Maximum Linux Security

Book Description

Maximum Linux Security: A Hacker's Guide to Protecting Your Linux Server and Workstation is designed for system administrators, managers, or Linux users who wish to protect their Linux servers and workstations from unauthorized intrusions and other external threats to their systems' integrity. Written by an experienced hacker--someone who knows which systems are vulnerable and how crackers get into them--this unique guide to Linux security identifies existing and potential security holes and faults, and then describes how to go about fixing them.

Table of Contents

  1. Copyright
    1. Dedication
  2. Preface
    1. About the Author
    2. Acknowledgments
    3. Tell Us What You Think!
  3. Introduction
    1. This Book's Organization
    2. How This Book Is Cross-Referenced
      1. amadmin
    3. Using This Book
    4. Odds and Ends
    5. Summary
  4. I. Linux Security Basics
    1. 1. Introducing Linux
      1. What Is Linux?
        1. Linux Is Free
        2. Linux Closely Resembles UNIX
        3. Where Did Linux Come From?
      2. Linux as a Standalone System
      3. Linux as an Intranet/Internet Server
      4. A Linux Security Overview
        1. User Accounts
        2. Discretionary Access Control (DAC)
        3. Network Access Control
        4. Encryption
        5. Built-In Logging, Auditing, and Network Monitoring
        6. Intrusion Detection
      5. Summary
    2. 2. Physical Security
      1. Server Location and Physical Access
        1. The Network Operations Center (NOC)
      2. Network Topology
        1. Assorted Network Topologies
          1. Bus Topology
          2. Ring Topology
          3. Star Topology
        2. Summary of Topology Security
      3. Network Hardware
        1. Common Network Hardware Security Measures
        2. Summary of Network Hardware
      4. Workstations and Security
        1. BIOS and Console Passwords
        2. Biometric Access Controls
          1. Biometric Identification: A Historical Perspective
          2. Using Biometric Access Control Devices
        3. Modem Security
          1. ModemLock
          2. Modem Security Enforcer
          3. CoSECURE
          4. PortMarshal
        4. Anti-Theft Devices
          1. Laptop Lockup
          2. FlexLock-50
          3. Computer Guardian
          4. PHAZER
        5. Unique Numbers, Marking, and Other Techniques
          1. STOP
          2. Accupage
          3. The Intel Pentium III Serial Number
      5. Summary
    3. 3. Installation Issues
      1. About Various Linux Distributions, Security, and Installation
      2. Partitions and Security
        1. What Are Partitions, Exactly?
        2. Lumping Linux into a Single Partition
          1. /etc/fstab
        3. Other Advantages of Multiple Partitions
        4. Sizing Out Partitions
          1. fdisk
        5. Creating the Swap and Root Partitions
        6. Creating the Extended Partition
        7. Creating Logical Partitions Within the Extended Partition
        8. Other Partitioning Tools
          1. cfdisk
          2. Disk Druid
        9. Summary of Partitions and Security
      3. Choosing Network Services During Installation
      4. Boot Loaders
        1. /etc/lilo.conf: The LILO Configuration File
          1. Adding a Boot Password
        2. Summary of Boot Loaders
      5. Summary
    4. 4. Basic Linux System Administration
      1. The Basic Idea
        1. Your Very Own Account
      2. Creating and Managing Accounts
        1. Account Policy
        2. Account Structure
          1. passwd
        3. Adding Users
          1. Adding Users with Graphical Tools
            1. usercfg
          2. Adding Users with adduser
            1. adduser
            2. adduser
          3. Adding Users by Manually Editing /etc/passwd
            1. vipw
        4. Using Your Own Tools to Add Users
        5. Deleting Users
      3. Performing Administrative Tasks with su
        1. su—The Substitute User
          1. Granting Other Users Limited su-like Access
