Table of Contents for
Practical UNIX and Internet Security, 3rd Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Practical UNIX and Internet Security, 3rd Edition by Alan Schwartz Published by O'Reilly Media, Inc., 2003
  1. Cover
  2. Practical Unix & Internet Security, 3rd Edition
  3. A Note Regarding Supplemental Files
  4. Preface
  5. Unix “Security”?
  6. Scope of This Book
  7. Which Unix System?
  8. Conventions Used in This Book
  9. Comments and Questions
  10. Acknowledgments
  11. A Note to Would-Be Attackers
  12. I. Computer Security Basics
  13. 1. Introduction: Some Fundamental Questions
  14. What Is Computer Security?
  15. What Is an Operating System?
  16. What Is a Deployment Environment?
  17. Summary
  18. 2. Unix History and Lineage
  19. History of Unix
  20. Security and Unix
  21. Role of This Book
  22. Summary
  23. 3. Policies and Guidelines
  24. Planning Your Security Needs
  25. Risk Assessment
  26. Cost-Benefit Analysis and Best Practices
  27. Policy
  28. Compliance Audits
  29. Outsourcing Options
  30. The Problem with Security Through Obscurity
  31. Summary
  32. II. Security Building Blocks
  33. 4. Users, Passwords, and Authentication
  34. Logging in with Usernames and Passwords
  35. The Care and Feeding of Passwords
  36. How Unix Implements Passwords
  37. Network Account and Authorization Systems
  38. Pluggable Authentication Modules (PAM)
  39. Summary
  40. 5. Users, Groups, and the Superuser
  41. Users and Groups
  42. The Superuser (root)
  43. The su Command: Changing Who You Claim to Be
  44. Restrictions on the Superuser
  45. Summary
  46. 6. Filesystems and Security
  47. Understanding Filesystems
  48. File Attributes and Permissions
  49. chmod: Changing a File’s Permissions
  50. The umask
  51. SUID and SGID
  52. Device Files
  53. Changing a File’s Owner or Group
  54. Summary
  55. 7. Cryptography Basics
  56. Understanding Cryptography
  57. Symmetric Key Algorithms
  58. Public Key Algorithms
  59. Message Digest Functions
  60. Summary
  61. 8. Physical Security for Servers
  62. Planning for the Forgotten Threats
  63. Protecting Computer Hardware
  64. Preventing Theft
  65. Protecting Your Data
  66. Story: A Failed Site Inspection
  67. Summary
  68. 9. Personnel Security
  69. Background Checks
  70. On the Job
  71. Departure
  72. Other People
  73. Summary
  74. III. Network and Internet Security
  75. 10. Modems and Dialup Security
  76. Modems: Theory of Operation
  77. Modems and Security
  78. Modems and Unix
  79. Additional Security for Modems
  80. Summary
  81. 11. TCP/IP Networks
  82. Networking
  83. IP: The Internet Protocol
  84. IP Security
  85. Summary
  86. 12. Securing TCP and UDP Services
  87. Understanding Unix Internet Servers and Services
  88. Controlling Access to Servers
  89. Primary Unix Network Services
  90. Managing Services Securely
  91. Putting It All Together: An Example
  92. Summary
  93. 13. Sun RPC
  94. Remote Procedure Call (RPC)
  95. Secure RPC (AUTH_DES)
  96. Summary
  97. 14. Network-Based Authentication Systems
  98. Sun’s Network Information Service (NIS)
  99. Sun’s NIS+
  100. Kerberos
  101. LDAP
  102. Other Network Authentication Systems
  103. Summary
  104. 15. Network Filesystems
  105. Understanding NFS
  106. Server-Side NFS Security
  107. Client-Side NFS Security
  108. Improving NFS Security
  109. Some Last Comments on NFS
  110. Understanding SMB
  111. Summary
  112. 16. Secure Programming Techniques
  113. One Bug Can Ruin Your Whole Day . . .
  114. Tips on Avoiding Security-Related Bugs
  115. Tips on Writing Network Programs
  116. Tips on Writing SUID/SGID Programs
  117. Using chroot( )
  118. Tips on Using Passwords
  119. Tips on Generating Random Numbers
  120. Summary
  121. IV. Secure Operations
  122. 17. Keeping Up to Date
  123. Software Management Systems
  124. Updating System Software
  125. Summary
  126. 18. Backups
  127. Why Make Backups?
