Security for Administrators

Presented by: Greg SmithPacsec.jp 2004

Introduction

Who am I? Who do I work for, and what is my

job? Why I am talking about this?

Who am I?

Greg Smith Using UNIX based operating

systems for 8 years Administrator work for 5 years Working with security off and on

for 4 years.

Who Do I Work For,and What is My Job?

I work for Secured Infrastructure Design Corporation.

I am a Security Analyst, and Administrator for various BSD / Linux servers

Why I Am Talking About This?

I believe that administrators should be more concerned about the well being of their servers.

I want to try and share some of my basic views on security.

Overview

My Definition of security Operating system level security Security via log monitoring Interactive security Administrator security measures

My Definition of Security

Making intelligent choices Being educated, and always

learning Perceptiveness Adaptation Care and attention

Operating System Level Security

Proper application management Keeping proper tabs on users’

interactions with the operating system

Noticing inconsistencies between the administrator and the user logins

Noticing inconsistencies in the file systems

Proper Application Management

Distribution Method ExplanationFreeBSD CVS/portupgrade FreeBSD uses a CVS

system to keep its operating system and dependencies up to date.

Debian apt-get update Debian uses the apt package management system to keep up to date

Gentoo emerge sync You can update the Gentoo portage tree with the emerge sync command.

Fedora Yum update Yum is a great alternative to use alongside the RHN.

Keeping Proper Tabs On Users

Watch login times, if you know said user was not in the office at a particular time, but appears to be logged in, check the logs further to see what this user did

Watch your own logins, if you notice an inconsistency with administrator logins, this would also warrant digging further into the logs.

Noticing InconsistenciesIn The File Systems

Is a file moved, deleted, or copied somewhere else on the system, and you don’t remember doing it?

Are there symlinks from logs to /dev/null.

Are there extra directories created with files in them you have never seen?

Watch for differences in the file system from the last time you logged in.

Security via Logging

Don’t be afraid to use tools like sed, awk, uniq, sort, to better navigate.

Interpret the logs, look for inconsistencies

Apache logs; look for file transfers from personal directories

FTP logs; look for suspicious transfers

Look for SSH authentication errors

Using Text Parsing ToolsTo Make Life Easier

Examples here are all based off FreeBSD 4.9’s default logging system.Log Example

Cron An easier way to view differences in the entries, using different text parsing methods.

Secure/Auth.log Watching the Secure/Auth log for anything sketchy.

Message/Syslog Looking for possible compromise.

Lastlog Just looking for inconsistencies.

Apache – httpd-access Use sed/awk/grep to condense logs.

Interpret The Logs, Look For Inconsistencies

Examples of this, in cron, 1000 entries

sed s/[0-9]/#/g cron.ot | sort | uniq

Secure/Auth Log Analysis

There are similar lines, parse them out better using awk and grep.

Secure/Auth Log Analysis

cat auth.log | grep Failed | awk '{print $3" "$6" "$7" "$11" "$13}‘

Using simple grep/awk, weeded out a lot of useless information.

Messages Log Analysis

There are similar lines, parse them out better with grep.

Messages Log Analysis

Using grep to parse better

Going even further

cat messages | grep root | grep BAD

With those simple instructions, your viewing time can be cut substantially.

More Security via Logging

Watch the last log, using the last command

The httpd-access and httpd-error log can be handy in tracing a possible compromise. Use the same methods as in the other examples to better parse the httpd logs.

More Security Via Logging

Monitor logs on a regular basis Learn the logging system for the

particular operating system at hand

To save time, skim logs looking for said inconsistencies; if found then probe deeper.

Watch for inconsistencies in log file sizes

Interactive Security

What do I consider interactive security?

Why would someone use this method?

What Do I ConsiderInteractive Security?

Perceptiveness. Know your system. Customize your server or

workstation to better suit you. Understand that proper mindset

can increase security substantially.

Why Would Someone Use This Method?

Cut down on man-hours used maintaining systems; less time will have to be spent by administrators on tedious tasks.

Enhance knowledge about basic functions of the operating system.

Less stressful work environment.

Administrative Measures

If a server has been compromised, learn from this, and adapt accordingly.

Segregation Common sense

Conclusions

Administrators work closest with the actual infrastructure that needs the most attention.

Better education of administrators could lead to less of a chance of being compromised.

Questions?

Special Thanks to:Richard S. Keirstead

Lars MaulSteve Manzuik