1 / 47

UNIX/LINUX II Final Presentation

UNIX/LINUX II Final Presentation. Security. Juan Ortega 12/05/08 CIS214. Being a multi-user system - UNIX and Linux have a tremendous amount of security to offer; many being open source, which can be validated and modified to meet anyone’s needs.

raisie
Download Presentation

UNIX/LINUX II Final Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. UNIX/LINUX II Final Presentation Security Juan Ortega 12/05/08 CIS214

  2. Being a multi-user system - UNIX and Linux have a tremendous amount of security to offer; many being open source, which can be validated and modified to meet anyone’s needs. With live system patch upgrades, open source customized firewalls, encrypted disk and swamp space, one super-user account, MAC permissions, salted passwords, checksum packages, system monitoring, chroot and jail system services, limited known viruses and worms, and hundred more features; UNIX/Linux tops security on any other operating system.

  3. List of things to go over… • MAC/ACLs Permissions • Salted Passwords • Secure Level • Patches • Checksum • Chroot/Jail (Sandbox) • Linux/SELinux • BSD/SEBSD/TrustedBSD • Daemon/Services • Harden • Encryption • RAM • Swap • Hard Drive Encryption • PAM • Viruses/Worms • OpenBSD Security • Linux Firewalls • OpenBSD PF • OpenBSD Projects • Buffer Overflows • Packet Sniffing • GPG/PGP • SAMBA • Limits • Shell Restrictions • Bandwidth • Logging • IDS • NFS • Monitoring • Shell Scripts • Backups • Secure Deletion • Map Each have 1-3 slides… try not to fall asleep! =)

  4. MAC/ACLs Permissions Most basic level of security - giving users permission of what files they can: read, write, or execute. Access Control List Mandatory Access Control More sophisticated form of permissions handling. This is more like application patching, it limits what permission each program is given. MAC programs include: AppArmor, SELinux, SEBSD, GrSecurity, Trusted Solaris and Trusted BSD. Almost modern files systems, include ACLs to give unprivileged access to only certain users. Permissions are separated by owner, group, and others. On UNIX systems permissions are displayed as rwxrwxrwx With a few more special settings, Desktop environments also provide GUI settings for easy modifying.

  5. unmask – Sets default file permissions. You can set files to have same permissions as you create them. Special files have symbolic notations in front of the first ‘r’ in their permissions, these include… - Denote regular file d Denote a directory b Denote a block special file c Denote a character special file l Denote a symbolic link p Denote a named pipe s Denote a domain socket Permissions are set in Octal --- --x -w- -wx r-- r-x rw- rwx rws rwu rwt 7 6 5 4 3 2 1 0 +s +u +t SUID – chmod a +s to a file to make the program run as the owner. SGID – chmod a +u to a file to make the program run as the group. Sticky – chmod a +t to files or directories prevents anyone except the owner from renaming of deleting them. Note* - Attributes and flags can also be made to certain files but this differs from file system and OS used.

  6. Examples… $ ls -l /usr/bin/passwd -r-sr-xr-x $ umask  Default Permissions 0033 $ umask –S  Human Readable u=rwx,g=r,o=r $ touch ok  Create empty file $ ls -l ok  Look permissions -rw-r--r-- 1 root wheel 0 Dec 5 05:08 ok $ chmod a+x ok  Give all execute permissions $ ls -l ok -rwxr-xr-x 1 root wheel 0 Dec 5 05:08 ok $ mkdir ok  Make a directory $ ls -ld ok  Directory permissions drw-r--r-- 2 root wheel 512 Dec 5 05:13 ok The ‘passwd’ on all UNIX systems have a SUID +s because only the root account can change your password, running this program as ‘root’ even being a normal user will enable anyone to change their own password. Denote ‘d’ means it’s a directory.

  7. Salted Passwords UNIX/Linux all have salted hashes, which make rainbow tables completely useless especially with more powerful encrypted hashes available today. The location of the passwords differ from UNIX operating system, and weather the user has changed the default location or not. In addition to the location, the files are separated into two ‘passwd’ and ‘shadow’. Only the root can access the ‘shadow‘ file. Using a program like ‘unshadow’ one can use both files to get a list of users and their encrypted passwords. Having this is only half the challenge. A typical ‘unshadow’ file looks like this… UserName:SaltID:Saltedhash:EncrypedPassword:UserID:GroupID:Complete_Name:home_dir:shell_bin That’s assuming you have both ‘passwd’ and ‘shadow’ files which includes root privileges.

