/sysctl/README and other files in the kernel Documentation
-directories.
-
-The traditional method:
-
-#!/bin/sh
-#
-# Configure kernel sysctl run-time options.
-#
-###################################################################
-
-# Anti-spoofing blocks
-for i in /proc/sys/net/ipv4/conf/*/rp_filter;
-do
- echo 1 > $i
-done
-
-# Ensure source routing is OFF
-for i in /proc/sys/net/ipv4/conf/*/accept_source_route;
- do
- echo 0 > $i
- done
-
-# Ensure TCP SYN cookies protection is enabled
-[ -e /proc/sys/net/ipv4/tcp_syncookies ] &&\
- echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-
-# Ensure ICMP redirects are disabled
-for i in /proc/sys/net/ipv4/conf/*/accept_redirects;
- do
- echo 0 > $i
- done
-
-# Ensure oddball addresses are logged
-[ -e /proc/sys/net/ipv4/conf/all/log_martians ] &&\
- echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
-
-[ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] &&\
- echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
-
-[ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] &&\
- echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
-
-## Optional from here on down, depending on your situation. ############
-
-# Ensure ip-forwarding is enabled if
-# we want to do forwarding or masquerading.
-[ -e /proc/sys/net/ipv4/ip_forward ] &&\
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
-# On if your IP is dynamic (or you don't know).
-[ -e /proc/sys/net/ipv4/ip_dynaddr ] &&\
- echo 1 > /proc/sys/net/ipv4/ip_dynaddr
-
-# eof
-
-
-
-The same effect by using /etc/sysctl.conf instead:
-
-#
-# Add to existing sysctl.conf
-#
-
-# Anti-spoofing blocks
-net.ipv4.conf.default.rp_filter = 1
-net.ipv4.conf.all.rp_filter = 1
-
-# Ensure source routing is OFF
-net.ipv4.conf.default.accept_source_route = 0
-net.ipv4.conf.all.accept_source_route = 0
-
-# Ensure TCP SYN cookies protection is enabled
-net.ipv4.tcp_syncookies = 1
-
-# Ensure ICMP redirects are disabled
-net.ipv4.conf.default.accept_redirects = 0
-net.ipv4.conf.all.accept_redirects = 0
-
-# Ensure oddball addresses are logged
-net.ipv4.conf.default.log_martians = 1
-net.ipv4.conf.all.log_martians = 1
-
-
-net.ipv4.icmp_echo_ignore_broadcasts = 1
-
-net.ipv4.icmp_ignore_bogus_error_responses = 1
-
-## Optional from here on down, depending on your situation. ############
-
-# Ensure ip-forwarding is enabled if
-# we want to do forwarding or masquerading.
-net.ipv4.ip_forward = 1
-
-# On if your IP is dynamic (or you don't know).
-net.ipv4.ip_dynaddr = 1
-
-# end of example
-
-
------------------------------------------------------------------------------
-
-8.9. Secure Alternatives
-
-This section will give a brief run down on secure alternatives to potentially
-insecure methods. This will be a hodge podge of clients and servers.
-
- * telnet, rsh - ssh
-
- * ftp, rcp - scp or sftp. Both are part of ssh packages. Also, files can
- easily be transfered via HTTP if Apache is already running anyway. Apache
- can be buttoned down even more by using SSL (HTTPS).
-
- * sendmail - postfix, qmail. Not to imply that current versions of sendmail
- are insecure. Just that there is some bad history there, and just because
- it is so widely used that it makes an inviting crack target.
-
- As noted above, Linux installations often include a fully functional mail
- server. While this may have some advantages, it is not necessary in many
- cases for simply sending mail, or retrieving mail. This can all be done
- without a "mail server daemon" running locally.
-
- * POP3 - SPOP3, POP3 over SSL. If you really need to run your own POP
- server, this is the way to do it. If retrieving your mail from your ISP's
- server, then you are at their mercy as to what they provide.
-
- * IMAP - IMAPS, same as above.
