The End!

Unix for Advanced Users

17. Light Sysadmin Tasks

17.7 Security

In Unix, "security" almost always means network security. Unix machines have traditionally been used to run multiple network services. Because they are available to the whole Internet by default, these services are the easiest point of entry to an insecure box.

On the one hand, the daemons that provide these services usually run with root priveleges (i.e. setuid root). Therefore, if one of these daemons has a vulnerability, it is a simple matter for an intruder to exploit it and perform operations as root, perhaps even obtaining a root shell.

On the other hand, the most common Unix services, like telnet and ftp, use password authentication. If these passwords are not encrypted, they may pass through many insecure servers, where they can be "sniffed" by hostile programs. Then the owners of these "sniffers" can use the passwords to log on as the users to whom they belong. Once in, they can exploit local (i.e. non-network dependent) vulnerabilities to gain greater power.

Fortunately, both vulnerabilities are easy to address.

Patching your Operating System

The best way to fix these problems is to ensure that they never occur. The easiest and most basic form of defense is keeping an up-to-date operating system. As services develop, subtle bugs in security are constantly discovered. The same is true of local programs. Unix vendors elease fixes to these and other bugs in the form of patches. To alert sysadmins as quickly as possible, they also post announcements on popular security mailing lists like Bugtraq and CERT. IU's Information Technology Security Office subscribes to several such lists and provides digests of announcements, organized by operating system.

It is always a good idea to keep your operating system up to date. To keep list traffic manageably, ITSO alerts report only security problems. There are many other kinds of bugs. For this reason, the UWSG recommends downloading and installing your OS's recommended patches at least once a month.

Disabling Unneeded Network Services

Patches can go only so far. Some services are intrinsically insecure. Unfortunately, a slew of insecure and seldom-used services is enabled at installation time. A just-installed Unix box is never secure. As soon as the installation process is complete, you should disable all but the services you will use by editing /etc/inetd.conf.

Each line in /etc/inetd.conf specifies a named service, the low-level network protocol it should use and some options for that protocol, the effective uid with which the service will run, and the executable file that is the daemon for that service. The generic Internet daemon, inetd, reads this file when it is first started so it knows which services to provide. Then it responds to requests for a particular service by either forking a copy of the daemon for that particular service (the entry in the executable file field) or refusing the request. You want it to refuse requests for insecure servives. For example:

chargen       stream  tcp     nowait  root    internal

This is the chargen service, used only for testing. Leaving it enabled is just asking for trouble, especially since people seldom expend much effort in testing obsolete protocols like this for security holes. Get rid of it. To do so, just edit the file (as root) and put a # (hash mark) in front of that line. This makes the line into a comment, so that the master daemon responsible for running the chargen daemon will not read that line when it starts up. That master daemon is called inetd. To make the # take effect, we must re-start that daemon by finding its process ID and running kill -HUP on it.

Before you kill -HUP the daemon, you should comment out all the unneeded lines in /etc/inetd.conf. As a rule, if you don't recognize a service, comment it out. You probably do not need it. If you are uncertain as to whether you need a service, consult this list. The only inetd services in very common use are ftp and telnet. Even these are somewhat insecure and can be replaced or improved.

The rsh and rlogin programs, provided by the shell and login services, are widely used, but they are extremely insecure. (They do not require password authentication at all; all a hostile host has to do to break into an account is to lie about its IP number.) Disable them.

Using ssh

telnet and ftp are standard and useful Internet services. However, they use plain-text (i.e. unencrypted) passwords, so they suffer from vulnerability to sniffing.

This is an intrinsic vulnerability. The only way around it is to use a different service that does encrypt passwords. Until recently, such services existed, but were very hard to configure. In response to this problem, two college students, now the heads of the Finnish company F-secure, developed ssh, a turnkey replacement for both telnet and ftp. ssh uses a configurable public-key encryption scheme (RSA by default) to make sure no one can read passwords as they traverse the net. The UWSG highly recommends using ssh instead of these older, less secure services. The source code for SSH is freely available (though not freely distributable). However, the UWSG regularly compiles and makes available binaries for recent ssh versions on all UWSG platforms, along with instructions for installation. The Information Technology Security Office licenses ssh clients for Windows and the Macintosh. If you want copies for machines you adminster, send a formal request to the ITSO.

tcp_wrappers

Sometimes it is necessary to run a somewhat insecure service. For example, many people frequently need to use a computer with no ssh client installed. These people still need to use telnet. Others like the Unix talk service, an inefficient but simple way to hold conversations over the network. talk has potential vulnerabilities, and telnet has very real vulnerabilities. However, a large part of the risk in either case stems from the fact that these services accept connections from any host on the Internet. If we could restrict these services to a few trusted hosts, the risks of a break-in would be dramatically reduced.

tcp_wrappers, written by famed security expert Wietse Venema, allows for just such restriction. The "wrappers" in the name means that the included executables simply call the standard Internet service in the normal way after doing host authentication. The "tcp" refers to the , meaning that only TCP/IP-based services can be wrapped. (This implies, for example, that NFS cannot be made more secure with tcp_wrappers.)

Because of their wrapper design, Venema's programs are very simple to set up. The generic wrapper program is run from a service's line in /etc/inetd.conf, instead of the generic inetd. For example:

telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

/usr/sbin/tcpd is substituted for /usr/sbin/inted. (The actual paths may vary; these are the right ones for a Linux system.) Once it has performed its form of authentication, tcpd passes off control to a forked in.telnetd just as inetd would do. In addition, tcp_wrappers keep logs of every request for a service, so that attempts to break in are easier to track.

The UWSG provides fuller instructions for installing tcp_wrappers, along with actual binaries to install. In addition, tcp_wrappers source code is freely available, modifiable, and distributable.

Secure passwords

Even if passwords never go out across the net unencrypted, it is always possible for an intruder to guess a user's password. There are numerous programs that take a dictionary and a username and try to log on as that user with every word in the dictionary. Many use clever ploys like trying words backwards or making common substitutions like "1" for "I" and "0" for "O". Most users choose simple words as their passwords, unaware of the prevalence of dictionary attacks. The dangers are very real: In 1999, over one-fourth of the passwords on Steel were guessed, compromising many people's work and e-mail.

To avoid falling subject to these attacks, you must keep users from choosing simple passwords. By default, the passwd program will change any user's password, so the only way to prevent bad choices is to test them automatically, using the same tools intruders will use.

crack was invented with this strategy in mind.

PGP

PGP (short for Pretty Good Privacy) is a public-key encryption program written by Phil Zimmerman. Zimmerman was concerned about pending U.S. federal legislation that would make exporting encryption software illegal. He quickly coded and distributed the first PGP version out of devotion to the idea of civil liberties, starting distribution of its source and binaries before the law could take effect.

The purpose of PGP is to encrypt documents. It uses the same basic algorithm as SSH but on static pieces of data rather than streams of data across the network. This makes it ideally suited for e-mail. In general, there are two sets of circumstances in which you should encrypt your e-mail: Either you are sending passwords, for instance to new users of a system or to the UWSG for help in tracking a problem, or you are sending reports about intruder activity. In the first case, your e-mail is in danger of being intercepted, just as a password can itself be sniffed. In the second case, you are in even greater danger, for an intruder may well be monitoring your e-mail to find references to nasty activities and altering or deleting it, sabotaging your defenses.

If you find yourself in one of these two circumstances, or if you are simply sending e-mail of a private nature, you should read up on the details of PGP and download the precompiled binaries.

contents

The End!