Security for Administrators
Presented by: Greg SmithPacsec.jp 2004
Introduction
Who am I? Who do I work for, and what is my
job? Why I am talking about this?
Who am I?
Greg Smith Using UNIX based operating
systems for 8 years Administrator work for 5 years Working with security off and on
for 4 years.
Who Do I Work For,and What is My Job?
I work for Secured Infrastructure Design Corporation.
I am a Security Analyst, and Administrator for various BSD / Linux servers
Why I Am Talking About This?
I believe that administrators should be more concerned about the well being of their servers.
I want to try and share some of my basic views on security.
Overview
My Definition of security Operating system level security Security via log monitoring Interactive security Administrator security measures
My Definition of Security
Making intelligent choices Being educated, and always
learning Perceptiveness Adaptation Care and attention
Operating System Level Security
Proper application management Keeping proper tabs on users’
interactions with the operating system
Noticing inconsistencies between the administrator and the user logins
Noticing inconsistencies in the file systems
Proper Application Management
Distribution Method ExplanationFreeBSD CVS/portupgrade FreeBSD uses a CVS
system to keep its operating system and dependencies up to date.
Debian apt-get update Debian uses the apt package management system to keep up to date
Gentoo emerge sync You can update the Gentoo portage tree with the emerge sync command.
Fedora Yum update Yum is a great alternative to use alongside the RHN.
Keeping Proper Tabs On Users
Watch login times, if you know said user was not in the office at a particular time, but appears to be logged in, check the logs further to see what this user did
Watch your own logins, if you notice an inconsistency with administrator logins, this would also warrant digging further into the logs.
Noticing InconsistenciesIn The File Systems
Is a file moved, deleted, or copied somewhere else on the system, and you don’t remember doing it?
Are there symlinks from logs to /dev/null.
Are there extra directories created with files in them you have never seen?
Watch for differences in the file system from the last time you logged in.
Security via Logging
Don’t be afraid to use tools like sed, awk, uniq, sort, to better navigate.
Interpret the logs, look for inconsistencies
Apache logs; look for file transfers from personal directories
FTP logs; look for suspicious transfers
Look for SSH authentication errors
Using Text Parsing ToolsTo Make Life Easier
Examples here are all based off FreeBSD 4.9’s default logging system.Log Example
Cron An easier way to view differences in the entries, using different text parsing methods.
Secure/Auth.log Watching the Secure/Auth log for anything sketchy.
Message/Syslog Looking for possible compromise.
Lastlog Just looking for inconsistencies.
Apache – httpd-access Use sed/awk/grep to condense logs.
Interpret The Logs, Look For Inconsistencies
Examples of this, in cron, 1000 entries
sed s/[0-9]/#/g cron.ot | sort | uniq
Secure/Auth Log Analysis
There are similar lines, parse them out better using awk and grep.
Secure/Auth Log Analysis
cat auth.log | grep Failed | awk '{print $3" "$6" "$7" "$11" "$13}‘
Using simple grep/awk, weeded out a lot of useless information.
Messages Log Analysis
There are similar lines, parse them out better with grep.
Messages Log Analysis
Using grep to parse better
Going even further
cat messages | grep root | grep BAD
With those simple instructions, your viewing time can be cut substantially.
More Security via Logging
Watch the last log, using the last command
The httpd-access and httpd-error log can be handy in tracing a possible compromise. Use the same methods as in the other examples to better parse the httpd logs.
More Security Via Logging
Monitor logs on a regular basis Learn the logging system for the
particular operating system at hand
To save time, skim logs looking for said inconsistencies; if found then probe deeper.
Watch for inconsistencies in log file sizes
Interactive Security
What do I consider interactive security?
Why would someone use this method?
What Do I ConsiderInteractive Security?
Perceptiveness. Know your system. Customize your server or
workstation to better suit you. Understand that proper mindset
can increase security substantially.
Why Would Someone Use This Method?
Cut down on man-hours used maintaining systems; less time will have to be spent by administrators on tedious tasks.
Enhance knowledge about basic functions of the operating system.
Less stressful work environment.
Administrative Measures
If a server has been compromised, learn from this, and adapt accordingly.
Segregation Common sense
Conclusions
Administrators work closest with the actual infrastructure that needs the most attention.
Better education of administrators could lead to less of a chance of being compromised.
Questions?
Special Thanks to:Richard S. Keirstead
Lars MaulSteve Manzuik