-
- * If you find you need a particular service, and it is for just you or a
- few friends, consider running it on a non-standard port. Most server
- daemons support this, and is not a problem as long as those who will be
- connecting, know about it. For instance, the standard port for sshd is
- 22. Any worm or scan will probe for this port number. So run it on a
- randomly chosen port. See the sshd man page.
-
-
------------------------------------------------------------------------------
-8.10. Ipchains and Iptables Redux
-
-This section offers a little more advanced look at some of things that
-ipchains and iptables can do. These are basically the same scripts as in Step
-3 above, just with some more advanced configuration options added. These will
-provide "masquerading", "port forwarding", allow access to some user
-definable services, and a few other things. Read the comments for
-explanations.
------------------------------------------------------------------------------
-
-8.10.1. ipchains II
-
-#!/bin/sh
-#
-# ipchains.sh
-#
-# An example of a simple ipchains configuration. This script
-# can enable 'masquerading' and will open user definable ports.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-# Set the location of ipchains (default).
-IPCHAINS=/sbin/ipchains
-
-# Local Interfaces
-#
-# This is the WAN interface, that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-#
-# Local Area Network (LAN) interface.
-#LAN_IFACE="eth0"
-LAN_IFACE="eth1"
-
-# Our private LAN address(es), for masquerading.
-LAN_NET="192.168.1.0/24"
-
-# For static IP, set it here!
-#WAN_IP="1.2.3.4"
-
-# Set a list of public server port numbers here...not too many!
-# These will be open to the world, so use caution. The example is
-# sshd, and HTTP (www). Any services included here should be the
-# latest version available from your vendor. Comment out to disable
-# all PUBLIC services.
-#PUBLIC_PORTS="22 80 443"
-PUBLIC_PORTS="22"
-
-# If we want to do port forwarding, this is the host
-# that will be forwarded to.
-#FORWARD_HOST="192.168.1.3"
-
-# A list of ports that are to be forwarded.
-#FORWARD_PORTS="25 80"
-
-# If you get your public IP address via DHCP, set this.
-DHCP_SERVER=66.21.184.66
-
-# If you need identd for a mail server, set this.
-MAIL_SERVER=
-
-# A list of unwelcome hosts or nets. These will be denied access
-# to everything, even our 'PUBLIC' services. Provide your own list.
-#BLACKLIST="11.22.33.44 55.66.77.88"
-
-# A list of "trusted" hosts and/or nets. These will have access to
-# ALL protocols, and ALL open ports. Be selective here.
-#TRUSTED="1.2.3.4/8 5.6.7.8"
-
-## end user configuration options #################################
-###################################################################
-
-# The high ports used mostly for connections we initiate and return
-# traffic.
-LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
-`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# Start building chains and rules #################################
-#
-# Let's start clean and flush all chains to an empty state.
-$IPCHAINS -F
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that ipchains uses.
-$IPCHAINS -P forward DENY
-$IPCHAINS -P output ACCEPT
-$IPCHAINS -P input DENY
-
-# Accept localhost/loopback traffic.
-$IPCHAINS -A input -i lo -j ACCEPT
-
-# Get our dynamic IP now from the Inet interface. WAN_IP will be our
-# IP address we are protecting from the outside world. Put this
-# here, so default policy gets set, even if interface is not up
-# yet.
-[ -z "$WAN_IP" ] &&\
- WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`
-
-# Bail out with error message if no IP available! Default policy is
-# already set, so all is not lost here.
-[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
-
-WAN_MASK=`ifconfig $WAN_IFACE | grep Mask | cut -d : -f 4`
-WAN_NET="$WAN_IP/$WAN_MASK"
-
-## Reserved IPs:
-#
-# We should never see these private addresses coming in from outside
-# to our external interface.
-$IPCHAINS -A input -l -i $WAN_IFACE -s 10.0.0.0/8 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 172.16.0.0/12 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 192.168.0.0/16 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 127.0.0.0/8 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 169.254.0.0/16 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 224.0.0.0/4 -j DENY
-$IPCHAINS -A input -l -i $WAN_IFACE -s 240.0.0.0/5 -j DENY
-# Bogus routing
-$IPCHAINS -A input -l -s 255.255.255.255 -d $ANYWHERE -j DENY
-
-## LAN access and masquerading
-#
-# Allow connections from our own LAN's private IP addresses via the LAN
-# interface and set up forwarding for masqueraders if we have a LAN_NET
-# defined above.
