From: Jonathan Sergent sergent@io.com
Several things I would say would have changed this a great deal:
-- always make sure you have the latest updates from your
distribution
vendor installed (and turn off anything that you know has been
broken
but not yet fixed) -- would have eliminated stack smashing
possibility
-- use ssh if you are going to su to root. telnet is probably
okay for
mortal use. (Just make sure nobody gets in as you and installs
a
trojan su! Type "/bin/su" and watch out with your shell init
files.)
-- use a secure hub or switch (aka bridge) so that people
can't sniff
much when they try.
Something you didn't mention at all -- turn off .rhosts. You
can do
this real easily on PAM-enabled systems in like 30 seconds by
taking
the "pam_rhosts_auth" lines out of /etc/pam.d/r{login,sh} [in the
Red
Hat case -- will be /etc/pam.conf on other systems like Solaris
2.6].
From: marc_merlin@magic.metawire.com
(Marc MERLIN)
>> rpm -qa shows changed binaries.
I messed up however, I meant to say -Va (Verify All)
>- other security problems (/root/.ssh/authorized_keys,
mode 666 /etc/shadow,
>setuid copies of shells, etc.) that can be exploited to get
root again, but do
>not involve changed binaries that would show up under
checksums.
rpm -Va does check file modes (so it would catch /etc/shadow).
As for
/root/.ssh/authorized_keys, indeed, there are a few things that
you need to
check by hand.
Anyone has a url to a root kit? (so that I could have an idea
of what it'd
look like).
From: Mark Willey willey@etla.net
I have been thinking about security lately, and also about the
fact that
it's hard to verify your system if it was compromised, as your
tools or
the kernel itself may have been hacked. One thing I have been
thinking of
is a "security audit" machine that is connected only via a serial
port and
does everything thru a login. Although the environment could have
been
screwed up and still defeat this. Having this machine share your
SCSI
chain with a possibly-affected system would probably work pretty
well,
though, as you take the kernel out of the loop, and if you only
read from
the (possibly) affected drives, it should be allright. Too bad
SCSI
(usually) doesn't support this out of the box. :( Perhaps they
will get
it right with Fibre Channel, or NAS (network-attached storage)
systems.
Hm, but just wait until we get fancy Network-Attacked^H^H^Hhed
Storage that
can be compromised at the *drive's* OS level. ;-)
From: alvin@planet.fef.com (Alvin Oga)
Reposting From: Jonathan Sergent sergent@io.com
....
Several versions, with a variety of licenses...
* The canonical versions are from DataFellows for Windows and
Mac and they
are not too bad interface-wise but they cost money (there is a
30-day
trial of some sort) -- http://www.datafellows.com/f-secure/ssh/
* SecureCRT (from http://www.vandyke.com/) is
another one you can get a
free trial for.
https://secure.vandyke.com/download/SecureCRT/index.html
* There are some people doing a free one for the Mac whose
name and URL
I cannot recall.
* There is a binary-only freeware one for Windows at:
http://www.doc.ic.ac.uk/~ci2/ssh/
that is a bit clumsy but is at the right price for some.
From: Dave Zarzycki dave@c204500-a.frmt1.sfba.home.com
> If you want to avoid sending ftp passwords in cleartext
over the net, you
> can use ssh to encrypt your command channel. This will still
leave your data
> channel open to all attacks on TCP, and will not work
through a firewall.
Of course, if ssh in on both systems, why use ftp at all?
what's wrong
with scp?
From: marc_merlin@magic.metawire.com
(Marc MERLIN)
>>Tunnel port 21 over ssh.
[...]
If you want to avoid sending ftp passwords in cleartext over
the net, you
can use ssh to encrypt your command channel. This will still
leave your data
channel open to all attacks on TCP, and will not work through a
firewall.
From: Caleb David avatar@very.strange.com
Rick/Everyone else:
Some questions of my own related to this, no intention of
stealing
your thread :-) but you reminded me....