            1. sudo
              1. /etc/sudoers
              2. Editing /etc/sudoers with visudo
      4. Access Control
      5. Permissions and Ownership
        1. chmod: Changing File Permissions
          1. The Octal System
            1. Files with Special Permissions
              1. Protecting Against SUID- and SGID-Based Attacks
              2. Some Well-Known SUID-Related Vulnerabilities
      6. A Closer Look at Groups
        1. Creating Groups
          1. /etc/group and Adding New Groups
        2. chown: Assigning User Owner and Group Permissions
          1. Using Graphical Tools to Set Owners, Permissions, and Groups
          2. How Users Interface with Groups
            1. newgrp: Changing the Current Group
        3. Removing Groups
      7. Bringing Down Your System
        1. shutdown: Shutting Down Your Linux System
      8. Summary
  5. II. Linux User Security
    1. 5. Password Attacks
      1. What Is a Password Attack?
      2. How Linux Generates and Stores Passwords
        1. Passwords Down Through the Ages
          1. Cryptography
      3. The Data Encryption Standard (DES)
        1. Dictionary Attacks
      4. Case Study: Cracking Linux Passwords Via Dictionary Attack
        1. Crack
          1. Unpacking Crack
          2. Making Crack
          3. Running Crack
          4. Viewing Your Results
            1. Crack Command-Line Options
              1. Accessories for Crack: Wordlists
              2. Alternatives to Crack
        2. Dictionary Attacks: A Historical Perspective
      5. Password Shadowing and the shadow Suite
        1. /etc/shadow: The Password shadow Database
          1. Adding Users on Shadowed Systems: useradd
          2. Transferring Startup Files: /etc/skel
          3. Deleting Users on Shadowed Systems: userdel
          4. Modifying an Existing User Record on Shadowed Systems: usermod
            1. Verifying Password Database Data: pwchk
          5. Adding a Group on Shadowed Systems: groupadd
          6. Modifying Group Information on a Shadowed System: groupmod
          7. Deleting Groups on Shadowed Systems: groupdel
          8. Managing Group Access: gpasswd
            1. Verifying Group Data: grpchk
        2. Beyond Creating and Deleting Users and Groups
          1. Changing an Existing User's Password Expiration Data: chage
          2. Mixing and Matching /etc/passwd and /etc/shadow Databases
        3. Possible Attacks Against Your Shadowed System
      6. After Installing the shadow Suite
        1. Human Password Choices and System Security
        2. Proactive Password Checking
          1. passwd+
          2. anlpasswd
          3. npasswd
      7. Other Password Security Issues
        1. Password Proliferation and Security
      8. Pluggable Authentication Modules
      9. Still Other Password Security Solutions
        1. Regarding Network Information Service and Password Security
      10. Summary
    2. 6. Malicious Code
      1. What Is Malicious Code?
        1. What Is a Trojan?
        2. Viruses
      2. Detecting Malicious Code
        1. Tripwire
        2. Availability of Tripwire
        3. Installing Tripwire
          1. Generating Your Passphrases
          2. Preparing to Use Tripwire
            1. The Tripwire Configuration File
            2. The Tripwire Policy File
        4. Configuring and Running Tripwire
        5. Checking File Integrity with Tripwire
        6. Summary on Tripwire
      3. Other File Integrity Checking Software
        1. TAMU
        2. ATP (The Anti-Tampering Program)
        3. Hobgoblin
        4. sXid
        5. trojan.pl
        6. Additional Resources
      4. Summary
  6. III. Linux Network Security
    1. 7. Sniffers and Electronic Eavesdropping
      1. How Sniffers Work
      2. Case Studies: Performing a Few Simple Sniffer Attacks
        1. linsniffer
        2. linux_sniffer
        3. hunt
        4. sniffit
          1. sniffit Operation and Configuration
      3. Other Sniffers and Network Monitoring Tools
