
Chapter 5

Unix & Linux Security



Dr Rudi Rusdiah
T1005
25 March 2017
Focus on Unix/Linux Security
Unix, Linux, FreeBSD and AIX are referred to here collectively as Unix. There is an ongoing
debate among system administrators over whether Windows or Unix is the more vulnerable
OS. Why attack Linux?
(1) Linux is available with (open) source code that can be rebuilt or recompiled. Is that a
major target for security threats? A hacker can get a head start on finding security issues by
examining the code, but it takes time to scan through thousands of lines of code. However,
once a flaw is identified it is easily fixed by the community as well; (2) a Unix installation is
easy to obtain and free; (3) most hacking and networking tools are first available for Linux
and FreeBSD; (4) it is a good environment for hackers to exchange hacks and code: a
platform for exchanging tools, source code and recompiled applications.
Some examples of free network tools used to find and exploit vulnerabilities on Linux or Unix:
Tcpdump: a low-level traffic capture application that sniffs traffic at OSI layers 2, 3 and 4
(layer 2 being the media layer). Used as input to traffic analysis tools.
Ethereal: a network traffic sniffing application that can work with tcpdump captures.
Tcpreplay: allows traffic captured with tcpdump to be put back on the wire, letting hackers
analyse traffic better and debug their applications.
Nmap: a port scanning tool. Checks the status of ports on a system from the network by
attempting to connect to them.
Nessus: a vulnerability scanner that calls nmap to discover open ports, then tests the ports
for possible vulnerabilities. Nessus has 500 tests and can detect older vulnerabilities.
Perl, sh and ksh: scripting languages for automating procedures and tools.

Also fully functional development tools to rebuild kernels: libraries, compilers and code.
Hacker development tools produce kernel module kits and attack tools.
Focus on Unix/Linux Security
Unix/Linux as a poor target for security attacks: (1) too many versions and builds (e.g. a
kernel rootkit for Red Hat Linux 2.4.20-8 must be tested again for Debian); (2) users are
more expert and more specific to servers, embedded systems and security; Windows has
Outlook and VBScript tightly integrated, which is not the default in Unix mail; (3) scripts are
not easily run, and there are many of them (Perl, Bourne shell); (4) file ownership limits
malware spread: altering executable programs is limited to root and admin-level access,
and a common user is restricted from altering executable files, so virus attacks are
difficult.
Open source issues exploited by hackers: hackers will look for embedded passwords or
backdoors.
Hackers may identify places in the code where input is not properly checked or where
out-of-range input is accepted; exploiting these produces unpredictable results.
Hackers will look for code where user input is used as code or instructions and processed
directly, e.g. an SQL query.
When code is open there are hundreds of extra eyes of white-hat hackers checking the
code, and the user community will help to make a fix.
Physical Security: (1) limit access during boot operation; (2) detect hardware changes;
(3) disk partitioning can reduce risk.
Limiting Access
Reboot: if the workstation can be rebooted from a floppy or CD, an attacker can boot their
own OS and has full control of the resources.
Data collection: installing a keystroke capture.
Theft: removing the hard disk.
BIOS attack: if an attacker is able to reboot and set a BIOS password, nobody else can enter
the system, similar to a denial of service (DoS).
BIOS controls: 1. a BIOS password should be enabled; 2. change the BIOS to prevent
booting from external devices (floppy, CD, flash); 3. set the boot loader password in the
Linux Loader (LILO) or Grand Unified Bootloader (GRUB).
Linux can be booted directly into the root account in two ways. (1) Using: linux single. To
prevent this, in the file /etc/inittab, after the initdefault line, insert:
~~:S:wait:/sbin/sulogin

(2) Using: linux init=/bin/sh. Linux is booted and runs the Bourne shell as root instead of
the init process. To prevent this at the LILO prompt, in the file /etc/lilo.conf insert:
restricted
password=<root password>
Detecting Hardware Changes
The application kudzu detects and configures new or changed hardware on a Linux system.
When started, kudzu checks the hardware against the database stored in
/etc/sysconfig/hwconf. If new hardware is found, the user is prompted to configure it. If
hardware in the database is no longer found, it can be removed from the database file.
Kudzu also looks at /etc/modules.conf, /etc/sysconfig/network-scripts/ and
/etc/X11/XF86Config.
Type: # kudzu -p
Disk Partitioning/File System
An old partitioned disk on a Unix platform can be a physical security issue. The newer
journaling file system ext3 in Linux makes reliable recovery of damaged files possible and
gives a fast file system restart in the event of a system crash.
The /usr directory contains fixed (unchanging) OS files; the /usr/local directory is for
applications. Put it on its own partition, as found in /etc/fstab:
/dev/hda6 /usr/local ext3 defaults 1 2
Put the /home directory on a separate partition. It holds the home directories of the users
that log in, with each user's individual configuration.
Advice: use a special partition for data, the /data directory.
Why? So that if you want to upgrade the Unix OS, you do not need to forward, copy and
back up the /data directory.
Advice for DoS attacks: /tmp and /var can be attacked and filled up, so they should be put
on a partition other than the / (root) partition. If not, the system will hang when the /
(root) partition is filled up.
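As an added example (not part of the slides), the check below reads an fstab and reports which of the directories recommended above are still part of the root partition. The fstab text is a constructed sample; point the function at the contents of a real /etc/fstab to audit a host.

```shell
#!/bin/sh
# Added example: audit an fstab for the partition advice on the slides.
# /usr/local, /home, /data, /tmp and /var should each be a separate mount,
# so a filled-up /tmp or /var cannot hang the / (root) filesystem.
# SAMPLE_FSTAB is constructed input, not a real system's file.

SAMPLE_FSTAB='# device      mountpoint  fstype  options         dump pass
/dev/hda1     /           ext3    defaults        1    1
/dev/hda6     /usr/local  ext3    defaults        1    2
/dev/hda7     /home       ext3    defaults        1    2
/dev/hda8     /data       ext3    defaults,nosuid 1    2
none          /proc       proc    defaults        0    0'

# Print the device backing a mount point, or "-" if it is not a separate mount.
# $1 = fstab text, $2 = mount point
fstab_device() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $0 !~ /^#/ && $2 == mp { print $1; found = 1 }
        END { if (!found) print "-" }'
}

# Report every advised directory that is still on the root partition.
# Returns 0 when all are separate mounts, 1 otherwise.
# $1 = fstab text
check_separate_partitions() {
    missing=""
    for mp in /usr/local /home /data /tmp /var; do
        dev=$(fstab_device "$1" "$mp")
        if [ "$dev" = "-" ]; then
            missing="$missing $mp"
        fi
    done
    if [ -n "$missing" ]; then
        echo "still on the root partition:$missing"
        return 1
    fi
    echo "all advised directories are on separate partitions"
    return 0
}

# Run against the constructed sample (a non-zero status means work to do).
check_separate_partitions "$SAMPLE_FSTAB" || true
```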
Prepare for the eventual attack: incident response
See Ch17 on Disaster Recovery (DR):

1. Backup (daily incremental, and a full backup monthly);

2. Inventory: the system admin's key files, /etc/passwd and the startup scripts
(/etc/rc.d/init/* and databases); 3. Detection.
Backup without detection: attackers may have compromised several backups.
Inventory with weak detection: an inventory of the status of key files is needed to respond
to an incident, but these files may themselves be compromised.
Detection without inventory and backup.

Controlling the Configuration: Network Security

Even stripped down and hardened, a Unix workstation can be a powerful tool for launching
attacks on the Net or on other hosts.
The configuration will be addressed in two areas:
Installed packages or applications: eliminating unneeded applications and keeping patches
up to date, a defense-in-depth strategy.
Kernel-related issues: the kernel has root-level control over resources and processes and is
the critical part of Unix.
Installed Packages
If a PC is taken over, its usefulness to the attackers is reduced if the installed applications are kept
to a bare minimum. The following packages should be installed only when needed:
1. Mail server: Sendmail, the default in Unix, is a useful tool for an attacker who controls the
system.
2. Automatic update servers should be off. E.g. on Red Hat systems, rhnsd is a daemon process
that runs in the background and periodically polls Red Hat Network to see if there is any queued
action available for update.
3. File sharing services: on Unix, smbd (Server Message Block daemon) provides file sharing and
printing services to Windows clients. The server provides file space and print services to clients
using the SMB or Common Internet File System (CIFS) protocol, or the LanManager protocol.
4. File transfer services: FTP is a program that allows a user to transfer files to/from a remote
site. An attacker could activate FTP capabilities.
On Linux, use the command rpm -qai to list all installed rpm packages.
Kernel Configurations (1/3)
The kernel is the program that controls the most critical resources on the system through
device drivers: hard disk, memory, video card. Applications access these resources via
system calls. 90% of the kernel (device drivers) is not needed. Usually an installation of
Linux does not include a compilation of the kernel; the generic kernel supports a wide
variety of architectures and hardware configurations.
Unix has two modes: supervisor and user mode (library functions are used via system calls).
Kernel options: there are more than 1300 in the Linux 2.4 kernel. Some security-related options:
Iptables: a powerful firewall for Unix at the kernel level.
IP forwarding: if turned on, the workstation acts as a gateway or router. Traffic sent to the
workstation but destined for a different IP will be routed to the other PC according to the
PC's route table, which is a security risk. Certain network safeguards can be circumvented
because traffic appears to come from the PC instead of the originator (IP masquerade). A
multihomed server with two NIC cards can route traffic to a different network; to
circumvent this routing, use a firewall or proxy.
IP forwarding can be disabled in the kernel, or after the system has booted.
To disable it on Linux, set the file /proc/sys/net/ipv4/ip_forward to 0.
Source-routed frames: packets carrying (source route) information on how to traverse the
network to reach the destination should be disabled by dropping them, to prevent larger attacks.
A typical Unix kernel comes with many options and most features enabled; the kernel must
be rebuilt to eliminate these options.
Kernel Configurations 2/3
Kernel modules: dynamic extensions to a kernel that can be added without requiring a
kernel rebuild or even a reboot. Kernel modules allow:
- the dynamic extension of kernel capabilities after detection of new hardware: e.g. if a
flash disk or PCMCIA card is inserted in a Unix laptop, the OS can load the
appropriate kernel module, such as when adding a USB device or flash drive;
- the rapid testing and modification of kernel capabilities under development;
- the size of the kernel at boot time to be kept small.

The lsmod command lists the kernel modules that have been loaded.

System calls: in supervisor mode, a request from an application program to the OS kernel
for access to critical resources; a routine that performs a system-level function on
behalf of a process or application. All system operations are allocated, initiated,
monitored and manipulated through system calls.
On Linux, use the strace command (ktrace on BSD systems), a system call tracer tool that
prints out a trace of all the system calls made by a process or application:

# strace ./a.out   or   # strace ping -c 1 192.168.131.131


Kernel Configurations: the /proc directory 3/3
/proc is a Unix directory (pseudo file system). It is read-only in the main, but can be used to
change the value of a kernel variable or parameter: a pseudo file system used as an
interface to kernel data structures rather than reading and interpreting kernel memory.

If IP forwarding is to be turned on, write a 1 to /proc/sys/net/ipv4/ip_forward.

The network security admin changes parameters of kernel modules through system calls;
entries under /proc include:

- process ID: a subdirectory for each running process, containing cmdline and cwd;
- kcore: represents the system's physical memory;
- net: this subdirectory describes the status of the network layers;
- sys: this subdirectory contains kernel variables, which can be read and modified;
- sys/kernel/ctrl-alt-del: if 1, allows the key combination to reset the system and restart
via the init program;
- domain name and host name.
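As an added example (not from the slides), the script below audits the two network settings called out in Kernel Configurations 1/3, IP forwarding and source-routed packets, by reading them through the /proc/sys interface just described. The /proc root is a parameter so the same checks run against a constructed sample tree here and against the real /proc on a host; the sample tree and its values are assumptions, and the accept_source_route path is the standard Linux location, not something the slides name.

```shell
#!/bin/sh
# Added example: check IP forwarding and source-route acceptance via /proc/sys.
# $1 is the /proc root (use /proc on a real host, or the constructed tree below).

# Print "ok" or "RISK" for one /proc/sys/net/ipv4 variable.
# $1 = proc root, $2 = variable path under net/ipv4, $3 = expected safe value
check_ipv4_var() {
    f="$1/sys/net/ipv4/$2"
    if [ ! -r "$f" ]; then
        echo "$2: missing"
        return 2
    fi
    val=$(cat "$f")
    if [ "$val" = "$3" ]; then
        echo "$2: ok ($val)"
        return 0
    fi
    echo "$2: RISK ($val, want $3)"
    return 1
}

# Audit a workstation: forwarding off, source-routed packets dropped on all interfaces.
# Returns the number of settings that are missing or risky.
audit_proc_net() {
    risky=0
    check_ipv4_var "$1" ip_forward 0 || risky=$((risky + 1))
    check_ipv4_var "$1" conf/all/accept_source_route 0 || risky=$((risky + 1))
    return "$risky"
}

# Build a constructed sample /proc tree with both risky values turned on.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/net/ipv4/conf/all"
    echo 1 > "$d/sys/net/ipv4/ip_forward"
    echo 1 > "$d/sys/net/ipv4/conf/all/accept_source_route"
    echo "$d"
}

# Fixing a setting (as root) is a write to the same pseudo-file, e.g.
#   echo 0 > /proc/sys/net/ipv4/ip_forward
SAMPLE_PROC=$(make_sample_proc)
audit_proc_net "$SAMPLE_PROC" || echo "risky settings found: $?"
```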
Operating Unix Safely
Unix is a powerful OS. Even after it has been configured and hardened it is still a security
risk if users and processes are not properly controlled and monitored.
Any network security attack on a workstation ultimately involves running code in one of
these categories:
1. Malcode: viruses, worms, Trojans. This code is run by the user or on behalf of some
scripting application such as a web browser or email attachment.
2. Host services: the attacker comes in from the network and remotely gets a foothold on
or access to the PC by exploiting an open port or its associated service.
3. Social engineering: people, insiders.

To protect against malcode:

1. Use anti-virus protection.
2. Don't engage in risky behaviour: don't open, launch, download or execute
anything from an unknown source; don't talk to strangers (the weakest link
principle).
3. Disable scripting capabilities in email clients and office programs; use encryption.
Services to Avoid
The system admin should be kept abreast of all running processes. Many applications in Unix
operate in daemon or server mode and can be ready targets for attackers to exploit.
Applications to be careful with:
FTP (vsftpd or wu-ftpd): use the more secure sftp or scp instead.
NFS (Network File System): designed for sharing files over a network. NFS is a remote
procedure call (RPC) service using portmap. NFS may spread malcode such as
Trojans.
nfslock: locks NFS so that it is not used.
RPC: this protocol has security problems and should be avoided; not used today.
portmap.
r commands (rsh, rcp, rlogin): these protocols have weak authentication and pass
information in the clear (unencrypted). Use ssh or scp instead.
Telnet: a very simple service that allows remote access to a Unix workstation. Information
passed is not encrypted, and telnet sessions can easily be hijacked and redirected.
Useful Services
iptables: kernel-resident packet filter for input and output. iptables adds another layer of
security (defense in depth) to Unix.
keytable: script that loads keyboard maps during boot.
kudzu: hardware detection process run during boot.
network: network interfaces.
Print daemon (cupsd, lpd).
Etc.: see pages 176-180.

xinetd (inetd): a service that starts other services on demand, or small networking daemons.

finger: a service that displays information about a user.

ipop3: a service that allows remote users to access their mail using a POP3 client such as
Netscape Communicator or fetchmail.
ktalk: a chat service on KDE (K Desktop Environment).
rlogin: remote login, authenticated based on port numbers from trusted hosts.
Detecting Services
Netstat command:
Can check network connections,
routing tables and
interface statistics.

Can display the list of open sockets,

identified by port number or service name
as assigned in
/etc/services.
Nmap command: a good port scanner for the sysadmin to scan a host to determine what services
are running.
You can see below: 1. nmap against the host's external interface, and 2. against the local host
interface internally, avoiding the firewall, so that port 631/tcp is visible.
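As an added example (not part of the slides), the script below does the netstat part of service detection offline: it parses the LISTEN lines of netstat -tln output, names each port from a services file as the slides describe, and flags listeners that are not on an allow list. Both inputs are constructed samples (the four services are assumed, not taken from a real host); on a real host feed it the output of netstat -tln and the contents of /etc/services.

```shell
#!/bin/sh
# Added example: list listening TCP sockets and name them from /etc/services.
# SAMPLE_NETSTAT and SAMPLE_SERVICES are constructed inputs.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN'

SAMPLE_SERVICES='# service-name port/protocol
ssh        22/tcp
telnet     23/tcp
sunrpc     111/tcp
ipp        631/tcp'

# Print "port name bind-address" for every LISTEN line, one per line.
# $1 = netstat -tln output, $2 = services file text
listening_services() {
    printf '%s\n' "$1" | awk -v services="$2" '
        BEGIN {
            n = split(services, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] ~ /^#/ || lines[i] == "") continue
                split(lines[i], f, /[ \t]+/)
                split(f[2], pp, "/")
                if (pp[2] == "tcp") name[pp[1]] = f[1]
            }
        }
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            svc = (port in name) ? name[port] : "unknown"
            printf "%s %s %s\n", port, svc, addr
        }'
}

# Print a review line for every listener whose service name is not allowed.
# $1 = netstat output, $2 = services text, $3 = space-separated allowed names
flag_risky_listeners() {
    listening_services "$1" "$2" | while read -r port name addr; do
        case " $3 " in *" $name "*) continue ;; esac
        echo "review: $name port $port bound to $addr"
    done
}

flag_risky_listeners "$SAMPLE_NETSTAT" "$SAMPLE_SERVICES" "ssh ipp"
```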
For example, if the /etc/inittab file contains:

id:5:initdefault:

In this case the default is runlevel 5, or X Windows, and the kernel will boot into the run
level given in the initdefault line.
Chroot
The chroot command runs a service with an alternative root
directory other than the / directory.
The kernel has two modes: 1. root access, supervisory (root), and 2.
normal (user).
A user with root access can change the configuration and alter the security
controls that the sysadmin put in place; such a user
may open the PC to potential attack.
Limit access to root mode. It can be bypassed using the su
command (set root's login shell to /sbin/nologin in the /etc/passwd file).
The sudo command allows a normal user to execute certain
commands normally limited to root.
E.g.: sudo mount /dev/fd0 /mnt/floppy
Encription & Certificate
In a defense-in-depth strategy, use encryption to improve
security.
If a PC is compromised and taken over by attackers, previously
encrypted files are protected.
Encrypt traffic on the LAN.
GNU Privacy Guard (GPG): the Unix implementation of the Pretty Good
Privacy (PGP) encryption program by Phil Zimmermann. GPG
uses the public key and private key method of encrypting data
(asymmetric).
Secure Shell (ssh): supports logging into and executing commands
on a remote machine. It replaces rlogin and rsh and provides securely
encrypted communications over the network. X Windows and TCP/IP
ports can also be forwarded via the secure channel.