-if [ -n "$LAN_NET" ]; then
- echo 1 > /proc/sys/net/ipv4/ip_forward
- $IPCHAINS -A input -i $LAN_IFACE -j ACCEPT
- $IPCHAINS -A forward -s $LAN_NET -d $LAN_NET -j ACCEPT
- $IPCHAINS -A forward -s $LAN_NET -d ! $LAN_NET -j MASQ
-fi
-
-## Blacklist hosts/nets
-#
-# Get the blacklisted hosts/nets out of the way, before we start opening
-# up any services. These will have no access to us at all, and will be
-# logged.
-for i in $BLACKLIST; do
- $IPCHAINS -A input -l -s $i -j DENY
-done
-
-## Trusted hosts/nets
-#
-# This is our trusted host list. These have access to everything.
-for i in $TRUSTED; do
- $IPCHAINS -A input -s $i -j ACCEPT
-done
-
-# Port Forwarding
-#
-# Which ports get forwarded to which host. This is one to one
-# port mapping (ie 80 -> 80) in this case.
-# NOTE: ipmasqadm is a separate package from ipchains and needs
-# to be installed also. Check first!
-[ -n "$FORWARD_HOST" ] && ipmasqadm portfw -f &&\
- for i in $FORWARD_PORTS; do
- ipmasqadm portfw -a -P tcp -L $WAN_IP $i -R $FORWARD_HOST $i
- done
-
-## Open, but Restricted Access ports/services
-#
-# Allow DHCP server (their port 67) to client (to our port 68) UDP traffic
-# from outside source.
-[ -n "$DHCP_SERVER" ] &&\
- $IPCHAINS -A input -p udp -s $DHCP_SERVER 67 -d $ANYWHERE 68 -j ACCEPT
-
-# Allow 'identd' (to our TCP port 113) from mail server only.
-[ -n "$MAIL_SERVER" ] &&\
- $IPCHAINS -A input -p tcp -s $MAIL_SERVER -d $WAN_IP 113 -j ACCEPT
-
-# Open up PUBLIC server ports here (available to the world):
-for i in $PUBLIC_PORTS; do
- $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $i -j ACCEPT
-done
-
-# So I can check my home POP3 mailbox from work. Also, so I can ssh
-# in to home system. Only allow connections from my workplace's
-# various IPs. Everything else is blocked.
-$IPCHAINS -A input -p tcp -s 255.10.9.8/29 -d $WAN_IP 110 -j ACCEPT
-
-# Uncomment to allow ftp data back (active ftp). Not required for 'passive'
-# ftp connections.
-#$IPCHAINS -A input -p tcp -s $ANYWHERE 20 -d $WAN_IP $LOCAL_PORTS -y -j ACCEPT
-
-# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
-# the high, unprivileged ports (1024 to 4999 by default). This will
-# allow return connection traffic for connections that we initiate
-# to outside sources. TCP connections are opened with 'SYN' packets.
-# We have already opened those services that need to accept SYNs
-# for, so other SYNs are excluded here for everything else.
-$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
-
-# We can't be so selective with UDP since that protocol does not know
-# about SYNs.
-$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
-
-# Allow access to the masquerading ports conditionally. Masquerading
-# uses it's own port range -- on 2.2 kernels ONLY! 2.4 kernels, do not
-# use these ports, so comment out!
-[ -n "$LAN_NET" ] &&\
- $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP 61000: ! -y -j ACCEPT &&\
- $IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP 61000: -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPCHAINS -A input -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-$IPCHAINS -A input -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
-
-#######################################################################
-# Set the catchall, default rule to DENY, and log it all. All other
-# traffic not allowed by the rules above, winds up here, where it is
-# blocked and logged. This is the default policy for this chain
-# anyway, so we are just adding the logging ability here with '-l'.
-# Outgoing traffic is allowed as the default policy for the 'output'
-# chain. There are no restrictions on that.
