UNIX SYSTEM SECURITY AND ADVANCED ADMINISTRATION
(SÉCURITÉ SYSTÈME SOUS UNIX ET ADMINISTRATION AVANCÉE)
A.Davous, 01/02/2009 1Unix Security Advanced Admin
FOREWORD
“No absolute security as long as system is accessed”
“In system administration, the evil is in details”
• For questions, contact is [email protected] • with [ESGI] in subject field – otherwise, mail will be
considered as spam by server rules.
A.Davous, 01/02/2009 2Unix Security Advanced Admin
INTRODUCTION
• UNIX FLAVORS• COMMON SENSE RULES OF SECURITY• HOW SECURITY IS COMPROMISED• UNIX DAEMONS, SERVICES AND SERVERS• HANDS-ON : SUN VIRTUAL BOX
A.Davous, 01/02/2009 3Unix Security Advanced Admin
WELL-KNOWN EXAMPLES
• Sendmail debug commands modeas sendmail runs with setuid rootso user can run any command with root power(try sudo and vi !...)
• Command passwd –f : no control of entered GECOS fieldso user can add any new line in password file
• Buffer overflow is a variantUser can execute shellcode (to get run root shell) previously saved at some memory address for programs that accepts any entry without control (exploit)
• SYN flooding : by sending high rate of TCP open session requests (SYN), server is filling its queue with half-open sessions data
• SQL-injection : SQL request to database may be forged to execute malicious code
A.Davous, 01/02/2009 Unix Security Advanced Admin 4
FOR INFORMATION – UNIX RELEASES
UNIX Solaris Linux
1969 AT&T Labs Unix
1977 Berkeley BSD Unix
1983 System V From BSD & SysV : From scratch :
1991 Solaris 1.0 (= SunOS 4) Linus Torwalds Linux
1992 FreeBSD, OpenBSD
1993 Slackware ; Debian
1994 Kernel 1.0 stable – RedHat
1995 Solaris 2.5 (= SunOS 5.5)
2000 Solaris 8 (= SunOS 5.8)
2001 Solaris 9 (= SunOS 5.9) Kernel 2.4
2003 Fedora Core – Kernel 2.6
2005 Solaris 10
2008 Fedora 10
A.Davous, 17/09/2008 5Solaris vs. Linux
FOR INFORMATION – UNIX FLAVORS
• Unix time line http://www.levenez.com/unix/
• Linux distributions time line http://futurist.se/gldt/gldt76.png
A.Davous, 01/02/2009 Unix Security Advanced Admin 6
REMINDER – UNIX MANDATORY
• Read, read again documentationman, man –k, makewhatis -u
• vi – what else could be expected ?vim but config and security
• Shells : sh – best choice for scriptingthen tcsh or bash… (current : ps)
• find, diff, touch, sort [-n]• xargs• grep, egrep, awk, Perl, expect
A.Davous, 01/02/2009 7Unix Security Advanced Admin
WELL-KNOWN ATTACKSName Category Definition
Sniffing Network Get information from network transactions
Spoofing or masquerading
Network Take identity of someone else
Denial of service
Network Try to stop or degrade service – usually by flooding technique
Replaying Authentication Replay abusive authentication or transaction
Repudiation Authentication Reject authentication or transaction
Spam Mail Undesirable mail
Phishing Mail Disguised mail to get confidential data
Hoax Mail Joke with more or less consequences
Dictionary Password Test with list of most current words
Brute force Password By trying a large number of possibilities
Social engineering
All Getting personal information by any mean (physical, social network, …)
A.Davous, 01/02/2009 Unix Security Advanced Admin 8
MALICIOUS PROGRAMS (MALWARES)Name Definition
Virus Insert malicious code on machine
Worm Separate process that exploited security holes in network
Trojan horses Malicious program disguised as something innocuous or desirable
Backdoor Method to bypass normal authentication procedures
Rootkit Software set installed to get abusive rights, install backdoor and stay hidden
Spyware Gather information for commercial purpose
Key logger Copies down the user’s keystrokes
Bomb Crash the system at a given time
Exploit Exploit a security breach of a software
A.Davous, 01/02/2009 Unix Security Advanced Admin 9
Most of these can be detected locally (by signature) – except some exploits that can be detected at network level (firewall)
SECURITY KEY CONCEPTS
• Security goals: confidentiality, integrity, availabilityauthentication, non-repudiation
• 3 usual answers to threats: ignore, improvise or try to ‘over’ secure
• Right answer: determine field, identify and evaluate cost of resources (financial, confidentiality or production), determine security risks and strategy, monitor, upgrade
A.Davous, 01/02/2009 Unix Security Advanced Admin 10
STRATEGIES• Strategies :
Accept threat – but have a recovery planReduce threat – by appropriate meansTransfer threat – to a vendorBypass threat – by blocking access
• Understanding is key:Example of mail user privilegeProtect all layers – example of firewallsReduce exposed surfaceProtect but detect and answer – administrate !