  8. Cracking the password - Even getting the ‘unshadow’ file with every user ‘s encrypted password and name, cracking it these days is extremely difficult, even by brute-forcing. NSA has created the sha-2 functions which have a very large encryption bit. $1$... md5 $5$... sha256 $6$... sha512 How to identify an ‘unshadow’ file…. Salt ID $6$ means the password is encrypted in salted base64 sha512. The random base64 generated salt. Ends in ‘$’ root:$6$9ydl1tvS/ivnSGdp$Tr.dWu07FAQN/uPHkKAYaUm7sJ1DEH11488oUcfQLA8LAIsjT.zBrUwuTl8oQt7kOJBVi4W.1eESHagKJ2Wc71:100:100:root:/root:/sbin/sh Name of the user. The encrypted base64 sha512 hash. Note* - There is no password cracker that handles sha384/512 salted hashes at the moment. UserID:GroupID:Complete_Name:Home_Directory:Shell

  9. Secure Level Maximum Security - Every UNIX OS has a security level in its kernel, the higher it is, the more secure your system is. Be aware having the level higher than ‘1’ will probably produce problems in the future. Situation… Lets say you went in the logs /var/log and changed the attribute of ‘auth.log’ to append only so an attacker getting root privileges can’t delete his trace. You type.. $ chattr +a auth.log In Linux and $ chflags sappnd auth.log In BSD. An attacker gaining root can easily just type $ chattr -a auth.log or $ chflags nosappnd auth.log After removing the attribute/flags the attacker can remove his trace, so what's the use? That’s where the secure level comes in. BSD has securelevel and Linux has ‘capabilities model’ to prevent this.

  10. Linux BSD To prevent even the ‘root’ account from doing this, Linux needs to remove the CAP_LINUX_IMMUTABLE capability. BSD ‘s securelevel its incredibly more secure! Unlike Linux where it’s set at every start up, once you raise the securelevel in BSD, it can never be changed back, careful! You will need a program called ‘lcap’ from http://packetstormsecurity.org After unzipping and compiling… ./lcap CAP_LINUX_IMMUTABLE ./lcap CAP_SYS_RAWIO First command removes the ability to change the append-only flag, second command removes the raw I/O to prevent anyone from modifying the block device the file resides on. Adding the script above to /etc/rc.local To issue the command at every startup. In /etc/sysctl.conf You can see kern.securelevel=1 That is the current system level, FreeBSD by defauly is -1 NetBSD is -1 OpenBSD has it to 1 Once the system has been restarted with the new level, your stuck with it! Having the level higher than 0 X11 won’t work. The max level is 2 which is well.. Lets just say you can’t change ANYTHING! You can’t even change the clock at level 2! Nor can you mount new disks. Go to http://wiki.netbsd.se/Kernel_secure_levels for more information on securelevels.

  11. Patches Security Threats - Most major Linux distribution have their own package manager from: dpkg, rpm, source packages, and yum. BSD has either has a port collection or pkgsrc. With a simple system update, an entire system can be patches with the latest security threats, some distribution require you to restart like ‘Ubuntu’ and others like.. BSD! Can perform “live” updates. Patching a system is a simple task, most Linux distributions have “user-friendly” ways, while BSD users need to use ‘portmanager’ or recompile the program from source. Every UNIX OS project has security threats that need patching, and most display them on their web site. Others let you know in a nice friendly popup. All packages are checksum (I’ll talk more on the next slide) to make sure none of the installing packages has been modified from an intruder and tricking you in installing their own packages.

  12. Checksum Checking Packages - Making sure your installing the right packages can be crucial. All UNIX systems have a sha256 and MD5 checksum which check every binary bit for any alteration. Linux md5sum [file] $ md5sum “ok” Md5sum (“ok”) = 444bcb3a3fcf8389296c49467f27e1d6 For BSD use ‘md5’ $ visprint | md5 “ok”  See Image A program called ‘visprint’ can also be used. It creates a visual representation of an image using a any checksum. Since every file has a completely different hash, the image is always different.