...using RH 5.0 with quite a few 5.1 packages installed (maybe
all, I
don't recall exactly how much I upgraded from the 'net).
Kernel
2.1.107.
I currently have my box set up using tcp_wrappers and
everything
denied except what's explicity allowed in hosts.allow (this would
be
99.999999% of the planet, the rest being sites I would login from
--
work, mostly). I have, as daemons, sendmail 8.8.7, apache 1.3,
named,
a mush and a mux (port 4201 and 2000, respectively), and
sshd.
I use ssh to login remotely whenever possible, but there are
a
couple people/friends who don't have access to an ssh client,
so
presumably their passwords could be sniffed out. Neither of them
has
anything resembling root access.
Am I totally insane to think that tcp_wrappers are going to
prevent
most illegitimate access via normal shell services (telnet,
rlogin,
etc)? I realize named is supposed to be a security hole, but I
didn't
see on rootshell any mention of exploits using it -- can
anyone
elaborate on this? The apache server is about as well locked down
as
it can be w/out killing CGI scripts. Sendmail disallows all the
Bad
Stuff except for hosts I explicity allow to relay through me.
The mush/mux is irrelevant except for denial-of-service attacks
by
means of maxing out the CPU with softcode commands.
It's possible that I have misconfigured ssh somehow, but am
currently under the impression that my sessions are encrypted
by
default -- am I wrong here? If so, how do I fix it so they are?
And,
what's the difference between sshd and ssh-agent?
Thanks,
Cal
From: marc_merlin@magic.metawire.com
(Marc MERLIN)
rpm -qa shows changed binaries.
Then you do a find for suid/sgid binaries, and you check that all
of them
are maintained by RPM.
That way:
- You make sure all you existing suid and other root launched
programs are
the original ones (if not, just re-install the package, rpm -U
--force)
- You also know that you have no other suid backdoors.
From: Rafael Skodlar raffi@kset.com
Hmmm, I am the last one to expect that to happen over there.
I recently exchanged some email about firewalls with somebody
who will
likely read this. His position was that others have worse
security so it's
going to happen there more likely.
My position is that a firewall is the only way to go....
You can install firewall on on the same machine as it is used
for www and
other services or use it in a clasical, 2 interface way.
weenie or not, the damage is there. Time to reinstall the OS,
rpm upgrade
wont do it (Marc?).
That's one thing I don't understand in Unix, commercial or
free. Why do we
still run applications and programs with unecrypted passwords?
That's
crazy! We know for years where the basic security holes are, yet
they
still ship old apps/utils. So much time has been wasted because
of that.
Why is ssh not a part of RH distribution? If somebody wants to
use old
programs they could run rpm to downgrade the system.
RH is not using shadow passwds, not using ssh, sudo, or secure
ftp, or...
Why?
> Correct me if I'm wrong: There's no way to secure
non-anonymous
> ftp, right? By "secure", I mean prevent disclosure of
plaintext
wu-ftp has some of that stuff but there were some bugs in it a
few months
back.
From: marc_merlin@magic.metawire.com (Marc MERLIN)
You're saying that you telneted to your machine from some
client's site, and
someone was running a password sniffer?
Why not just leave the line out completely?
Like:
bin:*:1:1:bin:/bin:
1) Recompile wu-ftpd to do anonymous ftp only (it's a
compilation option
somewhere)
2) Remove users shells from /etc/shells (I think only ftp
actually uses
/etc/shells (well chsh also, but you don't use that
everyday)).
I do pop3 over ssh, works very well :-)
>5. Allow only APOP; disable the USER/PASS
authentication
>mechanism. Qualcomm's qpopper (inherited from Berkeley
popper)
>supports APOP: Anybody know how to mandate that auth
method
>in qpopper, solely?
If you add users to the apop database, they become forced to
use APOP.