• Security is or must be part of :conception, operation and deployment
A.Davous, 01/02/2009 Unix Security Advanced Admin 11
RISKS AND STRATEGY
Risks• Human – malicious but often from authorized users• Technical – hardware (physical access), software• This is up to sysadmin to decide what are they and right
level of protection
Strategy• Security and comfort is a compromise• Have a security policy especially recovery procedure
A.Davous, 01/02/2009 Unix Security Advanced Admin 12
HOW TO DO
In-depth (passive) protection• (Physical – premises access)• Network filtering• Passwords• Encryption• Backup
(Active) security process• Monitor and add corrections• Full audit• Upgrade
A.Davous, 01/02/2009 Unix Security Advanced Admin 13
SECURED DESIGN• Open design or secret design debate
(hidden flaws, issues discovered by community, provocation to exploits)
Common breaches• Least user access (chroot as solution)• Buffer overflow• Printf function (insert conversion keys into string)• Web programming (URL forging)• Transactions, client/server (man-in-the middle,
encryption, hashing as solutions)
A.Davous, 01/02/2009 Unix Security Advanced Admin 14
SOME TABLE LAWS…• If someone can execute something on your computer or if someone can
modify your OS, or if someone can physically access to your computer, it will not belong to you anymore
• As well, if someone can execute something on your web site, it will not belong to you anymore
• Weak passwords leads to security breach• System is as secured as sysadmin wants• Encrypted data are as secured as the used key to encrypt• An anti-virus not updated is as useful as no anti-virus• Anonymity is not useful but confidentiality is• Technology is not be-all• Security measures works well when they are simple to use for
sysadmin and transparent to users
A.Davous, 01/02/2009 Unix Security Advanced Admin 15
REMINDER : PROCESSES
• Processes have four identities : real (for accounting) and effective (for access permissions) UID and GID ; usually the same except with setuid or setgid bit set
• Command ps• Find setuid and setgid files over the system:
find / -type f –perm /u+s,g+s -ls
Kinds of processes• Interactive – controlled with & (run in background), ^Z (stop job), bg (restart
in background), jobs (list current jobs)• Batch• Daemons
A.Davous, 01/02/2009 Unix Security Advanced Admin 16
DAEMONS, SERVERS, SERVICES
• Daemon, server, service concepts• Daemon : programs not part of kernel ; process that performs a
specific function or system-related task• Start at boot time or on demand
Specific system daemons• init primordial process
• cron that schedule commands• inetd that manages some of them
A.Davous, 01/02/2009 Unix Security Advanced Admin 17
WELL KNOWN DAEMONS
Name Description
init First process
syslogd, rsyslogd Syslog logging
sendmail Mail MTA – Mail Transfer Agent
lpd, lpsched Print scheduler
crond Cron process scheduler
getty, mingetty Terminal support
syncd, fsflush, bdflush, pdflush Disk buffer management
pagedaemon, swapper, kswap Swap management
inetd Main daemon to start on-demand TCP/IP services as telnetd, ftpd, rshd – see /etc/inetd.conf
named Bind DNS – Dynamic Name Resolution
routed, gated TCP/IP routing daemons
dhcpd DHCP – Dynamic Host Configuration Protocol
portmap, rpcbind Port service resolution for RPC – Remote Procedure Call
nfsd NFS – Network File System