  128. Backing Up System Files
  129. Software for Backups
  130. Summary
  131. 19. Defending Accounts
  132. Dangerous Accounts
  133. Monitoring File Format
  134. Restricting Logins
  135. Managing Dormant Accounts
  136. Protecting the root Account
  137. One-Time Passwords
  138. Administrative Techniques for Conventional Passwords
  139. Intrusion Detection Systems
  140. Summary
  141. 20. Integrity Management
  142. The Need for Integrity
  143. Protecting Integrity
  144. Detecting Changes After the Fact
  145. Integrity-Checking Tools
  146. Summary
  147. 21. Auditing, Logging, and Forensics
  148. Unix Log File Utilities
  149. Process Accounting: The acct/pacct File
  150. Program-Specific Log Files
  151. Designing a Site-Wide Log Policy
  152. Handwritten Logs
  153. Managing Log Files
  154. Unix Forensics
  155. Summary
  156. V. Handling Security Incidents
  157. 22. Discovering a Break-in
  158. Prelude
  159. Discovering an Intruder
  160. Cleaning Up After the Intruder
  161. Case Studies
  162. Summary
  163. 23. Protecting Against Programmed Threats
  164. Programmed Threats: Definitions
  165. Damage
  166. Authors
  167. Entry
  168. Protecting Yourself
  169. Preventing Attacks
  170. Summary
  171. 24. Denial of Service Attacks and Solutions
  172. Types of Attacks
  173. Destructive Attacks
  174. Overload Attacks
  175. Network Denial of Service Attacks
  176. Summary
  177. 25. Computer Crime
  178. Your Legal Options After a Break-in
  179. Criminal Hazards
  180. Criminal Subject Matter
  181. Summary
  182. 26. Who Do You Trust?
  183. Can You Trust Your Computer?
  184. Can You Trust Your Suppliers?
  185. Can You Trust People?
  186. Summary
  187. VI. Appendixes
  188. A. Unix Security Checklist
  189. Preface
  190. Chapter 1: Introduction: Some Fundamental Questions
  191. Chapter 2: Unix History and Lineage
  192. Chapter 3: Policies and Guidelines
  193. Chapter 4: Users, Passwords, and Authentication
  194. Chapter 5: Users, Groups, and the Superuser
  195. Chapter 6: Filesystems and Security
  196. Chapter 7: Cryptography Basics
  197. Chapter 8: Physical Security for Servers
  198. Chapter 9: Personnel Security
  199. Chapter 10: Modems and Dialup Security
  200. Chapter 11: TCP/IP Networks
  201. Chapter 12: Securing TCP and UDP Services
  202. Chapter 13: Sun RPC
  203. Chapter 14: Network-Based Authentication Systems
  204. Chapter 15: Network Filesystems
  205. Chapter 16: Secure Programming Techniques
  206. Chapter 17: Keeping Up to Date
  207. Chapter 18: Backups
  208. Chapter 19: Defending Accounts
  209. Chapter 20: Integrity Management
  210. Chapter 21: Auditing, Logging, and Forensics
  211. Chapter 22: Discovering a Break-In
  212. Chapter 23: Protecting Against Programmed Threats
  213. Chapter 24: Denial of Service Attacks and Solutions
  214. Chapter 25: Computer Crime
  215. Chapter 26: Who Do You Trust?
  216. Appendix A: Unix Security Checklist
  217. Appendix B: Unix Processes
  218. Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations
  219. B. Unix Processes
  220. About Processes
  221. Signals
  222. Controlling and Examining Processes
  223. Starting Up Unix and Logging In
  224. C. Paper Sources
  225. Unix Security References
  226. Other Computer References
  227. D. Electronic Resources
  228. Mailing Lists
  229. Web Sites
  230. Usenet Groups
  231. Software Resources
  232. E. Organizations
  233. Professional Organizations
  234. U.S. Government Organizations
  235. Emergency Response Organizations
  236. Index
  237. Index
  238. Index
  239. Index
  240. Index
  241. Index
  242. Index
  243. Index
  244. Index
  245. Index
  246. Index
  247. Index
  248. Index
  249. Index
  250. Index
  251. Index
  252. Index
  253. Index
  254. Index
  255. Index
  256. Index
  257. Index
  258. Index
  259. Index
  260. Index
  261. Index
  262. Index
  263. About the Authors
  264. Colophon
  265. Copyright