Problem with APOP: to my knowledge only eudora supports it (on
the windows
side that is, fetchmail does APOP very well also).
[securing ftp]
Tunnel port 21 over ssh.
Another solution is to use a windows ssh client (like SecureCRT)
that
supports zmodem. Then, you log in and use good old sz and rz.
The new ssh that was just released yesterday is supposed to work
on windows,
_and_ provide scp.
From: Mark Willey willey@etla.net
This can be secured quite easily. Of course you already know
about ssh.
If you are in a place with telnet-only access out, you can use
S/Key to
provide one-time keys. Under NetBSD, this is as easy as
running
"skeyinit". Then I use PilOTP on my Pilot to generate an MD4 hash
on
demand and log in.
If you need to su, keep a screen process running in the
background with a
root shell. Lock that session with an arbitrary password that you
use
only once.
These methods require some work on your part. But I am sure
you are
receptive to them, as you just got hacked. :)
I also have other defenses set up. I usually don't talk about
it but as
we're among friends... ;-) (And if any o you hack my machine,
well, I
can find out where you live.) <evil grin>
Run standard security audit tools, COPS, Tripwire, etc, as
well as your
own security scan scripts. Does Linux come with an /etc/security
shell
script that runs nightly? Oh yeah, important: *read* the output
of the
script. :) Also review your logs. I also have some tools to
audibly
announce when certain events happen on my machine.
Now this said, I *do not* believe my machine is secure at all.
But I have
tried to remove the easy entries and try to let only trustworthy
people on
the machine.
>3. ftp: Under this scenario, I (the sysadmin) can
still
>get/retrieve files via _anonymous_ ftp (because I can ssh
in
>and su to root) and also via scp (without having to
compromise
S/Key can hep you here, too.
From duncan@mail.sfpcug.ORG Sat
May 11 19:10:57 1996
Return-Path: duncan@mail.sfpcug.ORG
Received: from atlas.sfpcug.org (atlas.sfpcug.ORG
[140.174.70.31]) by hugin.imat.com (8.7.4/8.7.3) with SMTP id
TAA11520 for rick@hugin.imat.com; Sat, 11 May
1996 19:10:56 -0700
Received: (from duncan@localhost) by
atlas.sfpcug.org (8.6.12/8.6.12) id TAA10953 for tinc; Sat, 11
May 1996 19:06:57 -0700
Date: Sat, 11 May 1996 19:06:57 -0700
From: Duncan MacKinnon duncan@mail.sfpcug.ORG
Message-Id: 199605120206.TAA10953@atlas.sfpcug.org
To: tinc@atlas.sfpcug.org
Status: RO
>From agate!brain.cs.berkeley.edu!genehkan Mon Mar 25
02:13:59 1996
Path: agate!brain.cs.berkeley.edu!genehkan
From: genehkan@brain.cs.berkeley.edu
(Gene Kan)
Newsgroups: ucb.os.linux,ucb.org.callug
Subject: Minutes for Linux Security Talk, Ian Goldberg,
031996
Date: 20 Mar 1996 21:18:39 GMT
Organization: Cal Linux Users Group
Lines: 156
Message-ID: 4ipsnf$qb4@agate.berkeley.edu
NNTP-Posting-Host: wakko.cs.berkeley.edu
Xref: agate ucb.os.linux:960 ucb.org.callug:237
From: Linda Kamas kamas@eecs.berkeley.edu
Annotated and modified by Gene Kan, 03/20/96
Linux Security Talk 3/19/96
===========================
Presenter: Ian Goldberg
Threat Models
-------------
Set perimeters of trust around your computer--physical, over
network
connections,intra-group.
#1 common reason for a break-in is for others to use your
computer's
resources.
Ex: Use your hard disk for stolen software
Use your CPU cycles for passwd cracking
Use your identity to disguise attacks on other computers
This is what will be discussed.