smbd, nmbd Samba
httpd Apache HTTP server
timed, ntpd, xntpd NTP – Network Time Protocol
A.Davous, 01/02/2009 Unix Security Advanced Admin 18
init DAEMON
• First process to run after system boot• Always have PID 1 and is ancestor of all other processes• After startup, init consults /etc/inittab (or for BSD
/etc/ttys) to determine on which physical ports it should expect users to log in (getty processes – even tough large use of network daemons today, or xdm for graphical interface)
• Also take care of zombie processes (not running but listed)• Init defines run levels (passed as argument to it from boot loader) : 0
to 6 and s (single-user)• Additional layer is given with startup scripts in /etc/init.d, linked
to startup and stop scripts in /etc/rcX.d
A.Davous, 01/02/2009 Unix Security Advanced Admin 19
REMINDER : BOOTING – SHUTTING DOWN
Solaris SPARC Solaris x86/64 Linux (Fedora Core)
Boot PROM(device detection)
Access with STOP-Aboot –s : single-userboot –r : reconfigure
See ls –l /dev/rdsk/c0t0d0s0
ROM BIOS
MBR of boot device
Boot loader (GRUB since 5.10,
see /boot/grub/menu.lst)
Boot loader (GRUB see /boot/grub/menu.lst)
Kernel loading and initialization
Device configurationtouch /RECONFIGURE
Device detection and configuration
Execution of startup scriptsLevel 0 : shut down (init 0) - Level 1 or S : single user (init –s) - Level 6 : reboot (init 6)
Scripts management none or see 5.10 Configuration : /etc/default
Execution of startup scriptsLevel 0 : shut down (init 0) - Level 1 or S :
single user (init –s) - Level 6 : reboot (init 6)
Scripts management : chkconfigConfiguration : /etc/sysconfig
Multiuser mode
Shutdown/usr/sbin/shutdown –g secs –i6/usr/sbin/shutdown –g secs –i0/usr/sbin/shutdown –g secs –iS
Shutdown/usr/sbin/shutdown secs –r/usr/sbin/shutdown secs –h
/usr/sbin/shutdown secs –f
A.Davous, 17/09/2008 Solaris vs. Linux 20
Solaris SPARC Solaris x86/64 Linux (Fedora Core)
Boot PROM(device detection)
Access with STOP-Aboot –s : single-userboot –r : reconfigure
See ls –l /dev/rdsk/c0t0d0s0
ROM BIOS
MBR of boot device
Boot loader (GRUB since 5.10)
Boot loader (GRUB see /boot/grub/menu.lst)
Kernel loading and initialization
Device configurationtouch /RECONFIGURE
Device detection and config.
Execution of startup scriptsLevel 0 : shut down (init 0) - Level 1 or S : single user (init –s) - Level 6 : reboot (init 6)
Scripts management none or see 5.10 Configuration : /etc/default
Exec. of startup scriptsLevel s : the same
Scripts management : chkconfigConfiguration : /etc/sysconfig
Multiuser mode
Shutdown/usr/sbin/shutdown –g secs –i6 (reboot)/usr/sbin/shutdown –g secs –i0 (shut down)/usr/sbin/shutdown –g secs –iS (single user)
(skip scandisk)
Shutdown/usr/sbin/shutdown secs –r/usr/sbin/shutdown secs –h
/usr/sbin/shutdown secs –f
OTHER CONCEPTS
• Command dmesg• Core dump : ulimit –c• Path :
- try not modify root profile PATH variable- do not set empty or ‘.’ in PATH variable- in scripts (and configurations like cron), always use full path for commands (as variables at beginning)
• Disk quotas may be use to isolate an application (vs. original purpose)• vi and other editors dump files feature• History of shell commands• who –r• cp -p
A.Davous, 01/02/2009 Unix Security Advanced Admin 21
ANSWERS TO QUESTIONS - 1
• Gentoo (2003)Visible on time line ; derives from Enoch (1999) which was build from scratch.
