Basic Security for Unix Workstations
July 10, 2003

A computer is secure if you can depend

Forces Working Against Security

Forces Working For Security

Obvious But Necessary Fixes
Null passwords in /etc/passwd

Even with all the publicity about SGI's known open accounts, they continue to distribute /etc/passwd with many no-password accounts. An empty second field means anyone who can reach a login prompt gets that account without a password.

    % grep "^[A-z]*::" /etc/passwd          (or /etc/shadow)
    root::0:0:Super-User:/:/bin/csh
    lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
    nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico
    EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
    demos::993:997:Demonstration User:/usr/demos:/bin/csh
    OutOfBox::995:997:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
    guest::998:998:Guest Account:/usr/people/guest:/bin/csh

(The pattern ^[A-z]*:: only matches names that begin with a letter; ^[^:]*:: catches every account with an empty password field, including names such as 4Dgifts.)

And "badperson" knows to try them:

    Mar 18 14:37:24 6E:helix login[10550]: failed: ?@200.245.107.101 as 4Dgifts
    Mar 18 14:37:40 6E:helix login[10550]: failed: ?@200.245.107.101 as tutor
    Mar 18 14:38:38 6E:helix login[11027]: failed: ?@200.245.107.101 as tour
    Mar 18 14:39:58 6E:helix login[11326]: failed: ?@200.245.107.101 as demos
    Mar 18 14:40:12 6E:helix login[11326]: failed: ?@200.245.107.101 as lp
    Mar 18 14:40:23 6E:helix login[11326]: failed: ?@200.245.107.101 as guest
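A small audit script for the check above, added here as an example and not part of the original slides. It runs against a constructed passwd-format sample (the 4Dgifts and jdoe lines are made up for the demonstration) and uses awk on the password field instead of the grep pattern, so account names that begin with a digit are not missed.

```sh
#!/bin/sh
# Added example, not from the original slides: list accounts whose password
# field is empty in passwd- or shadow-format input.  The test is done per
# record with awk rather than grep "^[A-z]*::" because [A-z] is a character
# range that misses login names beginning with a digit (4Dgifts, one of the
# names the attacker in the log tries) and, in the C locale, also covers the
# punctuation between Z and a.

# Constructed sample in /etc/passwd format, modelled on the slide's output
# (the 4Dgifts and jdoe lines are made up for the demonstration).
SAMPLE_PASSWD='root::0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
4Dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
sysadm:x:0:0:System V Administration:/usr/admin:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
jdoe:abJnggxhB/yWI:1001:100:J. Doe:/usr/people/jdoe:/bin/sh
'

# null_password_accounts: read passwd/shadow records on stdin, print the
# login name of every record whose second field (the password) is empty.
# Both file formats keep the password in field 2, so one function serves
# /etc/passwd and /etc/shadow.
null_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }'
}

# audit_file FILE: the same check against a real file (the shadow file is
# readable by root only).
audit_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    null_password_accounts < "$1"
}

# Demonstration against the constructed sample.
printf '%s' "$SAMPLE_PASSWD" | null_password_accounts
```

On a live system, `audit_file /etc/passwd` and `audit_file /etc/shadow` should both print nothing; any name that appears needs a password set or the account locked.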
Disable root login over network

SGI
Problem: By default SGI does not restrict root login to the console.

Sun
Problem: None; by default Sun restricts root login to the console.

Linux
Problem: None; /etc/securetty exists by default and prevents root from logging in on any tty not listed in it.

AFTER: [screenshot of the corrected configuration not included in this version]
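The two mechanisms named above can be checked from the configuration files alone. The script below is an added example, not part of the original slides; it inspects constructed copies of /etc/securetty (Linux) and /etc/default/login (Sun, where the CONSOLE=/dev/console line is what confines root to the console), with file paths as parameters so it runs without touching the real files.

```sh
#!/bin/sh
# Added example, not from the original slides: test whether root login is
# confined to the console on the two platforms the slide names a mechanism
# for.  Linux: /etc/securetty lists the ttys root may log in on; an entry for
# a pseudo-terminal (ttyp*, ttyq*, pts/*) admits root over telnet/rlogin.
# Sun: /etc/default/login sets CONSOLE=/dev/console, and login(1) then refuses
# root from any other device.  Paths are parameters so constructed files can
# be checked.

# check_securetty FILE -> 0 console-only, 1 network tty listed, 2 file missing
# (what a missing file means depends on the login program; treat it as a finding).
check_securetty() {
    f=${1:-/etc/securetty}
    [ -r "$f" ] || return 2
    if grep -E '^(ttyp|ttyq|pts/)' "$f" >/dev/null; then
        return 1
    fi
    return 0
}

# check_sun_console FILE -> 0 if an active CONSOLE=<device> line is present,
# 1 if CONSOLE is commented out or empty, 2 if the file is missing
check_sun_console() {
    f=${1:-/etc/default/login}
    [ -r "$f" ] || return 2
    grep -E '^[[:space:]]*CONSOLE=[^[:space:]#]+' "$f" >/dev/null
}

# report LABEL RC -> one line of plain English for a check's exit status
report() {
    case $2 in
        0) echo "$1: root restricted to console" ;;
        1) echo "$1: root login allowed over the network" ;;
        *) echo "$1: configuration file missing" ;;
    esac
}

# Constructed samples, written to a scratch directory.
d=$(mktemp -d)
printf 'console\ntty1\ntty2\ntty3\n' > "$d/securetty.good"
printf 'console\ntty1\nttyp0\nttyp1\n' > "$d/securetty.bad"
printf '# Sun default\nCONSOLE=/dev/console\n' > "$d/login.good"
printf '# opened up\n#CONSOLE=/dev/console\n' > "$d/login.bad"

for f in securetty.good securetty.bad; do
    rc=0; check_securetty "$d/$f" || rc=$?; report "$f" "$rc"
done
for f in login.good login.bad; do
    rc=0; check_sun_console "$d/$f" || rc=$?; report "$f" "$rc"
done
rm -rf "$d"
```

Run on a real host, `check_securetty` and `check_sun_console` with no argument read the live files; a non-zero status is the "Problem" the slide describes.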
Disable System Identification Banner

Problem: Default "telnet" entry in /etc/inetd.conf does not include

Linux
Problem: At every reboot the /etc/rc.d/rc.local script creates /etc/issue, so a banner edited by hand is overwritten at the next boot; the script itself has to be changed.

BEFORE: [screenshot of the default banner not included in this version]
What Internet services are you offering?

Use netstat to show network ports in use (LISTEN)

    linux# netstat -an | grep LISTEN
    Proto Rcv Snd Local Addr      Foreign    State
    tcp   0   0   0.0.0.0:6027    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:6018    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:6023    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:6014    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:15001   0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:6017    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:6016    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:6011    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:1999    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:1998    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:80      0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:515     0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:25      0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:2049    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:635     0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:37      0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:22      0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:513     0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:514     0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:23      0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:21      0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:1024    0.0.0.0:*  LISTEN
    tcp   0   0   0.0.0.0:111     0.0.0.0:*  LISTEN

A local address of 0.0.0.0 means the port is bound on every interface, so each of these is reachable from the network, not just from the workstation itself.
Use fuser to identify the process-id using a port

Available on SGI and Linux. Solaris fuser works on files and file systems only and cannot look up a TCP port; use lsof there.

SGI:
    % fuser 513/tcp
    513/tcp: 160o

Linux:
    # /usr/sbin/fuser -n tcp 635
    635/tcp: 330
Use lsof (freeware) to identify the process-id using a port

Available on Sun and Linux. Not supported for SGI.

    % lsof | grep LISTEN
    sshd1      417   root    3u  inet 0x61507350 0t0 TCP *:22 (LISTEN)
    rpcbind    449   root    6u  inet 0x60e39648 0t0 TCP *:sunrpc (LISTEN)
    inetd      476   root    4u  inet 0x615064d0 0t0 TCP *:telnet (LISTEN)
    inetd      476   root    5u  inet 0x60e38ac8 0t0 TCP *:shell (LISTEN)
    inetd      476   root    6u  inet 0x61506450 0t0 TCP *:login (LISTEN)
    statd      481   daemon  4u  inet 0x61506cd0 0t0 TCP *:32771 (LISTEN)
    lockd      483   root    5u  inet 0x61506150 0t0 TCP *:lockd (LISTEN)
    lmgrd.ste  567   nobody  0u  inet 0x61b078d8 0t0 TCP *:1726 (LISTEN)
    suntechd   571   nobody  0u  inet 0x61b078d8 0t0 TCP *:1726 (LISTEN)
    suntechd   571   nobody  4u  inet 0x61b07858 0t0 TCP *:32772 (LISTEN)
    jre        627   root    8u  inet 0x61b06858 0t0 TCP *:1099 (LISTEN)
    httpd      634   root    15u inet 0x61b075d8 0t0 TCP *:80 (LISTEN)
    jre        667   root    10u inet 0x60e38f48 0t0 TCP *:32781 (LISTEN)
    dtlogin    678   root    7u  inet 0x61b06d58 0t0 TCP *:32779 (LISTEN)
    dmispd     686   root    4u  inet 0x61b06ed8 0t0 TCP *:32778 (LISTEN)
    Xsession   2415  root    7u  inet 0x61b06d58 0t0 TCP *:32779 (LISTEN)
    fbconsole  2428  root    7u  inet 0x61b06d58 0t0 TCP *:32779 (LISTEN)
    speckeysd  2436  root    7u  inet 0x61b06d58 0t0 TCP *:32779 (LISTEN)
    sdt_shell  2486  root    7u  inet 0x61b06d58 0t0 TCP *:32779 (LISTEN)
    dsdm       2489  root    7u  inet 0x61b06d58 0t0 TCP *:32779 (LISTEN)
    ttsession  2517  root    5u  inet 0x65df45c0 0t0 TCP *:51266 (LISTEN)
    ...

inetd (pid 476) appears once for each service it listens for. The one socket on port 32779 (device 0x61b06d58, descriptor 7) shows up under dtlogin and every process it started, because children inherit the open descriptor; it is a single listener, not six.
Example 1 - a network service started on-demand

    linux# netstat -an | grep LISTEN
    Proto Rcv Snd Local Addr      Foreign    State
    ...
    tcp   0   0   0.0.0.0:513     0.0.0.0:*  LISTEN
    ...
    linux# /usr/sbin/fuser -n tcp 513
    513/tcp: 306 8158
    linux# ps p 306,8158
      PID TTY STAT TIME COMMAND
      306 ?   S    0:02 inetd
     8158 ?   S    0:00 in.rlogind
    linux# grep in.rlogind /etc/inetd.conf
    login stream tcp nowait root /usr/sbin/tcpd in.rlogind

Two process-ids come back: inetd (306) holds the listening socket, and in.rlogind (8158) is the child it spawned for a connection in progress. The inetd.conf entry is what makes this an on-demand service.

Example 2 - a network service started at boot-time

    linux# netstat -an | grep LISTEN
    Proto Rcv Snd Local Addr      Foreign    State
    ...
    tcp   0   0   0.0.0.0:635     0.0.0.0:*  LISTEN
    ...
    linux# /usr/sbin/fuser -n tcp 635
    635/tcp: 330
    linux# ps p 330
      PID TTY STAT TIME COMMAND
      330 ?   S    0:27 rpc.mountd
    linux# grep rpc.mountd /etc/init.d/*
    /etc/init.d/nfs:[ -f /usr/sbin/rpc.mountd ] || exit 0
    /etc/init.d/nfs:        daemon rpc.mountd
    /etc/init.d/nfs:        killproc rpc.mountd
    /etc/init.d/nfs:        status rpc.mountd
    /etc/init.d/nfs:        echo -n "rpc.mountd "
    /etc/init.d/nfs:        killall -HUP rpc.mountd
    /etc/init.d/nfs:        /sbin/pidof rpc.mountd >/dev/null 2>&1; MOUNTD="$?"

Here there is no inetd.conf entry; rpc.mountd is started by /etc/init.d/nfs at boot, so it is turned off through the boot-time mechanism (chkconfig) rather than by editing inetd.conf.
Disabling inetd (on-demand) services

Port numbers and service names

    % more /etc/services
    #
    # Network services, Internet style
    #
    # $Revision: 1.44 $
    #
    tcpmux    1/tcp                  # TCP port multiplexer (RFC 1078)
    echo      7/tcp
    echo      7/udp
    discard   9/tcp    sink null
    discard   9/udp    sink null
    systat    11/tcp   users
    daytime   13/tcp
    daytime   13/udp
    netstat   15/tcp
    qotd      17/tcp   quote
    chargen   19/tcp   ttytst source
    chargen   19/udp   ttytst source
    ...

Internet services on-demand by inetd

    % more /etc/inetd.conf
    ...
    # After changing this file, tell inetd to reread it with the command
    #     /etc/killall -HUP inetd
    #
    ftp     stream  tcp  nowait  root   /usr/etc/ftpd      ftpd -l
    telnet  stream  tcp  nowait  root   /usr/etc/telnetd   telnetd
    shell   stream  tcp  nowait  root   /usr/etc/rshd      rshd -L
    login   stream  tcp  nowait  root   /usr/etc/rlogind   rlogind
    exec    stream  tcp  nowait  root   /usr/etc/rexecd    rexecd
    finger  stream  tcp  nowait  guest  /usr/etc/fingerd   fingerd
    ...

To disable an on-demand service, put a # in front of its line and send inetd a HUP; inetd closes the listening socket when it re-reads the file.
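The following script is an added example, not part of the original slides. It does offline what Examples 1 and 2 do with fuser and ps: for each LISTEN port it looks up the service name in a constructed /etc/services table and checks a constructed /etc/inetd.conf for an active line, classifying the listener as an inetd (on-demand) service or a boot-time one, and then comments a service out of the configuration copy, which is the edit inetd needs before it is sent SIGHUP. The three samples are constructed from the slides' listings; real input would be /etc/services, /etc/inetd.conf and the output of netstat -an.

```sh
#!/bin/sh
# Added example, not part of the original slides.  Examples 1 and 2 tie a
# LISTEN port to a process with fuser and ps; this does the same from file
# contents alone so it runs on constructed input: a port whose /etc/services
# name has an active line in /etc/inetd.conf is an inetd (on-demand) service,
# anything else was started by a boot script.  It then comments a service
# out, the edit inetd needs before it is sent SIGHUP.  The three samples are
# constructed from the slides' listings.

SERVICES='ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
smtp 25/tcp
sunrpc 111/tcp
login 513/tcp
shell 514/tcp
printer 515/tcp spooler
nfs 2049/tcp
'
INETD_CONF='# sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd -L
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
'
NETSTAT='tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
'

# service_name PORT -> name from the services table, "unknown" if absent
service_name() {
    printf '%s' "$SERVICES" |
        awk -v p="$1/tcp" '$2 == p { print $1; f = 1; exit } END { if (!f) print "unknown" }'
}

# inetd_enabled NAME FILE -> 0 if FILE has an uncommented line for NAME
inetd_enabled() {
    awk -v s="$1" '$1 == s { f = 1 } END { exit !f }' "$2"
}

# classify_listeners INETD_FILE -> "PORT NAME ORIGIN" per LISTEN socket
classify_listeners() {
    printf '%s' "$NETSTAT" |
        awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        while read -r port; do
            name=$(service_name "$port")
            if inetd_enabled "$name" "$1"; then origin=inetd; else origin=boot-time; fi
            echo "$port $name $origin"
        done
}

# disable_inetd_service NAME FILE: comment out every active line for NAME.
# Edits FILE in place (work on a copy first); inetd re-reads its
# configuration only when it receives SIGHUP.
disable_inetd_service() {
    tmp="$2.tmp.$$"
    awk -v s="$1" '$1 == s { print "#" $0; next } { print }' "$2" > "$tmp" && mv "$tmp" "$2"
}

# Demonstration on a scratch copy of the sample configuration.
conf=$(mktemp)
printf '%s' "$INETD_CONF" > "$conf"
echo "Listeners and where they come from:"; classify_listeners "$conf"
disable_inetd_service login "$conf"
disable_inetd_service shell "$conf"
inetd_enabled login "$conf" || echo "login and shell commented out; now HUP inetd"
echo "  Linux: kill -HUP <pid of inetd>      SGI: /etc/killall -HUP inetd"
rm -f "$conf"
```

The pid to HUP is the one fuser reports for the port (306 in Example 1); after the signal, netstat should no longer show 513 and 514 listening.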
Disabling init.d (boot-time) Internet services

SGI
SGI uses chkconfig to decide which services will be started at boot time.

Linux
Linux chkconfig was inspired by, but is different from, SGI's chkconfig utility. Linux chkconfig maintains the /etc/rc.d hierarchy, which in turn determines whether a service should be started or stopped at a given runlevel.
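The difference between the two chkconfigs is easiest to see by reproducing both mechanisms. The script below is an added example, not from the original slides and not the chkconfig programs themselves: it models SGI's on/off flag files and Linux's rcN.d symlinks against scratch directories (real paths are /etc/config and /etc/rc.d), with fixed S/K priority numbers, where real Linux chkconfig reads them from the "# chkconfig:" header of the init script.

```sh
#!/bin/sh
# Added example, not from the original slides: the two chkconfig mechanisms
# the text contrasts, modelled against scratch directories so the script runs
# anywhere.  On a real system the directories are /etc/config (SGI) and
# /etc/rc.d (Linux); here both are parameters, and the S/K priority numbers
# are fixed (real Linux chkconfig reads them from the "# chkconfig:" header
# of the init script).

# --- SGI: /etc/config/<service> holds "on" or "off"; a boot script asks
#     "chkconfig <service>" (exit 0 means on) before starting the daemon.
#     A missing flag file counts as off.
sgi_chkconfig() {               # sgi_chkconfig CFGDIR SERVICE on|off
    printf '%s\n' "$3" > "$1/$2"
}
sgi_is_on() {                   # sgi_is_on CFGDIR SERVICE
    [ -f "$1/$2" ] || return 1
    [ "$(head -n 1 "$1/$2" | tr -d '[:space:]')" = "on" ]
}

# --- Linux: entering runlevel N runs /etc/rc.d/rcN.d/S??<service> start and
#     K??<service> stop; chkconfig only manages those symlinks, the script
#     itself in /etc/rc.d/init.d is untouched.
linux_chkconfig() {             # linux_chkconfig RCDIR SERVICE LEVELS on|off
    rcdir=$1; svc=$2; state=$4
    for lvl in $(printf '%s' "$3" | sed 's/./& /g'); do
        d="$rcdir/rc$lvl.d"; mkdir -p "$d"
        rm -f "$d"/S[0-9][0-9]"$svc" "$d"/K[0-9][0-9]"$svc"
        if [ "$state" = on ]; then
            ln -s "../init.d/$svc" "$d/S60$svc"
        else
            ln -s "../init.d/$svc" "$d/K40$svc"
        fi
    done
}
linux_is_on() {                 # linux_is_on RCDIR SERVICE RUNLEVEL
    set -- "$1/rc$3.d"/S[0-9][0-9]"$2"
    [ -e "$1" ]
}

# Demonstration: turn nfs off on both "systems" and confirm the boot-time
# decision each one would make.
top=$(mktemp -d)
mkdir -p "$top/config" "$top/rc.d/init.d"
printf '#!/bin/sh\n# chkconfig: 345 60 20\necho nfs $1\n' > "$top/rc.d/init.d/nfs"

sgi_chkconfig "$top/config" nfs on
linux_chkconfig "$top/rc.d" nfs 345 on
sgi_is_on "$top/config" nfs && echo "SGI: nfs starts at boot"
linux_is_on "$top/rc.d" nfs 3 && echo "Linux: nfs starts in runlevel 3"

sgi_chkconfig "$top/config" nfs off
linux_chkconfig "$top/rc.d" nfs 345 off
sgi_is_on "$top/config" nfs || echo "SGI: nfs now off (config/nfs reads off)"
linux_is_on "$top/rc.d" nfs 3 || echo "Linux: nfs now off (rc3.d has K40nfs, no S link)"
rm -rf "$top"
```

On the real systems the equivalent commands are `chkconfig nfs off` on SGI and `chkconfig --level 345 nfs off` on Linux; both only take effect at the next boot, so the running daemon (rpc.mountd in Example 2) still has to be stopped by hand.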
Common TCP Services by Port

Better Logging

About "R" Services

"R" commands (rsh, rlogin, rcp) enable you to issue commands to a remote host. These commands may be run without having to enter your password for the remote host. That convenience rests on ~/.rhosts and /etc/hosts.equiv entries, which trust a remote host name or address rather than any proof of the caller's identity, and the session itself travels in clear text.

About SSH (Secure Shell)

SSH is a program for logging into a remote machine and executing commands on a remote machine. All communication between hosts is encrypted over an otherwise insecure network.

... be "forwarded" over a secure (encrypted) channel

References

Books

Useful Utilities

Selected Web Sites