UNIX Security Basics

1
UNIX Security Basics
David LaPorte Network Security Engineer Network
Operations Center
2
Topics

• Internal Threats
• External Threats
• The Countermeasures
• Recommended Software
• Common Mistakes
• Additional Resources

3
External Threats

• Open, insecure services
• BIND (8.2.2p5 - 11/12/99)
• Sendmail (8.9.3 - 2/4/99)
• wuFTP (2.6.0 10/19/99)
• Denial of service (DOS) attacks
• SYN Flooding
• Smurfing
• Sniffing
• Assume anything you send over the network is
  insecure
• Use SSH exclusively!!!

4
Internal Threats

• Incorrect permissions
• Setting proper umasks
• SUID/SGID binaries
• Trojan Horses
• Accessible /etc/passwd
• Use shadow passwords
• Outdated binaries
• Buffer overflows
• Incorrect programming practices

5
The Countermeasures

• Monitor logs closely
• Use logcheck, swatch, or other tool to monitor
  logs in real-time and set off alerts
• Log to a central loghost via syslog
• Use TCP Wrappers
• Limit connectivity to only those hosts that need
  it
• Disable unnecessary services
• Shutdown inetd unless you really need it,
  liberally comment otherwise
• Portscan yourself with nmap to see whats
  running, check process listing with ps or top
• Use fuser/lsof to determine which process is
  using which port

6
The Countermeasures

• Enforce strict permissions
• Use a file integrity checker such as Tripwire to
  establish system baseline
• If you ever think youre hacked, comparing your
  system state to the baseline should expose any
  trojan horses

7
Recommended Software

• SSH
• Drop-in replacement for telnet and r services
• ftp//ftp.cs.hut.fi/pub/ssh
• Port Sentry
• Port scan detector
• http//www.psionic.com/abacus/portsentry/
• TCP Wrappers
• ftp//coast.cs.purdue.edu/pub/tools/unix/tcp_wrapp
  ers

8
Recommended Software

• Nmap
• Port scanning utility
• http//www.insecure.org/nmap
• Tripwire
• File integrity checker
• http//www.tripwiresecurity.com
• Harvard soon have a site license
• Logcheck
• Scans log files for problems or security
  violations
• http//www.psionic.com/abacus/logcheck

9
Common Mistakes

• Dont assume your OS is secure out of the box
• Most are not
• Updates needed on even the most secure
• Dont wait to install updates
• Pull machine off wire immediately after install
• Make all configuration changes and install all
  current updates
• Dont do everything as root
• Less is more!

10
Staying Current

• Subscribe to mailing lists
• Bugtraq_at_securityfocus.com
• Install latest updates as soon as available
• Linux ftp//updates.redhat.com
• Solaris http//sunsolve.sun.com
• Tru64 ftp//ftp.service.digital.com

11
Additional Resources

• Security-related websites
• http//www.securityfocus.com
• http//www.securityportal.com
• http//packetstorm.securify.com
• Practical UNIX Internet Security
• http//www.oreilly.com/catalog/puis/