Compile on installation taking into account processor’s instruction set.• ESCAPING TO SHELL WITH VI, MORE, …
Type : (semi column) to get into command modeThen ! (exclamation mark) to run any shell commandType any command
• locate – updatedbSearch of a pattern ( *file* ) instead of a filename ( file )locate ntp == find / -name ”*ntp*”locate –b ’\ntp’ == find / -name ntp
• History length : on sh or bash this is set with $HISTSIZE (tcsh $HISTORY). See following profiles slide and hands-on (depending on shell, use man, setenv or printenv)
A.Davous, 01/02/2009 Unix Security Advanced Admin 22
ANSWERS TO QUESTIONS - 2• grep
# egrep pattern file(s) Shows filenames & lines that match [ filename: line ]# egrep –L pattern file(s)Lists files that does not contain any line matching
• awk
# ifconfig -a | awk 'BEGIN {printf "%-4s %-19s %-15s\n","If","MAC","IP"} / Link/ {a=a+1 ; printf "%.4s %17s",$1,$5 ; getline ; printf "%15s\n",substr($2,6,15)} END {print "Total nbr:", a}'
If MAC IP
eth0 00:09:5B:BD:FA:D2 192.168.0.1
eth1 00:0E:A6:9F:7C:AA 89.156.6.39
lo 127.0.0.1
Total nbr: 3
A.Davous, 01/02/2009 Unix Security Advanced Admin 23
USERS ADMINISTRATION - PROFILES
Main shells
Startup Upon termination Other
sh /etc/profile (login shells)
.profile (login shells)
Any command or script specified using trap ″command″ 0
tcsh /etc/csh.cshrc (always)
/etc/csh.login (login shells)
.tcshrc (always)
.cshrc (if no .tcshrc file is present)
.login (login shells)
.logout (login shells) .history (saves history based on "$savehist")
.cshdirs (saves directory stack)
bash /etc/profile (login shells)
.bash_profile (login shells)
.profile (login if no .bash_profile file is present)
.bashrc (interactive non-login shells)
$ENV (non-interactive shells)
.bash_logout (login shells)
.inputrc (readline initialization)
A.Davous, 01/02/2009 Unix Security Advanced Admin 24
Nothing specific to OS but to shell. However, it is worth to know !
PASSWORD CRACK TOOLSUsage of these tools are illegal on computers where you have not been explicitly authorized to do it.
But it is recommended to test your own password files – anyhow, crackers will do it with them.
Crack• Locations: /usr/share/crack ; /usr/libexec/crack ; /usr/bin• Quick-start commands:
# umask 077# ~/scripts/shadmrg.sv /etc/passwd /etc/shadow > /root/unshadp# Crack –nice 5 /root/unshadp# CrackReporter
• Results in ~/run directory
John the Ripper• Locations: /usr/share/john ; /usr/libexec/john• Quick start commands:
# umask 077# unshadow /etc/passwd /etc/shadow > /root/unshadp# john [--rules --wordfile=FILE] /root/unshadp
• Results in ~/john.pot
A.Davous, 01/02/2009 Unix Security Advanced Admin 25
EXAMPLE FOR JOHN - 1
A.Davous, 01/02/2009 Unix Security Advanced Admin 26
EXAMPLE FOR JOHN - 2
...New UNIX password: 12345...12345 (essai1)
guesses: 1 time: 0:00:00:05 8% (2) c/s: 4880 trying: Sunshine1 ^C
...New UNIX password: cathy...cathy (essai1)
guesses: 1 time: 0:00:00:04 6% (2) c/s: 4891 trying: decembers ^C...New UNIX password: djk7sdf...
guesses: 0 time: 0:00:00:34 37% (2) c/s: 4886 trying: blondie? ^C
A.Davous, 01/02/2009 Unix Security Advanced Admin 27
SOME PHYSICAL ATTACKS
• Physical access must be protected – if not, attacker can open the case and reset EEPROM (where BIOS password is saved) or can steal hard disk…
• BIOS (or boot PROM for Sun) level must be protected (with password) – if not, attacker can boot on its own CD/DVD
• If partitions are not encrypted, booting with a CD/DVD gives access to data (with mount command) and so to /etc/passwd (this is an official recovery procedure of lost root password)
• For backup purpose, recovery CD (or software installation CD) are usually needed# mkbootdisk `uname –r`
• Network may need to be redundant (High Availability) by duplicating network interfaces, switches, routers. Multiple redundant interfacing is named channel bounding (or IP multipath for Sun) – otherwise, DoS
A.Davous, 01/02/2009 Unix Security Advanced Admin 28
ROOT PASSWORD RECOVERY
Simplest procedure using single user mode – case of Fedora 10• When Grub screen, edit current boot line (e)• Edit kernel line (e) by adding ‘single’ at end (single user mode)• Save and boot (b)• Command passwd can be entered with root privileges to reset root
password
GRUB protected if :• GRUB bootloader have a timeout (/boot/grub/menu.lst) –
