Dr Rudi Rusdiah
T1005
25 March 2017
Focus on Unix/Linux Security
Unix, Linux, FreeBSD and AIX are referred to here collectively as Unix. There is an ongoing debate among system administrators over whether Windows or Unix is the more vulnerable OS. Why attack Linux?
(1) Linux is available with its (open) source code, so it can be rebuilt or recompiled, which makes it a major target for security research. An attacker can get a head start on finding security issues by examining the code, although scanning through thousands of lines of code takes time. On the other hand, once a flaw is identified it is usually fixed quickly by the community as well.
(2) Unix installations are easy to obtain and free.
(3) Most hacking and networking tools are first made available for Linux and FreeBSD.
(4) It is a good environment for hackers to exchange hacks and code: a platform for exchanging tools and source code and for recompiling applications.
Some examples of free network tools used to find and exploit vulnerabilities from a Linux or Unix host:
Tcpdump: a low-level traffic capture application that sniffs traffic at OSI layers 2, 3 and 4 (layer 2 being the media layer). Its captures are used as input to traffic analysis tools.
Ethereal (since renamed Wireshark): a network traffic sniffing and analysis application that can read tcpdump capture files.
Tcpreplay: allows traffic captured with tcpdump to be put back on the wire, which lets attackers analyse traffic more closely and debug their own tools.
Nmap: a port scanning tool. It checks the status of ports on a system from the network by attempting to connect to them.
Nessus: a vulnerability scanner that calls nmap to discover open ports, then tests those ports for possible vulnerabilities. The version discussed here has about 500 tests and can detect older, well-known vulnerabilities.
Perl, sh and ksh: scripting languages for automating procedures and tools.
Also available are fully functional development tools for rebuilding kernels: libraries, compilers and source code. Hacker development tools produce kernel-module kits and attack tools.
Why Unix/Linux is a poorer target for a security attack:
(1) Too many versions and builds: a kernel rootkit built for the Red Hat Linux 2.4.20-8 kernel must be re-tested before it works on Debian.
(2) Users are more expert, and installations are often specific to servers, embedded systems or security appliances.
(3) Scripts are not easily run by an unsuspecting user. On Windows, Outlook and VBScript are tightly integrated; Unix mail clients do not execute scripts by default, and there are many scripting environments (Perl, Bourne shell) rather than a single one.
(4) File ownership limits the spread of malware: executable programs can only be altered with root or administrator-level access. An ordinary user is restricted from altering executable files, so a virus attack is difficult.
Open-source issues exploited by hackers:
Hackers look for embedded passwords or backdoors in the code.
Hackers may identify places in the code where input is not properly checked or is allowed to be out of range; exploiting such a place makes the program behave in an unpredictable manner.
Hackers look for code in which user input is used directly as instructions and processed without validation, for example in a SQL query or a shell command.
On the other hand, when code is open there are hundreds of extra white-hat eyes checking the code, and the user community helps to produce a fix.
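The last two points above are the same bug in miniature: input that was meant to be data is parsed as instructions. The following shell script is an added example, not part of the original slides. It contrasts a lookup that builds a command line by string concatenation and hands it to eval with a version that keeps the argument as data and validates it. The user database is a constructed file standing in for /etc/passwd, and the attack string assumes the attacker knows nothing about the file path.

```shell
#!/bin/sh
# Added example (not from the original slides): user input used as code.

# Constructed stand-in for /etc/passwd so the script runs offline.
USERDB=$(mktemp)
trap 'rm -f "$USERDB"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000:Alice:/home/alice:/bin/sh\n' > "$USERDB"

# Vulnerable: the argument is spliced into a command string and the whole
# string is re-parsed by eval, so quotes and ';' in $1 become shell syntax.
shell_of_unsafe() {
    eval "grep '^$1:' '$USERDB' | cut -d: -f7"
}

# Hardened: the argument is passed to grep as one word, so it can only ever be
# a pattern, and anything that is not a plain account name is rejected first.
shell_of_safe() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*)
            echo "invalid user name: $1" >&2
            return 2 ;;
    esac
    grep -- "^$1:" "$USERDB" | cut -d: -f7
}

# Attacker input: closes the single quote opened by the template, redirects
# grep to /dev/null so it stays quiet, runs its own command, then uses ':'
# (the shell no-op) to swallow the rest of the template harmlessly.
ATTACK="alice' /dev/null; echo INJECTED; : '"

echo "unsafe, benign input:    $(shell_of_unsafe alice)"
echo "unsafe, attacker input:  $(shell_of_unsafe "$ATTACK")"
echo "safe, benign input:      $(shell_of_safe alice)"
shell_of_safe "$ATTACK" || echo "safe, attacker input:    rejected with status $?"
```

The hardened version does not try to escape the input; it never lets the input reach a parser in the first place. That is the general fix the slides hint at for SQL as well: bind the value as a parameter rather than concatenating it into the query text.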
Physical security: (1) limit access during the boot operation; (2) detect hardware changes; (3) disk partitioning can reduce the risk.
Limiting Access
Reboot: if the workstation can be rebooted from a floppy or CD, an attacker can boot their own OS and gain full control of the machine's resources.
Data collection: installing a keystroke capture device or program.
Theft: removing the hard disk.
BIOS attack: an attacker who is able to reboot the machine can set a BIOS password so that nobody else can start the system, a form of denial of service (DoS).
BIOS controls: (1) a BIOS password should be enabled; (2) the BIOS should be configured to prevent booting from external devices (floppy, CD, flash); (3) set a boot-loader password in the Linux Loader (LILO) or the Grand Unified Bootloader (GRUB).
Linux can be booted directly into the root account in two ways.
(1) With the boot parameter linux single (single-user mode). To prevent this, insert the following in /etc/inittab after the initdefault line, so that single-user mode asks for the root password instead of starting a root shell:
~~:S:wait:/sbin/sulogin
(2) With the boot parameter linux init=/bin/sh, Linux is booted and runs a Bourne shell as root instead of the init process. To require a password for any parameters typed at the LILO prompt, insert in /etc/lilo.conf:
restricted
password=<password>
The password is stored in clear text, so /etc/lilo.conf should be readable by root only (chmod 600), and /sbin/lilo must be re-run for the change to take effect.
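The following script is an added example, not part of the original slides: it audits the two boot-time protections just described. The file paths are parameters rather than the live /etc/inittab and /etc/lilo.conf, so the check can be run against the constructed sample files it creates; point it at the real files to audit a host.

```shell
#!/bin/sh
# Added example (not from the original slides): audit single-user and LILO
# boot protections. Findings go to stdout; exit status 1 if any check fails.

check_inittab() {   # $1 = path to an inittab-format file
    # Single-user mode must run sulogin (ask for the root password), not a shell.
    if grep -Eq '^[^#]*:S:wait:/sbin/sulogin' "$1"; then
        echo "OK   inittab: single-user mode requires the root password (sulogin)"
        return 0
    fi
    echo "FAIL inittab: no ':S:wait:/sbin/sulogin' entry; 'linux single' gives a root shell"
    return 1
}

check_lilo() {      # $1 = path to a lilo.conf-format file
    rc=0
    # 'restricted' makes LILO ask for the password only when boot parameters
    # such as init=/bin/sh are typed; without it every boot needs the password.
    if grep -Eq '^[[:space:]]*restricted' "$1"; then
        echo "OK   lilo.conf: restricted is set"
    else
        echo "FAIL lilo.conf: 'restricted' missing"; rc=1
    fi
    if grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"; then
        echo "OK   lilo.conf: boot password is set"
    else
        echo "FAIL lilo.conf: no password= line; init=/bin/sh gives a root shell"; rc=1
    fi
    # The password is stored in clear text, so the file must not be world-readable.
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        600|400) echo "OK   lilo.conf: mode $mode" ;;
        *) echo "FAIL lilo.conf: mode $mode, should be 600 (chmod 600 /etc/lilo.conf)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files: one hardened pair, one as installed by default.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'id:5:initdefault:\n~~:S:wait:/sbin/sulogin\n' > "$demo/inittab.hardened"
printf 'id:5:initdefault:\n' > "$demo/inittab.default"
printf 'boot=/dev/hda\nrestricted\npassword=example-boot-password\nimage=/boot/vmlinuz\n' > "$demo/lilo.hardened"
chmod 600 "$demo/lilo.hardened"
printf 'boot=/dev/hda\nimage=/boot/vmlinuz\n' > "$demo/lilo.default"
chmod 644 "$demo/lilo.default"

check_inittab "$demo/inittab.hardened"
check_inittab "$demo/inittab.default" || true
check_lilo "$demo/lilo.hardened"
check_lilo "$demo/lilo.default" || true
```

Run it as check_inittab /etc/inittab; check_lilo /etc/lilo.conf on a LILO host. Passing the audit does not remove the need for the BIOS controls above: if the machine can still boot from removable media, the boot loader password is never consulted.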
Detecting Hardware Changes
The kudzu application detects and configures new hardware on a Red Hat Linux system. When started, kudzu checks the hardware it probes against the database stored in /etc/sysconfig/hwconf.
If new hardware is found, the user is prompted to configure it. If hardware recorded in the database is no longer found, it can be removed from the database file. From a security point of view, an unexpected new device (such as a hardware keystroke logger) shows up as exactly this kind of change.
Kudzu also updates /etc/modules.conf, /etc/sysconfig/network-scripts/ and /etc/X11/XF86Config.
To probe the hardware and print what kudzu finds without changing the configuration, type:
# kudzu -p
Disk Partitioning/File System
Putting everything on a single partition, as on older Unix installations, can itself be a security issue. Newer journaling file systems such as ext3 on Linux make recovery of damaged files reliable and restart the file system quickly after a system crash.
The /usr directory contains the fixed (unchanging) OS files; /usr/local is for locally installed applications. It can be put on its own partition with an entry in /etc/fstab such as:
/dev/hda6   /usr/local   ext3   defaults   1 2
The /home directory should be on a separate partition. It holds the home directories, and therefore the individual configuration, of the users who log in.
Advice: use a dedicated partition for a /data directory. Why? When you upgrade the Unix OS you then do not need to copy, back up and restore the /data directory.
Advice against DoS attacks: /tmp and /var can be attacked and filled up, so they should be placed on partitions other than the root (/) file system. Otherwise the system will hang when the root file system fills up.
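The partitioning advice above can be checked mechanically from /etc/fstab. The script below is an added example, not part of the original slides: it reads an fstab-format file and reports which of /home, /usr/local, /data, /tmp and /var have their own file system. It also checks that /tmp is mounted nosuid and nodev; that mount-option check goes beyond the slides and is added here as standard hardening for a world-writable directory. The two fstab files it reads are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original slides): audit partition layout from fstab.

fstab_audit() {     # $1 = path to an fstab-format file; exit 1 if any check fails
    awk '
        # fields: device mountpoint fstype options dump pass; skip comments/blanks
        /^[ \t]*#/ || NF < 4 { next }
        { opts[$2] = $4 }
        END {
            rc = 0
            n = split("/home /usr/local /data /tmp /var", want, " ")
            for (i = 1; i <= n; i++) {
                mp = want[i]
                if (mp in opts)
                    print "OK   " mp " is a separate file system (" opts[mp] ")"
                else {
                    print "FAIL " mp " lives on / ; filling it fills the root file system"
                    rc = 1
                }
            }
            # /tmp is world-writable: no setuid binaries or device nodes should work there
            if ("/tmp" in opts) {
                o = "," opts["/tmp"] ","
                if (o !~ /,nosuid,/ || o !~ /,nodev,/) {
                    print "FAIL /tmp should be mounted nosuid,nodev"
                    rc = 1
                }
            }
            exit rc
        }' "$1"
}

# Constructed samples: the layout recommended above, and a single-partition install.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/fstab.hardened" <<'EOF'
# device      mount point   type  options                dump pass
/dev/hda1     /             ext3  defaults               1 1
/dev/hda5     /home         ext3  defaults,nosuid        1 2
/dev/hda6     /usr/local    ext3  defaults               1 2
/dev/hda7     /data         ext3  defaults               1 2
/dev/hda8     /tmp          ext3  defaults,nosuid,nodev  1 2
/dev/hda9     /var          ext3  defaults               1 2
/dev/hda2     swap          swap  defaults               0 0
EOF
cat > "$demo/fstab.default" <<'EOF'
/dev/hda1     /             ext3  defaults               1 1
/dev/hda2     swap          swap  defaults               0 0
EOF

echo "== recommended layout =="
fstab_audit "$demo/fstab.hardened"
echo "== single partition =="
fstab_audit "$demo/fstab.default" || echo "(at least one check failed)"
```

To audit a live host, run fstab_audit /etc/fstab. Note that the check reads the configured layout, not what is currently mounted; compare with the output of mount if the two might differ.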
Prepare for the eventual attack: incident response
See Ch. 17 on Disaster Recovery (DR).
Even stripped down and hardened, a Unix workstation can be a powerful tool for launching attacks on the Net or on other hosts.
The configuration will be addressed in two areas:
Installed packages and applications: eliminating unneeded applications and keeping patches up to date, as part of a defence-in-depth strategy.
Kernel-related issues: the kernel has root-level control over resources and processes and is the critical part of Unix.
Installed Packages
If a PC is taken over, its usefulness to the attacker is reduced if the installed applications are kept to a bare minimum. The following packages should be installed only when they are needed:
1. Mail server: Sendmail, the default on Unix, is a useful tool for an attacker who controls the system.
2. Automatic update services should be off. On Red Hat systems rhnsd is a daemon process that runs in the background and periodically polls Red Hat Network to see whether any queued actions or updates are available.
3. File sharing services: on Unix, smbd (the Server Message Block daemon) provides file and print services to Windows clients. The server offers file space and print services using the SMB, Common Internet File System (CIFS) or LanManager protocol.
4. File transfer services: FTP allows a user to transfer files to and from a remote site. An attacker could activate FTP capabilities to bring tools in or move data out.
On Linux use the command rpm -qa to list all installed RPM packages (rpm -qai also prints the package information for each).
Kernel Configurations (1/3)
The kernel is the program that controls the most critical resources on the system through device drivers: hard disk, memory, video card. Applications access these resources via system calls.
Most of the device drivers in a generic kernel are not needed on any given machine. A normal Linux installation does not include compiling the kernel; the generic kernel supports a wide variety of architectures and hardware configurations.
Unix has two modes: supervisor mode and user mode (library functions reach the kernel via system calls).
Kernel options: there are more than 1300 in the Linux 2.4 kernel. Some security-related options:
Iptables: a powerful firewall for Linux at the kernel level.
IP forwarding: if turned on, the workstation acts as a gateway or router. Traffic sent to the workstation but destined for a different IP address is routed on to another machine according to the workstation's routing table, which is a security risk.
With IP masquerading the forwarded traffic appears to come from the workstation instead of the originator, circumventing network safeguards based on the source address. A multi-homed server with two NIC cards can route traffic between different networks; to control this, pass the traffic through a firewall or proxy instead.
IP forwarding can be disabled in the kernel configuration or after the system has booted. To disable it on a running Linux system, write 0 to /proc/sys/net/ipv4/ip_forward.
Source-routed frames: packets carrying source-route information that dictates the path they take through the network to the destination should be disabled by dropping them, to prevent their use in larger attacks.
A typical Unix kernel comes with many options and most features enabled; to eliminate these options the kernel must be rebuilt.
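The runtime settings discussed above (IP forwarding and acceptance of source-routed packets) live under /proc/sys/net/ipv4 and can be audited without a kernel rebuild. The script below is an added example, not part of the original slides. The root of the proc tree is a parameter so the same check runs against a constructed copy here and against /proc on a real host; the constructed trees mimic a plain workstation and a host that has been turned into a router.

```shell
#!/bin/sh
# Added example (not from the original slides): audit IPv4 forwarding and
# source-route settings under <root>/sys/net/ipv4, normally <root> = /proc.

# key (relative to sys/net/ipv4) and the hardened value expected for a
# single-homed workstation. conf/all applies to interfaces that exist now,
# conf/default to interfaces created later.
SETTINGS='
ip_forward 0
conf/all/accept_source_route 0
conf/default/accept_source_route 0
'

net_audit() {       # $1 = root of the proc tree; exit 1 if any setting deviates
    rc=0
    while read -r key want; do
        [ -n "$key" ] || continue
        f="$1/sys/net/ipv4/$key"
        if [ ! -r "$f" ]; then
            echo "WARN $key: not present under $1"
            continue
        fi
        read -r have < "$f"
        if [ "$have" = "$want" ]; then
            echo "OK   $key = $have"
        else
            # the same key in sysctl(8) notation, for the suggested fix
            sk=net.ipv4.$(echo "$key" | tr / .)
            echo "FAIL $key = $have (want $want); fix: sysctl -w $sk=$want, persist in /etc/sysctl.conf"
            rc=1
        fi
    done <<EOF
$SETTINGS
EOF
    return $rc
}

# Build a constructed proc tree: $1 = root, $2 = ip_forward, $3 = accept_source_route (all).
make_tree() {
    mkdir -p "$1/sys/net/ipv4/conf/all" "$1/sys/net/ipv4/conf/default"
    echo "$2" > "$1/sys/net/ipv4/ip_forward"
    echo "$3" > "$1/sys/net/ipv4/conf/all/accept_source_route"
    echo 0    > "$1/sys/net/ipv4/conf/default/accept_source_route"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_tree "$demo/workstation" 0 0   # hardened single-homed host
make_tree "$demo/router" 1 1        # forwarding and accepting source routes

echo "== workstation =="
net_audit "$demo/workstation"
echo "== router =="
net_audit "$demo/router" || echo "(at least one setting deviates)"
```

On a live system run net_audit /proc. Writing to /proc/sys only lasts until the next reboot, which is why the FAIL line also points at /etc/sysctl.conf; on a host that is meant to route, the right answer is not to set ip_forward to 0 but to put a firewall in the forwarding path, as the slide says.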
Kernel Configurations (2/3)
Kernel modules: dynamic extensions to a kernel that can be added without requiring a kernel rebuild or even a reboot. Kernel modules allow:
- the dynamic extension of kernel capabilities after new hardware is detected: if a flash disk or PCMCIA card is inserted in a Unix laptop, the OS can load the appropriate kernel modules (for example for a USB device);
- rapid testing and modification of kernel capabilities under development;
- the kernel to be kept small at boot time.
The lsmod command lists the kernel modules that have been loaded.
System calls (supervisor mode): a request from an application program to the OS kernel for access to critical resources; a routine that performs a system-level function on behalf of a process or application. All system operations are allocated, initiated, monitored and manipulated through system calls.
On Linux use the strace command (ktrace on BSD), a system-call tracer that prints a trace of all the system calls made by a process or application.
xinetd (formerly inetd): a service that starts other services, typically small networking daemons, on demand.
(The initdefault line referred to under Limiting Access reads, for example: id:5:initdefault:)