Talk 28-03-2000 Security

From CLUG Wiki


Tom's Notes: Improve Security by Hacking your Own System

Where to get the "Linux Administrator's Security Guide"

Where to get hacking tools and exploits

The above information relates to the talk I gave on 28/3/00, and is intended (as the title suggests) for improving, rather than compromising security. Email me if you have any questions or comments relating to the talk.


Marc's Notes: Security Checklist

Know your system

  • List network connections using netstat: netstat -uta
  • Find setuid and setgid executables: find / -type f -perm +6000 -exec ls -la {} \;
  • Find world writable files: find / -perm +0002 -exec ls -la {} \; (0002 is the world-write bit; 0004 would only list world-readable files. Newer GNU find spells these tests -perm /6000 and -perm /0002.)
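An added example (not part of the original notes) that wraps the two file checks above in functions and runs them over a constructed sample tree, so the difference between the setuid/setgid test and the world-write test is visible on known input; the tree and file names are made up for the demo.

```shell
#!/bin/sh
# Audit a tree for setuid/setgid executables and world-writable files, using
# current GNU find syntax: -perm /MODE matches "any of these bits",
# -perm -MODE matches "all of these bits" (the older +MODE form is obsolete).
# -xdev keeps the search on one filesystem (skips /proc and NFS mounts).

# Print regular files under $1 with the setuid or setgid bit set.
find_suid() {
    find "$1" -xdev -type f -perm /6000
}

# Print files and directories under $1 that anyone may write to.
# 0002 is the world-write bit; 0004 would be world-read, which is normal.
find_world_writable() {
    find "$1" -xdev ! -type l -perm -0002
}

# Build a constructed sample tree, run both checks, and print the two counts.
demo_audit() {
    d=$(mktemp -d)
    touch "$d/setuid-bin" "$d/plain" "$d/shared.txt"
    chmod 4755 "$d/setuid-bin"            # setuid executable: 1 finding
    chmod 0644 "$d/plain"                 # world-readable only: not a finding
    chmod 0666 "$d/shared.txt"            # world-writable file: 1 finding
    mkdir "$d/drop" && chmod 1777 "$d/drop"   # sticky world-writable dir: 1 finding
    suid=$(find_suid "$d" | wc -l | tr -d ' ')
    ww=$(find_world_writable "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$suid $ww"
}
```

On a real host, run the two find functions against / (as root) and review each entry; the example only shows that the tests select what they claim to.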

Take preventative measures

  • Minimize the services found above: edit /etc/inetd.conf
  • Use tcp wrappers: edit /etc/hosts.{allow,deny}
  • Insert firewalling rules to catch spoofed packets and provide redundancy for tcp wrappers
  • Encrypt traffic when accessing your system remotely
  • Don't access your system from untrustworthy hosts
  • Minimize time spent running as root, and preferably log in as root from a local text console only
  • Attempt to secure local console: Add password and restricted entries to /etc/lilo.conf (make sure that it is only readable by root). Use BIOS passwords
  • Make text log files append only using chattr +a, and system critical files immutable using chattr +i
  • Minimize transitions to root. Somebody connecting from the network should not be able to log in as root (check xdm and sshd), changing to root should be left to su

Look after a running system

  • Apply security patches as soon as they are released. Subscribe to security alert mailing lists
  • Read your log files. Understand the log messages. Use since to help read your logs, but understand the security implications
  • Run sanity checks periodically - see netstat and find above, but also aide or md5sum
  • Examine strange commands and processes: ps ax, fuser -n tcp port

Recovery measures

  • Make backups: Several variations
    1. No backups
    2. Only backup irreplaceable data
    3. Back up your data and config files
    4. Snapshots: Stop writing processes, mount filesystems or entire disks readonly, then copy out partition or disk image: Eg cat /dev/hda | gzip -c | ssh backupuser@remotehost.network 'cat > backup-image.hda.gz' (gzip -c compresses; scp cannot read an image from stdin, so pipe it through ssh instead)
    5. Run full backup strategy, using dump, tar or larger packages
  • Make logs difficult to change: Log to remote hosts using @remotehost.network in /etc/syslog.conf. Enable remote reception by starting syslogd with the -r option on the logging host. Use a dedicated logging host on the normal network, or use a dedicated serial cable and log to /dev/ttyS? once the port has been initialized

Interesting topics

  • Security through obscurity might not work for software vendors, but might work for you. Don't leak information about software versions - edit /etc/issue.net and rc scripts which create it, eliminate banners from sendmail (/etc/sendmail.cf), popper (bashful compile option) and others
  • Try and break into your system. It is a good education and you won't get into trouble for doing it
  • X and mail attachments are neglected security areas. Make sure you understand their security risks

Paranoia and advanced projects

  • Install IP loggers (eg ippl) which record all incoming packets. These loggers generate huge volumes of data very quickly. So you usually need to tune them, especially if you log UDP
  • /usr should not change during normal system operation. Turf (drop) your distribution if it does not respect this. Put /usr and possibly /usr/local on a separate partition. Mount /usr readonly or write /usr to CD (ext2 can be written to CD)
  • Understand the benefits of mounting file systems with the noexec, nosuid and nodev options
  • Newer kernels have support for capabilities. Get lcap and drop capabilities (such as setting of file system flags) in the default runlevel
  • Use sandboxes such as chroot for system services and restricted versions of bash, lsh or ksh for untrustworthy users. The linux usermode port should also be a good sandbox once it becomes stable. A contractor to the NSA is also working on improving linux security, as are the LIDS people.
  • Modify bootup scripts to run sanity checks before starting up. Boot from readonly media (stiffy (floppy), CD).
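An added example (not from the original notes) of the md5sum-style sanity check mentioned under "Look after a running system" and "run sanity checks before starting up" above: a baseline of checksums is recorded once and later runs report files that changed, vanished or appeared. sha256sum replaces md5sum here; the logic is the same, and the sample tree is constructed for the demo.

```shell
#!/bin/sh
# Minimal file-integrity check. Keep the baseline file off-host or on read-only
# media (CD, write-protected floppy): a baseline an intruder can rewrite along
# with the binaries proves nothing. Paths containing spaces are not handled.

# Record checksums of every regular file under tree $1 into baseline file $2.
make_baseline() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$2"
}

# Compare tree $1 against baseline $2. Prints one sorted line per discrepancy:
# "CHANGED ./path", "MISSING ./path" or "NEW ./path"; prints nothing if clean.
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    # sha256sum lines are "<hash>  <path>", so $1 is the hash and $2 the path.
    awk 'NR==FNR { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) {
                 if (!(p in cur)) print "MISSING " p
                 else if (base[p] != cur[p]) print "CHANGED " p
             }
             for (p in cur) if (!(p in base)) print "NEW " p
         }' "$2" "$cur" | sort
    rm -f "$cur"
}

# Constructed demo: baseline a tiny tree, then simulate a replaced binary,
# a deleted config file and an unexpected new file.
demo_integrity() {
    d=$(mktemp -d); b=$(mktemp)
    mkdir -p "$d/bin" "$d/etc"
    printf 'trusted\n' > "$d/bin/ls"
    printf 'root:x:0:0\n' > "$d/etc/passwd"
    make_baseline "$d" "$b"
    printf 'replaced\n' > "$d/bin/ls"       # content changed, same path
    rm "$d/etc/passwd"                       # file gone
    printf 'x\n' > "$d/etc/unexpected.conf"  # file not in baseline
    check_baseline "$d" "$b"
    rm -rf "$d" "$b"
}
```

For a boot-time check, call check_baseline from an early rc script with the baseline read from the readonly boot media and refuse to continue to multi-user mode if it prints anything.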

Learn from epidemiology

  • Monocultures are vulnerable to epidemics: Take advantage of linux userland modularity and pick alternatives, eg boa, fhttpd, khttpd or wn instead of the default apache as web server. Your system won't necessarily be more secure (you will be less vulnerable to script exploits, but experienced crackers might have an easier time), but you will be left standing in case of catastrophic failures. You will also make life difficult for authors of worms and viruses.
  • Improve herd immunity: Report scans or attacks against your system, but make sure that it really was an attack. Attach logs. Don't demand or expect a response. It is a tedious job, but you will help discover cracked hosts and increase the cost to script kiddies. Use a role account (operator, root) to report the complaint.


- Marc Welz