suppress it (0)• Or a password (add line password –md5 PASSWORD in menu.lst)
Encrypted password is given by command# grub-md5-cryptwhich returns a PASSWORD that can be pasted
A.Davous, 17/09/2008 Solaris vs. Linux 29
ROOT, sudo AND SECURITY
• Never log as root directly• su – (minus to inherit root environment instead of user’s one)• Never change root shell• Package sudo used to give some determined root rights to standard
users (with their own passwords !)- Configuration file : /etc/sudoers (440) editable only with visudo command – see man sudo, man sudoers- Never configure shells or utilities that escape to shell as commands (more, less, vi,…) because commands will be executed as root !- sudo –v , restart timeout- sudo may be integrated to PAM- passwords are not encrypted ; SSH is the solution- usage can be forced by replacing su command to a symbolic link to sudo
A.Davous, 01/02/2009 Unix Security Advanced Admin 30
SUDO CONFIGURATION LINES EXAMPLES
Host_Alias FILESERVERS = fs1, fs2User_Alias ADMINS = antoine, johnCmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yumDefaults requiretty
root ALL = (ALL) ALLantoine fs1 = /sbin/mount, /mnt/cdromADMINS FILESERVERS = SOFTWAREdgb fs2 = (operator) /bin/ls
• The most important : sudoers config should be set to span over multiples servers (by simple file transfer and copy)
• Last : the user dgb may run /bin/ls, but only as operator eg,# sudo –u operator /bin/ls
A.Davous, 01/02/2009 Unix Security Advanced Admin 31
REMINDER : TELNET, (T)FTP, R* SERVICES
• Started by (x)inetd server• Reminder telnet : useful for (tests not only port 23)
# telnet host [port]• TFTP : used for X terminals startup : no authentication at all• telnet, FTP : security problem with clear-text passwords shown…• R* services
Commands : rlogin, rsh, rcp, ruptime, rwhoConfiguration : /etc/hosts.equiv , ~/.rhostsSyntax : user@hostAuthentication is done without password if succeeded (handy for rcp)But security problem : if one listed host is unsecured, local host is unsecured ! This is because with r* services authentication scheme, local authentication is based on remote one.
So use rsync for file transfer (nothing to do with r* services) or better SSH/SFTP for everything.
A.Davous, 01/02/2009 Unix Security Advanced Admin 32
INETD AND XINETD
• Extended Internet services daemon• Unique daemon that waits for incoming connections for a number of other services and
start corresponding server (echo, telnet, FTP, r* services… most are standard and/or well-known Unix services – but not all)
• Process : inetd or xinetd (reminder : kill –HUP)• Startup for xinetd : /etc/init.d/xinetd• Log by syslog – but configurable• Old style configuration (inetd) :
/etc/inetd.conf (reminder : /etc/services)• Configuration (xinetd) in :
/etc/xinetd.conf/etc/xinetd.d/* (one config file per service)
• Even tough (x)inetd is a mandatory service (think about installing embedded servers with no SSH package installed yet), controlled services are more and more disabled for security reasons …
• … why ? For example, telnet and FTP are sending clear-text passwords !• Other : installation with core, verbose mode
A.Davous, 01/02/2009 Unix Security Advanced Admin 33
TCPWRAPPERS
• Package that secure connections to given well-known services – those handled by (x)inetd for sure, but others (SSH)…
• …which ones ? For sshd example :# strings –f /sbin/sshd | grep hosts_access/usr/sbin/sshd: hosts_access (YES ! If no line returned, no)
• TcpWrappers is transparently inserted between network and service ; adds access control and logging features
• Binary: tcpd – but not a daemon (invoked at connection). This is why no service to restart after configuration modification
• Configuration files:/etc/hosts.allow/etc/hosts.deny
• Syntax of configuration linesservice_list : host_list [ : (command to log) ]host_list may be an hostname, a list, an IP address or network, a keyword (ALL, LOCAL) – but never use EXCEPT as shown in documentation
A.Davous, 01/02/2009 Unix Security Advanced Admin 34
ROOT LOGIN DEVICES
Kinds of terminals• console # console• ttyn (tty1,..) # serial terminals• vc/n (vc/1,..) # virtual consoles
Where root can directly login to• Configurable in /etc/securetty
Security• Should be all disabled (by commenting with #) except console