  13. Chroot/Jail (sandbox) SandBoxing a user or daemon - The mistake most administrators do is run daemons and services as the ‘root’ account. That’s incredibly insecure and any security threat can get anyone root privileges to an entire system. If an attacker is able to buffer overflow a POP3 server for instance and gain root privileges. While He/She will be confined in the sandbox, and cannot run any other process. Although there are many ways to get out of the sandbox, they rely on how well you construct it. FreeBSD is the only OS that includes the jail() command. It’s a more sophisticated than chroot() and more secure. Almost all UNIX/Linux OS’s include a mechanism to sandbox environments. What is a Sandbox? A sandbox offers various levels of isolation between a host and the sandbox. In other words… Running a daemon like a web server as root is dangerous, chroot() only lets the daemon run the files “it needs” and restrict everything else.

  14. Examples… $ mkdir -p /chroot_test/bin  Create a sandbox $ cp /bin/sh /chroot/bin/  Copy a shell $ chroot /chroot_test /bin/sh  Enter the Sanbox $ echo /*  ls won’t work only ‘echo’ /bin As you can see, your confined in a small box, the only commands you can use are the default shell commands, if you want to use ‘ls’ or anything else, You need to copy the entire program in the sandbox. Jail() is much more secure, and it creates more like a virtual server with its very own IP address! $ mkdir -p /jail_test/bin $ cp /bin/sh /jail_test/sh $ jail /jail_test jail_test 192.168.0.40 /bin/sh $ echo /* /bin

  15. Linux/SELinux Linux and SELinux working together? - Linux on its own already includes many open source security features, the biggest one is SELinux was created by the NSA to enhance security on Linux by creating more system patches. SELinux is complex and somewhat hard to understand to new Linux users, as a result, most disable it because it interferes with their programs to often. Other than that, its basically NSA’s implementation of MAC into the Linux kernel. It’s a list of policies every user is force to follow, although this prevents users from malicious intent, its just patches; once a user gains ‘root’ privileges, this is relatively useless.

  16. BSD/SEBSD/TrustedBSD BSD’s version of SELinux - FreeBSD having a Linux compatibility, implemented SELinux modules into its kernel as well. Although this is optional and unless you’re an administrator for many security sensitive servers, this is an overkill. FreeBSD has the TrustedBSD project, which is a collection of advance security programs and features available for other BSD’s and Linux as well. Some of these projects include… file system extended attributes and UFS2, Access Control List, OpenPAM, security even auditing with OpenBSM, mandatory access control and the TrustedBSD MAC Framework, and the GEOM storage framework

  17. Daemon/Services Daemon’s are nice! - Daemons or Services provide others to access resources your pc/server has weather it’s a web server, SSH, telnet, ftp, or any other useful resource. Running a daemon without your notice can create a security problem. • Scanning your own system for services running must be a daily process. • It can be done using the any of the following commands… • netstat -na • lsof • nmap localhost • sockstat -4 -l (FreeBSD only) • A list of all listening ports will appear, all the “LISENING” ports mean their open; make sure you “know” its exactly the services your running. Inetd and xinetd are super-servers. If their started at start-up, they read off a configuration file, usually in /etc which starts all the daemons listed. BSD has all the daemons except the domain off by default, learn how to configure the inetd super-server… http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-inetd.html To run your choice daemons in a nice organized list, just uncomment them!

  18. Harden We need to secure Linux? - Unfortunately although Linux can be relatively secure, it can do a lot better. BSD’s can also be harden although OpenBSD is the only one, you might want to skip. Their secure by default philosophy doesn’t lie. IBM has a well documents how to on Hardening Linux http://www.ibm.com/developerworks/linux Get ready to read a lot! Hardening Linux to make it secure, it’s a long and painful process, so I won’t discuss how to here. Many distributions today: fedora, redhat, SUSE, and Ubuntu are relatively secure by default, but if your not lazy you can make it better! FreeBSD and NetBSD can be harden a little, for example its master.shadow file is still in FreeBSD md5 salted algorithm which almost any password cracker like john-the-ripper can easily crack. FreeBSD’s handbook describes all the security you can add… http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html

  19. Encryption UNIX/Linux has cyber text friends - Almost anything can be encrypted: files, RAM, hard drive, swamp, network transmission, passwords, emails, web sites, everything ‘should’ be encrypted. Asymmetric-key encryption is used most often to transfer data across a network. This requires a different key for encryption and decryption known as a public and private key. Examples include…. Symmetric-key encryption involves only one key, this can be a password of some sort. Great for compress file encryption, hard drive encryption, or local encryption, hashes include… • Diffe-helmen • DSS • ElGamal • Elliptic Curve • Password-authentication • Paillier • RSA • Cramer-Shoup • GPG - OpenPGP • IKE • PGP • ZRTP • SSL • SSH • SILC • Twofish • Serpent • AES • Blowfish • CAST5 • RC4 • TDES • IDEA