-
-$IPCHAINS -A input -l -j DENY
-
-echo "Ipchains firewall is up `date`."
-
-##-- eof ipchains.sh
-
-
------------------------------------------------------------------------------
-
-8.10.2. iptables II
-
-#!/bin/sh
-#
-# iptables.sh
-#
-# An example of a simple iptables configuration. This script
-# can enable 'masquerading' and will open user definable ports.
-#
-###################################################################
-# Begin variable declarations and user configuration options ######
-#
-# Set the location of iptables (default).
-IPTABLES=/sbin/iptables
-
-# Local Interfaces
-# This is the WAN interface that is our link to the outside world.
-# For pppd and pppoe users.
-# WAN_IFACE="ppp0"
-WAN_IFACE="eth0"
-#
-# Local Area Network (LAN) interface.
-#LAN_IFACE="eth0"
-LAN_IFACE="eth1"
-
-# Our private LAN address(es), for masquerading.
-LAN_NET="192.168.1.0/24"
-
-# For static IP, set it here!
-#WAN_IP="1.2.3.4"
-
-# Set a list of public server port numbers here...not too many!
-# These will be open to the world, so use caution. The example is
-# sshd, and HTTP (www). Any services included here should be the
-# latest version available from your vendor. Comment out to disable
-# all Public services. Do not put any ports to be forwarded here,
-# this only direct access.
-#PUBLIC_PORTS="22 80 443"
-PUBLIC_PORTS="22"
-
-# If we want to do port forwarding, this is the host
-# that will be forwarded to.
-#FORWARD_HOST="192.168.1.3"
-
-# A list of ports that are to be forwarded.
-#FORWARD_PORTS="25 80"
-
-# If you get your public IP address via DHCP, set this.
-DHCP_SERVER=66.21.184.66
-
-# If you need identd for a mail server, set this.
-MAIL_SERVER=
-
-# A list of unwelcome hosts or nets. These will be denied access
-# to everything, even our 'Public' services. Provide your own list.
-#BLACKLIST="11.22.33.44 55.66.77.88"
-
-# A list of "trusted" hosts and/or nets. These will have access to
-# ALL protocols, and ALL open ports. Be selective here.
-#TRUSTED="1.2.3.4/8 5.6.7.8"
-
-## end user configuration options #################################
-###################################################################
-
-# Any and all addresses from anywhere.
-ANYWHERE="0/0"
-
-# These modules may need to be loaded:
-modprobe ip_conntrack_ftp
-modprobe ip_nat_ftp
-
-# Start building chains and rules #################################
-#
-# Let's start clean and flush all chains to an empty state.
-$IPTABLES -F
-$IPTABLES -X
-
-
-# Set the default policies of the built-in chains. If no match for any
-# of the rules below, these will be the defaults that IPTABLES uses.
-$IPTABLES -P FORWARD DROP
-$IPTABLES -P OUTPUT ACCEPT
-$IPTABLES -P INPUT DROP
-
-# Accept localhost/loopback traffic.
-$IPTABLES -A INPUT -i lo -j ACCEPT
-
-# Get our dynamic IP now from the Inet interface. WAN_IP will be the
-# address we are protecting from outside addresses.
-[ -z "$WAN_IP" ] &&\
- WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`
-
-# Bail out with error message if no IP available! Default policy is
-# already set, so all is not lost here.
-[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
-
-WAN_MASK=`ifconfig $WAN_IFACE |grep Mask |cut -d : -f 4`
-WAN_NET="$WAN_IP/$WAN_MASK"
-
-## Reserved IPs:
-#
-# We should never see these private addresses coming in from outside
-# to our external interface.
-$IPTABLES -A INPUT -i $WAN_IFACE -s 10.0.0.0/8 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 172.16.0.0/12 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 192.168.0.0/16 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 127.0.0.0/8 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 169.254.0.0/16 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 224.0.0.0/4 -j DROP
-$IPTABLES -A INPUT -i $WAN_IFACE -s 240.0.0.0/5 -j DROP
-# Bogus routing
-$IPTABLES -A INPUT -s 255.255.255.255 -d $ANYWHERE -j DROP
-
-# Unclean
-$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -m limit \
- --limit 15/minute -j LOG --log-prefix "Unclean: "
-$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -j DROP
-
-## LAN access and masquerading
-#
-# Allow connections from our own LAN's private IP addresses via the LAN
-# interface and set up forwarding for masqueraders if we have a LAN_NET
-# defined above.
