=Users Basic Security Guide=
=Unix Security=

Assembled/Written by reptile
Revisions by gr1p
The c0re team [ www.c0re.org ]
8/10/98

Note: This paper on Unix security was written with the newbie in mind: someone who has heard of Unix and never used it, or perhaps the Unix administrator who needs some tips on Unix security.

---------> Users Basic Security Guide : Unix Security <-----------

1. Introduction to Unix
2. Unix Accounts
3. Unix Shells
4. Understanding Unix Passwords
5. Unix Commands and File & Directory Structure
6. Daemons
7. Unix Vulnerabilities
8. File Encryption in Unix

Section 1: -> Introduction To Unix

Unix was originally developed at AT&T Bell Labs at the end of the 1960s, and Unix systems have been the backbone of the Internet and of web servers ever since. Berkeley Unix (BSD) is one of the most widely used branches, and there are many other versions of Unix: Linux, OpenBSD and IRIX, to name a few. Unix is a text-based operating system rather than a graphical user interface such as Windows 95/NT or OS/2; however, the X Window System gives Unix a graphical user interface on top of the stability of Unix.

Section 2: -> Unix Accounts

The Unix operating system distinguishes only two types of account: user accounts and the superuser. A user account is a standard account with limited privileges. The superuser (any account whose user ID is 0) is the system operator account and has full privileges; it is not bound by file or directory permissions. So an account has either full privileges or limited privileges.

Unix systems come initially configured with several accounts, some with superuser privileges and some with user privileges:

root is the system administrator account, which has access to everything. (Do not confuse the root account with the root directory, "/", which is the top of the directory tree.)
makefsys is a superuser account whose specific purpose is creating a new file system on a storage device.
mountfsys is a superuser account which mounts file systems.
umountfsys is used to unmount a file system from a drive.
Finally, checkfsys is used to examine and repair the file system.

Usernames: Username length is limited (8 characters on many traditional systems, up to 14 on some), and a username can contain almost any character. A hacker who can log into your system as an innocent, low-privilege user can then use su (the switch user command) to try to change to a superuser account, which is why every account, including the defaults, needs a strong password. Here are some of the basic default user accounts that you should be aware of when securing your system:

lp is a user-level account which owns the line printer spooler.
daemon is a user-level default account which is an all-purpose account for system services.
trouble is a user-level default account which is a system debugging account.
uucp is the Unix-to-Unix copy protocol account.
nuucp is another account, the new Unix-to-Unix copy protocol account.

Section 3: -> Unix Shells

A Unix shell is a program that accepts your input and translates it into commands that the operating system carries out. It is the interface between the user and the operating system, sort of like a window onto it. It is actually just another program that the operating system executes when you log in; when you exit the shell it logs you out of the system. You can also run multiple shell levels (a shell started from inside another shell). This can cause a significant problem: a user who exits one shell may still be left logged in under the other, and a shell left running on an unattended terminal is an open attack route for hackers. Below are the standard shells in use on Unix machines.

csh: This command executes the C shell, developed at the University of California, Berkeley. It has different shell programming control structures from sh, and unlike sh it supports aliasing and keeps a history of the commands you enter. User-level accounts see a "%" prompt and the superuser sees "#".

sh: This command executes the Bourne shell, the standard shell of Unix System V. On System V, "$" is the prompt for user-level accounts; if you have had an sh shell account on a system the "$" will look familiar. "#" is the superuser prompt.

ksh: This command executes the Korn shell.
The Korn shell combines features of the two shells listed above: it has command aliasing, command history and easier shell programming.

There is also a restricted Bourne shell, executed with the rsh command (not to be confused with the BSD remote shell program of the same name). It does not let users execute commands outside their search path, change directories, or change the shell, so it is used to confine an account to a fixed set of commands.

Section 4: -> Understanding Unix Passwords

In Unix, when you create a new account the account has no password until the superuser or the account's owner sets one. Never leave an account in that state: set a password for every account you create, and have a standard password policy that applies to all of them. With the traditional crypt() password scheme only the first 8 characters of a password are significant (longer passwords are accepted but silently truncated). A password may contain any character, and unlike DOS the Unix system treats upper-case and lower-case letters as different. My advice as well is to set an expiration date (password aging) on your user passwords.

Section 5: -> Unix Commands and File & Directory Structure

In Unix, files and directories are identified by path names. Unlike Windows, paths use a forward slash ("/") rather than a backslash. "/" represents the root directory in Unix, much like "\" represents the root directory in Windows 95/NT; it is the top directory in the directory tree. As an example, suppose this directory has two subdirectories in it, usr and happy. In the usr directory there is another subdirectory named source and a file called junk; in happy there are two files, memo and degrees.

Getting around: So let's assume you are at the top of the directory tree and you want to get to the usr directory. You could use the command "cd /usr", cd meaning change directory and /usr being the directory you want to change to. Remember that Unix uses forward slashes rather than backslashes. Since usr is in the root directory, and you are already in the root directory, you only need to issue the command "cd usr".
So if the directory you want to change to is inside the directory you are currently in, all you need to give is its base name. You can also refer to the directory above your current directory in the tree as "..", and to the current directory as ".".

File names and directory names: On traditional Unix systems file and directory names may be up to 14 characters long (modern systems allow 255). A name may contain any ASCII character except "/"; spaces are allowed but awkward, since the shell uses them to separate arguments. Unix does not require file type extensions such as .txt or .doc the way Windows or NetWare do. File names that begin with a period are hidden files: a plain "ls" does not show them, and you must use "ls -a" to reveal them.

Unix file types: The three types of file Unix uses are text files, binary files and device files. Text files are self-explanatory, although there is such a thing as an executable text file (a script). Binary files are executable machine code files. Device files represent the system's input/output devices.

Unix file/directory protection: When a Unix account is created the OS assigns it a user number (UID) and a group number (GID). The system uses these to identify the user, and uses them to determine the user's file and directory access privileges. There are three types of permission on a file: read lets a user view the contents of the file, write lets a user change the contents of the file, and execute lets a user run the file (on a directory, execute means permission to enter it). Unix divides users into three classes, user (the owner), group and other, and you can specify the permissions on a file for each class separately. The chmod command changes a file's or directory's permissions, either symbolically or absolutely (with an octal number such as 644). The format for a symbolic change is chmod [u, g, or o] [+ or -] [rwx] [file/directory name]; for example "chmod go-w memo" removes write permission for group and other. (The separate chown command changes a file's owner, not its permissions.)
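A worked demonstration of the symbolic and absolute forms of chmod, as an added example that is not part of the original paper. It works on a scratch file in a temporary directory (the file name memo and the modes chosen are arbitrary) and reports the resulting permission string after each change, so the two notations can be compared side by side.

```shell
#!/bin/sh
# Added example (not from the original paper): symbolic vs absolute
# (octal) chmod on a scratch file. perms prints the 10-character mode
# field from ls -l, e.g. -rw-r--r--, so each change can be checked.

set -e

# perms FILE -> the mode field of ls -l, e.g. -rw-r--r--
perms() {
    ls -ld "$1" | cut -c1-10
}

# apply_mode FILE MODE -> applies MODE (symbolic or octal), prints new mode
apply_mode() {
    chmod "$2" "$1"
    perms "$1"
}

demo_chmod() {
    dir=$(mktemp -d)
    f="$dir/memo"
    : > "$f"                        # create an empty scratch file
    chmod 644 "$f"                  # known starting point: -rw-r--r--
    echo "start:  $(perms "$f")"
    echo "u+x:    $(apply_mode "$f" u+x)"    # symbolic: owner may execute
    echo "go-r:   $(apply_mode "$f" go-r)"   # symbolic: group/other lose read
    echo "640:    $(apply_mode "$f" 640)"    # absolute: owner rw, group r
    echo "o+w:    $(apply_mode "$f" o+w)"    # world-writable: never leave this
    rm -rf "$dir"
}

demo_chmod
```

Note that "chmod 640" sets all nine bits at once, whereas "u+x" and "go-r" only touch the bits named; both reach the same place but the octal form is what you want when a file must end up in a known state regardless of what it was before.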
Unix command set:

Wildcards: Say you want to specify a path name and reference several files at once, possibly in other parts of the system. A wildcard is a character you use when referencing files and directories. "?" (the question mark) tells the shell to accept any single character in the place of the question mark; for example "m?an" matches both mean and moan. "[]" (square brackets) tells the shell to accept any one of the characters listed within the brackets in that position; for instance "n[eoa]at" matches "neat", "noat" and "naat". "*" (the asterisk) tells the shell to accept any character, group of characters or no characters at all in the position of the "*". Note that it is the shell, not the program, that expands wildcards, before the command ever runs.

Command-line options: The majority of Unix commands have more than one option. In Unix you specify the option when using the command. For example, say you had a program named Xpepper and it had an option called s. To use this option you would issue the command "Xpepper -s". If the program has more than one option (which is most likely the case) and the other option is called f, you could issue the command "Xpepper -sf"; you can still specify the options separately, as "Xpepper -s -f".

Ping command: To check whether a remote server is up before you start sending commands to it you would use the ping program. Ping sends ICMP (Internet Control Message Protocol) packets from one host to another: it transmits packets using the ICMP ECHO_REQUEST message and then waits for an ICMP ECHO_REPLY to each packet it transmits. Below is ping's set of options:

-c count : Tells ping to stop after sending (and waiting for replies to) count packets, rather than running until interrupted.
-d : Turns on the debug option on the socket that ping uses to transmit data.
-f : Flood ping: ping outputs packets as fast as the remote host returns them, or 100 times per second, whichever is more. While flood pinging, ping prints a period for each request sent and a backspace for each reply received, so a growing row of periods shows packets being dropped. Only the superuser may use this option.
-i wait : Tells ping to wait wait seconds between sending each packet (the default is one second).
-n : Tells ping to print only the host's IP address and not to look up host names.
-q : Quiet mode: nothing is shown except the summary lines at start and finish.
-s packetsize : Sets the number of data bytes in each ping packet to packetsize. Together with -f this could be used as a type of DoS, but I'm not going to get into that in this paper.

The following is an example of the ping program:

    $ ping msn.com
    PING msn.com (207.68.179.111): 32 data bytes
    32 bytes from msn.com (207.68.179.111): icmp_seq=0 ttl=254 time=10 ms
    32 bytes from msn.com (207.68.179.111): icmp_seq=1 ttl=254 time=10 ms
    32 bytes from msn.com (207.68.179.111): icmp_seq=2 ttl=254 time=10 ms
    32 bytes from msn.com (207.68.179.111): icmp_seq=3 ttl=254 time=10 ms
    --- msn.com ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max = 10/10/10 ms
    $

Finger command: finger is a user-information protocol used to obtain information about a remote computer, such as who is connected to that remote server, where each person logged in from, and roughly what they are doing (it also shows each user's Plan and Project fields). From the Unix terminal you issue the finger command and it returns a list of the users currently logged in on the target server, together with whatever the server knows about each person.

rlogin: This program lets a user log into a remote host from the local machine by issuing the command rlogin followed by the host you want to connect to and log into.
Section 6: -> Daemons

Daemon is a shortened term for daemon process: a system-wide process that performs functions for the operating system, such as administration and control, network services, print services and execution of time-dependent activities. To qualify as a daemon process, the process cannot be associated with a user's terminal session, and it must continue after the user logs off the server. Basically daemons accept requests and process them.

lpd daemon: lpd manages print services and listens for print requests. When a print request arrives the daemon sends it to printers on the network.

init daemon: This is the parent process of all processes on the system. Its main job is to bring up the operating system once the kernel has booted, so without it the system will not come up. It is always process ID 1.

sendmail daemon: sendmail is the Mail Transport Agent for Unix systems. It listens on TCP port 25 for mail connections from other systems and, once it receives a message, delivers it to local or remote users.

Section 7: -> Unix Vulnerabilities

Unix passwords: A password is used to verify the authenticity of a user login, and the password database is in /etc/passwd. When the user types the password, the Unix system converts it into a series of bytes and runs it through a one-way hash algorithm (traditionally crypt(), with a two-character salt stored alongside the hash). The server compares the generated hash value with the one stored in the password database; if the values match, the server logs the user in. Note that what is stored is a hash, not an encrypted password: it cannot be reversed, only guessed at.

Unix systems are very susceptible to sniffing attacks because the traditional login services (telnet, rlogin, ftp) send the password across the network in the clear. On a system without shadow passwords the password file is not hidden from users, unlike NT or NetWare: /etc/passwd is world-readable, which makes it susceptible to brute-force (password guessing) attacks. Anyone with even minimal access to the server can copy the file, and worse if there is a bounce flaw.
Shadowing your password file gives greater protection against attacks such as these. On older systems a third-party shadow suite has to be installed to implement it; most current systems ship with shadow passwords built in. The hash field in /etc/passwd is replaced with a special token (usually "x" or "*"), and the hashes are stored in a separate file, /etc/shadow, which is not readable by normal system users. A large number of servers do not incorporate the password shadowing suite and so leave the hashes in /etc/passwd, readable by every user on the system. (/etc/passwd itself has to stay world-readable, since programs such as ls need it to map user IDs to names; the point is that the hashes must not be in it.) If the shadowing suite is present, make sure that /etc/shadow is chmod 600 and owned by root, so that only root can read it. With shadow passwords active, /etc/passwd becomes useless to users trying to gain access to other accounts by cracking their passwords with a password cracker such as John the Ripper.

Password attacks: One method of attacking a system is the brute-force attack. In Unix a user is not locked out of the system after too many failed attempts to log in. Usually a low-level account is targeted and the password database is attacked. Once /etc/passwd (with hashes in it) is accessible, the hacker can run the attack offline, at full speed, until a password is found that the system will accept. Basically brute force tries password after password until every legal character combination has been used; in practice crackers try dictionary words and common variations first, which is why weak passwords fall in minutes.

Some of the most important files in a Unix system are important to know when you want to secure your system. Below I will list them:

/etc/passwd - password file; information on the system's accounts is here.
/etc/group - group file; lets the superuser give accounts group access.
/dev/tty## - the device files for the system's terminals.
/dev/console - device file for the system console.
/usr/adm/loginlog - login log; records login attempts with time and account username.
mbox - these mailbox files are located in the home directories of the system's users.
/dev/null - the null device file.
/tmp - provides storage space for the temporary files that programs and other processes create.
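The checks described above (no second UID 0 account, no empty password fields, no hashes left in a world-readable /etc/passwd, and a properly protected /etc/shadow), as an added example that is not part of the original paper. The sample passwd and shadow files are constructed here in a temporary directory and deliberately contain each problem; to audit a live system run audit_passwd /etc/passwd /etc/shadow as root. The account names and hash strings in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original paper): audit of a password
# database. The sample files are constructed in a temporary directory
# so the script runs safely anywhere.

set -e

# make_sample DIR -> writes constructed passwd/shadow files into DIR.
# The entries deliberately contain the problems the audit looks for.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
guest::501:100:guest:/home/guest:/bin/sh
test:ab4rcD9KmzX2E:502:100:test:/home/test:/bin/sh
www:x:503:100:www:/var/www:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$saltsalt$abcdefghijklmnopqrstuv:10000:0:99999:7:::
www::10000:0:99999:7:::
EOF
    chmod 644 "$1/shadow"        # wrong on purpose: should be 600
}

# audit_passwd PASSWD_FILE SHADOW_FILE -> prints one line per finding
audit_passwd() {
    pw=$1; shf=$2
    # 1. Any UID 0 account is a superuser, whatever it is called.
    awk -F: '$3 == 0 && $1 != "root" {print "UID 0 account other than root: " $1}' "$pw"
    # 2. An empty password field means login with no password at all.
    awk -F: '$2 == "" {print "empty password field in passwd: " $1}' "$pw"
    # 3. A real hash in world-readable passwd can be cracked by any user;
    #    shadowed entries hold only a token such as "x" or "*".
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" {print "hash stored in world-readable passwd: " $1}' "$pw"
    if [ -f "$shf" ]; then
        # 4. An empty field in shadow is just as bad as one in passwd.
        awk -F: '$2 == "" {print "empty password field in shadow: " $1}' "$shf"
        # 5. shadow must not be readable by other users: 600, or 640 with
        #    a privileged group. Check the mode field from ls -l.
        mode=$(ls -l "$shf" | cut -c2-10)
        case "$mode" in
            rw-------|r--------|rw-r-----|r--r-----) ;;
            *) echo "shadow is readable by others: mode $mode" ;;
        esac
    fi
}

# Run the audit against the constructed sample.
dir=$(mktemp -d)
make_sample "$dir"
audit_passwd "$dir/passwd" "$dir/shadow"
rm -rf "$dir"
```

On the sample this reports five findings: the extra UID 0 account toor, the passwordless guest account, the crackable hash left in passwd for test, the passwordless www entry in shadow, and the world-readable shadow file itself.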
The number of vulnerabilities found in Unix systems is high, partly because Unix has been the major installed base of systems on the Internet.

.rhosts: A user's .rhosts file contains a list of remote hosts (and user names) approved to log into that account through the r commands with no password. The security problem with .rhosts is that any user can create one in their own home directory, trusting whatever hosts they like. As a Unix administrator, make sure no user under /home has a .rhosts file.

Unix Tips

Unix Security - /etc/hosts.equiv
I recommend removing this file. First check whether /etc/hosts.equiv is required at all: it lets rlogin log into the same account name on your machine from a trusted machine with no password. If you don't use the r commands you should definitely delete this file, because there is no need for it. If you must have it, below are some rules I've gathered for using hosts.equiv to minimize the exposure risk:

1: Only trust hosts within your domain or under your management.
2: List only a small number of trusted hosts in the file.
3: Make sure you don't have a '+' entry by itself in the file. A lone '+' means "trust every host", so if you have one, any user on any machine may get access to the system.
4: Make sure there is no '!' or '#' in the file.
5: Ensure that the first character of the file is not '-'.
6: Make sure that the owner is set to root.
7: Ensure that the permissions are set to 600.
8: Check the file again after installation of each patch or O/S upgrade.

Unix Security - /etc/hosts.lpd
For this file make sure that the first character of the file is not '-', the permissions are set to 600, the owner is root, and there is no '!' or '#' in the file.

Unix Security - /etc/hosts.allow
Allowing access only to certain trusted hosts is a good way of securing your system from attack. /etc/hosts.allow is read by tcp_wrappers, so it covers every service you run through the wrapper (telnet, ftp, finger and the like). The rule is: a connection is allowed if it matches an entry in hosts.allow, denied if it then matches an entry in hosts.deny, and allowed otherwise. So hosts.allow only restricts anything when hosts.deny has a catch-all entry; with the two files set up together, telnet access from hosts not listed in hosts.allow is refused.
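The trust-file checks listed above (the hosts.equiv and hosts.lpd rules, the search for .rhosts files in home directories, and the tcp_wrappers default), written as an added example that is not part of the original paper. The functions take a root directory so they can be exercised on a constructed tree; run check_trust_files / as root to audit the real system. The host names in the sample are made up, and the hosts.allow/hosts.deny semantics assumed are those of tcp_wrappers: a connection that matches neither file is allowed.

```shell
#!/bin/sh
# Added example (not from the original paper): audit of hosts.equiv,
# hosts.lpd, per-user .rhosts files and the tcp_wrappers default, run
# against a constructed tree under a temporary directory.

set -e

# check_equiv FILE LABEL [OWNER] -> one finding per rule violated
# (rules 3 to 7 above); OWNER defaults to root
check_equiv() {
    f=$1; label=$2; want_owner=${3:-root}
    [ -f "$f" ] || return 0
    grep -qx '+' "$f"   && echo "$label: lone '+' trusts every host"
    grep -q '[!#]' "$f" && echo "$label: contains '!' or '#'"
    [ "$(head -c 1 "$f")" = "-" ] && echo "$label: first character is '-'"
    mode=$(ls -l "$f" | cut -c2-10)
    [ "$mode" = "rw-------" ] || echo "$label: mode is $mode, want 600"
    owner=$(ls -l "$f" | awk '{print $3}')
    [ "$owner" = "$want_owner" ] || echo "$label: owner is $owner, want $want_owner"
    return 0
}

# find_rhosts HOMEDIR -> every .rhosts directly inside a home directory
find_rhosts() {
    find "$1" -maxdepth 2 -name .rhosts -type f 2>/dev/null | sort
}

# check_wrappers ETCDIR -> finding if hosts.deny has no ALL: ALL entry,
# because tcp_wrappers allows whatever matches neither file
check_wrappers() {
    if ! grep -Eqs '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1/hosts.deny"; then
        echo "hosts.deny: no 'ALL: ALL' entry, unlisted hosts are allowed"
    fi
    return 0
}

# check_trust_files ROOT [OWNER] -> runs all checks relative to ROOT
check_trust_files() {
    root=$1; owner=${2:-root}
    check_equiv "$root/etc/hosts.equiv" "hosts.equiv" "$owner"
    check_equiv "$root/etc/hosts.lpd" "hosts.lpd" "$owner"
    for f in $(find_rhosts "$root/home"); do echo ".rhosts found: $f"; done
    check_wrappers "$root/etc"
}

# make_sample DIR -> constructed tree with the mistakes discussed above
make_sample() {
    mkdir -p "$1/etc" "$1/home/alice" "$1/home/bob"
    printf '+\n' > "$1/etc/hosts.equiv"            # trusts the whole world
    chmod 644 "$1/etc/hosts.equiv"                 # and is readable by all
    printf 'printhost.example.com\n' > "$1/etc/hosts.lpd"
    chmod 600 "$1/etc/hosts.lpd"
    printf 'evil.example.com attacker\n' > "$1/home/bob/.rhosts"
    printf 'ALL: 10.0.0.0/255.0.0.0\n' > "$1/etc/hosts.allow"
    : > "$1/etc/hosts.deny"                        # empty: no default deny
}

# Run against the sample. The owner argument is the current user because
# the sample files are created by whoever runs this; on a real system
# leave it out so root is required.
dir=$(mktemp -d)
make_sample "$dir"
check_trust_files "$dir" "$(id -un)"
rm -rf "$dir"
```

On the sample this reports the lone '+' and the 644 mode on hosts.equiv, bob's .rhosts file, and the empty hosts.deny; hosts.lpd passes. Fix those four and the audit comes back empty.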
If you want no outside access to your server at all, use the companion file, /etc/hosts.deny, and append the following line to it:

    # echo "ALL: ALL" >> /etc/hosts.deny

This denies access from every host to every wrapped service, except for the hosts and services you explicitly list in /etc/hosts.allow (for example "ALL: LOCAL" to keep access local).

Unix Security - /etc/services
Make sure the permissions are set to 644 and the owner of /etc/services is root.

Unix Security - /etc/aliases
Comment out the decode alias with a '#' at the beginning of the line. Ensure that all programs executable through an alias are owned by root, have permissions 755 and are stored in a system directory.

Unix Security - Default Accounts
Many systems have default accounts on them, and on some older operating system versions these accounts were shipped enabled by default. The common default accounts that a possible intruder can put to use include:

guest
test
tester
www
lynx

These can be brute-forced with the few simple passwords they are usually found to have. These accounts should be removed, plainly because they present a great security risk of allowing an intruder to gain local access to the server.

Another Unix security problem lies in the sendmail program's -d command-line option, which lets a user specify a debug level. A person who gained access to the system could specify a very large value for the debug level, which overwrites the stack frame and in turn causes the OS to execute unexpected commands. My advice is to run the newest version of sendmail from www.sendmail.org rather than relying on an old release such as 8.7.3.

Sendmail problems: sendmail accepts connections via port 25, which is known to everyone and is a favourite target for getting into a Unix host or for using the host to forward false (forged or relayed) mail.
Older versions of sendmail are easily exploitable both remotely and locally, so it is recommended that people keep up to date with the latest sendmail version to avoid known sendmail vulnerabilities. www.sendmail.org is the official resource for keeping up to date with sendmail issues.

fingerd program: One of the Unix vulnerabilities which the 1988 Internet worm exploited was a buffer overrun in the fingerd daemon. fingerd read the request line with gets() into a 512-byte buffer; a request longer than 512 bytes overwrote the stack frame, letting the attacker start a new shell and execute commands through it. If your version of fingerd is older than 5 November 1988, replace it with a newer version.

Startup and shutdown scripts: Make sure that startup and shutdown scripts do not chmod 666 /etc/motd; that would let any user change the system's message of the day. The line rm -f /tmp/t1 should exist in the startup script to clean up the temporary file used to create /etc/motd.

File permissions
1: /etc/utmp should be set to 644.
2: /etc/state should be set to 644.
3: /etc/motd and /etc/mtab should be set to 644.
4: Remove access to files from users who don't need that access.
5: Make sure the kernel image (/vmlinuz on Linux) is owned by root, has group 0 and permissions 644.
6: Check every file which has the setuid or setgid bit enabled, and make sure it really needs it.
7: Make sure that the files in /dev are special (device) files, not regular files.

Listening ports: Although this may not seem as obvious as other methods of improving security, the ports that are open on a box determine much of its exposure to outside attackers. For example port 79, the finger daemon port, is not always necessary and often provides an attacker with quite a lot of information about the system. A possible intruder can use it to find out which users are actually on the system, look for default accounts such as guest, www, test, etc., and then brute-force these with default logins.
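The file permission checks from the list above (items 3, 6 and 7 in particular), written as find(1) commands over a root directory so they can be tried on a constructed tree; this is an added example and not part of the original paper. Run audit_perms / as root to audit a live system, and expect a long setuid list there: the job is to review each entry against what the system needs, not to clear the list. The file names in the sample tree are made up.

```shell
#!/bin/sh
# Added example (not from the original paper): setuid/setgid,
# world-writable, /dev and mode checks over a constructed tree.

set -e

# list_setuid ROOT -> every setuid or setgid regular file under ROOT
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# list_world_writable ROOT -> regular files anyone may modify
# (sticky directories such as /tmp are excluded by -type f)
list_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# list_dev_regular DEVDIR -> regular files in /dev, where only device
# nodes, directories and symlinks belong
list_dev_regular() {
    find "$1" -type f 2>/dev/null | sort
}

# check_mode FILE WANT -> finding if FILE's mode is not WANT (644 or 600)
check_mode() {
    mode=$(ls -l "$1" | cut -c2-10)
    case "$2" in
        644) ok="rw-r--r--" ;;
        600) ok="rw-------" ;;
        *)   echo "check_mode: unsupported mode $2"; return 0 ;;
    esac
    [ "$mode" = "$ok" ] || echo "$1: mode $mode, want $2"
    return 0
}

# audit_perms ROOT -> prints one line per finding
audit_perms() {
    root=$1
    for f in $(list_setuid "$root"); do echo "setuid/setgid: $f"; done
    for f in $(list_world_writable "$root"); do echo "world-writable: $f"; done
    for f in $(list_dev_regular "$root/dev"); do echo "regular file in /dev: $f"; done
    for f in "$root/etc/utmp" "$root/etc/motd" "$root/etc/mtab"; do
        [ -e "$f" ] && check_mode "$f" 644
    done
    return 0
}

# make_sample DIR -> constructed tree with deliberate problems
make_sample() {
    mkdir -p "$1/usr/bin" "$1/dev" "$1/etc"
    : > "$1/usr/bin/passwd";   chmod 4755 "$1/usr/bin/passwd"   # legitimate setuid
    : > "$1/usr/bin/backdoor"; chmod 4755 "$1/usr/bin/backdoor" # not legitimate
    : > "$1/usr/bin/shared";   chmod 0666 "$1/usr/bin/shared"   # world-writable
    : > "$1/dev/notadevice";   chmod 0644 "$1/dev/notadevice"   # regular file in /dev
    : > "$1/etc/motd";         chmod 0666 "$1/etc/motd"         # motd left writable
    : > "$1/etc/mtab";         chmod 0644 "$1/etc/mtab"
}

dir=$(mktemp -d)
make_sample "$dir"
audit_perms "$dir"
rm -rf "$dir"
```

On the sample this lists both setuid files (it cannot know which one is the backdoor; a human compares the list against the vendor's), the two world-writable files, the stray regular file in /dev, and the 666 mode on motd.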
This is a further warning, already illustrated in a previous section, that these default accounts should be removed so that misuse cannot take place. More generally, if you do not need a service, do not run it: remove it from /etc/inetd.conf or the startup scripts so that its port is not open at all.

Section 8: -> File Encryption

It's a good idea for all the users on your Unix system to encrypt sensitive files whenever a file is stored in a public area or transmitted over public communication circuits.

Secure methods for programming in Unix
Avoid creating a setuid shell script.
Use the complete file name, including the full path, in any system() or popen() call, so that the command cannot be replaced by a program placed earlier in the caller's PATH.

Unix Security Tools

SATAN: Security Administrator Tool for Analyzing Networks. You can use this tool to find out what holes remain within your network. It yields extensive reports about vulnerabilities, trust relationships and other system information. SATAN checks for the following problems, among others, with a Unix installation:
1: NFS file systems exported to arbitrary hosts.
2: NFS file systems exported to unprivileged programs.
3: NFS file systems exported via the portmapper.
4: REXD access from arbitrary hosts.
5: X server access control disabled.
6: Remote shell access from arbitrary hosts.
7: Writable anonymous FTP home directories.
8: NIS password file access from arbitrary hosts.
9: Outdated sendmail daemon versions with known vulnerabilities.

tcp_wrappers: Get and install this program. The name explains it all: it wraps the network services started by inetd and checks each connection against /etc/hosts.allow and /etc/hosts.deny before handing it to the real daemon, logging the connection as it goes.

There are a lot of Unix security tools out there, some better than others. Tools are available at c0re.org, technotronic.com and other sites.

OVERVIEW
1: Shells are used to access the Unix operating system.
2: The Unix OS uses special programs, called daemons, to perform tasks.
3: There are only two privilege levels in Unix, user and superuser (root).
4: Unix has well known vulnerabilities but can be secured.
5: Most vulnerabilities can be corrected by careful administration and upkeep of the operating system.
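The reason behind the full-path rule under "Secure methods for programming in Unix", shown as an added example that is not part of the original paper. A privileged program that calls system("ls") gets whatever "ls" is first in the caller's PATH, and the caller chooses PATH; the shell below stands in for that program, resolving a command the unsafe way (through the inherited PATH) and the safe way (through a fixed system PATH, which is what writing "/bin/ls" in the call achieves). The impostor ls is constructed in a temporary directory and is never executed.

```shell
#!/bin/sh
# Added example (not from the original paper): PATH substitution, the
# attack that full paths in system()/popen() calls defend against.

set -e

# run_unsafe COMMAND -> path that COMMAND resolves to through the
# caller's PATH, exactly as system("ls") would find it
run_unsafe() {
    command -v "$1"
}

# run_safe COMMAND -> path that COMMAND resolves to under a fixed
# system PATH, equivalent to hard-coding "/bin/ls" in the call
run_safe() {
    (PATH=/bin:/usr/bin; command -v "$1")
}

# demo -> succeeds if the impostor is picked up by the unsafe lookup
# and ignored by the safe one
demo() {
    dir=$(mktemp -d)
    # Constructed impostor: an attacker-controlled "ls" in a directory
    # the attacker then puts at the front of PATH before running the
    # privileged program.
    printf '#!/bin/sh\necho impostor ls ran\n' > "$dir/ls"
    chmod 755 "$dir/ls"
    unsafe=$(PATH="$dir:$PATH"; run_unsafe ls)
    safe=$(PATH="$dir:$PATH"; run_safe ls)
    echo "unsafe lookup would run: $unsafe"
    echo "safe lookup would run:   $safe"
    rm -rf "$dir"
    [ "$unsafe" = "$dir/ls" ] && [ "$safe" != "$dir/ls" ]
}

demo
```

The same substitution works against a setuid shell script, which is the first rule in that list: the script inherits the invoker's PATH and IFS, so every unqualified command in it is the invoker's to replace.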