Solaris Security Summary
From: RRG (rigoberto_at_sunguru.com)
Date: 11/18/03
Date: 18 Nov 2003 09:56:22 -0800
Administering Security on the Solaris OE
Summary
By Rigoberto Rodriguez G.
Oct. 2003
Module 1: Exploring Security.
Confidentiality: Preventing users from reading sensitive information.
Integrity: Is concerned with unauthorized writing. Every piece of data
is as the last authorized modifier left it.
Availability: Ensuring that attackers cannot prevent legitimate users
from accessing the system.
Trusted Computing Base: Defines the protection mechanisms that are
inside the computer that implement the security policy.
Reference Monitor: A piece of software that controls access to objects
by subjects.
Secure Kernel: Hardware and Software of the TCB that implements the
reference monitor concept.
Seven Layers of Trust:
D. Minimal protection is provided.
C1. Discretionary access control and access permissions. Logins with
passwords are required.
C2. Auditing is provided, and authentication events are audited. Records
of authentication events are kept in a secure place.
B1. Mandatory access control and labeled output. Access is based on
labels.
B2. Configuration control, facility management, and system
configuration must be documented and controlled. All administrative
security and operator functions are separated.
B3. Access control lists and full system documentation are provided.
Access is based on lists of users plus labels.
A. Formal proof of the security of the system is required.
Identification: Letting a third party know who you are.
Authentication: The ability to prove who you are.
Authorization: Act of approving or sanctioning a process.
Classifying Security Attacks:
1.Fraud and Theft: Electronic financial and commercial systems. Theft
of information that has monetary value. Intellectual property.
2.Terrorism and Sabotage: For revenge. Viruses, Bombs, Network cables.
3.Privacy Violation:
a. Targeted Attacks: The attacker wants to know everything about an
individual, a company, or an organization.
b. Data Harvesting: Collecting names of people who might be
susceptible to illegal scams.
4.Publicity Attacks: Attract attention. Can cause loss of credibility.
5.DoS: Stop something from working.
6.Natural Causes and Environmental Influences.
Motivations of an Attacker:
1.Destruction of data.
2.Theft of data
3.Changing data
4.Just for fun, or the challenge
5.As a springboard to other activities.
Definitions of Hackers:
1.An individual who experiments with the limitations of systems for
intellectual curiosity or sheer pleasure.
2.An expert at a particular program, or one who frequently does work
using it or on it; as in 'a UNIX hacker'
3.A malicious meddler who tries to discover sensitive information by
poking around.
Types of attackers:
1.Script Kiddies: Obtain and use hacking tools without understanding
how the tools work.
2.Terrorists: Recognition is often their own reward.
3.Criminals: Target commercial and financial systems. Can be lone or
organized.
4.Employees: Malicious insiders are potentially dangerous adversaries.
Top Enterprise-Wide Vulnerabilities:
1.Routers
2.Remote Access
3.Trusted Relationships
4.Users Accounts
5.Passwords
6.Standard Accounts
7.Software
8.Security Policy
9.Sharing Data
10.Unauthenticated Services
11.Internet Servers
12.Firewalls
13.Unnecessary Services
14.Information Leakage
15.Inadequate Logging
Intrusion Detection System (IDS): Type of security tool. Network
monitor that scans for suspicious behavior. An IDS can:
1.Alert you while the attack is still taking place.
2.Help you track down where the attack is coming from.
3.Make recommendations on what action to take.
Security Policy: Contains a description of allowed and prohibited
operations. Can never be static. Defines the limits of acceptable
behavior. Requires a risk assessment and a cost-benefit analysis.
Module 2: Using Solaris OE Log Files
Hints on managing log files:
1.Back up or copy the log files on a regular, preferably a daily,
basis.
2.Reset the size of log files to zero after a backup.
3.Review the log files regularly.
4.Use filters to manage the amount of data to review.
5.Send the log files to a separate, secure log host.
Standard Solaris Log Files:
1./var/adm/lastlog: Records each time that a user logs in to the
system.
2./var/adm/loginlog: Records unsuccessful login attempts, but only
after five consecutive failures.
3./var/adm/utmpx (users that are currently logged in to the system) and
/var/adm/wtmpx (a record of every user login and logout).
4./var/adm/sulog: Records all of the attempts that users make to
change their identity to that of another user.
5./var/adm/messages: By default, all messages that are sent to the
console are also stored in this file.
syslog Utility: A host-configurable, uniform system logging facility.
syslog message fields:
1.Program name
2.Facility
3.Priority
4.Message Text
syslog Facilities
1.kern
2.user
3.mark
4.auth
5.daemon
6.mail
7.syslog
8.lpr
9.news
10.uucp
11.cron
12.local 0-7
syslog Priorities
1.emerg
2.alert
3.crit
4.err
5.warning
6.notice
7.info
8.debug
9.none
/etc/syslog.conf file: controls where messages are logged. Format:
facility.priority [TAB] action. The action field causes the syslog
utility to do one of the following:
1.Append the message, with time stamp, to a specified log file or a
device. (specifying the path)
2.Forward the messages to users (specifying the username)
3.Forward the messages to the syslogd daemon of another network host.
(specifying @hostname)
logger utility: send entries to the syslogd daemon from the command
line. The default facility.priority for the logger is user.notice, but
you can change it with -p option. Examples:
# logger "System rebooted"
#logger -p auth.notice "This is a test of auth.notice level"
swatch tool: freeware log monitoring tool. To use the swatch tool to
continuously monitor a log file: #swatch -t /var/adm/messages
$HOME/.swatchrc: Default swatch configuration file, but you can use the -c
option to use a different configuration file:
#swatch -c /etc/swatch.sulog.conf -t /var/adm/sulog
Each non-comment line defines either:
1.A pattern expression to watch for, starting with the keyword
watchfor
2.Actions to be performed if the previous expression is matched; these
lines must start with tab character.
3.A pattern expression to ignore, starting with the keyword ignore.
swatch Actions:
1.echo: Causes the log line to be echoed to the swatch tool's
controlling terminal or to the /dev/null file, if it is started from
the system startup files. Supports different formats: normal, bold,
underscore, blinking, inverse, red, blue, etc.
2.bell: sends a bell signal
3.ignore: Causes the swatch tool to ignore the current line of input.
4.write: Uses the write command to send a copy of the line to a user
list
5.mail: Uses the mail command to send a copy of the line to a user
list
6.pipe: Runs a user command with pattern-matched lines as input to the
particular command
7.exec: Runs a command on the system.
swatch configuration file example:
watchfor /INVALID|REPEATED|INCOMPLETE/
	echo inverse
	bell
	write root
ignore /sendmail/, /nntp/, /xntp|ntpd/, /faxspooler/
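The following is an added example, not swatch itself and not code from the original post: a small evaluator that reads the configuration above (watchfor, tab-indented actions, ignore) and runs it over a few constructed /var/adm/messages-style lines. Rules are tried in file order and the first match decides, as swatch does, so the example also shows that an ignore rule placed after the watchfor cannot suppress a sendmail line that already matched the watchfor pattern. The log lines and host name are constructed.

```python
"""Evaluate swatch-style watchfor/ignore rules over log lines (added example)."""
import re

# The configuration from the post, reproduced here as a constructed string;
# action lines start with a tab, as swatch requires.
SWATCH_CONF = (
    "watchfor /INVALID|REPEATED|INCOMPLETE/\n"
    "\techo inverse\n"
    "\tbell\n"
    "\twrite root\n"
    "ignore /sendmail/, /nntp/, /xntp|ntpd/, /faxspooler/\n"
)

# Constructed log lines in /var/adm/messages style (not real captures).
LOG_LINES = [
    "Nov 18 09:56:22 gromit login: REPEATED LOGIN FAILURES ON /dev/console, alice",
    "Nov 18 09:57:01 gromit sendmail[401]: alias database /etc/mail/aliases rebuilt",
    "Nov 18 09:58:10 gromit su: 'su root' succeeded for alice on /dev/pts/1",
    "Nov 18 09:59:45 gromit sendmail[402]: INVALID recipient address rejected",
]


def parse_swatchrc(text):
    """Return rules as (keyword, [compiled patterns], [actions]) in file order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("\t"):
            rules[-1][2].append(line.strip())        # action for the preceding rule
            continue
        keyword, _, rest = line.partition(" ")
        patterns = [re.compile(p) for p in re.findall(r"/(.*?)/", rest)]
        rules.append((keyword, patterns, []))
    return rules


def evaluate(rules, log_line):
    """Return the actions triggered by one line; [] if ignored or unmatched.

    Rules are tried in file order and the first match decides, so an ignore
    rule placed after a watchfor rule cannot suppress lines the watchfor
    already caught.
    """
    for keyword, patterns, actions in rules:
        if any(p.search(log_line) for p in patterns):
            return [] if keyword == "ignore" else list(actions)
    return []


def scan(text, lines):
    """Map each log line to the actions swatch would take for it."""
    rules = parse_swatchrc(text)
    return {line: evaluate(rules, line) for line in lines}


if __name__ == "__main__":
    for line, actions in scan(SWATCH_CONF, LOG_LINES).items():
        print(actions or "-", "<-", line)
```

If the intent is to silence all sendmail noise, the ignore line has to come before the watchfor line; the order in the sample configuration above treats a sendmail line containing INVALID as an alert.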
Solaris Monitoring Tools
1.who
2.whodo
3.w
4.last
5.finger
6.ps
7.prstat
8.sdtprocess
9.kill
10.vmstat
top tool: program that provides continual reports on the state of the
system.
Solaris Accounting Package: Suite of programs that provide information
about system use, which allows users to be billed. It helps security
administrators with the following:
1.Monitoring system usage
2.Troubleshooting
3.Monitoring system capacity and performance
4.Ensuring data security
/var/adm/pacct: Each time that a program exits, the kernel accounting
code places an entry in this file. This file doesn't exist by default. It
contains the following information:
The UID and the GID
The process start and end times
The CPU time that is split between the user and the kernel space
The amount of memory that is used
The number of characters that are read and written
The command name (eight characters)
The process's controlling terminal
Accounting Programs
1.ckpacct: Prevents excessive growth (more than 500 KB) of the
/var/adm/pacct file to avoid unnecessarily high compute times during
summarizing. Accounting is halted when free space drops below 500 KB
in the /var/adm directory.
2.dodisk: Scans the disk and generates a summary of the disk space
currently in use.
3.runacct: Summarizes the raw data collected over the day, deletes the
raw data files, and calls the prdaily command to create a report of
the previous day's activities.
4.monacct: Generates an overall total from the day's totals, and
creates a summary report for the entire period.
Accounting Commands:
1.lastlogin: Lists all of the known user names and the date when
these users last logged in.
2.prdaily: Generates the daily report from the summaries that were
created by the runacct and dodisk commands. The report is located in
the /var/adm/acct/sum/rprtmmdd file.
3.acctcom: Takes input in the format that is in /var/adm/pacct file
and generates a report on the standard output.
4.lastcomm: Displays command execution information from the
/var/adm/pacct file in reverse chronological order.
The shell scripts and binaries are located in /usr/lib/acct directory,
and the data and report analyses are stored in the /var/adm/acct
directory.
Setting Up Accounting:
1.Install the /etc/init.d/acct script as the start script and at run
level 2.
# ln /etc/init.d/acct /etc/rc2.d/S22acct
2.Install the /etc/init.d/acct script as the stop script and at run
level 0, 1, and S
# ln /etc/init.d/acct /etc/rc0.d/K22acct
# ln /etc/init.d/acct /etc/rc1.d/K22acct
# ln /etc/init.d/acct /etc/rcS.d/K22acct
3.Modify the crontab files for users adm and root so that the dodisk,
ckpacct, runacct, and monacct programs (if required) start
automatically.
# crontab -l root
30 22 * * 4 /usr/lib/acct/dodisk
# crontab -l adm
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct
4.Execute the /etc/init.d/acct start command line
Starting and Stopping the Accounting Package
/usr/lib/acct/startup
/usr/lib/acct/shutacct ["reason for stopping"]
Module 3: Solaris Basic Security Module (BSM)
BSM puts Solaris at the C2 level of trust.
BSM Components:
1.Security auditing:
Depends on identification and authentication
Assigns a unique audit ID per session
Records user activities
2.Device allocation:
Controls access to devices
Prevents unauthorized reading of, or writing to, physical media.
Components of security auditing:
1.The audit daemon (/usr/sbin/auditd)
Opening and closing audit log files in specified directories
Extracting audit data from the kernel and recording it in an audit log
Communicating administrative or operational failures using the
/etc/security/audit_warn script
2.The audit events (/etc/security/audit_event)
Kernel events (1-2047) Names start with AUE_ followed by uppercase
letters.
User-level events (2048-65535) Names start with AUE_ followed by
lowercase letters
3.The audit classes (/etc/security/audit_class)
Each audit event belongs to one or more audit classes. 32 possible
classes can be defined. 18 classes are defined by default.
4.The audit data (/var/audit/audit_start.audit_terminated.hostname):
Binary file that contains the audit records. The logs are
usually kept in the /var/audit directory.
Each audit record contains the following information:
Which user initiated the action
What action was attempted
Which files were affected
Where and when the event occurred
Enabling the BSM
1.Execute the /etc/security/bsmconv utility
# cd /etc/security
# ./bsmconv
2.Edit the /etc/security/audit_startup file, if required. Use the
auditconfig utility to set the kernel policy +cnt, so that processes are
not suspended when audit resources are exhausted; instead, audit records
are dropped.
#cat audit_startup
#!/bin/sh
auditconfig -setpolicy +cnt
3.Reboot your system.
Disabling the BSM
1.Use the /etc/security/bsmunconv utility
2.Reboot your system
Setting Audit Flags:
/etc/security/audit_control file: System-wide defaults for all users.
/etc/security/audit_user file: What gets audited at the user level.
Audit Control Parameters
1.dir: The directory in which to store audit logs. This can be
specified multiple times to define alternate audit log directories
2.minfree: The remaining percentage of free space that is allowed in
an audit directory before switching to an alternate directory
3.flags: A comma-separated list of audit flags that are enabled for
actions that can be assigned to a specific user
4.naflags: A comma-separated list of audit flags that are enabled for
actions that cannot be assigned to a specific user.
Audit Flags
Short Full name Description
1.fr file_read Reading data, opening a file for reading, and so on
2.fw file_write Writing data, opening a file for writing, and so on
3.fa file_attr_acc Access of object attributes: stat, pathconf, and
so on
4.fm file_attr_mod Change of object attributes: chown, flock, and so
on
5.fc file_creation Creation of an object
6.fd file_deletion Deletion of an object
7.cl file_close A close(2) system call
8.pc process Process operations: fork, exec, exit, and so on
9.nt network Network events: bind, connect, accept, and so on
10.ip ipc System V IPC operations
11.na non_attrib Non-attributable events
12.ad administrative Administrative actions: mount, exportfs, and so
on
13.lo login_logout Login and logout events
14.ap application Application auditing
15.io ioctl An ioctl(2) system call
16.ex exec An exec(2) system call
17.ot other Everything else
18.all all All flags are set
19.no no All flags are unset
Audit Flags Modifiers
^- Turn off this type of auditing for failed attempts
^+ Turn off this type of auditing for successful attempts
^ Turn off this type of auditing for both failed and successful
attempts
Examples:
all,^ad - Audits all events except administrative actions
-lo,+fd - Audits all failed login events and successful file deletions
Example of /etc/security/audit_control file
dir:/var/audit
dir:/etc/security/audit
flags:lo
minfree:20
naflags:lo,nt
/etc/security/audit_user file format:
username:always_audit:never_audit
Example of /etc/security/audit_user file
root:all:fr
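As an added example (not from the original post or from the BSM tools), the block below resolves flag strings such as the ones above into the effective preselection mask: which audit classes are recorded on success and which on failure. It implements the +, - and ^ modifiers from the table, applies tokens left to right, and combines the audit_control flags with an audit_user always:never entry the way audit_user(4) describes (system flags plus always-audit flags, minus never-audit flags). The class list is the one in the audit flag table; the helper names are this example's own.

```python
"""Resolve BSM audit preselection flags with their modifiers (added example)."""

# The 17 audit classes from the table in this module ('all' and 'no' are
# pseudo-classes handled below).
CLASSES = ("fr", "fw", "fa", "fm", "fc", "fd", "cl", "pc", "nt", "ip",
           "na", "ad", "lo", "ap", "io", "ex", "ot")


def parse_flags(spec, mask=None):
    """Apply a comma-separated flag list to a (success, failure) pair of sets.

    Prefixes: '+cls' successes only, '-cls' failures only, 'cls' both;
    a leading '^' turns the selection off instead of on.  Tokens apply left
    to right, so 'all,^ad' means everything except administrative actions.
    """
    success = set(mask[0]) if mask else set()
    failure = set(mask[1]) if mask else set()
    for token in filter(None, (t.strip() for t in spec.split(","))):
        turn_off = token.startswith("^")
        if turn_off:
            token = token[1:]
        if token.startswith("+"):
            sides, token = (success,), token[1:]
        elif token.startswith("-"):
            sides, token = (failure,), token[1:]
        else:
            sides = (success, failure)
        if token == "all":
            classes = set(CLASSES)
        elif token == "no":
            classes, turn_off = set(CLASSES), True
        elif token in CLASSES:
            classes = {token}
        else:
            raise ValueError("unknown audit class: %r" % token)
        for side in sides:
            if turn_off:
                side.difference_update(classes)
            else:
                side.update(classes)
    return success, failure


def effective_mask(system_flags, always_audit="", never_audit=""):
    """Combine audit_control 'flags' with a user's audit_user entry.

    The always-audit flags are added on top of the system defaults and the
    never-audit flags are then removed, which is the combination rule
    audit_user(4) documents for the per-user preselection mask.
    """
    success, failure = parse_flags(system_flags)
    success, failure = parse_flags(always_audit, (success, failure))
    never_success, never_failure = parse_flags(never_audit)
    return success - never_success, failure - never_failure


def is_audited(mask, audit_class, succeeded):
    """True if an event of this class with this outcome would be recorded."""
    success, failure = mask
    return audit_class in (success if succeeded else failure)


if __name__ == "__main__":
    # root:all:fr from the audit_user example, on top of flags:lo.
    mask = effective_mask("lo", "all", "fr")
    print(sorted(mask[0]), sorted(mask[1]))
```

Running it with the two examples from this module shows that `all,^ad` records every class except ad for both outcomes, that `-lo,+fd` records only failed logins and successful deletions, and that the root:all:fr entry audits everything for root except file reads regardless of the system-wide flags:lo default.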
audit.log Files: Are created in the directory named in the
audit_control file. Format:
time_auditing_started . time_auditing_terminated . host_name
20010813214321.20010813221842.gromit
If the file has not terminated, it is named:
20010813214321.not_terminated.gromit
Interpreting and filtering audit data
auditreduce: Allows you to choose sets of records to examine
praudit: Allows you to display audit records interactively and create
very basic reports.
Auditreduce options:
-A : Selects all of the records from the input files regardless of
their timestamp.
-c : Selects records that belong to the listed audit class
-u : Selects records that belong to the listed audit user
Example:
# auditreduce -a 20011201 -b +31d -u eve -c lo | praudit
BSM Device Management
The BSM device-allocation mechanism makes it possible to assign
certain devices to one user at a time so that the device can be accessed
only by that user while it is assigned to that user's name.
Allocation Mechanism Components
1./etc/security/device_allocate file: Contains devices that can be
allocated. It is a per-system file. Format:
device-name;device-type;reserved;reserved;alloc;device-clean
device-name: The device name such as st0, fd0, or audio
device-type: The generic device type (the name for the class of
devices such as st). Logically groups related devices.
reserved: Reserved for future use.
alloc: Comma-separated list of authorizations that is required to
allocate the device. "*" = device is not allocatable, "@" = no
explicit authorization is needed to allocate the device.
device-clean: Pathname of a program to be invoked for special
handling, such as cleanup and object-reuse protection during the
allocation process.
Example of the /etc/security/device_allocate file:
audio;audio;reserved;reserved;solaris.device.allocate;/etc/security/lib/audio_clean
sr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean
2.allocate, deallocate, dminfo (report or update information about a
device entry in device_maps file), and list_devices commands
3.Lock files that exist for each allocatable device in the
/etc/security/dev directory
4./etc/security/device_maps file: Associates all physical devices with
a device name. Format:
device-name:device-type:device-list
device-name: The device name such as st0, fd0, or audio
device-type: The generic device type (the name for the class of
devices such as st). Logically groups related devices.
device-list: A list of the device files associated with the physical
device. Can be the names under /devices or under /dev
Example:
fd0:fd:/dev/fd /dev/fd0a /dev/fd0b /dev/rfd0 /dev/rfd0a /dev/rfd0b:
st0:st:/dev/rst0 /dev/rst8 /dev/rst16 /dev/nrst0 /dev/nrst8
/dev/nrst16:
5.Device-clean scripts for each allocatable device: Ensure that any
data that is associated with a device is removed from the system
before the device is allocated to another user.
Authorizing users to access devices
/etc/security/auth_attr : Defines authorizations
# usermod -A "solaris.device.*" alice
allocate command: Assigns a device to a user. Examples:
#allocate st0
#allocate -F st0 -U fred
deallocate command: Releases a previously allocated device. Example:
#deallocate st0
list_devices command: Lets you view a list of all of the allocatable
devices, devices that are currently allocated, and allocatable devices
that are not currently allocated.
dminfo command: Reports and updates information about a device in the
device_maps file.
Module 4: Preventing Security Attacks
Trojan Horse: Software that performs an expected function, but also
executes additional commands that subvert the security measures that
are in place, or cause damage to the system.
Logic Bomb: Intentionally inserted programming code that is designed to
execute (or explode) under circumstances such as the lapse of a
certain amount of time or the failure of a program user to respond to
a program command.
Back Doors: Ways to access a system without going through the normal
authentication process.
Detecting and Preventing Trojan Horse and Back Door Attacks
Solaris Fingerprint Database: Lets you verify the integrity of files
distributed with the Solaris OE. Ensures that you are using a true
file.
TripWire: Freeware product that monitors file changes, verifies
integrity, and notifies you of any violations of data located on
network servers.
Checklists, File Digests, and Checksums:
# ls -ild /usr/bin/* > /usr/adm/filelist
# find /usr/bin -type f | xargs sum > /var/security/filechecksum
BSM Audit Trail.
Rootkits: Utility programs that:
1.Hide the attacker's presence
2.Give back-door access in the future
Rootkits Trojan Horse Programs:
ls, find, du: Don't display or count the attacker's files.
ps, top: Don't display the attacker's processes.
netstat: Doesn't display the attacker's traffic.
killall: Doesn't kill the attacker's processes.
ifconfig: Doesn't display the word PROMISC when a sniffer is running.
crontab: Hides the attacker's crontab entries.
tcpd: Doesn't log the attacker's connections listed in the
/etc/hosts.allow and /etc/hosts.deny configuration files.
syslogd: Doesn't log attacker activity.
7 Recommendations to detect rootkit use:
1.Most of the files in the /dev directory are symbolic links, and the
/dev directory is the default location for many rootkit configuration
files, so check there for any regular file.
2.Look at the modification times of all programs. #find / -mtime -N -print
3.Inside each modified directory, compare the output of echo * with
the output of ls.
4.Run the strings command on system binaries and look for any shell
declaration (/bin/sh).
5.#file /usr/sbin/inetd . If the output of the file command says that the
program is not stripped, it has been tampered with.
6.You should become familiar with the /proc file system.
7.The best defense is a clean set of statically linked binaries for
your system. Keep a copy of common programs such as ps, ls, and
ifconfig stored on a CD-ROM or floppy disk.
Kernel Rootkits: Exploit the use of loadable kernel modules (LKMs) to
modify the running UNIX OS kernel.
Kernel Rootkit Utilities
1.hidef, unhidef: Hides and unhides files on the system.
2.ered: Performs exec redirection, which allows Trojan horse programs
to execute.
3.nethide: Hides connections by the attacker from other systems
4.testhack: Changes the UID, GID, or both, of a running process
(/bin/sh, for example)
5.rootme: Gains root access without running SUID programs.
*** To ensure that LKMs are reloaded after a system reboot, the
attacker must hide the module either in the standard locations for
loadable modules or in the /etc/init.d startup scripts. ***
DoS Attacks: Result of users using more system resources ( such as
disk space, memory, or the number of processes running) than they
should.
Malicious DoS Attacks
1.Internet Worms: self-replicating programs that copy themselves
within a system, or from system to system.
2.Fork Bombs: Processes that duplicate themselves, sometimes
exponentially, until the maximum number of system processes is
exceeded and no new processes can start.
3.Toll-Free Number Attacks: A computer that repeatedly dials the number
and hangs up.
4.Network Attacks:
1.TCP SYN: Takes advantage of the TCP three-way handshake to overload
the server.
2.Ping of Death: Sends an IP packet that is larger than the legal size
to a server.
3.Smurf: A ping request is broadcast to all of the machines on the
network. The return address for the request is altered to that of the
machine being attacked.
Module 5: Administering User Accounts Securely
#logins -s : Lists system accounts
#logins -u : Lists user accounts
#logins -d : Lists duplicate accounts
#usermod -f 15 username : user's account expires if the user has not
logged in for 15 days or longer.
#usermod -e 12/31/2001 username : automatically expire an account on a
particular date
#usermod -e " " username : reactivate an account with a set expiration
date.
#passwd -l : locks an account.
#passwd -e username : change the shell, which prompts you for a new
shell program.
#usermod -s /usr/bin/false username : change a user's shell
/etc/shells file : List of valid login shells that are used by the
passwd -e command.
Restricted Shells: /usr/bin/rksh, /usr/lib/rsh. Limitations enforced
by restricted shells:
The user can't change the working directory
The user can't change the PATH environment variable
The user can't execute commands that contain a slash character, so
the user is restricted to:
Built-in shell commands that are not restricted
Aliases that don't expand to commands containing the / operator
Commands on the defined search path
The user can't redirect output.
If the user runs a subshell, the subshell is also restricted if it is
the same shell as the current one.
Configuring a Restricted Shell:
1.Create the user with the restricted shell. #useradd -m -s
/usr/bin/rksh alice
2.Delete all existing files in the user's new home directory.
3.Create a new .profile with the following two lines
PATH=
SHELL=/usr/bin/false
4.Create empty files for all the configuration files that you can
think of. (.kshrc, .cshrc, .login, .logout, .rhosts, .exrc, .mailrc,
.netrc)
5.Change the ownership of the user's home directory and all of the
files that are created to be root files, and set them as read-only
files.
#chown -R root ~alice
#chmod -R a-w,a+r ~alice
6.Create a separate directory for the restricted user's commands, and
set the directory files to read-only. There are two approaches:
1.For a single user, create a bin directory in the user's home
directory and set the PATH in .profile to: PATH=$HOME/bin
2.For multiple users, create a directory called /usr/rbin and set the
PATH in .profile to: PATH=/usr/rbin
7.Decide on the list of commands that the user must have, and create
links to those commands from your restricted binary directory.
#ln /usr/bin/ls /usr/rbin
8.Create a local working directory for users to work and reside in.
#mkdir ~alice/work
#chown alice ~alice/work
#chmod u=rwx,og= ~alice/work
9.Place users automatically in this directory when they first log in
by adding the following to the end of the .profile file: cd $HOME/work
10.Tighten the profile by using the trap and umask commands:
trap "" 2 3
umask 077
PATH=/usr/rbin
SHELL=/usr/bin/false
cd $HOME/work
trap 2 3
11.Set the password for the user account, and force the user to update
the password after the first login
#passwd username
#passwd -f username
Module 6: Administering Password Security
Managing Password Aging:
#passwd -x : Sets the number of days from when the password was last
changed to when it will expire
#passwd -w : Sets how many days' warning is given to the user before
the password expires
#passwd -n : Sets the minimum number of days before the password can
be changed
#passwd -f : Forces users to change their passwords when they next log
in
#passwd -l : Locks an account
#passwd -s : Lists the current parameters on an account password
#passwd -n 115 -x 122 -w 7 username
#logins -p : Checks whether any user on the system is without a password.
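The aging parameters above interact in ways that are easy to get wrong (a user who cannot change a password yet, a warning window that starts before expiry, an account that is inactive rather than expired). The following added example, not from the original post, evaluates them for a given last-change date using the `passwd -n 115 -x 122 -w 7` setting from this module and the `usermod -f` / `usermod -e` rules from Module 5. The dates are constructed; the function names are this example's own.

```python
"""Evaluate Solaris-style password aging parameters (added example)."""
from datetime import date


def password_status(last_changed, today, min_days, max_days, warn_days):
    """Interpret the passwd -n (min), -x (max) and -w (warn) settings.

    Returns whether the user may change the password yet, how many days
    remain before it expires, whether the warning window has started, and
    whether the password has already expired (age beyond max_days).
    """
    age = (today - last_changed).days
    days_left = max_days - age
    return {
        "age_days": age,
        "can_change": age >= min_days,
        "days_left": max(days_left, 0),
        "in_warning_window": 0 <= days_left <= warn_days,
        "expired": days_left < 0,
    }


def account_inactive(last_login, today, inactive_days):
    """usermod -f N: the account expires once N or more days pass with no login."""
    return (today - last_login).days >= inactive_days


def account_expired(today, expiry):
    """usermod -e date: the account is unusable once that date has passed (None = never)."""
    return expiry is not None and today > expiry


if __name__ == "__main__":
    # passwd -n 115 -x 122 -w 7, password last changed on 1 Jan 2003 (constructed)
    for day in (date(2003, 4, 20), date(2003, 5, 1), date(2003, 5, 4)):
        print(day, password_status(date(2003, 1, 1), day, 115, 122, 7))
```

With min 115 and max 122 the user has only a one-week window (days 115 to 122) in which the password may be changed before it expires, which is exactly what the warning period of 7 days is meant to cover.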
Password Checking Programs: Test user passwords to identify those
that are easy to guess. Examples: the Crack tool, John the Ripper,
monkey, and l0pht for Microsoft Windows.
The Crack Tool: Is only useful to an intruder who has access to the
/etc/shadow file. Applies thousands of rules. Produces more useful
output if the /etc/passwd and /etc/shadow are merged to create a file
with the format of an old UNIX OS C1 password file.
Tools for Setting Good Passwords: Freeware that strengthens the passwd
program by not allowing users to pick easy-to-guess passwords.
Examples: npasswd, passwd+, anlpasswd.
AntiCrack: A password-checking program that uses the same rules and
dictionaries as the Crack program. You use this tool to check a "raw"
(unencrypted) UNIX OS password, so it is faster than the Crack tool.
Module 7: Securing Root Access
RBAC Concepts
role: special type of user account that performs a set of
administrative tasks. The roles command can be used to view a list of
a user's roles. #roles alice
profile: grouping of one or more commands that simplifies the
allocation of a single block of commands to multiple users. The
profiles command can be used to view a list of a user's profiles.
#profiles alice
authorization: a name associated with the right to access restricted
functionality. The auths command can be used to view a list of a
user's authorizations. #auths alice
RBAC Commands
1.roleadd: Creates the roles and associates a role with an
authorization or a profile using the -A and -P options, respectively.
2.rolemod and roledel: Provide support for modifying and deleting roles
3.useradd and usermod: Provide support for associating users with
roles, profiles, and authorizations using the -R, -P, and -A
respectively
4.roles, profiles, and auths: List user's allocated roles, profiles,
and authorizations, respectively
RBAC files
1./etc/security/exec_attr: Defines which commands belong to a profile
and the security execution attributes for those commands.
2./etc/security/prof_attr: List the existing profiles and their
respective authorizations
3./etc/security/auth_attr: List the existing authorizations
4./etc/user_attr: Defines and associates a role with a user or a
profile.
Profile Shells: a shell assigned to a role. Must be one of the
following: /usr/bin/pfsh, /usr/bin/pfksh, /usr/bin/pfcsh
To create a role:
#roleadd -P "Printer Management" Printers
#passwd Printers
To assign a role to a user: #usermod -R Printers -P All alice
To assume a role: $ /bin/su Printers
sudo Utility
/usr/local/etc/sudoers: Default configuration file. Defines the rules
that you want to implement.
sudo -l : To see which commands the user can execute.
sudo Tickets: When users invoke a sudo command and enter the correct
password, the system grants them a ticket for five minutes.
Subsequent permitted commands do not require a password as long as the
ticket remains valid.
visudo: Utility for editing the configuration file; it checks the
syntax when you exit.
sudoers Format:
user host=commands [:host=commands] ...
where:
user: the login ID of the user or an alias (or a group name if preceded
by a percent sign, for example %nogroup)
host: host name or alias of the computer.
commands: comma-separated list of commands (or an alias) that the user
can invoke using the sudo utility.
sudo Aliases: Must be specified in all uppercase letters. An
exclamation mark (!) is a logical not operator. Example:
Cmnd_Alias DOWN=/usr/sbin/shutdown,/usr/sbin/reboot
Host_Alias WORKSTATIONS=grommit,wallace
User_Alias ADMIN=alice, bob
alice ALL=/usr/sbin/init
bob penguin=DOWN
ADMIN ALL=DOWN
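To check what a sudoers policy actually grants before installing it, here is an added example (not sudo's own parser and not from the original post) that reads the aliases and rules above, expands User_Alias, Host_Alias and Cmnd_Alias names, honours the '!' negation and %group users described earlier, and answers "may this user run this command on this host?". Two constructed lines (carol, %operator) are appended to the post's policy to exercise negation and groups; runas specifications, command arguments and Defaults are deliberately out of scope.

```python
"""Evaluate simplified sudoers rules with aliases and negation (added example)."""

# Constructed policy: the aliases and rules from the post, plus two extra
# lines (carol, %operator) to exercise '!' negation and %group users.
SUDOERS = """\
Cmnd_Alias DOWN=/usr/sbin/shutdown,/usr/sbin/reboot
Host_Alias WORKSTATIONS=grommit,wallace
User_Alias ADMIN=alice, bob
alice ALL=/usr/sbin/init
bob penguin=DOWN
ADMIN ALL=DOWN
carol WORKSTATIONS=ALL,!DOWN
%operator grommit=DOWN
"""

ALIAS_KINDS = ("User_Alias", "Host_Alias", "Cmnd_Alias")


def parse_sudoers(text):
    """Return ({kind: {NAME: [members]}}, [(user, host, [commands])])."""
    aliases = {kind: {} for kind in ALIAS_KINDS}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head, body = line.split(None, 1)
        if head in ALIAS_KINDS:
            name, _, members = body.partition("=")
            aliases[head][name.strip()] = [m.strip() for m in members.split(",")]
            continue
        for clause in body.split(":"):                 # user host=cmds [: host=cmds]
            host, _, cmds = clause.partition("=")
            rules.append((head, host.strip(), [c.strip() for c in cmds.split(",")]))
    return aliases, rules


def expand(name, table):
    """Recursively replace an alias name by its members; keep a '!' prefix."""
    negate = name.startswith("!")
    base = name.lstrip("!")
    if base not in table:
        return [name]
    out = []
    for member in table[base]:
        for item in expand(member, table):
            out.append("!" + item if negate else item)
    return out


def may_run(policy, user, groups, host, command):
    """Decide whether user (in groups) may run command on host via sudo.

    Matching entries are evaluated in file order and the last one wins, so a
    trailing '!DOWN' removes the shutdown commands from an earlier 'ALL'.
    """
    aliases, rules = policy
    verdict = False
    for rule_user, rule_host, cmds in rules:
        users = expand(rule_user, aliases["User_Alias"])
        if not any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
                   for u in users):
            continue
        hosts = expand(rule_host, aliases["Host_Alias"])
        if not any(h == "ALL" or h == host for h in hosts):
            continue
        for entry in (e for c in cmds for e in expand(c, aliases["Cmnd_Alias"])):
            negate = entry.startswith("!")
            target = entry.lstrip("!")
            if target == "ALL" or target == command:
                verdict = not negate
    return verdict


if __name__ == "__main__":
    policy = parse_sudoers(SUDOERS)
    print(may_run(policy, "bob", [], "wallace", "/usr/sbin/reboot"))   # via ADMIN ALL=DOWN
    print(may_run(policy, "carol", [], "grommit", "/usr/sbin/reboot"))  # denied by !DOWN
```

One thing the evaluation makes visible: bob's own line only names penguin, but the ADMIN alias line grants him the DOWN commands on every host, so the effective rights are wider than the per-user line suggests. That is the kind of overlap `sudo -l` is meant to surface per user.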
sudo -L : Lists all of the defaults available
Default Values:
Defaults secure_path=/bin:/usr/bin:/usr/sbin:/usr/local/bin Sets the
PATH variable.
Defaults:ADMIN !lecture Doesn't display the warning message
Defaults:alice !authenticate Doesn't ask for password
Defaults syslog=auth
Defaults logfile=/var/adm/sudo.log
** Successful sudo logins are flagged at the notice priority and
invalid logins are flagged at the alert priority. **
**The sudo log contains the following information:
date and time that the sudo command was executed
who executed the sudo command
whether the user was privileged in the sudoers file to execute the
command
the command line that was used
Module 8: Preventing File System Attacks
How to detect SUID or GID files
#find / \( -perm -u=s -o -g=s \) -type f -print
or
#ncheck -s /dev/dsk/c0t0d0s0
crypt: Utility to encrypt data. Supplied on every Unix. Uses a
symmetric key (a password or phrase), input to an encryption
algorithm, which encrypts a file into a coded form. The crypt(1) cipher
is weak by modern standards and protects only against casual inspection.
To encrypt:
#crypt swordfish < salaries > salaries.encrypted
To decrypt:
#crypt swordfish < salaries.encrypted > new_salaries
Checking for Unauthorized Device Files:
#find / \( -type c -o -type b \) -ls
Module 9. Auditing File Systems
Auditing Techniques:
1.A file system auditing tool usually creates a database that
represents the current state of the file system. At some later time,
you run the tool again to compare the new state of the file system
with the database recorded the first time that the tool was run.
2.Another approach to file system auditing is the use of large
databases containing file signatures. With this approach, you use a
program to obtain the signature of a file, and then you use this
signature to query the database.
File System Audit Tools
1.Checksum Algorithms: This tool generates a small value from the
file, and this value is used for monitoring files against casual or
random modifications. A determined intruder can modify a file and
still keep the size and checksum unchanged. These algorithms are
extremely fast.
2.File Digest Algorithms: Are cryptographic one-way hash functions. Are
extremely complex. Can be very slow. MD5 and the Secure Hash Algorithm
(SHA) are two examples.
3.Solaris OE Fingerprint Database: You must enter a file's MD5
signature on the Sun Web Site to obtain a report on the file.
TripWire Tool: Freeware file system auditing tool that creates a
database of information about files on a file system. If there are
changes on files, TripWire notifies you using email.
tw.config file: Default TripWire configuration file to fit the
requirements of the system.
TripWire Attribute Characters
Attribute  Meaning
p          The permission and file mode bits
i          The inode number
n          The number of links (the inode reference count)
u          The UID of the owner
g          The GID of the owner
s          The size of the file
a          The access timestamp
m          The modification timestamp
c          The inode creation or modification timestamp
0          A null signature
1          MD5, the RSA Data Security, Inc. Message Digesting algorithm
2          Snefru, the Xerox Secure Hash Function
3          CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check
4          CRC-16, the standard 16-bit Cyclic Redundancy Check
5          MD4, the RSA Data Security, Inc. Message Digesting Algorithm
6          MD2
7          The NIS SHA
8          Haval, a strong 128-bit signature algorithm
9          A null signature
TripWire Configuration Templates
Template  Description        Attributes
R         Read-only          +pinugsm012-a3456789
L         Log file           +pinug-samc0123456789
>         Growing log file   +pinug-samc0123456789
N         Ignore nothing     +pinugsamc0123456789
E         Ignore everything  -pinugsamc0123456789
By default TripWire uses the R template. A leading + turns the listed
attributes on and a leading - turns them off, so N selects every
attribute and E deselects every attribute.
tw.config file example:
/etc/passwd +pugs1m-a
/etc/shadow +pugs1m-a
/usr/sbin +pugs1m-a
/usr/bin +pugs1m-a
/var/log/messages >
To Create a New TripWire Database: #tripwire -initialize
Running the TripWire Tool to Identify Changed Files:
#cp databases/tw.db_grommit /var/tripwire
#tripwire
To Update the Database: #tripwire -update filename
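The baseline-and-compare technique described above, as an added example in Python (not Tripwire's code and not from the original notes). It records the tw.config inode attributes plus an MD5 signature ('1'), honours a tw.config-style selection mask such as +pugs1m-a, and builds its own sample files in a temporary directory; the file contents, timestamps and names are constructed.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def file_record(path):
    """Collect the attributes named by the tw.config letters above
    (p i n u g s a m c) plus '1', the MD5 digest of the contents."""
    st = os.lstat(path)
    rec = {
        "p": stat.S_IMODE(st.st_mode),  # permission and mode bits
        "i": st.st_ino,                 # inode number
        "n": st.st_nlink,               # link count
        "u": st.st_uid,                 # owner
        "g": st.st_gid,                 # group
        "s": st.st_size,                # size
        "a": int(st.st_atime),          # access time
        "m": int(st.st_mtime),          # modification time
        "c": int(st.st_ctime),          # inode change time
    }
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        rec["1"] = digest.hexdigest()
    return rec


def parse_mask(spec):
    """Turn a selection mask such as '+pugs1m-a' into the set of attribute
    letters to compare: '+' switches to adding letters, '-' to removing."""
    selected, sign = set(), "+"
    for ch in spec:
        if ch in "+-":
            sign = ch
        elif sign == "+":
            selected.add(ch)
        else:
            selected.discard(ch)
    return selected


def baseline(root):
    """Technique 1: record the current state of every file below root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def compare(old, new, mask):
    """Later run: report files added, removed, or changed in a selected attribute."""
    report = {"added": [], "removed": [], "changed": {}}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        else:
            diffs = [a for a in sorted(mask) if old[path].get(a) != new[path].get(a)]
            if diffs:
                report["changed"][path] = diffs
    return report


def demo():
    """Constructed scenario: 'passwd' is edited without changing its length
    and a new file appears. Returns (report with a read-only style mask,
    report with a size-only mask)."""
    root = tempfile.mkdtemp(prefix="fsaudit-")
    try:
        passwd = os.path.join(root, "passwd")
        with open(passwd, "w") as fh:
            fh.write("guest:x:500:500::/home/guest:/bin/sh\n")
        os.utime(passwd, (1_000_000_000, 1_000_000_000))  # fixed atime/mtime
        before = baseline(root)

        # Same byte count, but guest now has uid 0: a size-only check misses
        # it, the MD5 ('1') and the modification time ('m') do not.
        with open(passwd, "w") as fh:
            fh.write("guest:x:000:000::/home/guest:/bin/sh\n")
        os.utime(passwd, (1_000_000_500, 1_000_000_100))  # atime moved too; '-a' ignores it
        with open(os.path.join(root, "rootkit"), "w") as fh:
            fh.write("#!/bin/sh\n")
        after = baseline(root)

        strong = compare(before, after, parse_mask("+pugs1m-a"))
        size_only = compare(before, after, parse_mask("+s"))
        return strong, size_only
    finally:
        shutil.rmtree(root)
```

The size-only report still notices the new file but is blind to the edited one, which is the weakness of checksum-and-size auditing that the digest attribute closes.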
Module 10: Attacking Network Data
network sniffer: Program or special device that monitors your network
and collects some or all of the data that it finds.
Detecting Sniffers:
1.Is almost impossible from the network, because a sniffer only listens.
2.cpm tool (check promiscuous mode). Must be run on the host
concerned, because it inspects that host's interface flags.
3.Logging that flags unusually high traffic volumes.
4.Regular monitoring.
Tools to Detect Sniffing:
Antisniff: Runs on Windows only.
Sentinel: Runs on Unix boxes.
Defending Against Network Sniffer:
1.Encrypt all network traffic
2.Secure Socket Layer (SSL)
3.IPsec
4.Secure Shell (ssh)
The snoop Utility:
-o : collect network data to a file
-i : examine the results on the file
-N : creates a names file when capturing data, similar to /etc/hosts
-n filename : uses the named file for ip resolution.
-r : doesn't map network address to names
-S : includes the packet size on the summary line
-V : verbose summary mode
-v : verbose mode
-x start[,length] : Includes the packet data in the output, starting
from the given offset for the specified number of octets
#snoop -rSx 0
snoop Packet Filters:
#snoop host hostname
#snoop address
#snoop net address
#snoop to host hostname
#snoop from address
#snoop port service
#snoop port service and host hostname
dsniff : freeware network and password sniffer that picks passwords
off the network. It handles ftp, telnet, SMTP, HTTP, POP, SNMP,
LDAP, rlogin, NIS, X11, Symantec pcAnywhere, Microsoft SMB, Oracle
SQL*Net, Sybase, and Microsoft SQL Server.
#dsniff -w filename : write the data to a file
#dsniff -r filename : read that data file
#dsniff host hostname : only packets to and from the named host
#dsniff net address : only packets to and from the specified network
#dsniff to host hostname : only packets to the named host
#dsniff from host address : only packets from the specified address
#dsniff port service : only packets for the specified port number
Network Service Attacks:
1.Packet Replay Attacks: packets of data which have been sniffed from
the network are replayed back to a server, usually with a different
source address, trying to fool the server into providing information.
Every TCP segment carries a sequence number that advances as data is
sent, and each connection starts from an initial sequence number (ISN)
chosen by each side. If the ISN is predictable, an attacker can guess
the next valid sequence number and complete a spoofed connection
without ever seeing the server's reply. In /etc/default/inetinit you
can select the initial sequence number generation method with the
TCP_STRONG_ISS variable:
Value Meaning
0 Old-fashioned, sequential, initial-sequence number generation.
1 Improved sequential generation, with random variance in increment
2 RFC 1948 sequence number generation, unique per-connection ID
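An added Python model of the three generators in the table above (not from the original notes or from Solaris source), showing why an attacker who has watched one ISN on a connection of their own can guess the ISN of a spoofed connection under the sequential scheme but not under RFC 1948. The 4-microsecond tick follows RFC 793/1948; the per-connection increment, the addresses, ports and per-boot secret are constructed values.

```python
import hashlib
import os

TICK_US = 4          # RFC 793 / RFC 1948 ISN clock: one increment every 4 microseconds
CONN_STEP = 64000    # per-connection bump of the old sequential generator (assumed value)
MOD = 2 ** 32


def isn_sequential(clock_us, conn_count):
    """TCP_STRONG_ISS=0: clock value plus a fixed bump per connection opened.
    One observed ISN plus a clock estimate gives the next one."""
    return (clock_us // TICK_US + CONN_STEP * conn_count) % MOD


def isn_random_increment(clock_us, conn_count, rng=os.urandom):
    """TCP_STRONG_ISS=1: the same idea with random variance in the increment.
    Harder to hit exactly, but still correlated with recently seen ISNs."""
    variance = int.from_bytes(rng(2), "big")      # 0..65535, constructed width
    return (clock_us // TICK_US + CONN_STEP * conn_count + variance) % MOD


def isn_rfc1948(clock_us, laddr, lport, raddr, rport, secret):
    """TCP_STRONG_ISS=2: ISN = M + F(laddr, lport, raddr, rport, secret).
    M is the clock, F a one-way hash (MD5, as RFC 1948 suggests) over the
    connection identifier and a per-boot secret, so the ISN seen on the
    attacker's own connection says nothing about another peer's ISN."""
    ident = f"{laddr}:{lport}>{raddr}:{rport}".encode() + secret
    offset = int.from_bytes(hashlib.md5(ident).digest()[:4], "big")
    return (clock_us // TICK_US + offset) % MOD


def attacker_guess(observed_isn, elapsed_us, conns_since):
    """What a spoofer computes from an ISN observed on a legitimate connection."""
    return (observed_isn + elapsed_us // TICK_US + CONN_STEP * conns_since) % MOD


def demo():
    """Constructed scenario: the attacker (10.0.0.9) opens a real connection
    to the victim at t=0, then one second later sends a SYN spoofed from the
    trusted host 192.168.1.5 and must guess the victim's SYN/ACK sequence
    number without seeing it. Returns whether each guess hits."""
    victim, attacker, trusted = "192.168.1.1", "10.0.0.9", "192.168.1.5"
    secret = b"per-boot secret (constructed)"
    t0, t1 = 0, 1_000_000

    seen = isn_sequential(t0, conn_count=10)
    guess = attacker_guess(seen, t1 - t0, conns_since=1)
    actual = isn_sequential(t1, conn_count=11)

    seen_strong = isn_rfc1948(t0, victim, 513, attacker, 40000, secret)
    guess_strong = attacker_guess(seen_strong, t1 - t0, conns_since=1)
    actual_strong = isn_rfc1948(t1, victim, 513, trusted, 40000, secret)

    return {"sequential_hit": guess == actual,
            "strong_hit": guess_strong == actual_strong}
```

Under the sequential generator the guess is exact; under RFC 1948 the offset for the (victim, trusted) pair is unrelated to the one the attacker observed, so the spoofed handshake fails.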
2.Buffer Overflow Attacks: occur when the programmer writing the
network server fails to limit the amount of data that the client can
enter into the program. When a buffer overflow occurs, several things
can happen:
The excess data corrupts part of the program and the server crashes.
The excess data overwrites valid data in the program, which can
corrupt the data.
The excess data overwrites part of the server program with a program
of its own which, when executed, can enable an intruder to break into
the system.
3.Network DoS Attacks: Can lead to financial and business loss, bad
publicity, spoofing, and forced reboots.
1.TCP SYN Flood Attack: A three-way handshake must take place for every
TCP connection:
1.client sends a SYN message to the server
2.server responds with a SYN/ACK message to the client
3.client completes the initialization of the TCP session by sending an
ACK back to the server.
A half-open connection (SYN received, final ACK not yet returned)
generally consumes more kernel resources than an established session,
and a server might only be able to hold a few tens of connections in
this state. An attacker who sends many SYNs from spoofed source
addresses, never answering the SYN/ACKs, fills that queue and locks out
legitimate clients.
2.Ping of death: Sending, in fragments, an IP packet that is larger
than the maximum legal size (more than 65535 bytes). When the remote
machine reassembles the fragments, the oversized datagram overflows the
reassembly buffer and can crash the host.
3.Smurf Attack : Falsifies the source address in an ICMP echo (ping)
packet, setting it to the address of the system under attack, and sends
the packet to the broadcast address of a network; every host on that
network replies to the victim. The solution on the amplifying network
is to disable replies to broadcast pings and forwarding of directed
broadcasts, adding these lines to /etc/init.d/inet:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
nmap Utility : Attempts to connect to every port on your server. If
the nmap makes a successful connection, it attempts to identify the
service on that port by analyzing any data sent out by the server.
Module 11: Securing Network Data
SSL (Secure Socket Layer) : Provides privacy and reliability between
two communicating applications. Is application protocol independent.
Is composed of two layers:
1.The SSL Record Protocol: encapsulates the various higher level
protocols
2.The SSL Handshake Protocol, which runs on top of the Record Protocol
and negotiates the cipher suite, authenticates the peers and agrees the
session keys.
With an SSL wrapper daemon such as stunnel, applications can continue
to use their normal, nonsecure ports locally while the traffic that
actually crosses the network is encrypted by the wrapper.
SSL three basic properties.
1.The connection is private between the two systems
2.The peer's identity can be authenticated using asymmetric
cryptography
3.The connection is reliable
SSL uses an asymmetric (public key) cipher to agree a secret session
key. Symmetric cryptography (for example, the Data Encryption Standard
(DES) or RC4) is used for the actual data encryption, because symmetric
encryption is much faster than asymmetric encryption.
stunnel Program : convenient method of providing SSL between a client
and a server. It is an SSL wrapper daemon which, when running on both
systems, provides an encrypted tunnel.
IPsec : provides both encryption and validation of data at the IP
layer. Unlike stunnel it needs no wrapper daemon: all traffic between
the configured hosts is protected irrespective of the application,
without the application's knowledge. You configure IPsec for the
system with a suite of command line utilities; the socket-level API
requires programming expertise.
IPsec as covered here doesn't support automatic security association
management, so security associations must be configured and re-keyed
by hand with ipseckey.
IPsec provides two types of IP packet protection:
1.authentication header (AH)
2.encapsulated security payload (ESP)
ipseckey : Utility to configure the authentication and encryption
keys. Useful ipseckey commands are:
add - Adds new key definition
flush - Removes all existing definition
dump - Outputs stored key definition
ipseckey options:
-f filename : reads commands from file
-s filename : saves commands to file
The add command cannot be used on the command line; it must be read
from a file.
Example SA key management file - encryption (SPIs and keys are
illustrative)
# outbound SA
add esp spi 0x2112 src <this host> dst <other host> \
    encralg des encrkey be02938e7def2839
# inbound SA
add esp spi 0x5150 src <other host> dst <this host> \
    encralg des encrkey 8bd4a52e10127deb
#### spi = security parameters index
#### esp = encapsulating security payload
#### encralg = encryption algorithm
Example SA key management file - authentication
add ah spi 0x2112 src <this host> dst <other host> \
    authalg md5 authkey bde359723576fdea08e56cbe876e24ad
add ah spi 0x5150 src <other host> dst <this host> \
    authalg md5 authkey 930987dbe09743ade09d2b4097d9e93
** it is common practice to store the keys in a file called
/etc/inet/ipseckeys and load the keys as part of the system boot
process. The file holds the raw keys, so it must be owned by root with
mode 600, and the peer must hold identical keys under the same SPIs,
with its inbound and outbound entries swapped.
IPsec Policies : Active policy entries are kept in the
/etc/inet/ipsecpolicy.conf file. You can add entries with the ipsecconf
configuration utility, but they are not preserved across a shutdown.
Put persistent IPsec configuration in the /etc/inet/ipsecinit.conf
file, which is read during the system boot process.
IPsecconf utility options:
None Queries the current configuration status. Entries are shown with
an index number.
-a file Adds one or more new policies listed in file to the system
-d index Deletes the policy identified by the index number from the
system.
-f Flushes the policies
-l Provides a listing of the policy entries
-n Displays the network addresses and their associated ports. You must
use the -n option with
the -l option
-q Prevents the display of the warning and banner messages (the quiet
mode)
IPsec Configuration File Syntax: {pattern} action {properties}
where:
pattern : name value pairs selecting the datagrams
action : policy action
properties : policy properties
IPsec patterns:
saddr source address. daddr is optional if you want to complete the
pair.
daddr destination address
smask source mask to allow subnet addresses.
dmask destination mask to allow subnet addresses
dport destination port to be controlled
IPsec actions:
apply applies IPsec to the datagram (valid outbound only)
permit permits the datagram if it matches the constraints (inbound
only)
bypass bypasses any policy checks if the datagram matches the
pattern.
IPsec properties:
auth_algs , encr_auth_algs MD5, HMAC-MD5, SHA1, or HMAC-SHA1, ANY (no
preference)
encr_algs DES, DES-CBC, 3DES, NULL (no encryption)
Rules for Parsing the Configuration File
The bypass action always has the highest precedence.
An ESP policy is stronger than an AH policy.
When a policy further in the file defines a stronger level of
protection, the stronger policy has higher precedence.
The strongest rules contain both ESP and AH components.
Examples of IPsec Configurations
#
#Decrypt data from hostA to HostB
#
{
saddr hostA
daddr hostB
}
permit
{
encr_algs 3DES
encr_auth_algs SHA1
}
#
# Authenticate 134.56.x.x
# Allow any authentication scheme
#
{
saddr 134.56.0.0 # Network address
smask 0xffff0000
}
permit
{
auth_algs any
}
#
# Protect the outbound TCP traffic between machines
# using ESP and use DES algorithm
#
{
saddr hostA
daddr hostB
ulp tcp # only TCP datagrams
}
apply
{
encr_algs DES # Use DES to encrypt
SA shared # Use shared SA
}
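An added Python example (not from the original notes and not Sun's ipsecconf) that parses the {pattern} action {properties} syntax above and applies the parsing rules: it matches constructed packets against the three policies on this page plus a constructed fourth AH-only entry, and picks the winner by bypass > ESP+AH > ESP > AH, with the later entry winning among equals. Address masks are read in the 0xffff0000 form the examples use; host names are compared literally.

```python
import ipaddress
import re

SAMPLE_POLICY = """
# Reconstructed from the examples above; the fourth entry is constructed
# to show that an earlier ESP policy outranks a later AH-only one.
{ saddr hostA daddr hostB } permit { encr_algs 3DES encr_auth_algs SHA1 }
{ saddr 134.56.0.0 smask 0xffff0000 } permit { auth_algs any }
{ saddr hostA daddr hostB ulp tcp } apply { encr_algs DES SA shared }
{ saddr hostA daddr hostB } permit { auth_algs MD5 }
"""


def _block(toks, i):
    """Read one '{ name value ... }' group starting at toks[i]."""
    if toks[i] != "{":
        raise ValueError(f"expected '{{' at token {i}, got {toks[i]!r}")
    i, kv = i + 1, {}
    while toks[i] != "}":
        kv[toks[i].lower()] = toks[i + 1]
        i += 2
    return kv, i + 1


def parse_policies(text):
    """Parse '{pattern} action {properties}' entries; '#' starts a comment."""
    clean = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    toks = re.findall(r"[{}]|[^\s{}]+", clean)
    policies, i = [], 0
    while i < len(toks):
        pattern, i = _block(toks, i)
        action, i = toks[i].lower(), i + 1
        props, i = _block(toks, i)
        policies.append({"pattern": pattern, "action": action, "props": props})
    return policies


def _addr_match(pat_addr, pat_mask, actual):
    """Host names compare literally; IP addresses honour an optional hex mask."""
    try:
        ip = ipaddress.ip_address(actual)
    except ValueError:
        return pat_addr == actual
    try:
        base = ipaddress.ip_address(pat_addr)
    except ValueError:
        return False
    if pat_mask is None:
        return ip == base
    mask = ipaddress.ip_address(int(pat_mask, 16))
    return ip in ipaddress.ip_network(f"{base}/{mask}", strict=False)


def matches(policy, pkt):
    pat = policy["pattern"]
    if "saddr" in pat and not _addr_match(pat["saddr"], pat.get("smask"), pkt["saddr"]):
        return False
    if "daddr" in pat and not _addr_match(pat["daddr"], pat.get("dmask"), pkt["daddr"]):
        return False
    if "ulp" in pat and pat["ulp"].lower() != pkt.get("ulp", "").lower():
        return False
    if "dport" in pat and str(pat["dport"]) != str(pkt.get("dport", "")):
        return False
    # apply is outbound only, permit inbound only, bypass covers both
    wanted = {"apply": "out", "permit": "in"}.get(policy["action"])
    return wanted is None or wanted == pkt["direction"]


def strength(policy):
    """Precedence from the parsing rules: bypass, then ESP+AH, ESP, AH."""
    if policy["action"] == "bypass":
        return 4
    props = policy["props"]
    esp = "encr_algs" in props or "encr_auth_algs" in props
    ah = "auth_algs" in props
    return 3 if esp and ah else 2 if esp else 1 if ah else 0


def select(policies, pkt):
    """Strongest matching policy wins; among equals, the later one in the file."""
    best = None
    for idx, pol in enumerate(policies):
        if matches(pol, pkt) and (best is None or (strength(pol), idx) > best[0]):
            best = ((strength(pol), idx), pol)
    return None if best is None else best[1]


def demo():
    """Constructed packets run against SAMPLE_POLICY.
    Each result is (action, encr_algs, auth_algs) or None when nothing matches."""
    pols = parse_policies(SAMPLE_POLICY)
    pkts = {
        "outbound_tcp": {"saddr": "hostA", "daddr": "hostB", "ulp": "tcp", "direction": "out"},
        "outbound_udp": {"saddr": "hostA", "daddr": "hostB", "ulp": "udp", "direction": "out"},
        "inbound_hostA": {"saddr": "hostA", "daddr": "hostB", "ulp": "tcp", "direction": "in"},
        "inbound_net": {"saddr": "134.56.12.3", "daddr": "hostB", "ulp": "udp", "direction": "in"},
    }
    out = {}
    for name, pkt in pkts.items():
        pol = select(pols, pkt)
        out[name] = None if pol is None else (
            pol["action"], pol["props"].get("encr_algs"), pol["props"].get("auth_algs"))
    return out
```

Outbound UDP from hostA gets no policy at all, a reminder that an apply entry restricted to ulp tcp leaves every other protocol in the clear.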
skip utility : Builds an encrypted channel between two hosts, and
authenticates every network packet using an authentication algorithm.
To initialize the skip local ID database:
# skiplocal -i
To perform a skip key generation:
# skiplocal -k
< 50 or more random keystrokes are entered here >
To list the keys:
# skiplocal -l
To save the current ACL
# skipif -s
To update the system:
# skipif -a
# init 6
To output the key information
# skiplocal -x
(This output must be entered in the partner host )
To enable skip for encrypted transmissions
# skiphost -o on
To disable skip:
# skiphost -o off
Module 12 : Analyzing Network Services
SAINT : Second generation tool for probing system network services and
determining whether these services are configured in a secure way.
SAINT Run-Time Configuration Options
1.SAINT home Selects the startup screen
2.Data Management Selects the SAINT database for storing data
3.Target Selection Selects the hosts which will be analyzed
4.Data Analysis Displays the results of running SAINT analysis
5.Configuration Selects the attack level and other parameters
Management
6.Documentation Provides HTML documentation for configuring and using
SAINT
7.Troubleshooting Provides help with common SAINT problems
saint.cf : saint configuration file where the default information is
stored.
Setting the Attack Level:
$attack_level variable: defines the extent to which SAINT attempts to
infiltrate the target system.
0.= light: simple, quick, and largely non-intrusive. Difficult to
detect.
1.= normal:
2.= heavy: slow, more informational,easy to detect
3.= heavy+:dangerous, can crash the target system
4.= top10: detects the SANS top 10 security threats
5.= custom:
probes : Are modules which are run under each attack. If a probe has a
? at the end of its name, it runs conditionally.
Setting the Level of Password Guessing:
$password_guesses variable: defines the number of passwords to guess
for each account identified by rusers or finger.
Setting Time-Outs:
$timeout variable: specifies the time-out for certain probes.
0.= short
1.= med
2.= long
Determining Values for Proximity Variables
$max_proximity_level variable: Defines the number of hosts that SAINT
scans.
0 = initial target host
1 = machines adjacent to target host
$proximity_descent variable : Defines how much to reduce the strength
of the attack as the attack propagates farther from the initial
target system.
Detecting Network Analyzer Attacks
Gabriel :
Netman: full network monitoring package
NOCOL: detects and monitor all network activity.
Courtney: warns administrators of SAINT or SATAN attacks.
Module 13 : Securing Network Services
chroot command : changes the root directory for the duration of a
program's execution lifetime, so the program sees a very restricted
view of the system. You must build a complete environment for the
executing program, including:
executable command files
shared libraries and directories
device files
Because a process running as root can still escape a chroot, run the
confined service as an unprivileged user.
Integrating Services Using PAM
The PAM framework allows new authentication technologies to be plugged
in without changing system services such as login, ftp, telnet, and so
on.
PAM Runtime Modules:
1.Authentication modules- authenticate the user and allow credentials
to be set, refreshed, or destroyed. Also useful as an administration tool.
2.Account modules-check for password aging, account expiration, and
access time restrictions. Determine if the user is allowed access.
3.Session modules-opening and closing of an authentication session.
Can log activity or clean up after a session is over.
4.Password modules-mechanism for changing a password.
UNIX OS login service
|
|
V
-----
| P |
| A |
| M |
-----
|
|
V
-------------------------
| | |
DCE GSS KERBEROS
(SEAM)
/usr/lib/pam : library that provides the framework to load the
appropriate modules and manage the stacking process.
/etc/pam.conf : Configuration file that defines:
which PAM modules to use
in what order to use modules with each application
pam.conf Syntax:
service_name module_type control_flag module_path
module_option
service_name : (ftp,login, telnet, etc.)
module_type : (auth, account, session, or password )
control_flag : (requisite, required, sufficient, or optional)
module_path : path to the library object that controls the service's
function. default=/usr/lib/security/$ISA
module_option : module-specific options.
pam.conf Control Flags: indicates how to handle a successful or failed
attempt through each module.
requisite : the module must return success for additional
authentication to occur.
required : the module must return success for the overall result to be
successful.
optional : if this module fails, the overall result can be successful
if another module in this stack return success.
sufficient : if this module is successful, skip the remaining modules
in the stack, even if they are labeled required.
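An added Python evaluator of the control flags just described (not from the original notes and not Sun's PAM framework): it parses pam.conf lines in the syntax above, falls back to the "other" service, and walks a stack the way the four flags dictate. The configuration and the per-module outcomes are constructed; the module file names are Solaris ones but the stacks are made up for illustration.

```python
import os

SAMPLE_PAM_CONF = """
# service type  flag        module                                         options
# (constructed sample: Solaris module names, made-up stacks)
login    auth  requisite   /usr/lib/security/$ISA/pam_authtok_get.so.1
login    auth  required    /usr/lib/security/$ISA/pam_unix_auth.so.1
telnet   auth  sufficient  /usr/lib/security/$ISA/pam_krb5.so.1          try_first_pass
telnet   auth  required    /usr/lib/security/$ISA/pam_unix_auth.so.1
other    auth  required    /usr/lib/security/$ISA/pam_unix_auth.so.1
other    auth  optional    /usr/lib/security/$ISA/pam_dial_auth.so.1
"""


def parse_pam_conf(text):
    """service_name module_type control_flag module_path [module_option ...]"""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {line!r}")
        entries.append({"service": fields[0], "type": fields[1],
                        "flag": fields[2].lower(), "module": fields[3],
                        "options": fields[4:]})
    return entries


def stack_for(entries, service, mtype):
    """Modules run in file order; a service with no entries uses 'other'."""
    own = [e for e in entries if e["service"] == service and e["type"] == mtype]
    return own or [e for e in entries if e["service"] == "other" and e["type"] == mtype]


def run_stack(stack, results):
    """Apply the control flags. `results` maps module file name -> True/False
    (what that module would return). Returns (overall_ok, modules_consulted)."""
    required_failed = False
    any_success = False
    only_optional = all(e["flag"] == "optional" for e in stack)
    consulted = []
    for entry in stack:
        name = os.path.basename(entry["module"])
        ok, flag = results[name], entry["flag"]
        consulted.append(name)
        if flag == "requisite" and not ok:
            return False, consulted            # stop at once
        if flag == "required" and not ok:
            required_failed = True             # remember, but keep going
        if flag == "sufficient" and ok and not required_failed:
            return True, consulted             # remaining modules are skipped
        if ok and (flag != "optional" or only_optional):
            any_success = True
    return (not required_failed and any_success), consulted


def demo():
    """Constructed outcomes per module, evaluated through the sample stacks."""
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    cases = {
        "login_wrong_password": ("login", {"pam_authtok_get.so.1": True, "pam_unix_auth.so.1": False}),
        "login_no_password_entered": ("login", {"pam_authtok_get.so.1": False, "pam_unix_auth.so.1": True}),
        "telnet_kerberos_ok": ("telnet", {"pam_krb5.so.1": True, "pam_unix_auth.so.1": False}),
        "telnet_kerberos_fail_unix_ok": ("telnet", {"pam_krb5.so.1": False, "pam_unix_auth.so.1": True}),
        "ftp_uses_other": ("ftp", {"pam_unix_auth.so.1": True, "pam_dial_auth.so.1": False}),
    }
    return {name: run_stack(stack_for(entries, svc, "auth"), res)
            for name, (svc, res) in cases.items()}
```

The telnet stack is the pitfall the flag list warns about: once the sufficient Kerberos module succeeds, pam_unix_auth is never consulted, so a required module placed after a sufficient one cannot veto the login.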
SEAM: client-server authentication mechanism based on Kerberos version
5. SEAM is a single sign-on system which authenticates the user once
and then grants access to authorized network resources automatically.
SEAM doesn't transmit unencrypted passwords across the network.
Kerberos: authentication system which uses DES cryptography to protect
sensitive information such as passwords on an open network.
Module 14 : Automating Server Hardening
Common Hardening Tools
1.COPS (Computer, ORACLE, and Password System): set of programs that
attempts to automate security checks that are often performed
manually. COPS doesn't correct problems, but issues a report for the
administrator. Run on most major UNIX.
2.Tiger: set of scripts that scans a UNIX OS looking for security
problems. The main purpose of many of the Tiger checks is to protect
the superuser account.
3.Titan: collection of programs that fixes or tightens security
problems in the setup or in the configuration of a UNIX. Titan is a
system hardening and intruder detection tool.
4.SST (Solaris Security Toolkit) Formerly JASS. Simplifies and
automates the process of securing Solaris OE systems.
5.YASSP: used to harden the system to a configuration that is suitable
for an exposed server such as a firewall, a web server, or an ftp
server in which you need to limit your security exposure.
Hardening the System Using SST.
The goal : To automate and simplify building secured Solaris OE
systems.
Hardening: Is the modification of Solaris configurations to improve
the security of the system.
Minimization: Is the removal of unnecessary Solaris packages from the
system (to improve security in the case of SST)
SST Two Modes:
1.Standalone Mode:
Run from the command line
Use when you cannot reinstall the operating system
Use after patch installation
2.JumpStart Mode
Hardening during installation
JumpStart finish scripts call SST toolkit scripts
Ultimate function of system dictates the nature of system hardening
SST Directories:
1.Documentation: Set of pdf files with BluePrints documentation.
2.Drivers: configuration information that specifies what finish
scripts will be executed and what files will be installed as a result
of the SST's execution.
3.Files: Repository for various configuration files that perform
recommended changes to standard system files.
4.Finish: Contains the scripts that perform system modifications and
updates during installation. There are 10 Categories of scripts:
1.disable
2.enable
3.install
4.minimize
5.print
6.remove
7.s15k
8.set
9.suncluster30
10.update
5.OS: Contains only Solaris OE images used by the JumpStart.
6.Packages: Contains software packages that can be installed with a
finish script.
7.Patches: Should contain Recommended and Security Patch Cluster for
Solaris.
8.Profiles: Contains all the files with the configuration information
that is used by JumpStart to determine Solaris installation, disk
layout,etc.
9.Sysidcfg: Contains the files used by JumpStart to identify the
systems.
jass-execute Script Syntax:
jass-execute {-d driver | -u [-n] } [-r root_directory] [-o
output_file] [-h]
-d driver Specify the driver script that is to be run in the
standalone mode.
-u Used to undo the modifications that were made during previous SST
hardening runs, whether done in standalone or JumpStart mode.
-n Used with -u. During a hardening run in either mode SST generates a
cryptographic checksum of each modified file.
-r root_directory change the root directory during execution of SST.
-o output_file redirect the output of SST to output_file
-h display the jass-execute help message.
Module 15 : Authenticating Network Services
TCP Wrappers: small daemon programs that wrap around the standard
network daemons. The Wrappers report the name of the client host and
the requested service using the Syslog program.
tcpd : program that surrounds the service daemons to log the incoming
request and optionally provide access control.
Configuring TCP Wrapper :
1.Hidden: replacing the network service daemons.
#mkdir /usr/save
#mv /usr/sbin/in.ftpd /usr/save
#cp tcpd /usr/sbin/in.ftpd
2.Visible: changing the /etc/inetd.conf file.
from:
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
to:
ftp stream tcp6 nowait root /usr/local/sbin/tcpd in.ftpd
tcpdchk : check program which validates the TCP Wrapper installation,
examines the access control files, and validates the entries in these
files against entries in the network configuration files.
To get a comprehensive report:
#tcpdchk -av
To check an individual host for access to a specific service:
#tcpdmatch in.ftpd grommit
Configuring Client Access Logging
TCP Wrapper uses the syslog mail facility with the following:
info - successful network connections
warning - denied network access
error - incorrect configuration files
Configuring Host Access Control
/etc/hosts.allow - an entry here grants client access
ALL: ALL
/etc/hosts.deny - an entry here denies client access
in.ftpd: 192.168.1., 192.168.2.
in.telnetd, in.rlogind: wallace, grommit, sean
If the files are empty or do not exist, access is allowed.
hosts.allow is searched first, then hosts.deny, and the first matching
entry wins. Note that the hosts.allow example above (ALL: ALL) matches
every request, so nothing in hosts.deny would ever be consulted; the
usual arrangement is to list the permitted services and clients in
hosts.allow and put ALL: ALL in hosts.deny.
Access File Format:
service : client : options
service name of the service to allow or block. ALL = all services. Use
commas to separate.
client hostname, IP address, network address or domain name of the
clients to allow or block. ALL = all clients. Use commas to separate.
options allow the definition of banners and spawning of commands.
Using Banners With TCP Wrappers
You can configure banner as options for any entry in the hosts.allow
and hosts.deny files
:banners message_directory
ALL : ALL: banners /etc/tcpd.deny
#more /etc/tcpd.deny/in.ftpd
220 Sorry but you are not authorized...
Building Banner Files
#mkdir /etc/tcpd.deny
#cd /etc/tcpd.deny
#cp /usr/local/doc/tcp_wrappers/Banners.Makefile makefile
#cat > prototype
Service unavailable
#make
Customizing a Banner Message:
%a - client's IP address %s - server daemon and hostname
%c - client's canonical host name %u - client user
%d - server's daemon %A - server' IP address
%h - client's hostname %H - server's hostname
%n - client's name %N - server name
%p - process ID %% - a percent sign
Using Banners Without TCP Wrappers
Banner for FTP:
#more /etc/default/ftpd
BANNER="This is a secure host!"
Banner for telnet
#more /etc/default/telnetd
BANNER="\nWARNING!\nUnauthorized access will be prosecuted!\n"
Banner for telnet, rlogin, and other logins:
#more /etc/issue
This host is monitored at all times. Violations may result in
disciplinary action.
Using TCP Wrappers to Spawn Commands
You can spawn commands as options for any entry in the hosts.allow and
hosts.deny files
: spawn command
#cat /etc/hosts.deny
ALL :ALL :spawn echo "intruder %h(%a) detected at `date`" |
/usr/local/bin/pager 123 876 5432
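An added Python example (not from the original notes and not the tcp_wrappers code) covering the two passages above, host access control and spawn options: it parses hosts.allow/hosts.deny lines in the service : client : options format, applies the allow-then-deny-then-default-allow search order, and expands the %-sequences in a spawn command without running it. It evaluates constructed requests first against the two files exactly as shown above, then against a constructed default-deny pair; the client host names and addresses are made up.

```python
import ipaddress
import re

# The two files exactly as the notes show them.
HOSTS_ALLOW_AS_SHOWN = "ALL: ALL\n"
HOSTS_DENY_AS_SHOWN = """
in.ftpd: 192.168.1., 192.168.2.
in.telnetd, in.rlogind: wallace, grommit, sean
"""
# Default-deny arrangement (constructed): named clients in hosts.allow,
# everything else refused in hosts.deny with the spawn option from above.
HOSTS_ALLOW_TIGHT = """
in.ftpd: 192.168.1., 192.168.2.
in.telnetd, in.rlogind: wallace, grommit, sean
"""
HOSTS_DENY_TIGHT = (
    'ALL :ALL :spawn echo "intruder %h(%a) detected at `date`" '
    "| /usr/local/bin/pager 123 876 5432\n"
)


def parse_rules(text):
    """'service_list : client_list [: options]'; lists are comma separated."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) < 2:
            raise ValueError(f"malformed access rule: {line!r}")
        rules.append({"services": [s.strip() for s in parts[0].split(",")],
                      "clients": [c.strip() for c in parts[1].split(",")],
                      "options": parts[2] if len(parts) > 2 else ""})
    return rules


def client_matches(pattern, host, addr):
    """The client forms used above (ALL, 'net.' prefix, exact host) plus
    '.domain' suffix and net/mask from hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # '192.168.1.' network prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):                     # '.example.com' domain suffix
        return host.endswith(pattern)
    if "/" in pattern:                              # 'net/mask'
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (host, addr)                  # exact host name or address


def find_rule(rules, daemon, host, addr):
    for rule in rules:
        if any(s in ("ALL", daemon) for s in rule["services"]) and \
           any(client_matches(c, host, addr) for c in rule["clients"]):
            return rule
    return None


def access_decision(allow_rules, deny_rules, daemon, host, addr):
    """hosts.allow is searched first, then hosts.deny; no match means allow."""
    rule = find_rule(allow_rules, daemon, host, addr)
    if rule is not None:
        return True, rule["options"]
    rule = find_rule(deny_rules, daemon, host, addr)
    if rule is not None:
        return False, rule["options"]
    return True, ""


def expand(template, daemon, host, addr, server="grommit"):
    """Expand the %-sequences from the banner table (subset: a h c d H N %)."""
    table = {"a": addr, "h": host, "c": host, "d": daemon, "H": server, "N": server, "%": "%"}
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), template)


def demo():
    """Constructed requests evaluated against both pairs of files."""
    shown = (parse_rules(HOSTS_ALLOW_AS_SHOWN), parse_rules(HOSTS_DENY_AS_SHOWN))
    tight = (parse_rules(HOSTS_ALLOW_TIGHT), parse_rules(HOSTS_DENY_TIGHT))
    requests = [("in.ftpd", "evil.example.net", "10.0.0.5"),
                ("in.ftpd", "pc7.lan", "192.168.1.7"),
                ("in.telnetd", "wallace", "192.168.9.2"),
                ("in.rlogind", "mallory", "192.168.1.99")]
    out = {"as_shown": {}, "tight": {}, "spawned": None}
    for daemon, host, addr in requests:
        key = f"{daemon}@{addr}"
        out["as_shown"][key] = access_decision(*shown, daemon, host, addr)[0]
        allowed, opts = access_decision(*tight, daemon, host, addr)
        out["tight"][key] = allowed
        if not allowed and opts.startswith("spawn ") and out["spawned"] is None:
            out["spawned"] = expand(opts[len("spawn "):], daemon, host, addr)
    return out
```

With the files as shown, every request is accepted because ALL: ALL in hosts.allow ends the search before hosts.deny is read; the default-deny pair refuses the unknown clients and produces the expanded pager command for the first intruder.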
Module 16: Securing Remote Access
Secure Shell: collection of user programs that ensure secured network
connections to remote hosts. Is an application layer protocol that
provides:
data encryption: ensures that transmitted data is unintelligible to an
attacker who gains access to the data while it is transmitted over the
network.
host authentication: determines the identity of the communicating
partners.
data integrity: supports the delivery of unaltered data at its
destination.
Standard Encryption Algorithms and Cryptography Techniques:
1.Symmetric Ciphers: (shared secret keys, single keys, shared private
keys). The same key is used for encrypting and decrypting the data.
Secret Key Algorithms
DES: employs a 56-bit key.
3DES: applies DES three times with independent keys (168 key bits,
roughly 112 bits of effective strength).
RC4: employs a variable-sized key and a pseudo-random number generator.
Blowfish: employs variable-sized keys. Very difficult to crack.
IDEA: 128-bit key block cipher, widely regarded as very strong.
2.Asymmetric Ciphers: (public keys). Employ a public key and a private
key related mathematically. The public key is distributed to anyone
who wants it, and the private key is kept private. When someone wants
to send you information using asymmetric ciphers, they encrypt it
using your public key. When you receive the encrypted information, you
decrypt it using the corresponding private key. Some public-key
algorithms (RSA-based) can be used for encryption and digital
signatures.
3.Hash Functions: Can be used two-fold:
1.to detect data that has changed because of transmission errors.
2.To detect data that has been intercepted and was modified in
transit.
Hashing Algorithms
MD5 (Message Digest 5): 128-bit hash algorithm.
SHA-1 (Secure Hash Algorithm): 160-bit hash algorithm.
$HOME/.ssh/known_hosts file : keeps the host public key of every
system that should be considered trusted, so the client can detect a
server whose key has changed.
ssh-keyscan : program that can create the known_hosts file
automatically. Keys gathered over the network this way should be
checked against fingerprints obtained out of band before they are
trusted.
Client Authentication:
User authentication: a user can be authenticated through either:
Passwords: user suplies the account password as in the login process.
Is the default.
Public keys : the user can create a private/public key pair that is
stored on the local host. The remote hosts are provided with the
public key, that is required to complete the authentication. The
public/private key pair is stored in the user's home directory, in the
following default files:
Private Key, Public Key Cipher and Protocol Version
identity, identity.pub RSA v1
id_rsa, id_rsa.pub RSA v2
id_dsa, id_dsa.pub DSA v2
Host authentication: requires the client to hold the server host's
public key. A copy of the server's host public key is stored in
$HOME/.ssh/known_hosts (or the system-wide /etc/ssh/ssh_known_hosts) on
the client; if the key presented at connection time differs, the client
warns of a possible man-in-the-middle.
PAM modules: can be used to support many other authentication types
such as OTP.
Forwarding TCP/IP Ports Using OpenSSH.
Port forwarding is a Secure Shell process where the ssh program
Connects to a remote server
Listens on various ports on this server
Forwards all traffic to and from ports on the client machine
Secure Shell Tools
1.scp(1): securely copies files between machines. Can copy
recursively, and between two remote machines.
2.sftp(1) secure ftp
3.sftp-server(8) secure ftp server
4.ssh(1) secure shell client program
5.ssh-add(1) registers new keys with the authentication agent.
6.ssh-agent(1) authentication agent that hold keys on behalf of the
user. Eliminates the need to constantly enter passphrases to unlock
keys.
7.sshd(8) server program that listens for connections ssh or scp,
performs
authentication and begins serving the client.
8.ssh-keygen(1) creates authentication keys for server and client
authentication
9.ssh-keyscan(1) obtains public keys from servers.
/etc/ssh/sshd_config file : Server Configuration file.
Generating Client Keys
$ ssh-keygen (press enter to accept the file name, then enter a
passphrase)
Without -t this produces the protocol 1 pair identity (private key) and
identity.pub (public key) in the .ssh subdirectory of the user's home
directory; use ssh-keygen -t rsa or -t dsa for protocol 2 keys (id_rsa,
id_dsa).
Creating the Host Key
# ssh-keygen -f /etc/ssh/ssh_host_key
You must have the /etc/ssh/sshd_config file created and a host key for
the server before you can start the sshd server daemon. The server key
is placed in the /etc/ssh/ssh_host_key file.
Stopping and Starting the SSH Daemon
/etc/rc3.d/S89sshd starts at boot time
/usr/lib/ssh/sshd start from command line
sshd -d run the server in debug mode
sshd -d -d -d run the server in three levels of debug mode
$HOME/.ssh/authorized_keys file: grants access to an account (similar
to the .rhosts file). Grant a user access to your account by copying
the contents of their identity.pub (or id_rsa.pub / id_dsa.pub) file
into your authorized_keys file.
/etc/ssh/ssh_config file: client configuration file.
Module 17 : Securing Physical Access
a lot of bull***....
Module 18: Connecting the Enterprise Network to the Outside World
Firewall: software that monitors all of the traffic between two
networks, and blocks and logs inappropriate traffic. The firewall is
based on rules to allow or block packets. Components:
Packet filters that control access to the network based on the source
or destination IP address of the packet.
Proxies, which hide the real address of a host on the corporate
network when the host connects to the outside world
Protocol-based software that uses knowledge of higher-level protocols,
such as TCP or SMTP, to identify dubious network activity.
Logging Features:
1.Log on success: Events that result in passage through the firewall
are logged.
2.Log on deny: Events that result in refusal of passage through the
firewall are logged.
SunScreen Software Firewall:
1.SunScreen Secure Net 3.1: full-featured. Designed to be deployed
across the enterprise.
2.SunScreen 3.1 Lite: designed to protect individual servers or very
small workgroups.
SunScreen can support up to 15 separate network interfaces.
Incorporates a useful proxy-server capability. A high availability
configuration enables SunScreen to fail over quickly to a second screen
(server) without losing firewall or encryption sessions.
Routers: devices that redirect packets from one network to another
network. The routing tables usually includes the following:
the name of the route
the active status of the route
the destination IP address
the IP subnet mask
the Gateway IP address
Private (true or false)
filters
Proxy Server: The proxy accepts client requests for connections and
forwards them to the original target, replacing the client's IP address
with its own. At the same time the requests can be filtered by the
proxy, allowing or denying traffic.
DMZ: part of the LAN that is between two firewalls. One firewall
separates the DMZ from the internal LAN, while the other separates the
DMZ from the outside world. It is common to site publicly visible
hosts, such as web servers and FTP servers, on the DMZ.
VPN: uses encryption to create a secure channel between two hosts (or
networks) as they communicate over an insecure network, usually the
Internet.
Types of VPN:
1.Hardware VPNs: Are essentially encrypting routers. They have very
high bandwidth and are easy to install.
2.Software VPNs: These range from firewalls that support encryption,
to VPN clients that run on individual workstations.