-if [ -n "$LAN_NET" ]; then
- echo 1 > /proc/sys/net/ipv4/ip_forward
- $IPTABLES -A INPUT -i $LAN_IFACE -j ACCEPT
-# $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_NET -j ACCEPT
- $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
-fi
-
-## Blacklist
-#
-# Get the blacklisted hosts/nets out of the way, before we start opening
-# up any services. These will have no access to us at all, and will
-# be logged.
-for i in $BLACKLIST; do
- $IPTABLES -A INPUT -s $i -m limit --limit 5/minute \
- -j LOG --log-prefix "Blacklisted: "
- $IPTABLES -A INPUT -s $i -j DROP
-done
-
-## Trusted hosts/nets
-#
-# This is our trusted host list. These have access to everything.
-for i in $TRUSTED; do
- $IPTABLES -A INPUT -s $i -j ACCEPT
-done
-
-# Port Forwarding
-#
-# Which ports get forwarded to which host. This is one to one
-# port mapping (ie 80 -> 80) in this case.
-[ -n "$FORWARD_HOST" ] &&\
- for i in $FORWARD_PORTS; do
- $IPTABLES -A FORWARD -p tcp -s $ANYWHERE -d $FORWARD_HOST \
- --dport $i -j ACCEPT
- $IPTABLES -t nat -A PREROUTING -p tcp -d $WAN_IP --dport $i \
- -j DNAT --to $FORWARD_HOST:$i
- done
-
-## Open, but Restricted Access ports
-#
-# Allow DHCP server (their port 67) to client (to our port 68) UDP
-# traffic from outside source.
-[ -n "$DHCP_SERVER" ] &&\
- $IPTABLES -A INPUT -p udp -s $DHCP_SERVER --sport 67 \
- -d $ANYWHERE --dport 68 -j ACCEPT
-
-# Allow 'identd' (to our TCP port 113) from mail server only.
-[ -n "$MAIL_SERVER" ] &&\
- $IPTABLES -A INPUT -p tcp -s $MAIL_SERVER -d $WAN_IP --dport 113 -j ACCEPT
-
-# Open up Public server ports here (available to the world):
-for i in $PUBLIC_PORTS; do
- $IPTABLES -A INPUT -p tcp -s $ANYWHERE -d $WAN_IP --dport $i -j ACCEPT
-done
-
-# So I can check my home POP3 mailbox from work. Also, so I can ssh
-# in to home system. Only allow connections from my workplace's
-# various IPs. Everything else is blocked.
-$IPTABLES -A INPUT -p tcp -s 255.10.9.8/29 -d $WAN_IP --dport 110 -j ACCEPT
-
-## ICMP (ping)
-#
-# ICMP rules, allow the bare essential types of ICMP only. Ping
-# request is blocked, ie we won't respond to someone else's pings,
-# but can still ping out.
-$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
- -s $ANYWHERE -d $WAN_IP -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
- -s $ANYWHERE -d $WAN_IP -j ACCEPT
-$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
- -s $ANYWHERE -d $WAN_IP -j ACCEPT
-
-# Identd Reject
-#
-# Special rule to reject (with rst) any identd/auth/port 113
-# connections. This will speed up some services that ask for this,
-# but don't require it. Be careful, some servers may require this
-# one (IRC for instance).
-#$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-
-###################################################################
-# Build a custom chain here, and set the default to DROP. All
-# other traffic not allowed by the rules above, ultimately will
-# wind up here, where it is blocked and logged, unless it passes
-# our stateful rules for ESTABLISHED and RELATED connections. Let
-# connection tracking do most of the worrying! We add the logging
-# ability here with the '-j LOG' target. Outgoing traffic is
-# allowed as that is the default policy for the 'output' chain.
-# There are no restrictions placed on that in this script.
-
-# New chain...
