Basic Security for Unix Workstations

Steve_Bailey@nih.gov

July 10, 2003

A computer is secure if you can depend
on it and its software to behave as you expect

Forces Working Against Security

  • Unix tradition of open access
  • Misconfiguration and buggy software
  • Vendors provide "easy to use" systems, with services enabled and
    accounts created before anyone asked for them
  • International hacker community

Forces Working For Security

  • Unix can be made secure: the mechanisms (a separate root account, file
    permissions, logging) are there; the work is in configuring them
  • Visibility of security incidents
  • Computer security organizations

Obvious But Necessary Fixes

Null passwords in /etc/passwd

Even with all the publicity about SGI's known open accounts, they
continue to distribute /etc/passwd with many no-password accounts.
An empty password field (two colons directly after the user name) means
anyone can log in to that account without a password. Look for it in
/etc/passwd and, on systems with shadow passwords, in /etc/shadow,
which is where the real field lives:

% grep '^[^:]*::' /etc/passwd /etc/shadow

(A pattern such as ^[A-z]*:: only matches names made entirely of letters,
so it would miss an open account named, say, uucp2.)

root::0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh

And "badperson" knows to try them: 
Mar 18 14:37:24 6E:helix login[10550]: failed: ?@200.245.107.101 as 4Dgifts
Mar 18 14:37:40 6E:helix login[10550]: failed: ?@200.245.107.101 as tutor
Mar 18 14:38:38 6E:helix login[11027]: failed: ?@200.245.107.101 as tour
Mar 18 14:39:58 6E:helix login[11326]: failed: ?@200.245.107.101 as demos
Mar 18 14:40:12 6E:helix login[11326]: failed: ?@200.245.107.101 as lp
Mar 18 14:40:23 6E:helix login[11326]: failed: ?@200.245.107.101 as guest
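The check and the log above, as an added example that is not part of the original slides: a small shell script that pulls the open accounts out of a passwd-format file and then matches the failed-login lines against that list, so you can see which of your open accounts a scanner has already tried. The passwd and log snippets are constructed for the example and the temp-directory file names are the script's own; on a real host run the two functions against /etc/passwd, /etc/shadow and the system log.

```sh
#!/bin/sh
# Added example, not part of the original slides. Finds accounts with an
# empty password field and then checks a login log for attempts against
# exactly those accounts. The passwd and log files below are constructed
# for the example; point the functions at /etc/passwd, /etc/shadow and
# /var/adm/SYSLOG (or /var/log/messages) to audit a live system.

# Print the names of accounts whose second field (the password) is empty.
# Both /etc/passwd and /etc/shadow use name:password:... so the same test
# works on either; a locked account shows "*" or "!" and is not reported.
null_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$@"
}

# Print "date time source -> account" for every failed login against an
# account listed in ACCOUNTS (one name per line), reading log lines of the
# form seen above: "... login[PID]: failed: who@host as user".
attempts_on_accounts() {   # ACCOUNTS LOGFILE
    awk -v acct="$1" '
        BEGIN { while ((getline name < acct) > 0) wanted[name] = 1 }
        /login\[[0-9]+\]: failed:/ && ($NF in wanted) {
            # $7 is who@host, $NF is the account name after "as"
            print $1, $2, $3, $7, "->", $NF
        }' "$2"
}

# --- constructed sample data -------------------------------------------
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
alice:x:1001:100:Alice:/usr/people/alice:/bin/sh
uucp2:*:11:10:Locked account:/var/spool/uucppublic:/bin/sh
EOF
cat > "$TMP/syslog" <<'EOF'
Mar 18 14:37:24 6E:helix login[10550]: failed: ?@200.245.107.101 as 4Dgifts
Mar 18 14:39:58 6E:helix login[11326]: failed: ?@200.245.107.101 as demos
Mar 18 14:40:12 6E:helix login[11326]: failed: ?@200.245.107.101 as lp
Mar 18 14:40:23 6E:helix login[11326]: failed: ?@200.245.107.101 as guest
Mar 18 14:41:02 6E:helix login[11410]: failed: ?@200.245.107.101 as alice
EOF

null_password_accounts "$TMP/passwd" > "$TMP/open"   # lp, demos, guest
echo "accounts with no password:"; cat "$TMP/open"
echo "failed logins aimed at them:"
attempts_on_accounts "$TMP/open" "$TMP/syslog"
```

The list is worth fixing rather than just watching: give each account a password or lock it (passwd -l on Linux and Solaris), or delete accounts such as OutOfBox and demos that nobody uses.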


Disable root login over network

  • Unix systems usually allow root to login from anywhere, even over the network
  • Restricting root logins to the console only is more secure; you can always
    login as yourself and then "su" to root
  • That makes it easier to track "who was using root" (su logs which user
    became root) and makes it a little harder for "badperson" to attack your
    system, since a remote attacker now needs a personal account and its
    password before even getting to try the root password
  • The settings below govern login(1), i.e. console, telnet and rlogin
    sessions; sshd has its own PermitRootLogin directive in sshd_config and
    must be set separately



Disable root login over network
SGI IRIX (6.5.x)

Problem: By default SGI does not restrict root login to the console.

Solution: Edit the /etc/default/login file and uncomment the CONSOLE entry
(remember to save a copy first as /etc/default/login.DIST).

# more /etc/default/login
 ...
# If defined, only allows root logins on the device specified.
# MUST NOT be defined as either "/dev/syscon" or "/dev/systty"!
CONSOLE=/dev/console
 ...

BEFORE 
% telnet jigsaw.cit.nih.gov
Trying 165.112.136.138...
Connected to jigsaw.cit.nih.gov.
Escape character is '^]'.
login: root
Password:
IRIX Release 6.5 IP22 jigsaw
Copyright 1987-1998 Silicon Graphics, Inc. All Rights Reserved.
Last login: Mon Apr 19 15:55:46 EDT 1999 on :0
jigsaw 1#

AFTER 
% telnet jigsaw.cit.nih.gov
Trying 165.112.136.138...
Connected to jigsaw.cit.nih.gov.
Escape character is '^]'.
login: root
Password:
Connection closed by foreign host.
% 

(Author's note: unfortunately the refused root login is not logged.)



Disable root login over network
SUN Solaris (5.8)

Problem: None; by default Sun restricts root login to the console.

Solution: If necessary, edit the /etc/default/login file and uncomment the
CONSOLE entry (remember to save a copy first as /etc/default/login.DIST).

# more /etc/default/login
 ...
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console
 ...


Disable root login over network
Red Hat Linux (5.2)

Problem: None; /etc/securetty exists by default and prevents root login
from the network via telnet.

Solution: Make sure /etc/securetty exists and lists only the console
devices "tty1" through "tty8", one per line; make the file owned by root
and mode 600. login(1) allows root only on a terminal named in this file,
so network pseudo-ttys (ttyp0, pts/0, ...) must not appear in it.

Even when entering the correct password, Linux says "Login incorrect",
which deliberately does not tell the remote user whether the password
was right.

linux# more /etc/securetty
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8

AFTER
% telnet crasharap188.nih.gov
Trying 156.40.64.188...
Connected to crasharap188.nih.gov.
Escape character is '^]'.
login: root
Password: 
Login incorrect

login:
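An added check, not from the original slides, that verifies the three settings above instead of trusting the edit: an uncommented CONSOLE=/dev/... line in /etc/default/login for IRIX and Solaris, and for Red Hat an /etc/securetty that is root-owned, mode 600 and names only console ttys. The files it examines are constructed copies in a temp directory so it can run as an ordinary user; the OWNER parameter of securetty_ok exists only for that reason and defaults to root.

```sh
#!/bin/sh
# Added example, not from the original slides: check the two files the
# slides edit, /etc/default/login (IRIX, Solaris) and /etc/securetty
# (Linux), and report whether root is actually confined to the console.
# The copies checked here are constructed in a temp directory so the
# script runs unprivileged; pass the real paths to audit a live system.

# 0 if FILE has an uncommented CONSOLE=/dev/... line that is not one of
# the two devices the IRIX file warns against, else 1.
console_restricted() {   # FILE
    grep -E '^[[:space:]]*CONSOLE=/dev/' "$1" | grep -Evq 'syscon|systty'
}

# 0 if FILE (a securetty) exists, is owned by OWNER (default root), is
# mode 600 and names only console devices; the reason goes to stderr.
# OWNER is a parameter only so this can run as a normal user against
# the constructed copies below.
securetty_ok() {   # FILE [OWNER]
    f=$1; owner=${2:-root}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f: mode is $mode, want -rw------- (600)" >&2; return 1; }
    actual=$(ls -l "$f" | awk '{ print $3 }')
    [ "$actual" = "$owner" ] || { echo "$f: owned by $actual, want $owner" >&2; return 1; }
    bad=$(grep -Ev '^(console|tty[0-9]+)$' "$f" || true)
    [ -z "$bad" ] || { echo "$f: non-console entries: $(echo $bad)" >&2; return 1; }
    return 0
}

# --- constructed copies of the files -------------------------------------
TMP=$(mktemp -d)
ME=$(ls -ld "$TMP" | awk '{ print $3 }')      # whoever is running this
# /etc/default/login as shipped (CONSOLE commented out), fixed, and wrong
printf '# If defined, only allows root logins on the device specified.\n#CONSOLE=/dev/console\n' > "$TMP/login.shipped"
printf 'CONSOLE=/dev/console\n' > "$TMP/login.fixed"
printf 'CONSOLE=/dev/syscon\n'  > "$TMP/login.wrong"
# /etc/securetty as the slide specifies, with a network pty added, and with loose permissions
printf 'tty1\ntty2\ntty3\ntty4\ntty5\ntty6\ntty7\ntty8\n' > "$TMP/securetty.good"
chmod 600 "$TMP/securetty.good"
printf 'tty1\nttyp0\n' > "$TMP/securetty.bad";   chmod 600 "$TMP/securetty.bad"
cp "$TMP/securetty.good" "$TMP/securetty.loose"; chmod 644 "$TMP/securetty.loose"

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
report console_restricted "$TMP/login.shipped"
report console_restricted "$TMP/login.fixed"
report console_restricted "$TMP/login.wrong"
report securetty_ok "$TMP/securetty.good"  "$ME"
report securetty_ok "$TMP/securetty.bad"   "$ME"
report securetty_ok "$TMP/securetty.loose" "$ME"
```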


Choose a good root password

Passwords to Avoid
  • a string of letters with a single digit or special character tacked
    on the end (e.g., abcdef1 or susan1)
  • common words with 1 for i, 0 for o, $ for s substituted (e.g., d1abete$);
    password-cracking dictionaries already contain these variants
Good Passwords
  • contain at least six characters
  • include at least two letters (a-z) and two special characters
    (punctuation, digits)
  • have at least one special character embedded inside the password,
    not just at the start or end
  • differ from your old password by at least three characters
Write it down, put it in your wallet!



Disable System Identification Banner

Unix systems often identify themselves before the login prompt, making it
easier for "badperson" to characterize your system and focus an attack
strategy on the particular OS level and platform. Removing the banner
takes away a free hint, nothing more; the system can still be
fingerprinted by other means, so treat this as a complement to patching,
not a substitute for it.



Disable System Identification Banner
SGI IRIX (6.5.x)

Problem: The default "telnet" entry in /etc/inetd.conf does not include
any options, so telnetd announces host information before the login prompt:
telnet  stream  tcp  nowait  root   /usr/etc/telnetd   telnetd

Solution: Invoke telnetd with the "-h" option; be sure to send a HUP
signal to the inetd process (killall -HUP inetd) so the change takes
effect immediately.
telnet  stream  tcp  nowait  root   /usr/etc/telnetd   telnetd -h


Disable System Identification Banner
Sun Solaris (5.6)

Problem: Sun does not include a "BANNER" string in the file
/etc/default/telnetd, so by default it uses `uname -sr` (e.g., SunOS 5.6).

Solution: Create /etc/default/telnetd and include a line of the form

BANNER=""

for no banner. (See "man telnetd" for more information.)



Disable System Identification Banner
Red Hat Linux (5.2)

Problem: At every reboot the /etc/rc.d/rc.local script recreates the
/etc/issue and /etc/issue.net files, which describe the OS level and
platform. /etc/issue is shown before the console login prompt and
/etc/issue.net before network (telnet) logins.

Solution:

  1. Remove the commands in rc.local that create the issue files
     (keep a copy of the original first):
     cd /etc/rc.d
     mv rc.local rc.local.DIST
     cp -p rc.local.DIST rc.local
     vi rc.local
     (remove the offending commands)

  2. Replace the issue files with empty ones:
     cd /etc
     mv issue issue.DIST
     mv issue.net issue.net.DIST
     touch issue issue.net

BEFORE
% telnet crasharap188.nih.gov
Trying 156.40.64.188...
Connected to crasharap188.nih.gov.
Escape character is '^]'.

Red Hat Linux release 5.2 (Apollo)
Kernel 2.0.36 on an i586
login: 

AFTER
% telnet crasharap188.nih.gov
Trying 156.40.64.188...
Connected to crasharap188.nih.gov.
Escape character is '^]'.
login: 


What Internet services are you offering?

  • netstat - show network ports in use
  • fuser - identify the process-id using a port
  • lsof - (freeware) identify process-id using a port
  • example 1 - service started on-demand
  • example 2 - service started at boot-time

Use netstat to show network ports in use (LISTEN)

-a includes listening sockets and -n prints numeric ports instead of
names, so nothing hides behind a missing /etc/services entry. Linux
netstat also takes -p, which prints the owning process directly when run
as root; on SGI and Sun that step needs fuser or lsof, below.

linux# netstat -an | grep LISTEN
Proto Rcv Snd Local Addr    Foreign     State      
tcp   0   0   0.0.0.0:6027  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:6018  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:6023  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:6014  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:15001 0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:6017  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:6016  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:6011  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:1999  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:1998  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:80    0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:515   0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:25    0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:2049  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:635   0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:37    0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:22    0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:513   0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:514   0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:23    0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:21    0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:1024  0.0.0.0:*   LISTEN      
tcp   0   0   0.0.0.0:111   0.0.0.0:*   LISTEN      



Use fuser to identify process-id using a port

Available on SGI and Linux. Don't know about Sun.

  • fuser on SGI - list the process-id listening to port 513
    % fuser 513/tcp
    513/tcp:      160o
  • fuser on Linux - show the process-id listening to port 635
    # /usr/sbin/fuser -n tcp 635
    635/tcp:               330


Use lsof (freeware) to identify process-id using a port

Available on Sun and Linux. Not supported for SGI.

  • lsof on Sun or Linux (lsof -i | grep LISTEN is quicker, since -i
    lists only network files; the listing below is from a Sun)
    % lsof | grep LISTEN
    sshd1       417   root    3u  inet 0x61507350        0t0        TCP *:22 (LISTEN)
    rpcbind     449   root    6u  inet 0x60e39648        0t0        TCP *:sunrpc (LISTEN)
    inetd       476   root    4u  inet 0x615064d0        0t0        TCP *:telnet (LISTEN)
    inetd       476   root    5u  inet 0x60e38ac8        0t0        TCP *:shell (LISTEN)
    inetd       476   root    6u  inet 0x61506450        0t0        TCP *:login (LISTEN)
    statd       481 daemon    4u  inet 0x61506cd0        0t0        TCP *:32771 (LISTEN)
    lockd       483   root    5u  inet 0x61506150        0t0        TCP *:lockd (LISTEN)
    lmgrd.ste   567 nobody    0u  inet 0x61b078d8        0t0        TCP *:1726 (LISTEN)
    suntechd    571 nobody    0u  inet 0x61b078d8        0t0        TCP *:1726 (LISTEN)
    suntechd    571 nobody    4u  inet 0x61b07858        0t0        TCP *:32772 (LISTEN)
    jre         627   root    8u  inet 0x61b06858        0t0        TCP *:1099 (LISTEN)
    httpd       634   root   15u  inet 0x61b075d8        0t0        TCP *:80 (LISTEN)
    jre         667   root   10u  inet 0x60e38f48        0t0        TCP *:32781 (LISTEN)
    dtlogin     678   root    7u  inet 0x61b06d58        0t0        TCP *:32779 (LISTEN)
    dmispd      686   root    4u  inet 0x61b06ed8        0t0        TCP *:32778 (LISTEN)
    Xsession   2415   root    7u  inet 0x61b06d58        0t0        TCP *:32779 (LISTEN)
    fbconsole  2428   root    7u  inet 0x61b06d58        0t0        TCP *:32779 (LISTEN)
    speckeysd  2436   root    7u  inet 0x61b06d58        0t0        TCP *:32779 (LISTEN)
    sdt_shell  2486   root    7u  inet 0x61b06d58        0t0        TCP *:32779 (LISTEN)
    dsdm       2489   root    7u  inet 0x61b06d58        0t0        TCP *:32779 (LISTEN)
    ttsession  2517   root    5u  inet 0x65df45c0        0t0        TCP *:51266 (LISTEN)
     ...

Example 1 - a network service started on-demand

  1. netstat says a process is listening on port 513
     linux# netstat -an | grep LISTEN
     Proto Rcv Snd Local Addr    Foreign     State
      ...
     tcp   0   0   0.0.0.0:513   0.0.0.0:*   LISTEN
      ...
  2. Run fuser to list the process-ids using port 513
     linux# /usr/sbin/fuser -n tcp 513
     513/tcp:               306  8158
  3. Now use ps to list more information about these process-ids;
     fuser lists two because inetd holds the listening socket and
     in.rlogind is a child serving a connection that is open right now
     linux# ps p 306,8158
       PID TTY STAT TIME COMMAND
       306  ?  S    0:02 inetd
      8158  ?  S    0:00 in.rlogind
  4. Confirm that the service is started on-demand from inetd.conf
     linux# grep in.rlogind /etc/inetd.conf
     login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind


Example 2 - a network service started at boot-time

  1. netstat says a process is listening on port 635
     linux# netstat -an | grep LISTEN
     Proto Rcv Snd Local Addr    Foreign     State
      ...
     tcp   0   0   0.0.0.0:635   0.0.0.0:*   LISTEN
      ...
  2. Run fuser to list the process-ids using port 635
     linux# /usr/sbin/fuser -n tcp 635
     635/tcp:               330
  3. Now use ps to list more information about process-id 330
     linux# ps p 330
       PID TTY STAT TIME COMMAND
       330  ?  S    0:27 rpc.mountd
  4. inetd is not among the owners, so the daemon was started some other
     way; check the boot-time scripts
     linux# grep rpc.mountd /etc/init.d/*
     /etc/init.d/nfs:[ -f /usr/sbin/rpc.mountd ] || exit 0
     /etc/init.d/nfs:        daemon rpc.mountd
     /etc/init.d/nfs:        killproc rpc.mountd
     /etc/init.d/nfs:        status rpc.mountd
     /etc/init.d/nfs:        echo -n "rpc.mountd "
     /etc/init.d/nfs:        killall -HUP rpc.mountd
     /etc/init.d/nfs:        /sbin/pidof rpc.mountd >/dev/null 2>&1; MOUNTD="$?"


Disabling inetd (on-demand) services


Port numbers and service names

% more /etc/services
#
# Network services, Internet style
#
# $Revision: 1.44 $
#
tcpmux          1/tcp                   # TCP port multiplexer (RFC 1078)
echo            7/tcp
echo            7/udp
discard         9/tcp           sink null
discard         9/udp           sink null
systat          11/tcp          users
daytime         13/tcp
daytime         13/udp
netstat         15/tcp
qotd            17/tcp          quote
chargen         19/tcp          ttytst source
chargen         19/udp          ttytst source
 ...


Internet services on-demand by inetd

inetd listens on every port named in /etc/inetd.conf and starts the
listed daemon for each incoming connection. To disable a service,
comment out its line with "#" and send inetd a HUP so it rereads the
file (the command is given in the file's own comment). The IRIX file
looks like this:

% more /etc/inetd.conf
 ...
# After changing this file, tell inetd to reread it with the command
#       /etc/killall -HUP inetd
#
ftp     stream  tcp     nowait  root    /usr/etc/ftpd   ftpd -l
telnet  stream  tcp     nowait  root    /usr/etc/telnetd        telnetd
shell   stream  tcp     nowait  root    /usr/etc/rshd           rshd -L
login   stream  tcp     nowait  root    /usr/etc/rlogind        rlogind
exec    stream  tcp     nowait  root    /usr/etc/rexecd         rexecd
finger  stream  tcp     nowait  guest   /usr/etc/fingerd        fingerd
 ...
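Examples 1 and 2 above and the /etc/services and inetd.conf excerpts, pulled together as an added script that is not from the original slides: it takes the LISTEN lines of a Linux netstat -an, names each port from /etc/services, checks whether inetd.conf has a live entry for it, and shows how an on-demand service is turned off by commenting out its line in a copy of inetd.conf. The netstat output, services and inetd.conf inputs are constructed snippets modelled on the listings above.

```sh
#!/bin/sh
# Added example, not from the original slides. Automates the two examples
# above for the Linux layout of "netstat -an": take every LISTEN port,
# look up its name in /etc/services, and decide whether inetd starts it
# on demand (then it is disabled by commenting out its inetd.conf line)
# or something else started it at boot (then look in init.d, next section).
# All three input files are constructed snippets; use the real
# /etc/services and /etc/inetd.conf and live netstat output on a system.

# Numeric local ports in LISTEN state (column 4 is 0.0.0.0:PORT on Linux).
listening_ports() {   # NETSTAT_OUTPUT
    awk '/LISTEN/ { n = split($4, a, ":"); print a[n] }' "$1" | sort -n | uniq
}

# Service name for a TCP port per /etc/services, or nothing if unlisted.
port_to_name() {      # PORT SERVICES_FILE
    awk -v want="$1/tcp" '$1 !~ /^#/ && $2 == want { print $1; exit }' "$2"
}

# 0 if inetd.conf has an active (uncommented) line for the service.
inetd_managed() {     # NAME INETD_CONF
    grep -Eq "^[[:space:]]*$1[[:space:]]" "$2"
}

# Write a copy of inetd.conf with the named service commented out. After
# reviewing the diff, install it and send inetd a HUP (the command is in
# the file's own comment) so inetd rereads it.
disable_inetd_service() {   # NAME INETD_CONF OUTPUT
    sed "s/^\([[:space:]]*$1[[:space:]]\)/#\1/" "$2" > "$3"
}

# One line per listening port: PORT NAME ORIGIN, where ORIGIN is inetd,
# boot (not an inetd service, so started from init.d or by hand) or
# unknown (no /etc/services entry; RPC daemons such as mountd register
# with the portmapper instead, see "rpcinfo -p").
classify_listeners() {      # NETSTAT_OUTPUT SERVICES_FILE INETD_CONF
    for p in $(listening_ports "$1"); do
        name=$(port_to_name "$p" "$2")
        if [ -z "$name" ]; then origin=unknown; name=-
        elif inetd_managed "$name" "$3"; then origin=inetd
        else origin=boot
        fi
        echo "$p $name $origin"
    done
}

# --- constructed input ---------------------------------------------------
TMP=$(mktemp -d)
cat > "$TMP/netstat" <<'EOF'
Proto Rcv Snd Local Addr    Foreign     State
tcp   0   0   0.0.0.0:80    0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:25    0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:2049  0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:635   0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:22    0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:513   0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:514   0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:23    0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:21    0.0.0.0:*   LISTEN
tcp   0   0   0.0.0.0:111   0.0.0.0:*   LISTEN
tcp   0   0   165.112.136.138:23 10.0.0.5:1034 ESTABLISHED
EOF
cat > "$TMP/services" <<'EOF'
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp          mail
http            80/tcp          www
sunrpc          111/tcp         portmapper
login           513/tcp
shell           514/tcp         cmd
nfs             2049/tcp
EOF
cat > "$TMP/inetd.conf" <<'EOF'
# After changing this file, tell inetd to reread it with the command
#       /etc/killall -HUP inetd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
EOF

classify_listeners "$TMP/netstat" "$TMP/services" "$TMP/inetd.conf"
disable_inetd_service login "$TMP/inetd.conf" "$TMP/inetd.conf.new"
echo "--- proposed inetd.conf change:"
diff "$TMP/inetd.conf" "$TMP/inetd.conf.new" || true
```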


Disabling init.d (boot-time) Internet services



System startup scripts

Scripts in /etc/init.d run at boot time to make the system usable
(to enable the network, start logging, start mail, etc.)

Some scripts start network programs you may not need (or want)
(sendmail comes to mind)

To disable unwanted network programs, you need to find out how
it was started in the first place. This isn't easy!



Disabling boot-time Internet services
SGI IRIX (6.5.x)

SGI uses chkconfig to decide which services will be started at boot time.
Use chkconfig to list the status of each service (on or off); "chkconfig
sendmail off" (for example) turns a flag off, and the change applies at
the next boot or when the corresponding /etc/init.d script is run.
% chkconfig
        Flag                 State      
        ====                 =====       ...

        acct                 off        privileges           off
        appletalk            off        proclaim_relayagent  off
        array                off        proclaim_server      off
        autoconfig_ipaddress off        rarpd                off
        autofs               off        routed               on
        automount            off        rsvpd                off
        bsdlpr               on         rtmond               off
        cachefs              off        rwhod                off
        desktop              on         sar                  off
        fontserver           off        savecore             on
        gated                off        sdpd                 off
        ipaliases            off        sendmail             off
        lockd                off        snetd                off
        lp                   on         snmpd                off
        mediad               on         soundscheme          off
        miser                off        timed                off
        mrouted              off        timeslave            on
        named                off        verbose              off
        nds                  off        videod               on
        network              on         visuallogin          on
        netwr_client         off        vswap                off
        nfs                  off        webface              off
        noiconlogin          off        windowsystem         on
        nostickytmp          off        xdm                  off
        ns_admin             off        yp                   off
        ns_fasttrack         on         ypmaster             off
        nsd                  on         ypserv               off
        pmcd                 off
          ...
%


Disabling boot time Internet services
Sun Solaris (5.6)

Solaris has no chkconfig; the run-level directories decide. On entering
run level 2, /sbin/rc2 runs every K* script in /etc/rc2.d (to stop
services) and then every S* script (to start them), in numeric order. A
file whose name starts with anything else is ignored, which is why the
listing below shows ORIG-S88sendmail and ORIG-S73nfs.client: those
services were disabled by renaming their start scripts, leaving the
originals in place for later.

% ls /etc/rc2.d/
ORIG-S88sendmail          S70uucp                   S85lmgrd
K20spc                    S71rpc                    S85power
K60nfs.server             S71sysid.sys              S88sendmail
K76snmpdx                 S72autoinstall            S88utmpd
K77dmi                    S72inetsvc                S89bdconfig
ORIG-S73nfs.client        S73cachefs.daemon         S91leoconfig
README                    S74autofs                 S92rtvc-config
S01MOUNTFSYS              S74syslog                 S92volmgt
S05RMTMPFILES             S74xntpd                  S93cacheos.finish
S20sysetup                S75cron                   S95vxvm-recover
S21perf                   S76nscd                   S96vmsa-server
S30sysid.net              S80PRESERVE               S99audit
S47asppp                  S80lp                     S99dtlogin
S59sshd                   S80spc                    S99httpd
S69inet                   S81spong
% 

Disabling boot time Internet services
Red Hat Linux (5.2)

Linux chkconfig was inspired by, but is different from, SGI's chkconfig
utility. Linux chkconfig maintains the symlinks in the /etc/rc.d hierarchy,
which in turn determine whether a service is started or stopped at a given
runlevel.

Use chkconfig to list the status of each service (on or off) at each
runlevel; "chkconfig --level 345 sendmail off" removes a service from
runlevels 3, 4 and 5 (a running instance must still be stopped by hand,
e.g. /etc/rc.d/init.d/sendmail stop).

$ /sbin/chkconfig --list
httpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfsfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
random 0:off 1:on 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kerneld 0:off 1:on 2:on 3:on 4:on 5:on 6:off
inet 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
routed 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rusersd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rwhod 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:off 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
loadmon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
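How the ORIG- entries in the Solaris listing come about, as an added example that is not from the original slides: a start script is disabled by renaming S##name so that /sbin/rc2 no longer sees an S* file, and re-enabled by renaming it back. The rc2.d directory here is a constructed copy in a temp directory with empty stand-in scripts; the functions work unchanged on /etc/rc2.d. On IRIX and Linux use chkconfig instead, as described above.

```sh
#!/bin/sh
# Added example, not from the original slides: manage Solaris-style
# /etc/rcN.d start scripts the way the listing above shows (ORIG-S88sendmail,
# ORIG-S73nfs.client). The rc scripts run every file named S* (start) or K*
# (kill) in order; renaming S88sendmail to ORIG-S88sendmail keeps the script
# but takes it out of the boot sequence. Worked on a constructed copy of
# rc2.d in a temp directory; point it at /etc/rc2.d for real.

# "NN name" for every live start script in DIR, in boot order.
rc_start_scripts() {   # DIR
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] || continue
        b=${f##*/}
        echo "$(printf '%s' "$b" | cut -c2-3) ${b#S??}"
    done
}

# 0 if DIR has a live start script for NAME.
rc_enabled() {   # DIR NAME
    for f in "$1"/S[0-9][0-9]"$2"; do [ -e "$f" ] && return 0; done
    return 1
}

# Rename S##NAME to ORIG-S##NAME. Fails if there is nothing to rename, so
# a typo in the service name is not silently ignored.
disable_rc_service() {   # DIR NAME
    rc_enabled "$1" "$2" || { echo "$2: no start script in $1" >&2; return 1; }
    for f in "$1"/S[0-9][0-9]"$2"; do mv "$f" "$1/ORIG-${f##*/}"; done
}

# Undo disable_rc_service: ORIG-S##NAME back to S##NAME.
enable_rc_service() {    # DIR NAME
    for f in "$1"/ORIG-S[0-9][0-9]"$2"; do
        [ -e "$f" ] || { echo "$2: no ORIG- script in $1" >&2; return 1; }
        b=${f##*/}; mv "$f" "$1/${b#ORIG-}"
    done
}

# --- constructed rc2.d with empty stand-in scripts -------------------------
D=$(mktemp -d)
for s in S01MOUNTFSYS S69inet S71rpc S72inetsvc S74syslog S88sendmail S99httpd K60nfs.server; do
    : > "$D/$s"
done
echo "before:"; rc_start_scripts "$D"
disable_rc_service "$D" sendmail
disable_rc_service "$D" httpd
echo "after:";  rc_start_scripts "$D"
echo "kept for later:"; ls "$D" | grep '^ORIG-'
```

Renaming only stops the service from being started at the next boot; the instance that is running now still has to be stopped, either with the script itself (/etc/init.d/sendmail stop) or by killing the process.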


Common Internet Services by Port
(TCP unless marked UDP)

Port  Name          Notes
----  ------------  ----------------------------------------------------------
1     tcpmux        TCP port multiplexer
7     echo          Echoes characters sent to it
9     discard       Accepts connections but discards the data
11    systat        System status, reports active users on your system
19    chargen       Generates a constant stream of characters
20    ftp-data      Data port for ftp
21    ftp           Command port for ftp
23    telnet        Telnet virtual terminal
25    smtp          Email, typically sendmail
37    time          Time of day, machine-readable form
53    domain        Domain Name Service
67    bootp         (UDP) Boot protocol
69    tftp          (UDP) Trivial ftp
70    gopher        Text-based information server
79    finger        Returns information about a particular user account or machine
80    http          The World Wide Web (httpd)
109   pop-2         Post Office Protocol for reading mail over the Internet
110   pop-3         Better Post Office Protocol
111   sunrpc        Sun RPC portmapper
119   nntp          Network News Transport Protocol
123   ntp           Network Time Protocol
161   snmp          (UDP) Simple Network Management Protocol
177   xdmcp         (UDP) X Display Manager (XDM) Control Protocol
194   irc           Internet Relay Chat Protocol
512   exec          Remote command execution (rexecd)
513   rwho          (UDP) Remote who command (rwhod)
513   login         Remote login (rlogin)
514   shell         Remote shell (rsh)
525   timed         (UDP) Time server daemon
2049  nfs           Sun NFS Server
6000  x-server      X11 Window Server (through 6063, one port per display)
7100  font-service  X font service


Better Logging

  • Prevent users from viewing log files
  • Keep log files longer - rotating
  • Include more logging

About "R" Services

"R" commands (rsh, rlogin, rcp) enable you to issue commands
to a remote host. These commands may be run without having
to enter your password for the remote host.
  • rsh remotehost date executes "date" on remotehost
  • rlogin remotehost logs into remotehost
  • rshd and rlogind daemons must be enabled on remotehost
  • a .rhosts file in your home directory on remotehost lists who is
    trusted, one "yourhost userid" pair per line
  • security implications: the trust rests on the client's claimed host
    name and user name, not on any secret, so anyone who controls (or can
    impersonate) a trusted host logs in without a password; a "+" entry
    trusts every host or every user; and, as with telnet, everything in the
    session, including any password typed during it, crosses the network
    in the clear
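An added audit, not from the original slides, for the .rhosts risks listed above: it walks the home directories under a root and, for each .rhosts, reports wildcard "+" entries, group- or world-writable files, and files not owned by the home directory's owner. The home directories and their .rhosts files are constructed in a temp directory; the per-file function can also be pointed at /etc/hosts.equiv, which uses the same host/user format and applies to every user.

```sh
#!/bin/sh
# Added example, not from the original slides: audit .rhosts files for the
# problems that make the "R" services risky. A "+" in the host or user
# column trusts every host or every user, and a file that someone else can
# write lets them add their own host. Home directories are constructed in
# a temp directory; run against /usr/people, /home, etc. on a real system.

# Print findings for one rhosts-format file, one per line; nothing if clean.
audit_rhosts_file() {   # FILE
    f=$1
    [ -f "$f" ] || return 0
    # wildcard trust: "+", "+ +", "host +" or "+ user"
    awk -v f="$f" '$1 !~ /^#/ && ($1 == "+" || $2 == "+") {
        print f ": line " NR " trusts everyone: " $0 }' "$f"
    # group- or world-writable: anyone with write access can add entries
    case $(ls -l "$f" | cut -c5-10) in
        *w*) echo "$f: writable by group or others ($(ls -l "$f" | cut -c1-10))" ;;
    esac
    # owned by someone other than the home directory's owner
    dirowner=$(ls -ld "$(dirname "$f")" | awk '{ print $3 }')
    fileowner=$(ls -l "$f" | awk '{ print $3 }')
    [ "$fileowner" = "$dirowner" ] || echo "$f: owned by $fileowner, home owned by $dirowner"
    return 0
}

# Walk every home directory under HOMEROOT.
audit_rhosts() {   # HOMEROOT
    for h in "$1"/*/; do audit_rhosts_file "${h%/}/.rhosts"; done
}

# --- constructed home directories -----------------------------------------
TMP=$(mktemp -d)
mkdir -p "$TMP/home/alice" "$TMP/home/bob" "$TMP/home/carol"
printf 'ws1.example.com alice\n' > "$TMP/home/alice/.rhosts"   # one host, one user
chmod 600 "$TMP/home/alice/.rhosts"
printf '# convenient, and wide open\n+ +\nws2.example.com +\n' > "$TMP/home/bob/.rhosts"
chmod 666 "$TMP/home/bob/.rhosts"
# carol has no .rhosts at all, which is the safest state
audit_rhosts "$TMP/home"
```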

About SSH (Secure Shell)

SSH is a program for logging into a remote machine and
executing commands on it. All communication between the hosts
is encrypted over an otherwise insecure network, so passwords and
session contents are not exposed the way they are with telnet and
the "R" commands.
  • Remote host must run the sshd server
  • Workstation must have an ssh client (site license for PC, Mac)
  • X Window and other TCP/IP port connections can be "forwarded"
    over the secure (encrypted) channel
  • ssh, slogin, scp client commands
  • See References for information on how to get ssh


References

Books

  • Practical Unix & Internet Security, 2nd Ed., Simson Garfinkel and
    Gene Spafford, O'Reilly & Associates, 1996
  • Hacking Linux Exposed: Linux Security Secrets & Solutions, Brian Hatch,
    James Lee, and George Kurtz, McGraw-Hill, 2001

Useful Utilities

Selected Web Sites