and/or tty1
A.Davous, 01/02/2009 Unix Security Advanced Admin 35
WELL-KNOWN SERVICES AND PORTS
Service Port Service Port
FTP 21 (20), 990 (989) NTP 123
SSH 22 IMAP 143 (v2), 220 (v3), 993 (v4)
telnet 23, 992 SNMP 161, 162
SMTP 25, 992 LDAP 389, 636
DNS 53 LPD 515
DHCP (BOOTP) 67 (s), 68 (c) NFS 2049, 4045/udp
TFTP 69 X11 6000-19, 6063
HTTP(S) 80, (443) SMB 445
Kerberos 88, 749, 750 AD 3268, 3269
POP-3 110, 995
RPC 111
A.Davous, 01/02/2009 Unix Security Advanced Admin 36
PORT SCANNINGTCP ports scanning• Normal handshake, port open : SYN, SYN+ACK, ACK
Normal handshake, port closed : SYN, RST+ACK
(note : this is logged ! )• Half-open SYN scan, port open : SYN, SYN+ACK, RST
Half-open SYN scan, port closed : SYN, RST+ACK(note : this may not be logged … but usually is)
• Anyhow, some systems (FW) will think about SYN flooding. So nmap can be used with –T option to slow down flood
• Probe = malformed TCP packet (i.e. “FIN” probe with FIN flag set, or “XMAS” probe with FIN, URG, PUSH, TCP flags set, “NULL” probe with TCP set)Stealth TCP scan, port open : TCP probe, No response (this is garbage)Stealth TCP scan, port closed : TCP probe, RST+ACK(notes : also named inverse TCP flag ; Windows does not respect standard and does not send RST from a closed port ; nmap can use options for each kind of probe : –sF, –sX, –sN)
• Some other techniques : analysis of ACK probe, TTL field, window field
UDP ports scanning• UDP probe, port open : UDP probe, No response
UDP probe, port closed : UDP probe, ICMP dest port unreachable
(note : nmap can use option –sU)• Using specific UDP service clients to test server – not realistic for large number of ports
A.Davous, 01/02/2009 Unix Security Advanced Admin 37
REMINDER : NETWORK
• TCP/IP layers : application telnet, NFS, DNS, FTP, SSHtransport TCP, UDPinternet (OSI network) IP, ICMPnetwork access (Ethernet, ARP)
• MAC address 48 bits – 24 first OUI (Organizationally Unique Identifier)• Service = transport protocol (TCP or UDP) + port
/etc/protocols – associate internet protocol (OSI network layer) and protocol identifier/etc/services – associate transport protocol (transport layer) and port number
• IPv6 : 128 bits address (48 firsts for FAI - end for MAC)Compatible IPv4 (::FFFF:a.b.c.d) ,loopback is ::1 , broadcast is FF02::1http://www.potaroo.net/tools/ipv4/index.html
A.Davous, 01/02/2009 Unix Security Advanced Admin 38
TCP/IP NETWORK PROTOCOLS MAP (from RADCOM website)
A.Davous, 01/02/2009 Unix Security Advanced Admin 39
(Attached PDF file,available from RADCOM
at www.radcom.com)
TCP/IP NETWORK PROTOCOLS MAP (from protocol.com website)
A.Davous, 01/02/2009 Unix Security Advanced Admin 40
TCP STATE MACHINE
A.Davous, 01/02/2009 Unix Security Advanced Admin 41
TOOL: WIRESHARK - 1
• Other well-known tcpdump (we’ll see it later)• Wireshark can import tcpdump dump file, snoop (Sun) dump file• Open-source and modular conception – you can add your own decoder• Related to sniffing but many other obscure tools are used in real life by hackers• Promiscuous mode – i.e. listen to all frames on LAN (libpcap needed – WinPcap for Windows
environment)• Can be used in text mode without GUI – but not recommended (in line mode use tcpdump instead
with –o option to export dump to Wireshark)• Configurable columns (Edit, Preferences)• Filtering : when capturing (lot of options) or viewing (also…) – can work as ring buffer with triggers • Important options :
Resolutions : MAC, network, transport – network should be avoided as it creates new trafficFragmented IP – are reassembled by default but configurable (Edit, Preferences, IP protocol options)Analyze, Follow TCP stream : useful to present TCP session in one window
• Rich statistics options• Rich export and presentation options
A.Davous, 01/02/2009 Unix Security Advanced Admin 42
TOOL: WIRESHARK - 2
FIELD TYPE MEANING
ip.addr IPv4 address Source or destination IP address
ip.dst IPv4 address Destination IP address
ip.flags.df Boolean Don’t fragment flag
ip.ttl Unsigned integer Time to live
http.request Boolean HTTP request
icmp.type Unsigned integer ICMP command type
ftp.response.data Characters string FTP data
dns.response Boolean DNS response
A.Davous, 01/02/2009 Unix Security Advanced Admin 43
FILTER MEANING