-$IPTABLES -N DEFAULT
-# Use the 'state' module to allow only certain connections based
-# on their 'state'.
-$IPTABLES -A DEFAULT -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTABLES -A DEFAULT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
-# Enable logging for anything that gets this far.
-$IPTABLES -A DEFAULT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
-# Now drop it, if it has gotten here.
-$IPTABLES -A DEFAULT -j DROP
-
-# This is the 'bottom line' so to speak. Everything winds up
-# here, where we bounce it to our custom built 'DEFAULT' chain
-# that we defined just above. This is for both the FORWARD and
-# INPUT chains.
-
-$IPTABLES -A FORWARD -j DEFAULT
-$IPTABLES -A INPUT -j DEFAULT
-
-echo "Iptables firewall is up `date`."
-
-##-- eof iptables.sh
-
-
------------------------------------------------------------------------------
-
-8.10.3. Summary
-
-A quick run down of the some highlights...
-
-We added some host based access control rules: "blacklisted", and "trusted".
-We then showed several types of service and port based access rules. For
-instance, we allowed some very restrictive access to bigcat's POP3 server so
-we could connect only from our workplace. We allowed a very narrow rule for
-the ISP's DHCP server. This rule only allows one port on one outside IP
-address to connect to only one of our ports and only via the UDP protocol.
-This is a very specific rule! We are being specific since there is no reason
-to allow any other traffic to these ports or from these addresses. Remember
-our goal is the minimum amount of traffic necessary for our particular
-situation.
-
-So we made those few exceptions mentioned above, and all other services
-running on bigcat should be effectively blocked completely from outside
-connections. These are still happily running on bigcat, but are now safe and
-sound behind our packet filtering firewall. You probably have other services
-that fall in this category as well.
-
-We also have a small, home network in the above example. We did not take any
-steps to block that traffic. So the LAN has access to all services running on
-bigcat. And it is further "masqueraded", so that it has Internet access
-(different HOWTO), by manipulating the "forward" chain. And the LAN is still
-protected by our firewall since it sits behind the firewall. We also didn't
-impose any restrictive rules on the traffic leaving bigcat. In some
-situations, this might be a good idea.
-
-Of course, this is just a hypothetical example. Your individual situation is
-surely different, and would require some changes and likely some additions to
-the rules above. For instance, if your ISP does not use DHCP (most do not),
-then that rule would make no sense. PPP works differently and such rules are
-not needed.
-
-Please don't interpret that running any server as we did in this example is
-necessarily a "safe" thing to do. We shouldn't do it this way unless a) we
-really need to and b) we are running the current, safe version, and c) we are
-able to keep abreast of security related issues that might effect these
-services. Vigilance and caution are part of our responsibilities here too.
------------------------------------------------------------------------------
-
-8.10.4. iptables mini-me
-
-Just to demonstrate how succinctly iptables can be configured in a minimalist
-situation, the below is from the Netfilter team's Rusty's Really Quick Guide
-To Packet Filtering:
-
-
- "Most people just have a single PPP connection to the Internet, and don't
- want anyone coming back into their network, or the firewall:"
-
- ## Insert connection-tracking modules (not needed if built into kernel).
- insmod ip_conntrack
- insmod ip_conntrack_ftp
-
- ## Create chain which blocks new connections, except if coming from inside.
- iptables -N block
- iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
- iptables -A block -j DROP
-
- ## Jump to that chain from INPUT and FORWARD chains.
- iptables -A INPUT -j block
- iptables -A FORWARD -j block
-
-
-
-This simple script will allow all outbound connections that we initiate, i.e.
-any NEW connections (since the default policy of ACCEPT is not changed). Then
-any connections that are "ESTABLISHED" and "RELATED" to these are also
-allowed. And, any connections that are not incoming from our WAN side
-interface, ppp0, are also allowed. This would be lo or possibly a LAN
-interface like eth1. So we can do whatever we want, but no unwanted, incoming
-connection attempts are allowed from the Internet. None.
-
-This script also demonstrates the creation of a custom chain, defined here as
-"block", which is used both for the INPUT and FORWARD chains.
-