  20. One-way hash (checksum) - are mathematically irreversible algorithms to create a random string corresponding to the plain text. These are useful like the checksum slide to check for any alterations. Its most commonly used for password hashing. Password crackers try to use every possible combination either brute-force or dictionary attack, which the string is hashed and checked for comparison against the original hash. One way hashes include… • HAVAL • MD2 • MD4 • MD5 • PANAMA • RadioGatun • RIPEMD • RIPEMD-128/256 • RIPEMD-160/320 • SHA-0 • SHA-1 • SHA-256/224 • SHA-512/384 • Tiger(2)-192/160/128 • WHIRLPOOL

  21. RAM RAM needs protection? Wah?.. - Protecting RAM from processes using more than its intended allocated space is embedded on all modern OS’s including UNIX, but protecting their data is something else. Normally RAM can be access by any program looking at the /dev/mem OpenBSD has many new features that prevent this. strlcpy() and strlcat() in C/C++ guardPages, randomzied malloc() randomized mmap() atexit() and stdioprotection All UNIX/Linux system have their own way to secure RAM, maybe not as much as OpenBSD but without this anyone can read passwords you entered in your RAM without randomizing.

  22. Swap Swamp should always be encrypted if its used - During installation of any UNIX/Linux system it should also set apart a Swap partition incase the RAM ever runs out. It’s a good way not to freeze a system, but just like RAM, it should be protected and always encrypted. Searching ‘encrypted swap’ on Google, will show some tutorial on how to do this on Ubuntu and Fedora and a few others. For the BSD systems, OpenBSD should already have it by default, FreeBSD has a tutorial on their site http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html NetBSD should have one too. Having the swap partition encrypted prevents others from reading it just like RAM.

  23. Hard Drive Encryption Why do I need to encrypt my hard drive? - This is always an optional choice for any user. Depending of critical your files are, you might or might not need it at all. Full disk encryption Encrypt an entire partition, except for the MBR (Master Boot Record) unencrypted. Uses symmetric key encryption, you it encrypts/decrypts with a single password. Hardware-based full disk encryption Full hard drive encryption, including the MBR all encrypted. The symmetric key are only stored in the BIOS using Pre-Boot Authentication. Filesystem-level encryption Encrypts individual files and folders within a running file system. I can use symmetric or asymmetric encryption depending on the software. There are over 40 encryption software available. http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

  24. PAM Pluggable Authentication Modules - Added authentication rules used for application. Example, What if you wanted to limit the users that can log in from a specific hosts. Firewall Rules? What if you wanted to allow only ‘some’ users at specific from a specific host, at different times and dates for maintenance purposes? PAM! PAM is usually set up only on services like: SSH, ftp, telnet, that can be dangerous for potential attacks.

  25. Start… • Adding • ‘account required pam_access.so’ • To the /etc/pam.d/login file. • Will enable the module. • Configuring /etc/security/access.conf • Takes in the form of • permission : users : origins • (permissions are either + or -) or • : root : unkown@unkown.com • Will lock the account ‘root’ from the hostname. PAM Examples… pam_access = Module limits where a user or group may log in from. pam_time = Module limits when then user or group may log in. File /etc/pam.d/login Includes all the available modules. File /etc/pam.d/system-auth Is the configuration file. File /etc/security/access.conf Controls how the modules behave. File /etc/security/time.conf Controls how the time module behaves. Add ‘account required /lib/security/$ISA/pam_time.so` Will enable the module. Configuring /etc/security/time.conf takes the form of ‘services;devices;users;times` sshd:ttyp*;!root;Fri1900-0700 - Limits the SSH logging from 7PM-7AM. Note* - $ ls -1 /etc/pam.d Lists all the PAM supported daemons.

  26. Viruses/Worms I thought UNIX doesn’t get a virus? - Although UNIX are rarely a prime target for viruses, due to the low market share. Doesn’t mean you can’t be prepared. The problem most viruses have is lack of ‘root’ privileges. Worst case scenario, all your personal files get deleted, leaving the system still running. Due to the popularity of UNIX increasing, the amount of UNIX viruses doubled since last year. Most of them being for Linux. Some commercial and free UNIX virus scanner are available. • F-prot • CamAV • Avast! • AVG • Eset • Sophos • Avira • Others… UNIX systems tend to have regular up to date upgrades removing new vulnerabilities and most require no restart from the user.