Sun’s NIS+

NIS was designed for a small, friendly computing environment. As Sun Microsystems’ customers began to build networks with thousands or tens of thousands of workstations, NIS started to show its weaknesses:

  • NIS maps could be updated only by logging onto the server and editing files.

  • NIS servers could be updated only in a single batch operation. Updates could take many minutes, or even hours, to complete.

  • All information transmitted by NIS was transmitted without encryption, making it subject to eavesdropping.

  • NIS updates themselves were authenticated with AUTH_UNIX RPC authentication, making them subject to spoofing.

To respond to these complaints, Sun started working on an NIS replacement in 1990. That system was released a few years later as NIS+.

NIS+ quickly earned a bad reputation. By all accounts, the early releases were virtually untested and rarely operated as promised. Furthermore, the documentation was confusing and incomplete. Sun sent engineers into the field to debug their software at customer sites. Eventually, Sun worked the bugs out of NIS+, and today it is a more reliable system for secure network management and control.

An excellent reference for people using NIS+ is Rick Ramsey’s book, All About Administrating NIS+ (SunSoft Press, Prentice Hall, 1994).

What NIS+ Does

NIS+ creates network databases that are used to store information about computers and users within an organization. NIS+ calls these databases tables; they are functionally similar to NIS maps. Unlike NIS, NIS+ allows for incremental updates of the information stored on replicated database servers throughout the network.

Each NIS+ domain has one and only one NIS+ root domain server. This is a computer that contains the master copy of the information stored in the NIS+ root domain. The information stored on this server can be replicated, allowing the network to remain usable even when the root server is down or unavailable. There may also be NIS+ servers for subdomains.

Entities that communicate using NIS+ are called NIS+ principals . An NIS+ principal may be a host or an authenticated user. Each NIS+ principal has a public key and a secret key, which are stored on an NIS+ server in the domain. (As this is Secure RPC, the secret key is stored encrypted; see Section 13.2.1.)

All communication between NIS+ servers and NIS+ principals take place through Secure RPC. This makes the communication resistant to both eavesdropping and spoofing attacks. NIS+ also oversees the creation and management of Secure RPC keys. By virtue of using NIS+, every member of the organization is enabled to use Secure RPC.

NIS+ Tables and Other Objects

All information stored on an NIS+ server is stored in the form of objects. NIS+ supports three fundamental types of objects:[194]

Table objects

Store configuration information.

Group objects

Used for NIS+ authorization. NIS+ groups give you a way to collectively refer to a set of NIS+ principals (users or machines) at a single time.

Directory objects

Provide structure to an NIS+ server. Directories can store tables, groups, or other directories, creating a tree structure on the NIS+ server that’s similar to the Unix filesystem.

Information stored in NIS+ tables can be retrieved using any table column as a key; NIS+ thus eliminates the need to have multiple NIS maps (such as group.bygid and group.byname) under NIS. NIS+ predefines 16 tables (see Table 14-1); users are free to create additional tables of their own.

Table 14-1. Predefined NIS+ tables

Table

Equivalent Unix files

Stores

Hosts

/etc/hosts

IP address and hostname of every workstation in the NIS+ domain

Bootparams

/etc/bootparams

Configuration information for diskless clients, including location of root, swap, and dump partitions

Passwd

/etc/passwd

User account information (password, full name, home directory, etc.)