      4. Risks Posed by Sniffers
      5. Defending Against Sniffer Attacks
        1. ifconfig
        2. ifstatus
        3. NEPED: Network Promiscuous Ethernet Detector
        4. Other, More Generic Defenses Against Sniffers
      6. Further Reading
      7. Summary
    2. 8. Scanners
      1. What Is a Scanner?
        1. Anatomy of a System Scanner
          1. COPS—The Computer Oracle and Password System
            1. Unpacking, Making, Installing, and Running Legacy COPS
        2. Anatomy of a Network Scanner
          1. ISS—Internet Security Scanner (Legacy Version)
            1. Unpacking, Making, Installing, and Running Legacy ISS
      2. Scanner Building Blocks and Scanner Evolution
        1. SATAN (Security Administrator's Tool for Analyzing Networks)
          1. SATAN's Basic Characteristics
          2. Configuring SATAN for Linux
            1. Making and Running SATAN on Linux
      3. How Scanners Fit into Your Security Regimen
      4. Various Scanner Tools
        1. SAINT (Security Administrator's Integrated Network Tool)
        2. ISS—Internet Security Scanner
          1. Installing and Running ISS
        3. Nessus
        4. nmap—The Network Mapper
        5. CGI scanner v1.0
          1. Other Interesting Scanners
        6. Are Scanners Legal?
      5. Defending Against Scanner Attacks
        1. courtney (SATAN and SAINT Detector)
        2. IcmpInfo (ICMP scan/bomb detector)
        3. scan-detector (Generic UDP scan detector)
        4. klaxon
        5. Psionic PortSentry
      6. Interesting Resources
      7. Summary
    3. 9. Spoofing
      1. What Is Spoofing All About?
      2. TCP and IP Spoofing
      3. Case Study: A Simple Spoofing Attack
        1. A Sample Attack
        2. TCP and IP Spoofing Tools
          1. spoofit.h
          2. seq_number.c
          3. ipspoof
          4. 1644
        3. What Services Are Vulnerable to IP Spoofing?
      4. Preventing IP Spoofing Attacks
      5. ARP Spoofing
        1. Defending Against ARP Spoofing Attacks
          1. arp: A Tool to Manipulate Routing Tables
      6. DNS Spoofing
        1. jizz
        2. ERECT
        3. snoof
        4. Detecting and Defending Against DNS Spoofing
      7. Other Strange Spoofing Attacks
        1. spoofscan
        2. pmap_set/unset
        3. ICQ File transfer spoofer v.0001
        4. syslog-poison.c
        5. ICQ Hijaak
        6. icqspoof.c
        7. RIP Spoofer
        8. syslog_deluxe
        9. spoofkey
        10. sirc4
      8. Further Reading
      9. Summary
    4. 10. Protecting Data in Transit
      1. Secure Shell (ssh)
        1. The ssh Core Utilities
        2. Quick Start: Installing the ssh Distribution
          1. Not-So-Quick Start: Specifying configure Options
        3. ssh Server Configuration
          1. /etc/sshd_config: The ssh Server Configuration File
        4. sshd Startup Command-Line Options
          1. /etc/ssh_config: The ssh Client Configuration File
        5. Starting sshd
        6. Using the ssh Client
          1. ssh Client Command-Line Options
      2. scp: The Secure Copy Remote File Copy Program
      3. Providing ssh Services in a Heterogeneous Network
        1. Tera Term Pro + TTSSH for Windows
        2. About ssh Support for Macintosh
        3. Examples of ssh in Action
      4. ssh Security Issues
      5. Additional Resources
      6. Summary
  7. IV. Linux Internet Security
    1. 11. FTP Security
      1. File Transfer Protocol
        1. FTP Security History
          1. FTP Bounce Attacks
          2. Erroneous Permissions
          3. The SITE EXEC bug
      2. FTP's Default Security Features
        1. /etc/ftpusers: The Restricted Users Access File
          1. ftphosts
        2. /etc/ftpaccess: The ftpd Configuration File
          1. Summary of FTP's Default Security Measures
      3. SSLftp
        1. Installing SSLftp
      4. Specific FTP Application Security
        1. ncftp
        2. filerunner
        3. ftpwatch
        4. wu-ftpd 2.4.2-academ[BETA-18]