ip.addr == 192.168.10.2 All packets coming from or going to 192.168.10.2 host
(ip.addr == 192.168.10.2) && (dns.response)
All packets coming from or going to 192.168.10.2 host which are DNS responses
REMINDER : FILES• In Unix everything is a file (IO from files or from peripherals are the same)• In Unix, a file belongs to a user AND to a group (no mandatory relationship between
both) ; a user can belong to many groups ; so, to give access to a set of files or commands belonging to a group is done by adding the user to the group
• When a file is created, it belong to the user who created it and its group – except if upper directory is setgid (BSD style)
• Commands : chown [-R], chgrp, chmod• Access rights for files (directory) :
r read (can ls it), w write (can supp/rename files into), x execute (can cd into)(to be executable, a script shell needs rx, a binary only x )
• umask 022 command in profile files to set permission of new files• Special access :
t sticky bit (can write a dir but not supp file ; /tmp)s setuid bit (set resources access of process to owner and not to the one that run it)s setgid bit (for a file, set resources access of process to owning group and not the one that run it – for a dir, see upper)find / [-user root] -xdev –perm {-4000 | -2000}
A.Davous, 01/02/2009 Unix Security Advanced Admin 44
SERVICES- COMPLEMENTS
• Commands : init 0, init 6, init sps –ef, kill -<signal>, pgrep, pkill, <service-script> start|stop|restart (service startup script)
• Command chkconfig (specific to Fedora):usage: chkconfig --list [name] chkconfig --add <name> chkconfig --del <name> chkconfig --override <name> chkconfig [--level <levels>] <name> <on|off|reset|resetpriorities>chkconfig header in startup scripts
• And finally, system-config-services GUI applet specific to Linux
• Command service and semi-graphical GUI sysvconfig, both specific to Debian
A.Davous, 01/02/2009 Unix Security Advanced Admin 45
NETWORK COMMANDS
• hostname (nodename)• ifconfig• ping• arp [-n] [-a] ...• netstat [-rn] ...• route [add | del ] ...• traceroute• nslookup, dig
A.Davous, 01/02/2009 Unix Security Advanced Admin 46
NAME RESOLUTION AND ROUTING
Name resolution• /etc/hosts – name resolution
(eventually distributed by NIS, but to avoided)• /etc/resolv.conf – domain definition and name servers location
(suppression will deactivate DNS resolution)• /etc/hosts.conf – name services switch
(or /etc/nsswitch.conf)
Routing• On LAN (hubs) no routing necessary• On small networks, static routes may be necessary• On large networks (WAN), dynamic routing handled by routed and gated
daemons (support of RIP, OSPF, BGP, EGP)• On Linux, static routes may be defined in /etc/sysconfig/static-routes
A.Davous, 01/02/2009 Unix Security Advanced Admin 47
NETWORK FILES: DHCP AS EXAMPLE
Linux SolarisInterface config
/etc/sysconfig/network-scripts/ifcfg_eth0/etc/sysconfig/network
/etc/hostname.hme0/etc/init.d/network
Startup script
/etc/init.d/network(/sbin/ifup)
/etc/init.d/network
DHCP activation
BOOTPRTO=’dhcp’ in /etc/sysconfig/network-scripts/ifcfg_eth0
touch /etc/dhcp.hme0Config in /etc/default/dhcpagent
Daemon dhcpd dhcpagent
Client lease file
/etc/dhcp/dhcpd-eth0.info /etc/dhcp/hme0.dhc
A.Davous, 01/02/2009 Unix Security Advanced Admin 48
Sun xVM VirtualBox - 1• VirtualBox release 2.1.2 found at www.virtualbox.org
(accept installation of USB and network drivers)Host and guest concepts, see manualGuest additions concept
• Fedora 10 found at fedoraproject.org/en/get-fedora (F10-i686-Live.iso, 32 bits although 64 supported by xVM, English edition, installable Live CD)
A.Davous, 01/02/2009 Unix Security Advanced Admin 49
Sun xVM VirtualBox - 2• Installation procedure (example is Fedora)
New machine ; choose OS, select memory size (2 GB but less than host !), add virtual disk (fixed, 10 GB).Mount OS ISO local file as CD/DVD-ROMStart !... (ignore both messages – no additions installed yet)When started, use Install on hard disk icon. Select French keyboard.Shut down, unmount CD/DVD and restart.Upgrade system and application packages (Yum).Install dkms package (Dynamic Kernel Module Support Framework).Install GNU make, gcc packages.Mount Guest Additions ISO with Devices, Install Guest Additions xVM menu.Run Sun’s script (cd /media/VBOXADDITIONS_2.1.2_41885/ ; sh ./VBoxLinuxAdditions-x86.run)Restart.