Cred

n/a

Secure RPC credentials for users in the domain

Group

/etc/group

Groupnames, passwords, and members of every Unix group

Netgroup

/etc/netgroup

Netgroups to which workstations and users belong

Mail_Aliases

/usr/lib/aliases/etc/aliases/etc/mail/aliases

Electronic mail aliases

Timezone

/etc/timezone

Time zone of each workstation in the domain

Networks

/etc/networks

Networks in the domain and their canonical names

Netmasks

/etc/inet/netmasks/etc/netmasks

Name of each network in the domain and its associated netmask

Ethers

/etc/ethers

Ethernet address of every workstation in the domain

Services

/etc/services

Port number for every Internet service used in the domain

Protocols

/etc/protocols

IP protocols used in the domain

RPC

n/a

RPC program numbers for RPC servers in the domain

Outcome

n/a

Location of home directories for users in the domain

Auto_Mounter

n/a

Information for Sun’s Automounter

Using NIS+

Using an NIS+ domain can be remarkably pleasant. When a user logs into a workstation, the /bin/login command automatically acquires the user’s NIS+ security credentials and attempts to decrypt them with the user’s login password.

If the account password and the NIS+ credentials password are the same (and they usually are), the NIS+ keyserv process will cache the user’s secret key, and the user will have transparent access to all Secure RPC services. If the account password and the NIS+ credentials password are not the same, then the user will need to manually log in to the NIS+ domain by using the keylogin command.

NIS+ users should change their passwords with the NIS+ nispasswd command, which works in much the same way as the standard Unix passwd command.

NIS+ security is implemented by providing a means for authenticating users, and by establishing access control lists that control the ways that those authenticated users can interact with the information stored in NIS+ tables. NIS+ provides for two authentication types:

LOCAL

Authentication based on the UID of the Unix process executing the NIS+ command. LOCAL authentication is used largely for administrating the root NIS+ server.

DES

Authentication based on Secure RPC. Users must have their public key and encrypted secret key stored in the NIS+ Cred table to use DES authentication.

Like Unix files, each NIS+ object has an owner, which is usually the object’s creator. (An object’s owner can be changed with the nischown command.) NIS+ objects also have access control lists, which are used to control which principals have which kind of access to the object.

NIS+ allows four types of access to objects:

Access right

Meaning

Read

Ability to read the contents of the object

Modify

Ability to modify the contents of the object

Create

Ability to create new objects within the table

Destroy

Ability to destroy objects contained within the table

NIS+ maintains a list of these access rights for four different types of principals:

Access right

Meaning

Nobody

Unauthenticated requests, such as requests from individuals who do not have NIS+ credentials within this NIS+ domain

Owner

The principal that created the object (or was assigned ownership via the nischown command)

Group

Other principals in the object’s group

World

Other principals within the object’s NIS+ domain

The way that NIS+ commands display access rights is similar to the way that the Unix ls command displays file permissions. The key difference is that NIS+ access rights are displayed as a list of 16 characters, and the first 4 characters represent the rights for “nobody”, rather than “owner”, as shown in Figure 14-2.

NIS+ access rights are displayed as a list of 16 characters

Figure 14-2. NIS+ access rights are displayed as a list of 16 characters

NIS+ tables may provide additional access privileges for individual rows, columns, or entries that they contain. Thus, all authenticated users may have read access to an entire table, but each user may have the additional ability of modifying the row of the table associated with the user’s own account. Note that while individual rows, columns, or entries can broaden the access control list, they cannot impose more restrictive rules.

The Name Service Switch

NIS and NIS+ can be used to distribute user, group, and password information on a network, as well as information about hosts, networks, protocols, and other entities. Of course, this information can also be stored in local files or accessed through other distributed network databases (such as DNS). How should a client decide which mechanisms to use to get this kind of information, when multiple mechanisms are possible, and the order in which to try them?

Sun solved this problem in Solaris by writing its C library information lookup functions so they could try a variety of information sources. Sun’s approach was adopted by the GNU C library, and is thus commonly found on Linux systems as well.

The list of sources for each kind of data and the order in which to try them is defined in a file named /etc/nsswitch.conf:

passwd:   files nisplus nis
shadow:   files nisplus nis
group:    files nisplus nis
hosts:    files nisplus nis dns
services: nisplus [NOTFOUND=return] files

In this example, the passwd, shadow, and group entries are checked first in the local files, and then looked up through NIS+ or NIS. The first matching entry will end the search. Hostname lookups will proceed similarly, but will also check DNS. Finally, information about network services will be checked through NIS+, and if NIS+ reports that it does not find a given service, the search will stop. If the NIS+ server is down, however, the local file /etc/services will still be checked.