      5. Summary
    2. 12. Mail Security
      1. SMTP Servers and Clients
        1. A Simple SMTP Client
      2. sendmail Security Basics
        1. The MIME Buffer Overflow Bug
        2. The HELO Buffer Overflow
        3. Password File/Root Access
        4. sendmail Header Parsing DoS Attack
        5. sendmail Service Protection
          1. Protecting Against Unauthorized Relaying
          2. Real-Time Blacklisting
            1. How Does the RBL Work?
          3. Disabling EXPN and VRFY
          4. Using TCP Wrappers to Block Traffic
        6. Other sendmail Resources
      3. Replacing sendmail with Qmail
        1. Qmail Installation
          1. Testing Qmail
          2. Virtual User Accounts
        2. Other Qmail Resources
      4. Summary
    3. 13. Telnet Security
      1. Assessing the Need to Provide Telnet Services
      2. Telnet's Security History
      3. Secure Telnet Systems
      4. deslogin
        1. Installing the deslogin Distribution
          1. Installing the Cipher Package
          2. Installing the deslogin Component
          3. deslogin Configuration
          4. The deslogin client
            1. deslogin Licensing
        2. STEL (Secure Telnet)
        3. SSL MZ-Telnet
      5. SRA Telnet from Texas A&M University
      6. The Stanford SRP Telnet/FTP Package
        1. Important Documents
      7. Summary
    4. 14. Web Server Security
      1. Eliminating Nonessential Services
        1. File Transfer Protocol (FTP)
        2. finger
        3. Network File System (NFS)
        4. Other RPC Services
          1. rpc.ruserd
          2. rstatd
          3. rwalld (The rwall Server)
        5. The R Services
          1. rshd (The Remote Shell Server)
          2. rlogin
          3. rexec (Remote Execution Services)
          4. rwhod (The Remote who Services)
        6. Other Services
        7. Applying Access Control to Running Services
      2. Web Server Security
        1. httpd
        2. Controlling Outside Access: access.conf
          1. Inclusive Screening: Explicitly Allowing Authorized Hosts
          2. Exclusive Screening: Explicitly Blocking Unwanted Hosts
          3. The mutual-failure Option: Mix and Match
        3. Configuration Options That Can Affect Security
        4. The ExecCGI Option: Enabling CGI Program Execution
        5. The FollowSymLinks Option: Allowing Users to Follow Symbolic Links
        6. The Includes Option: Enabling Server Side Includes (SSI)
          1. Enabling Server Side Includes Without Command Execution
        7. The Indexes Option: Enabling Directory Indexing
      3. Adding Directory Access Control with Basic HTTP Authentication
        1. htpasswd
          1. Setting Up Simple User-Based HTTP Authentication
            1. Creating a New .htpasswd Database
            2. Creating a New .htaccess File
          2. Setting Up Group-Based HTTP Authentication
      4. Weaknesses in Basic HTTP Authentication
      5. HTTP and Cryptographic Authentication
        1. Adding MD5 Digest Authentication
      6. Running a chroot Web Environment
      7. Accreditation and Certification
        1. Coopers & Lybrand L.L.P., Resource Protection Services (USA)
        2. The American Institute of Certified Public Accountants (AICPA)
        3. International Computer Security Association (Previously NCSA)
        4. Troy Systems
      8. Summary
    5. 15. Secure Web Protocols
      1. The Problem
      2. Secure Sockets Layer (SSL) from Netscape Communications Corporation
        1. SSL's Security History
      3. Installing Apache-SSL
        1. Unpacking, Compiling, and Installing OpenSSL
        2. Unpacking, Patching, and Installing Apache
          1. Preparing to Generate a Certificate
        3. Configuring httpsd Startup Files
        4. Testing the Server
          1. Configuration Notes
        5. About Certificates and Certificate Authorities
        6. Summary of Apache-SSL
        7. Further Reading on SSL
      4. Other Secure Protocols: IPSEC
      5. Summary
    6. 16. Secure Web Development
      1. Development Risk Factors: A Wide Overview
      2. Spawning Shells
        1. Executing Shell Commands with system()
          1. system() in C
          2. system() in Perl
        2. popen() in C and C++
        3. open() in Perl
        4. eval (Perl and shell)
        5. exec() in Perl
      3. Buffer Overruns
        1. About User Input in General
      4. Paths, Directories, and Files
        1. chdir()