A.Davous, 01/02/2009 Unix Security Advanced Admin 50
Sun xVM VirtualBox - 3• Installation procedure particularities for Debian 4
Installation of small image via Internet.Disk partitioning without LVM, one root partition.Desktop and system packages.Synaptic Package Manager used for package installation : make, gcc and kernel headers (linux-headers-2.6.18-6 and linux-headers-2.6.18-6-686 ; check release with command uname –a).
A.Davous, 01/02/2009 Unix Security Advanced Admin 51
REMOTE ACCESS TO SYSTEM
• Xming XLaunch utility• But otherwise, X specific, “exporting display” :
Run your X server on PC (nothing required if PuTTY used because X protocol is SSH’d encapsulated - port 22 ; otherwise, ports XDMCP 177 and 6000 should be opened)Then, on client : setenv DISPLAY server:0.0echo $DISPLAY
• Putty
A.Davous, 01/02/2009 Unix Security Advanced Admin 52
REDHAT PACKAGE MANGER COMMANDS
# rpm –qa | grep <package-search-string> Get package name
# rpm –ql <package-name> List files included in package
# rpm –qc <package-name> List configuration files included in package
# rpm –qR <package-name> List required dependant packages
# rpm –qi <package-name> Information on package
A.Davous, 01/02/2009 Unix Security Advanced Admin 53
USEFUL LINKShttp://www.dwheeler.com/secure-programs/ Secure Programming for Linux and Unix HOWTOwww.cpan.org Perl packages and morehttp://www.sun.com/software/security/jass Sun’s JASS Solaris Security Toolkithttp://www.digilife.be/quickreferences/quickrefs.htm Quick Reference Cards – useful for those related to Unixhttp://www.cert.org/cert/ CERT – Security informationhttp://www.auscert.org.au/5816 AusCERT – Unix and Linux Security Checklist v3.0http://www.protocols.com/pbook/tcpip1.htm#MAP RADCOM protocols.com web site (protocols map)
A.Davous, 01/02/2009 54Unix Security Advanced Admin
BIBLIOGRAPHYUnix System Administration Handbook – Evi Nemeth, Garth Snyder, Scott Seebass, Trent R. Hein – Prentice Hall
English. Third edition 2001. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD). 854 p.
Essential System Administration – Aeleen Frisch – O’Reilly
English, but French version available (Les bases de l’administration système). Third edition 2002. Few security aspects. All Unices covered (HP, Aix, Sun, RedHat, BSD, Tru64). 1172 p.
TCP/IP illustrated volume 1 – Richard Stevens Addison-Wesley
English, but French version available (TCP/IP illustré - Vuibert). A must for TCP/IP matter. No OS privileged but Unix foundations. 592 p.
TCP/IP Network Administration – Craig Hunt – O’Reilly
English, but French version available. Third edition 2002. Covers RedHat and Solaris. 772 p.
Network Security Assessment – Chris McNab – O’Reilly
English. Second edition 2007. Covers Unix and Windows from network services breaches perspective. 478 p.
GNU/Linux Fedora, Spécial Sécurité – Huet-Verhille – ENI Editions
French. First edition 2007. Focuses on Fedora (as it is a native secured OS). 342 p. 39 €. Recommended for this course
A.Davous, 01/02/2009 Unix Security Advanced Admin 55
WINDOWS TOOLS USED DURING THIS SESSION
Wireshark (prev. Ethereal), network protocol analyzer http://www.wireshark.org
PuTTY, SSH client http://www.chiark.greenend.org.uk/~sgtatham/putty/
Xming, PC X server http://www.straightrunning.com/XmingNotes/
VirtualBox, virtualization http://www.virtualbox.org/
EasyBCD, Windows Vista bootloader utility http://neosmart.net/
Apache JMeter, HTTP workbench http://jakarta.apache.org/jmeter/
A.Davous, 01/02/2009 Unix Security Advanced Admin 56