December 23rd, 2001, 11:13 AM
Testing the security of your Unix box
Those of us who run a Unix variant are fortunate to have so many tools at our disposal to check the security of the system.
All systems have holes, and all software has a flaw somewhere; that is reality. Another part of reality is that those of us who use Unix tend to get complacent about the security of our systems. The old attitude that Unix is so much more secure than any other OS is exactly what ends up allowing hackers to break in. What I mean is that you can never be too paranoid or too vigilant in your security measures.
The double-edged sword of Unix security is that it is at the same time both secure by nature and a favorite of hackers searching for a system to compromise. Hacking tutorials for Unix are all over the net; a quick skim through the docs at http://blacksun.box.sk and http://www.phrack.org is a sobering reminder that Unix attacks are well documented and have been quite popular.
So... with that in mind allow me to suggest a few things that can be done to improve the chances that your box will not be one of the compromised.
1. setuid and setgid (setgrpid) programs
These two have been responsible for many a security nightmare. One of the best things that you can do to improve security is to audit these and remove the setuid or setgid bit from anything that does not have to have it. If you don't know how to determine this, please ask someone before doing anything.
We can find all of these using the `find' command and redirect the output to a file for later review and audit.
# find / \( -perm -02000 -o -perm -04000 \) -ls > setXid.txt
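The one-off `find` above tells you what is setuid/setgid today; what you really want at the next audit is to know what changed. The script below is an added example (not from the original post) that saves the first listing as a baseline and, on later runs, prints only the entries that were added or removed. The tree to scan and the baseline path are assumptions for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): inventory the setuid/setgid
# files under a directory tree and compare the result with a saved baseline,
# so that a privileged binary that appears between audits stands out.
# The tree to scan and the baseline path are assumptions for this demo.

# list_setxid ROOT
# Print "<mode> <owner> <group> <path>" for every regular file under ROOT
# with the setuid (04000) or setgid (02000) bit set. -xdev keeps find on one
# filesystem so /proc and network mounts are not walked.
list_setxid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# audit_setxid ROOT BASELINE
# First run: save the listing as BASELINE and return 0.
# Later runs: return 0 if the set is unchanged; otherwise print the entries
# that were added (+) or removed (-) since the baseline and return 1.
audit_setxid() {
    root=$1
    baseline=$2
    current=$(mktemp) || return 2
    list_setxid "$root" > "$current"
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "baseline written to $baseline ($(wc -l < "$baseline" | tr -d ' ') entries)"
        return 0
    fi
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    removed=$(LC_ALL=C comm -23 "$baseline" "$current")
    rm -f "$current"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        echo "no change against $baseline"
        return 0
    fi
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/+ /'
    fi
    if [ -n "$removed" ]; then
        printf '%s\n' "$removed" | sed 's/^/- /'
    fi
    return 1
}

# Stand-alone use: ./setxid-audit.sh / /var/lib/setxid.baseline
# (nothing runs when the script is sourced or invoked without arguments).
if [ $# -ge 2 ]; then
    audit_setxid "$1" "$2"
fi
```

Run it once right after you have stripped the unnecessary bits to record the baseline, then from cron; a non-zero exit with a `+` line is the signal to go and look at the new binary.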
2. Crack
Download URL: http://www.users.dicron.co.uk/~crypt...ad/c50-faq.htm
Crack is a password guessing program that is designed to quickly find weak passwords that exist within the password file using several common techniques.
3. COPS "Computer Oracle and Password System"
Download URL: http://ciac.llnl.gov/ciac/ToolsUnixSysMon.html
COPS is a set of scripts and programs that monitors Unix system security. If a problem is discovered, the Sys-Admin receives an email notification. Among the things that COPS tracks and reports on are:
> User home directories that have write access
> The permissions and contents of the password and group files
> The modes and permissions for files, directories, and devices
> The crontab entries and all system startup files.
4. SATAN "Security Analysis Tool for Auditing Networks"
Download URL: http://ciac.llnl.gov/ciac/ToolsUnixNetSec.html#Satan
SATAN gathers as much information about remote hosts and networks as possible by examining network services such as finger, NFS, NIS, FTP, tftp, rexd, and others. It searches for incorrectly configured services, bugs in network utilities, and poor or ignorant policy decisions that might have been made. It presents the collected data as .html for analysis in a web browser.
5. Nessus
Download URL: http://www.nessus.org/download.html
Nessus is the king of security scanners in my opinion. It can make use of a large variety of port scanners including NMAP and all of its features: NULL scans, xmas tree scans, rpc scans, etc. The real power of Nessus is its plugins. These plugins can simulate just about any well known attack for just about any OS. The list of functionality is very long, yet it is very simple to set up and run. Nessus has a GUI interface, can scan multiple hosts at the same time, and has very professional looking pie chart .html output that you can use to show the boss how insecure those boxes are.
6. I recommend getting a copy of RFC 1244 "Site Security Handbook" and going over it. http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1244.html
7. This is the AUSCERT Unix Security Checklist, which is an informative Unix security read. http://www.inforeading.com/archive/t...ychecklist.txt
8. It would be a good idea to check out the CERT Unix Security Checklist 2.0 http://www.cert.org/tech_tips/usc20_full.html
9. Here is a good doc on finding evidence of your attacker. http://www.linuxgazette.com/issue36/kuethe.html
10. A whole bunch of related links at infosyssec http://www.infosyssec.com/infosyssec/unixsec1.htm
11. Improving the Security of Your Site by Breaking Into it
12. A couple of tools that I love but somehow left out on the first edit of this post are portsentry and logcheck. Both can be found at http://www.psionic.com.
portsentry can run a variety of port monitors to catch various scans and connection attempts. One of its strongest features is the ability to drop offending hosts into /etc/hosts.deny and ignore any further attempts from that ip/hostname.
logcheck is excellent. It parses logs for security related information and emails the person specified with the report. I use this in a cron job that executes hourly. If logcheck has nothing to say, it does not send an email.
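To show the shape of what an hourly logcheck-style job does, here is an added example; it is not logcheck itself or any of its code. Lines matching an alert pattern list are reported unless they also match an ignore list of known-benign noise, the flagged lines are totalled per source address, and the job produces nothing at all (exit 1) on a quiet hour, which is what keeps the mailbox empty. The patterns, the log path and the sample log lines are all constructed for this demo.

```shell
#!/bin/sh
# Added example, not logcheck itself: the shape of an hourly log-review job.
# Lines matching ALERT_PATTERNS are reported unless they also match
# IGNORE_PATTERNS (known-benign noise), and the job stays silent when the
# report is empty. The patterns and the sample log below are constructed
# for this demo; a real job reads /var/log/auth.log, /var/log/messages, etc.

ALERT_PATTERNS='Failed password|Invalid user|BAD SU|session opened for user root'
IGNORE_PATTERNS='CRON\[[0-9]+\]:.*session opened for user root'

# report_events LOGFILE
# Print the lines worth a human's attention. Exit 0 if there were any,
# 1 if there were none (grep -v's status), so callers can test the result.
report_events() {
    grep -E "$ALERT_PATTERNS" "$1" | grep -E -v "$IGNORE_PATTERNS"
}

# summarize_sources LOGFILE
# Count reported lines per source address ("from a.b.c.d"), busiest first,
# printed as "<count> <address>". Lines without a source are simply skipped.
summarize_sources() {
    report_events "$1" | grep -o -E 'from [0-9.]+' | awk '{ print $2 }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# build_report LOGFILE
# Assemble the mail body. Exit 1 with no output when nothing was found,
# which is what keeps the hourly cron job quiet on a calm hour.
build_report() {
    events=$(report_events "$1") || return 1
    printf 'Security events in %s:\n\n%s\n\nBy source address:\n' "$1" "$events"
    summarize_sources "$1"
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
sample_log() {
    cat <<'EOF'
Dec 23 11:01:02 box sshd[4121]: Failed password for root from 192.0.2.10 port 40122 ssh2
Dec 23 11:01:05 box sshd[4121]: Failed password for root from 192.0.2.10 port 40123 ssh2
Dec 23 11:01:09 box sshd[4125]: Invalid user oracle from 192.0.2.10
Dec 23 11:02:00 box CRON[4130]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 23 11:02:31 box sshd[4140]: Failed password for invalid user admin from 192.0.2.20 port 51000 ssh2
Dec 23 11:03:00 box sshd[4150]: Accepted publickey for ubercoder from 198.51.100.7 port 4040 ssh2
Dec 23 11:04:12 box su[4160]: BAD SU ubercoder to root on /dev/pts/1
EOF
}

# Stand-alone demo on the constructed log. In cron you would point
# build_report at the real log and only mail when it has output, e.g.
#   if r=$(build_report /var/log/auth.log); then
#       printf '%s\n' "$r" | mail -s "log check on $(hostname)" root
#   fi
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    build_report "$tmp"
    rm -f "$tmp"
fi
```

The ignore list is where the real work is: every benign line that pages you at 3 a.m. earns a pattern there, and every pattern is reviewed so it does not also swallow the attack you installed the tool to catch.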
13. Here are some great security-related books. I have not read them all; it is an ongoing pet project of mine at the moment though.
Building Internet Firewalls
D. Brent Chapman, Elizabeth D. Zwicky (1995) ISBN: 1565921240
Computer Security Handbook
Arthur E. Hutt, Seymour Bosworth, Douglas B. Hoyt
Firewalls and Internet Security: Repelling the Wily Hacker
William R. Cheswick, Steven M. Bellovin
Hacker Proof: The Ultimate Guide to Network Security
Lars Klander, Edward J. Renehan
Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network
Anonymous (1997) ISBN: 1575212684
Practical Unix and Internet Security
Simson Garfinkel, Gene Spafford
Secrets of a Super Hacker
The Knightmare
UNIX System Security Essentials
Christoph Braun and Siemens Nixdorf
Yet another very long post from UberC0der, oh well, just trying to get a little security in *nix security
Merry Christmas everyone.
Know this..., you may not by thyself in pride claim the Mantle of Wizardry; that way lies only Bogosity without End.
Rather must you Become, and Become, and Become, until Hackers respect thy Power, and other Wizards hail thee as a Brother or Sister in Wisdom, and you wake up and realize that the Mantle hath lain unknown upon thy Shoulders since you knew not when.