        2. Files
      5. Other Interesting Security Programming and Testing Tools
      6. Other Online Resources
      7. Summary
    7. 17. Denial-of-Service Attacks
      1. What Is a Denial-of-Service Attack?
      2. Risks Posed by Denial-of-Service Attacks
      3. How This Chapter Is Laid Out
      4. Network Hardware DoS Attacks
      5. Attacks on Linux Networking
        1. sesquipedalian.c
        2. inetd and NMAP
        3. lpd Bogus Print Requests
        4. mimeflood.pl
        5. portmap (and other RPC services)
        6. UNIX Socket Garbage Collection DoS
        7. time and daytime DoS
        8. teardrop.c
        9. identd Open Socket Flood
        10. Lynx/chargen Browser Attack
        11. nestea.c
        12. pong.c and ICMP floods
        13. The Ping of Death
        14. octopus.c
      6. Attacks on Linux Applications
        1. Netscape Communicator Content Type (1)
        2. Netscape Communicator Content Type (2)
        3. passwd Resource Starvation
        4. xdm
        5. wtmp lock
      7. Other DoS Attacks
      8. Defending Against Denial-of-Service Attacks
      9. Online Resources
      10. Summary
    8. 18. Linux and Firewalls
      1. What Is a Firewall?
        1. Network-Level Firewalls: Packet Filters
        2. Application-Proxy Firewalls/Application Gateways
      2. Assessing Whether You Really Need a Firewall
      3. tcpd: TCP Wrappers
        1. TCP Wrappers and Network Access Control
          1. Configuring /etc/hosts.deny and /etc/hosts.allow
            1. hosts_options Wildcards, Operators, and Shell Functions
            2. The EXCEPT Operator
          2. tcpdchk: The TCP Wrappers Configuration Checker
          3. tcpdmatch: The TCP Wrappers Oracle
        2. Summary of TCP Wrappers
      4. ipfwadm
        1. ipfwadm Basics
          1. ipfwadm Rule Categories
            1. Other ipfwadm Options
        2. Configuring ipfwadm
      5. ipchains
        1. ipchains Security History
      6. Free Firewall Tools and Add-Ons for Linux
      7. Commercial Firewalls
        1. Avertis
        2. CSM Proxy/Enterprise Edition
        3. GNAT Box Firewall
        4. NetScreen
        5. Phoenix Adaptive Firewall
        6. PIX Firewall
        7. SecureConnect
      8. Additional Resources
      9. Summary
    9. 19. Logs and Audit Trails
      1. What Is Logging, Exactly?
      2. Logging in Linux
        1. lastlog
        2. last
          1. Circumventing lastlog, last, and wtmp
        3. xferlog
        4. httpd Logs
          1. access_log: The HTTP Access Log File
          2. error_log: The Error Message Log
          3. Customizing httpd Logs
        5. System and Kernel Messages
        6. /var/log/messages: Recording System and Kernel Messages
          1. syslog.conf: Customizing Your syslog
            1. The Selector Field
            2. The Action Field
        7. Writing to syslog from Your Own Programs
        8. Backing and Handling Logs
          1. logrotate
      3. Other Interesting Logging and Audit Tools
        1. SWATCH (The System Watcher)
        2. Watcher
        3. NOCOL/NetConsole v4.0
        4. PingLogger
        5. LogSurfer
          1. Netlog
        6. Analog
      4. Summary
    10. 20. Intrusion Detection
      1. What Is Intrusion Detection?
      2. Basic Intrusion Detection Concepts
      3. Some Interesting Intrusion Detection Tools
        1. chkwtmp
        2. tcplogd
        3. Snort
        4. HostSentry
        5. Shadow
        6. MOM
        7. The HummingBird System
        8. AAFID (Autonomous Agents for Intrusion Detection)
        9. Documents on Intrusion Detection
    11. 21. Disaster Recovery
      1. What Is Disaster Recovery?
        1. Why You Need a Disaster Recovery-Contingency Plan
      2. Steps to Take Before Building Your Linux Network
        1. Hardware Standardization
        2. Software Standardization: Your Basic Config
      3. Choosing Your Backup Tools
      4. Simple Archiving: tarring and Zipping Your Files and Directories
        1. Creating a tar Archive
        2. Compressing Your tar Archive with gzip