  27. OpenBSD “Secure by default” - Putting security above everything else. • Although hard to use, and probably not intended for a home user. OpenBSD has impressive security from its core up. • Features: • Own firewall called PF • Only OS with emulated Data Execution Prevention • Integrated cryptography • Only OS that’s secure by default • Auditing code from core up, for bugs and security issues. • Resistant to buffer overflows • New security technologies being developed • Has contributed many smaller projects like: OpenSSH. OpenBGPD, OpenNTPD, and OpenCVS.

  28. Linux Firewalls Iptables - Linux firewalls, are configured manually (unlike a bar in windows). There are simple GUI firewalls, even though you don’t get much control over them. • Most Linux distributions don’t include a firewall by default, which poses a security problem. • Firewall protects you from: • Port Scans • OS fingering • Denial-of-Service attacks • Ping of death • Ping flooding • UDP flooding • Fragmentation bombs • ICMP direct bombs “Inclusive” Only allow specific packets. “Exclusive” Allow all packets but block specific packets.

  29. Iptables Syntax iptables <option> <chain> <matching criteria> <target> iptables.sh #!/bin/sh IPT=“/sbin/iptables” # Location of iptables INTERNET=“eth0” # Internet-connected Interface LOOPBACK_INTERFACES=“lo” # Loopback Interface LOOPBACK=“127.0.0.0/8” # Reserved loopback address range CLASS_A=“10.0.0.0/8” # Class A private networks CLASS_B=“172.16.0.0/12” # Class B private networks CLASS_C=“192.168.0.0/16” # Class C private networks CLASS_D=“224.0.0.0/4” # Class D private networks CLASS_E=“240.0.0.0/5” # Class E private networks BROADCAST_SRC=“0.0.0.0” # Broadcast source address BROADCAST_DEST=“255.255.255.255” #broadcast destination PRIVPORTS=“0:1023” # well-known, privileged ports UNPRIVPORTS=“1024:65535” # unprivileged ports $IPT --policy INPUT DROP $IPT --policy OUTPUT ALLOW Firestarter is a GUI firewall. Much easier to use, no script making involve, except you put all your confidence on a program, you have no idea what its actually doing…

  30. OpenBSD PF BSD only firewall - Fast, sophisticated, easier, PF is the ideal firewall for any BSD based operating system. If your planning in running services like “SSH” you must add rules, the last rule always wins! Macros Unlike iptables where every single thing is entered manually, PF can be all be configured with just three lines to /etc/pf.conf… services = {telnet, ssh, rlogin, http, finger} Pass in quick proto tcp to any port $services block in all pass in quick proto tcp to any port ssh pass out all set skip on lo0 block in all pass out all Macros can be used to pair up ports or daemons. Of course these are SMALL samples, PF is very powerful and can be a large topic to cover. The second line allows TCP connections to the local SSH. The `quick` stops from other rules from being seen, so this is the last rule. That’s it! Then just $ pfctl -f /etc/pf.conf To enable it, and you have a desktop firewall. * First line skips checks on lo0

  31. OpenBSD Projects OpenBSD is full of projects - With emphasis on security, OpenBSD’s projects have made its replacements almost now obsolete. OpenNTPD OpenSSH NTP is a daemon that synchronizes your local clock to remote NTP servers. Protocol rlogin/telnet rcp ftp telnetd Replacement SSH scp sftp sshd OpenBGPD BGPD is a Border Gateway Protocol (BGP) daemon which manages the network routing tables. OpenCVS Concurrent Versions System not yet released, its intended to replace the current CVS which many have found vulnerabilities. OpenSSH embedded cryptography on all these protocols for same communication.

  32. Buffer Overflows What is it exactly? - When a process tries to store data beyond the boundaries of a fixed-length buffer. Using the NOP sled typing something like this on a i386 machine, you will gain ‘root’ privileges.. Trying to run a C program like this: vul.c Int main (argc, char** argv[]) { char buffer[500]; strcpy(buffer, argv[1]); return 0; } $ ./vul `perl -e ‘print “\x90”x202;’``cat shellcode``perl -e ‘print “\x78\xf9\xff\xbf”x88;’` root# who am I root Compiling it, and adding the +s as root will make it vulnerable. The vulnerability lies when trying to store more bytes than it can handle. Most of the time it’s a segment fault, others you might be able to execute a command, if done correctly.