Where to Get Info
-----------------
newsgroups:
comp.security.announce (low volume)
comp.security.unix (high volume)
lists:
linux-security
linux-alert
enroll by mailing to majordomo@linux.???
type "subscribe linux-security" in body of email to enroll in
linux-security.
Book:
"Firewalls and Internet Security: Repelling the Wily Hacker"
by
William R. Cheswich and Steven M. Bellovin
What to Check
-------------
Listed below are important commands to see what your machine is
doing
and configuration files to edit to make your machine more
secure.
1. ps -auxw
Look at all processes that are running and be familiar with
them.
Typical programs running as root:
inetd
crond
sendmail
getty (the login prompt which asks for passwords)
Programs that must run as many users must run as root.
2. netstat
See who is connected to your machine.
tcp ex: telnet, rlogin need reliable connection
udp ex: nfs doesn't register errors
ports < 1024 are run by root
port 2049 is NFS connection, oddly enough.
unix sockets are relatively benign, they are connections
within
your computer.
Advice: don't run NFS if you want security.
3. lsof -i
This command is not necc. available with linux installation,
you'll
need to get this off the net.
This shows the internet connections of all files.
What you may see:
inetd this is where security holes probably are.
this program is run at boot time and initiates
root internet service programs.
example inetd internally provided services: time, echo
advice: turn OFF all network services that you won't be
using,
(ex: turn off ftp and telnet if you will not be telnetting/
ftping TO your computer)
specific advice: turn OFF systat and netstat. You don't need
others
using this to find out about your machine. (NOTE: the default
mode of these programs is enabled.)
If you don't use pop2 or pop3 (to pop your mail from home to
somewhere else) disable these.
how to execute the advice: edit the /etc/inetd.conf file by
commenting
out services that are unnecessary. All internet services are
governed by a line in the inetd.conf file, with a
corresponding
service -> port mapping in /etc/services. It is good
practice
to run as few services as root as possible since each service
program could potentially have bugs which lead to security
holes.
advice: set the user of inetd executed as the user "nobody".
This is
one of the fields in the inetd.conf config lines. You can
choose
to have processes run as any user, but only those processes
which
MUST run as root should be run as root, since that promotes
security holes.
4. The program tcpd is good (you don't run this, root
does).
This only lets users from computers x connect to your machine
and
partake in services y.
advice: edit /etc/hosts.allow and /etc/hosts.deny to
allow/deny
certain hosts and certain services. Put all your tcpd
programs
in hosts.deny for more security.
the format of /etc/hosts.{allow, deny} is
service: hosts
foo: ALL (good default for a hosts.deny file)
the tcpd manpage is well-documented. Read it.
5. Another file to edit is /etc/rc.d/rc.inet2 (maybe something
else in redhat)
Comment out programs you do not need to run.
advice: keep backups of the original files. If you do screw up,
keep boot
and root disks handy. To boot in single-user mode (may need
this)
type:
boot: linux single
MORAL: Be familiar with what network services you are running.
Other Advice
------------
.rhosts are bad
Use kerberos and ssh.
kerberos = program with services like ftp (kftp) and rlogin
(krlogin)
but tickets encrypted by passwd are sent over the net for
confirmation rather than passwds.
ssh = secure shell
Most probable security risks:
httpd
sendmail
lpd
Configuration files (those listed in previous section:
rc.inet2, inetd.com)
that are world writeable is a BAD idea.
Testing your System
-------------------
Satan tests security on your machine. Only run satan on your own
machine.
Be root on another (a friend's) machine and run satan against
your machine
from there.
Check your syslog for unusual activity. tcpd logs any usage of
programs?
network services? in a syslog file and lists by whom they were
used. There
is not very much accounting going on in Unix systems, so you are
kind of
limited as to what you can figure out, but overall, the netstat
and lsof
utilities provide you with some amount of help.
--
Gene
* .stack a with it do programmers Forth
* http://ucsee.eecs.berkeley.edu/~genehkan