        3. cpio: Another File Archive Tool
        4. Creating a Hot Archive Site
      5. Types of Backups and Backup Strategies
        1. dump: A Tool for Scheduling Backups
        2. restore: Restoring Backups Made with dump
      6. Backup Packages
        1. KBackup (from Karsten Ballüders)
        2. Enhanced Software Technologies' BRU
        3. AMANDA (The Advanced Maryland Automatic Network Disk Archiver)
      7. Odds and Ends
      8. Summary
  8. V. Appendixes
    1. A. Linux Security Command Reference
      1. .htaccess
      2. .htpasswd
      3. ACUA (An Add-On)
      4. amadmin
      5. amanda
      6. amcheck
      7. amcleanup
      8. amdump
      9. amrestore
      10. Angel Network Monitor (An Add-On)
      11. arp
      12. bootpd
      13. cfdisk
      14. Check-ps (An Add-On)
      15. checkXusers (An Add-On)
      16. chmod
      17. chown
      18. chroot
      19. CIPE Crypto IP Encapsulation (An Add-On)
      20. crypt
      21. ctrlaltdel
      22. Dante (An Add-On)
      23. Deception Toolkit (An Add-On)
      24. DOC (Domain Obscenity Control, an Add-On)
      25. dns_lint (An Add-On)
      26. dnswalk (An Add-On)
      27. Ethereal (An Add-On)
      28. exports
      29. exscan (An Add-On)
      30. FakeBO (An Add-On)
      31. fdisk
      32. finger
      33. fingerd
      34. ftphosts
      35. ftpaccess
      36. ftpd
      37. ftpshut
      38. GNU Privacy Guard (An Add-On)
      39. halt
      40. hosts_access
      41. hosts_options
      42. hosts.equiv
      43. HUNT (An Add-On)
      44. htpasswd
      45. httpd
      46. icmpinfo (An Add-On)
      47. identd
      48. IdentTCPscan (An Add-On)
      49. inetd.conf
      50. ip_filter (An Add-On)
      51. IPAC (An Add-On)
      52. ipfwadm
      53. ISS (An Add-On)
      54. KSniffer (An Add-On)
      55. last
      56. Logcheck from the Abacus Project (An Add-On)
      57. lsof (An Add-On)
      58. MAT (Monitoring and Administration Tool, an Add-On)
      59. MOM (An Add-On)
      60. msystem (An Add-On That's Made for UNIX But Can Work with Linux)
      61. NEPED (Network Promiscuous Ethernet Detector, an Add-On)
      62. Nessus (An Add-On)
      63. netstat
      64. Network Security Scanner (An Add-On)
      65. NIST Cerberus (An Add-On)
      66. nmap (The Network Mapper, an Add-On)
      67. npasswd (An Add-On)
      68. ntop (An Add-On)
      69. passwd
      70. passwd+ (An Add-On)
      71. pgp4pine
      72. ping
      73. ps
      74. qmail (An Add-On)
      75. QueSo (An Add-On)
      76. rcmd
      77. rcp
      78. reboot
      79. rlogin
      80. rhosts
      81. rhosts.dodgy (An Add-On)
      82. rsh
      83. scp
      84. Sentry from the Abacus Project
      85. services
      86. shadow
      87. Shadow in a Box (An Add-On)
      88. showmount
      89. shutdown
      90. SINUS (An Add-On)
      91. SocketScript (An Add-On)
      92. ssh
      93. ssh-add
      94. ssh-agent
      95. ssh-keygen
      96. sshd
      97. SSLeay
      98. Strobe (An Add-On)
      99. sudo
      100. Swan (An Add-On)
      101. swatch (The System Watcher)
      102. sXid Secure (An Add-On)
      103. sysklogd
      104. System Administrator's Tool for Analyzing Networks (SATAN, an Add-On)
      105. tcpd (TCP WRAPPER)
      106. tcpdchk
      107. tcpdmatch
      108. tcpdump
      109. tftp
      110. The Linux Shadow Password Suite (An Add-On)
      111. traceroute
      112. traffic-vis (An Add-On)
      113. Trinux (An Add-On)
      114. Tripwire (An Add-On)
      115. trojan.pl
      116. ttysnoop
      117. vipw
      118. visudo
      119. w
      120. who
      121. whois
      122. Xlogmaster (An Add-On)
    2. B. Linux Security Index—Past Linux Security Issues
      1. Summary
    3. C. Other Useful Linux Security Tools
    4. D. Sources for More Information
      1. Linux Security Patches, Updates, and Advisories
      2. Mailing Lists
      3. Usenet Newsgroups
        1. Secure Programming
        2. General Web Security
        3. General Security Resources
        4. RFCs of Interest
    5. E. Glossary