  33. Packet Sniffing Spy on others - This is actually pretty easy to do, although most transmission is encrypted now, back in the dinosaur age all transmission was unencrypted: telnet, ftp, rlogin. Using an interface device only receives information by its unique identity, setting your interface device to ‘promiscuous’ mode meant, your interface device will be able to receive all packets, most not even meant for your computer. Many people don’t know is setting your device to ‘promiscuous’ mode won’t give you a lot of information. To really spy on someone, make your MAC address the same as theirs, (some routers allow you do to that, some don’t) you can do this by scanning your local network and getting a list of all IPs. The only catch is they must be running an unencrypted daemon like telnetd or ftpd. If it’s a switch, you won’t be able to see them logging in, unless do you a Man-In-Middle attack. They way of doing this varies from OS but some packet sniffers like Wireshark do all this for you.

  34. GPG/PGP GNU Privacy Guard and Pretty Good Encryption - Although this can be used to transmit data across a network, its mostly use is for email. OpenGPG has been ported in many email clients for safe email transmission. Using asymmetric encryption, the sender uses the private key to encrypt the message, the receiver owns the private key to see them message. To see a Signature you will do this… $ gpg -import KEYS $ gpg -verify [packages] This is almost like checksum but instead of checking the file itself, you can download a package with the right checkup but how do you know it’s the real thing? Anyone can change the checksum. This will very if the package its from the owner itself.

  35. Samba The reason why we don’t need Windows anymore - Samba comes from Server Message Block (SMB) used my Microsoft Windows to share files. Samba allows you to share files for window clients to read. It also allowed you to view windows server shares through the use of ‘smbclient’ or mounting with the file system ‘smbfs’ Samba has dozens of implementations: WINS, NETBIOS, SMB, CIFS, DCE/RPC, and MSRPC and including Active Directory log on. Samba makes it so UNIX users can share files and printers with window users. This is important because almost all UNIX and UNIX-like system have this: Mac OSX, Linux, BSD, Solaris, AIX, and others

  36. Limits The users are using up all the resources! - With the all powerful multi-user system UNIX can set limits using PAM to certain users or groups, so they won’t be able to hog the entire 100% CPU. Adding to the /etc/security/limits.conf guest soft nofile 1000 guest hard nofile 2000 The ‘nofile’ can be cpu, memlock, nproc, maxlogins, or fsize, they all limit them on certain things, right now it says guest can only have open 1000-2000 open files. $ Su - guest $ ulimit -a  will list the limits $ ulimit -n 2000  Have the hard limit $ ulimit -n 2001  will receive an error The configuration file for setting the limits is called /etc/security/limits.conf domain type resource value Soft limit - the default value of how much resource the user can use. They may want more and raise the level, but only to the hard limit. Hard limit - the maxim limit the user can achieve, they can’t go any higher than this.

  37. Shell Restrictions Sometimes a sandbox is an overkill - Restricting users in a shell, isn’t so effective. They can break out of it if they were savvy users. Nonetheless it’s a great way if your to lazy to use chroot(). The command to restrict users, varies on what shell. For bash, typing $ bash -r Will bring up a restricted shell. These shells, you can’t use ‘cd’ nor can you change your PATH and some other restrictions. You can do this permanent by adding ‘+r’ to the .profile page. Note* - make sure they can’t edit their own .profile page, and use PATH=. with symbolic links to specify what commands they may use. $ bash -r bash: SHELL: readonly variable bash: PATH: readonly variable bash-2.05b$ ls bash: ls: No such file or directory bash-2.05b$ /bin/ls bash: /sbin/ls: restricted: cannot specify ‘/’ in command names bash-2.05b$ exit $ ln -s /bin/ls . $ bash -r $ bash-2.05b$ ls -la  list your stuff