To speed up frequent lookups (for passwd, group, and hosts, in particular), some systems run a name service caching daemon (nscd) that locally caches the results of the lookup.

Changing your password

Once a user has her NIS+ account set up, she should use the nispasswd command to change the password:

% nispasswd
Changing password for simsong on NIS+ server.
Old login password: fj39=3-f

New login password: fj43fadf

Re-enter new  password:fj43fadf

        NIS+ password information changed for simsong
        NIS+ credential information changed for simsong
%

When a user’s passwords don’t match

If a user has a different password stored on his workstation and on the Secure RPC server, he will see the following message when he logs in:

login: simsong
Password: fj39=3-f

Password does not decrypt secret key for unix.237@cpg.com.
Last login: Sun Nov 19 18:03:42 from sun.vineyard.net
Sun Microsystems Inc.   SunOS 5.4       Generic July 1994
%

In this case, the user has a problem because the password that the user knows and uses to log in does not, for some reason, match the password that was used to encrypt the password on the Secure RPC server. The user can’t change his password with the nispasswd program because he doesn’t know his NIS password:

% nispasswd
Changing password for simsong on NIS+ server.
Old login password:fj39=4-f

Sorry.
%

Likewise, the superuser can’t run the nispasswd program for the user. The only solution is for the system administrator to become the superuser and give the user a new key:

# newkey -u simsong
Updating nisplus publickey database.
Adding new key for unix.237@cpg.com.
Enter simsong's login password: fj39=3-f

#

This procedure sets the user’s Secure RPC password to be the same as his login password. Note that you must know the user’s login password. If you don’t, you’ll get this error:

# newkey -u simsong
Updating nisplus publickey database.
Adding new key for unix.237@cpg.com.
Enter simsong's login password: nosmis

newkey: ERROR, password differs from login password.
#

After the user has a new key, he can then use the nispasswd command to change his password, as shown above.

NIS+ Limitations

If properly configured, NIS+ can be a very secure system for network management and authentication. However, as with all security systems, it is possible to make a mistake in the configuration or management of NIS+ that would render a network that it protects somewhat less than secure.

Here are some things to be aware of:

Do not run NIS+ in NIS compatibility mode

NIS+ has an NIS compatibility mode that allows the NIS+ server to interoperate with NIS clients. If you run NIS+ in this mode, then any NIS server on your network (and possibly other networks as well) will have the ability to access any piece of information stored within your NIS+ server. Typically, NIS access is used by attackers to obtain a copy of your domain’s encrypted password file, which is then used to probe for weaknesses.

Manually inspect the permissions of your NIS+ objects on a regular basis

System integrity-checking software such as Tripwire does not exist (yet) for NIS+. In its absence, you must manually inspect the NIS+ tables, directories, and groups on a regular basis. Be on the lookout for objects that can be modified by nobody or by world; also be on the lookout for tables in which new objects can be created by these principal classes.

Secure the computers on which your NIS+ servers are running

Your NIS+ server is only as secure as the computer on which it is running. If attackers can obtain root access on your NIS+ server, they can make any change that they wish to your NIS+ domain, including creating new users, changing user passwords, and even changing your NIS+ server’s master password.

NIS+ servers operate at one of three security levels

These levels are described in Table 14-2. Make sure that your server is operating at level 2, which is the default level.

Table 14-2. NIS+ server security levels

Security level

Description

0

The NIS+ server runs with all security options turned off. Any NIS+ principal may make any change to any NIS+ object. This level is designed for testing and initially setting up the NIS+ namespace. Security level 0 should not be present in a shipping product (but for some reason it is). Do not use security level 0.

1

The NIS+ server runs with security turned on, but with DES authentication turned off. That is, the server will respond to any request in which LOCAL or DES authentication is specified, opening it up to a wide variety of attacks. Security level 1 is designed for testing and debugging. Similar to security level 0, this should not be present in a shipping “security” product. Do not use it.

2

The NIS+ server runs with full security authentication and access-checking enabled. Only run NIS+ servers at security level 2.


[194] Other types of objects are supported, but they aren’t really important to this discussion. Interested readers should consult the manpages.