  38. Bandwidth Restrict bandwidth usage - Allowing people to hog all the internet can be restricted so only you can have the entire bandwidth all to yourself! A program called AltQ, which is now ported into OpenBSD PF, can restrict bandwidth usage as well. Although it can be a bit complicated. Here’s a script, that sets the limit to 2MB of transfer data. The %% means how much of that limit can the daemons have. altq on $ext_if cbq bandwidth 2MB queue {main, ftp, udp, web, ssh, icmp} queue main bandwidth 18% cbq(default borrow red) queue ftp bandwidth 10% cbq(borrow red) queue udp bandwidth 30% cbq(borrow red) queue web bandwidth 20% cbq(borrow red) queue ssh bandwidth 20% cbq(borrow red) {ssh_interactive, ssh_bulk} queue ssh_interactive priority 7 bandwidth 20% queue ssh_bulk priority 0 bandwidth 80% queue icmp bandwidth 2% cbq

  39. Logging You must know everything! - Every OS has its own logging thing. They help the administrator see what’s going on. The only problem is, most of them are to busy or lazy to actually read it. In the system level slide, I discussed how the log files can be safe from tampering. Checking the /var/log/auth.log File daily, you might be surprised, if your running a SSH server, a lot of people try to brute-force it and it ends up in there! Everything is in the /var/log directory, from Samba errors, system errors, print errors, and X11 errors.

  40. IDS Intrusion Detection System - A firewall might prevent a packet from entering, but most don’t detect attempted break ins. A popular open source software called Snort can keep track of any attempts in a desktop or server system. Snort can be places behind or in front of the firewall, to detect possible break ins. It can also be used as a separate server, using ‘promiscuous’ mode to log and scan traffic for any suspicious activity.

  41. NFS Network Files System - Who needs Windows Shares when UNIX has its very own file sharing system. In order to run NFS successfully, a client must have these daemons running… nfsd NFS clients daemon mountd Mounts the remote nfs share rpcbind daemon to discover what port nfs is using. Due to the design of NFS, a user can easily spoof an IP address and gain access to an unprivileged resource in the NFS server, since they rely on the identify of the host. Also NFS does not encrypt network traffic, so your basically just using telnet (so to speak). SFS was created to solve this and many other security issues. Its basically the same as SSH is to telnet, it uses public-key encryption to share files securely with passwords. After reading the how-to on setting up a NFS client or server http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html There are some security issues.

  42. Monitoring See what your users are up to - Logging is a good way to track users, but what if your online and curious to see what their up to? There are many monitoring software that allow you to see real-time data. OpenBSD has ‘ftop’ which lets you see virtually anything of the firewall itself. All UNIX system have ‘top’ simple monitoring of the CPU and programs. Nagios is network-monitoring application, which lets you monitor virtually anything, even a 3D representation of your own network.

  43. Shell Scripts An administrators easy-to-use tool - Scripts can be made for simple programs. Their basically a list of commands with a little logic programming. Shell Scripting is basically a very simple programming language, useful for doing a lot of nifty things. MAX_NO=0 echo -n "Enter Number between (5 to 9) : " read MAX_NO if ! [ $MAX_NO -ge 5 -a $MAX_NO -le 9 ] then echo "I ask to enter number between 5 and 9, Okay" exit 1 fi clear for (( i=1; i<=MAX_NO; i++ )) do for (( s=MAX_NO; s>=i; s-- )) do echo -n " " done for (( j=1; j<=i; j++ )) do echo -n " $i" done echo "" done for (( i=1; i<=MAX_NO; i++ )) do for (( s=MAX_NO; s>=i; s-- )) do echo -n " " done for (( j=1; j<=i; j++ )) do echo -n " ." done echo "" done echo "Hello, $LOGNAME“ echo "Current date is `date`“ echo "User is `who i am`" echo "Current direcotry `pwd`" Little scripts like this.

  44. Backups Making sure you have something after a crash - Backing up important files to tapes, drives, disks daily is a good idea to make sure you still ‘have’ them after a system crash. ‘cpio’ command creates tar files, which makes files compress so they you don’t end up waiting a lot of space. ‘cpio’ can restore backup files, tar them, backup to floppy disk or any drive. Copies files to a remote location automatically. There are many other open source tools, used for backups. Backing databases like MySQL is also a good idea.

  45. Secure Deletion Beat forensics - Even deleting and overwriting a file 10x it can still be recovered even on a UNIX system, there are several software to prevent this. One of many useful ways to securely delete a file made by THC called ‘secure_delete’ This is secure delete the entire contents of a file system, file, folder, swamp space, memory and many other drives from forensic activity. After installation, the easiest way to delete a file is type ‘srm’ instead of ‘rm’ and that’s it, file security deleted. http://freeworld.thc.org/releases.php?s=12&q=&o=

  46. The End

More Related