Log Files - Chep 2000 Home Page

Security Issues in HP-UX and Linux
Kwang H. Paick
kwang@hp73.pvamu.edu
Prairie View A&M University
chep2000
kwang paick
1
Common Attacks
• Physical access
• Access to the command line
• Network access
Security Setup
1. Physical security
2. File and Directory Permission
3. User Accounts
4. Log Files
5. Correct network configuration
I. Physical Security
• Physical access
• BIOS and Console Passwords
• Anti-theft devices
Most Unix systems are not secured because
• Default installation includes a wide range
of vulnerabilities
• Software patches are not installed, and
• Systems are not well maintained
II. File and Directory Permissions
HP-UX 10.20 systems contain more than 20,000 files
The most common permission problem is write access for group or other on almost any file or directory in the base installation
Some files and directories require group or other ‘write’ permission
e.g. temporary directories (group and other)
Spool directories for the lpr system must be group writable
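The check behind this slide, as an added example (not part of the original presentation): walk a tree, report every entry with a group or other write bit, and skip the paths that legitimately need it. The allowed list and the fixture tree are constructed for the example; the allowed prefixes would be tuned to the system being audited.

```shell
#!/bin/sh
# Added example, not from the slides: report everything under a tree that is
# writable by group or other, except paths that are expected to be (the temp
# and lpr spool directories the slide mentions). The allowed list is a
# constructed policy; adjust it for the system being audited.

# Relative paths whose group/other write bits are legitimate (constructed).
ALLOWED_WRITABLE='tmp var/tmp var/spool/lp'

# Return 0 if $1 (a path relative to the audited root) is under an allowed prefix.
is_allowed() {
    for a in $ALLOWED_WRITABLE; do
        case "$1" in
            "$a" | "$a"/*) return 0 ;;
        esac
    done
    return 1
}

# Print, sorted, every entry under root $1 with a group (020) or other (002)
# write bit set that is not covered by the allowed list.
find_bad_writable() {
    root=$1
    find "$root" \( -perm -020 -o -perm -002 \) -print | while IFS= read -r p; do
        rel=${p#"$root"/}
        if [ "$rel" = "$root" ]; then continue; fi   # the root directory itself
        if ! is_allowed "$rel"; then printf '%s\n' "$rel"; fi
    done | sort
}

# Build a small constructed tree that mixes expected and unexpected write bits.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/var/spool/lp" "$d/home/alice"
    touch "$d/etc/passwd" "$d/etc/hosts.equiv" "$d/tmp/scratch" "$d/var/spool/lp/job1"
    chmod 755 "$d/etc" "$d/home" "$d/var" "$d/var/spool"
    chmod 644 "$d/etc/passwd"
    chmod 666 "$d/etc/hosts.equiv"                                  # unexpected: world writable
    chmod 1777 "$d/tmp"; chmod 666 "$d/tmp/scratch"                 # expected for a temp dir
    chmod 775 "$d/var/spool/lp"; chmod 664 "$d/var/spool/lp/job1"   # expected for the lp spool
    chmod 775 "$d/home/alice"                                       # unexpected: group-writable home
    printf '%s\n' "$d"
}

fx=$(make_fixture)
echo "Unexpected group/other-writable entries:"
find_bad_writable "$fx"
rm -rf "$fx"
```

Run against a real root the output is the list to review by hand; anything not on the allowed list is either a candidate for chmod or a new entry for the policy.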
Common Permission Problems
The number one problem has been ownership of the /etc directory by bin
• the /etc directory must be owned by root, and writable only by the owner
• HP-UX systems allow bin to own many other directories as well (only 48 out of 1200 directories were not owned by bin)
HP-UX and ACLs
HP-UX includes the ability to provide a finer degree of access control through access control lists
A user-group pair is written as user.group
• The symbol % represents no particular user or group:
(u.g, rwx)   specific user, specific group
(u.%, rwx)   specific user, no specific group
(%.g, rwx)   no specific user, specific group
(%.%, rwx)   no specific user, no specific group
HP-UX and ACLs
• Most backup utilities ignore the ACL information for compatibility with POSIX standards
• Only the fbackup and frecover file archive utilities handle access control lists properly
• Change ACLs with the chacl command; list them with lsacl
ls -l marks a file that carries optional ACL entries with a trailing +:
-rw-r--r--+   xx
lsacl xx
(lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx
ACLs are rarely used.
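To connect the ACL notation to the group/other write problem of the previous slides, here is an added example (not from the presentation) that parses the lsacl line shown above into user, group and mode, and flags entries that grant write access without naming a specific user (the %.g and %.% forms). It assumes the lsacl layout on the slide, "(u.g,mode)(u.g,mode)... filename", with no dots in user names; the second, looser ACL line is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: parse one line of HP-UX lsacl output into
# "user group mode" triples and flag entries that grant write access without
# naming a specific user (the %.g and %.% forms), which widen write access the
# same way group/other write bits do. Assumes the format shown on the slide:
# "(u.g,mode)(u.g,mode)... filename", with no dots in user names.

# One "user group mode" line per ACL entry of the lsacl line $1.
acl_entries() {
    # drop the trailing file name, turn ")(" into a space, strip parentheses,
    # one entry per line, then "u.g,mode" -> "u g mode"
    printf '%s\n' "$1" \
        | sed -e 's/ [^ ]*$//' -e 's/)(/ /g' -e 's/[()]//g' \
        | tr ' ' '\n' \
        | sed -e 's/\./ /' -e 's/,/ /'
}

# Entries whose mode contains w and whose user part is %, printed as "%.g mode".
acl_broad_write() {
    acl_entries "$1" | while read -r u g m; do
        case "$m" in
            *w*) if [ "$u" = '%' ]; then printf '%%.%s %s\n' "$g" "$m"; fi ;;
        esac
    done
}

SAMPLE_ACL='(lon.%,rw-)(don.%,rw-)(%.hep,r--)(%.%,r--) xx'   # the slide's example
LOOSE_ACL='(lon.%,rw-)(%.hep,rw-)(%.%,r--) xx'               # constructed: group hep may write

echo "Entries in the slide's example:"
acl_entries "$SAMPLE_ACL"
echo "Broad write grants in the constructed example:"
acl_broad_write "$LOOSE_ACL"
```

For the slide's own line the second function prints nothing: only the two named users hold write access. Fed the output of lsacl over a directory tree, it gives the same kind of list the group/other write check gives for plain modes.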
III. User Accounts
User accounts must be maintained correctly
• The accounts’ database must be checked for
correctness
• New accounts must be monitored, and old accounts
disabled
• Accounts with unusual user-ids checked
• User home directories correctly configured
• Passwords “checked” and protected
/etc/passwd
Must be readable by all, but writable only by root
• Any account with a user id of zero is granted root’s privileges
• The home directory should exist, be owned by the user, and not be writable by group or other
• Using a temporary directory as the home directory is a security problem
• The COPS tool can check the existence, ownership and permissions of each home directory
Home Directory
Shell startup files must specify a safe PATH:
• System directories before any local directories
• DOT last if present in PATH (makes Trojan horses less effective)
• root PATH
– Never have DOT in root’s PATH
– Never include writable directories in the search path
• umask
– user’s default umask: 033
– root’s umask: 077
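The PATH rules above, turned into a check as an added example (not part of the presentation): it reports the current directory (DOT or an empty entry) when it is not last, or anywhere at all when auditing root; relative entries; local directories placed before the system directories; and directories writable by group or other. The list of system directories is an assumption made for the example, GNU stat is assumed for reading modes, and the two directories used for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: audit a PATH value against the rules on
# this slide. Reports the current directory (DOT or an empty entry) when it is
# not last, or anywhere at all for root; relative entries; local directories
# that precede the system directories; and directories writable by group or
# other. SYSTEM_DIRS is a constructed assumption; GNU stat (-L -c) is used.

SYSTEM_DIRS='/bin /usr/bin /sbin /usr/sbin'

is_system_dir() {
    for s in $SYSTEM_DIRS; do
        if [ "$1" = "$s" ]; then return 0; fi
    done
    return 1
}

# audit_path PATHVALUE [root]  ->  one finding per line: "KIND index detail"
audit_path() {
    path=$1
    who=${2:-user}
    # count entries; "$path:" keeps a trailing empty entry (= current dir) visible
    total=0
    rest="$path:"
    while [ -n "$rest" ]; do rest=${rest#*:}; total=$((total + 1)); done
    i=0
    seen_system=0
    rest="$path:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        i=$((i + 1))
        if [ -z "$entry" ] || [ "$entry" = . ]; then
            if [ "$who" = root ]; then
                printf 'DOT %d root PATH must not contain the current directory\n' "$i"
            elif [ "$i" -ne "$total" ]; then
                printf 'DOT %d current directory is not last\n' "$i"
            fi
            continue
        fi
        case "$entry" in
            /*) ;;
            *) printf 'RELATIVE %d %s\n' "$i" "$entry"; continue ;;
        esac
        if is_system_dir "$entry"; then
            seen_system=1
        elif [ "$seen_system" -eq 0 ]; then
            printf 'ORDER %d %s precedes the system directories\n' "$i" "$entry"
        fi
        if [ -d "$entry" ]; then
            case "$(stat -L -c %a "$entry")" in     # group or other write bit set
                *[2367]? | *[2367]) printf 'WRITABLE %d %s\n' "$i" "$entry" ;;
            esac
        fi
    done
}

# Constructed directories: one world-writable, one with a sane 755 mode.
WW_DIR=$(mktemp -d); chmod 777 "$WW_DIR"
OK_DIR=$(mktemp -d); chmod 755 "$OK_DIR"

echo "user PATH:"; audit_path ".:$OK_DIR:/usr/bin:$WW_DIR:/bin"
echo "root PATH:"; audit_path "/usr/bin:/bin:." root
rmdir "$WW_DIR" "$OK_DIR"
```

An empty entry ("::" or a leading or trailing colon) is treated exactly like DOT, because the shell searches the current directory for it; this is the case most people miss when they only grep a PATH for a literal dot.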
Home Directory
Dangerous startup files permitted
• A .rhosts file permits a user to control who may log into their account remotely via the “r” commands
• The .netrc files contain unencrypted passwords for remote logins.
COPS and TIGER check for these problems, as do commercial tools
Shadow Password
A goal in many attacks is to get a copy of the encrypted passwords in the /etc/passwd file
• These attacks can be foiled by moving the encrypted passwords into a different file, readable only by root
• These files have the generic name shadow password files
Shadow Password
Some versions of UNIX come with shadow files, others must be converted
• Solaris uses /etc/shadow by default
• Linux uses /etc/shadow after conversion
• pwconv - merges old /etc/passwd records into a new shadow database
• pwck - verification and synchronisation between /etc/shadow and /etc/passwd
• pwunconv - back to /etc/passwd
Shadow Password
Arguments against Shadowing
• Makes account management more difficult, as the /etc/passwd file can no longer just be edited
• Account information gets scattered among many files if converted
• Crashing an FTP server can reveal the shadowed passwords in the core file
IV. Log Files
Need to know where they are and what they contain
• Check permissions and ownership
• See how often they are rotated/truncated
• Monitor log file contents
• Archive important logs
Log Files
The wtmp files log user logins and logouts, date changes, start or stop of system accounting, and reboots
• /etc/wtmp
• /var/adm/wtmp -- 10.20, old Linux
• /var/log/wtmp -- Linux
Log Files
Effect of the su command on /var/adm/wtmp
• When su is used, it creates a new process with both the real UID and the effective UID altered.
• su does not change the /var/adm/wtmp file, and the finger command will continue to display the account you logged in as, not the one you su'ed to.
Log Files: wtmp files
• Grow until no space
• Pruning the wtmp file: move the old log aside, then zero the live file
• rm /var/adm/wtmp.old
• mv /var/adm/wtmp /var/adm/wtmp.old
• cp /dev/null /var/adm/wtmp
Log Files
• Hack tools
– Hacker tools (zap) delete entries matching a user name by replacing the record with nulls
• There are also zap detectors
– chkwtmp at COAST
Log Files:Last Login
lastlog file
• /var/log/lastlog -- Linux
• /usr/sbin/acct/lastlog -- 10.20
lastlogin - keeps a record of the date each person last logged in
bug - the date shown is usually 1 more than it should be because lastlogin is run at 4am and checks the last 24 hrs worth of process accounting info (in pacct)
Log Files:Bad Login
Bad login attempts
The trouble is that these logs often contain
passwords
Look for /etc/btmp on HP-UX
Make certain that these files are readable only by root, if they exist
Log Files:su Login
UNIX systems will always log the use of the su command
• Located in /var/log
• /var/adm/sulog (10.20)
• /var/adm/messages
Log Files:su Login
SU 01/31 20:08 + tty?? root-lon
SU 02/01 14:56 + tty?? root-dan
SU 02/01 16:06 + ttyp2 dan-kwang
SU 02/01 16:06 - ttyp2 babar-root
SU 02/01 16:06 + ttyp2 babar-root
SU 02/01 16:28 + tty?? root-babar
These logs are useful to both attackers and defenders:
• Attackers can learn who knows the root password
• Defenders can learn the same thing
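What the defender's reading of the sulog looks like in practice, as an added example (not part of the presentation): the six lines above are used as input, and three small awk functions report who reached root, the failed attempts, and a success/failure count per from->to pair. The field layout assumed is the one on the slide: "SU date time +|- tty from-to".

```shell
#!/bin/sh
# Added example, not from the slides: read an HP-UX style sulog and show what
# a defender looks for: who reached root, the individual failures, and how
# often each from->to pair succeeded (+) or failed (-). The log lines are the
# ones on the slide, embedded here as sample input. Field layout assumed:
# "SU date time +|- tty from-to".

SAMPLE_SULOG='SU 01/31 20:08 + tty?? root-lon
SU 02/01 14:56 + tty?? root-dan
SU 02/01 16:06 + ttyp2 dan-kwang
SU 02/01 16:06 - ttyp2 babar-root
SU 02/01 16:06 + ttyp2 babar-root
SU 02/01 16:28 + tty?? root-babar'

# Per from->to pair: number of successful and failed su attempts, sorted.
# Reads the files given as arguments, or stdin when there are none.
sulog_summary() {
    awk '$1 == "SU" && NF >= 6 {
            split($6, p, "-")
            key = p[1] " -> " p[2]
            seen[key] = 1
            if ($4 == "+") ok[key]++; else bad[key]++
         }
         END { for (k in seen) printf "%s ok=%d failed=%d\n", k, ok[k] + 0, bad[k] + 0 }' "$@" | sort
}

# Accounts that successfully became root: the "from" side of every "+ ... X-root" line.
sulog_root_users() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ { sub(/-root$/, "", $6); print $6 }' "$@" | sort -u
}

# Failed attempts, one per line: "date time from -> to".
sulog_failures() {
    awk '$1 == "SU" && $4 == "-" { split($6, p, "-"); print $2, $3, p[1], "->", p[2] }' "$@"
}

sample=$(mktemp)
printf '%s\n' "$SAMPLE_SULOG" > "$sample"
echo "Became root:"; sulog_root_users "$sample"
echo "Failures:";    sulog_failures "$sample"
echo "Summary:";     sulog_summary "$sample"
rm -f "$sample"
```

On the slide's data the interesting line is the failed babar-root attempt immediately followed by a successful one: a mistyped password, or a guess that got lucky on the second try. Run daily over /var/adm/sulog, the root-users list is exactly the "who knows the root password" answer the slide talks about.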
sudo
Allows selected users to execute specified commands as root
e.g. eject, mount, reboot, adding new accounts
• prevents possible errors
• means for accountability
• configuration file: /etc/sudoers
Log Files:Syslog
The system log daemon, or syslogd, appears in most UNIX systems
Newer versions of syslog will ignore messages sent from the network by default
• Use the -l flag to enable this behaviour on BSD
• The -r flag is used with Linux
Example syslog.conf entries:
mail.debug              /var/adm/syslog/mail.log
*.info;mail.none        /var/adm/syslog/syslog.log
Log Files:Syslog
Feb 1 17:50:38 hp73 /sbin/init.d/sendmail[1119]: #### rebooted ####
Feb 2 09:24:03 hp73 sendmail[2272]: JAA02272: from=wu, size=9112, class=0, pri=39112, nrcpts=1, msgid=<199902231524.JAA02272@hp73.pvamu.edu>, relay=wu@localhost
Feb 2 14:16:25 hp73 sendmail[22105]: OAA22104: to=<joyum@Bayou.UH.EDU>, ctladdr=<kwang@hp73.pvamu.edu> (207/20), delay=00:00:34, xdelay=00:00:33, mailer=smtp, relay=bayou.uh.edu. [129.7.1.7], stat=Sent (OAA06943 Message accepted for delivery)
Feb 2 14:43:13 hp73 popper[22159]: (v2.1.4-R3) Servicing request from "129.207.217.28" at 129.207.217.28
Feb 2 14:43:41 hp73 popper[22159]: Stats: kwang 0 0 78 1096568
V. Network Configuration
Any server is a potential hole.
• ‘r’ commands
• public services:
– poorly configured anonymous FTP servers
– mail servers
– older versions of Linux
– web servers
Network Configuration
Protecting Data in Transit
• Replace telnet, rlogin, rsh and rcp with ssh, slogin, ssh and scp
• Secure Shell (ssh): use the latest version
– http://www.slac.stanford.edu/comp/unix/ssh.htm
Network Configuration
Anonymous FTP directory permissions
• ftp              555 with root ownership: users may read and execute
• /ftp/bin         555 with root ownership
• /ftp/bin/ls      111 with root ownership: users may execute only
• /ftp/etc         555 with root ownership
• /ftp/etc/passwd  444 with root ownership: users have read-only access
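The table above as a check, added here as an example (not part of the presentation): every listed entry must have exactly the stated octal mode and be owned by root. FTP_OWNER lets the owner expectation be overridden so the check can be exercised on a tree built by an unprivileged user, which is what the constructed fixture does; GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the slides: verify an anonymous FTP tree against the
# modes on this slide. Each entry must have exactly the listed octal mode and
# be owned by root (uid 0); set FTP_OWNER to another uid to test on a tree you
# built yourself, as the constructed fixture below does. Assumes GNU stat.

# "relative-path octal-mode" per line, from the slide; "." is the ftp root.
FTP_SPEC='. 555
bin 555
bin/ls 111
etc 555
etc/passwd 444'

# Print MISSING / MODE / OWNER findings for the tree rooted at $1.
check_ftp_tree() {
    root=$1
    want_owner=${FTP_OWNER:-0}
    printf '%s\n' "$FTP_SPEC" | while read -r rel want_mode; do
        p="$root/$rel"
        if [ ! -e "$p" ]; then
            printf 'MISSING %s\n' "$rel"
            continue
        fi
        have_mode=$(stat -L -c %a "$p")
        have_owner=$(stat -L -c %u "$p")
        if [ "$have_mode" != "$want_mode" ]; then
            printf 'MODE %s have %s want %s\n' "$rel" "$have_mode" "$want_mode"
        fi
        if [ "$have_owner" != "$want_owner" ]; then
            printf 'OWNER %s uid %s want %s\n' "$rel" "$have_owner" "$want_owner"
        fi
    done
}

# Constructed tree with two deliberate faults: bin/ls is 755 instead of 111,
# and etc/passwd is missing. Directories are made read-only last.
make_ftp_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc"
    touch "$d/bin/ls"
    chmod 755 "$d/bin/ls"
    chmod 555 "$d/bin" "$d/etc" "$d"
    printf '%s\n' "$d"
}

# The directories were made read-only, so restore write access before removing.
remove_ftp_fixture() { chmod -R u+w "$1"; rm -rf "$1"; }

fx=$(make_ftp_fixture)
export FTP_OWNER=$(id -u)      # the fixture is owned by whoever runs this
check_ftp_tree "$fx"
remove_ftp_fixture "$fx"
```

The exact-match comparison is deliberate: 755 on bin/ls is "more permissive than 111", and a check that only looked for write bits would pass it.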
Network Configuration:FTP
• FTP bounce attack
• Erroneous file permissions
• The SITE EXEC bug
Create restricted FTP access:
• /etc/ftpusers: restricted users access file; an account whose name appears is denied FTP access
– e.g. bin, daemon, root, uucp, ...
• /etc/ftpaccess: core configuration file
Network Configuration
ftphosts: used to allow or deny access to certain accounts from various hosts (wild cards supported)
• allow [username] [host or host pattern]
• deny [username] [host or host pattern]
• allow doe *.xyz.com
• deny doe *.abc.com
An alternative is to use SSLftp (Secure Sockets Layer); the current version is 0.8
Network Configuration:SMTP
SMTP trusts everyone:
• Protect the server from penetration
• Protect the smtp service from misuse, such as outsiders exploiting your mail server to send spam or fake mail
• Current version 8.9.3
– earlier versions: update ASAP
Network Configuration:SMTP
To check the sendmail version: telnet to port 25 and view the banner
• telnet abc.xyz.edu 25
• ...
• 220 abc.xyz.edu ESMTP 8.9.3/8.9.3; -- version number
Network Configuration:SMTP
Several places recommend replacing sendmail with Qmail
• ftp://moni.msci.memphis.edu/pub/qmail
• The developer offered a $1,000 reward to anyone who could break Qmail.
– Sendmail offers high-powered SMTP service and excellent compatibility with existing UNIX utilities.
– Qmail strives to be small, fast and secure
TOOLS
Security tools that detect system vulnerabilities
• COPS - The Computer Oracle and Password System
Port based scanners
• SATAN (Security Administrator's Tool for Analyzing Networks)
• ISS - Internet Security Scanner
– faster than SATAN; less information
• SAINT - Security Administrator's Integrated Network Tool
– updated version of SATAN
References
Defending against Scanner Attacks
• Courtney - SATAN and SAINT Detector
Sites with Defensive software
• COAST:
– ftp://coast.cs.purdue.edu/pub/tools
– http://www.cs.purdue.edu/coast/archive/Archive_indexing.html
• NIST: http://cs-www-ncsl.nist.gov/tools/tols.htm
References
• NIH http://www.alw.nih.gov/Security/prog-full.htm
• CIAC
– ftp://ciac.llnl.gov/pub/ciac/sectools/unix
– http://ciac.llnl.gov/ciac
• CIRT
– http://www.cert.org
• FIRST
– http://www.first.org
• Trinux tools
– http://www.trinux.org
References
• HP-UX support:
– http://us-support.external.hp.com
– security-alert@hp.com for bulletins
• Linux Security News
– http://security.linuxtoday.com
• Redhat support
– http://www.redhat.com/support/errata
• UNIX support
– http://www.usenix.org
References
Books
– S. Garfinkel, G. Spafford, Practical UNIX Security, 2nd ed., O’Reilly & Associates, Sebastopol, CA, 1996
– Anonymous, Maximum Linux Security, SAMS, Indianapolis, IN, 1999
Monitor SUID and SGID Files
– SUID and SGID Files
• two special file permissions:
• SGID (set group ID, octal 2000 or S)
• SUID (set user ID, octal 4000, or s)
• find / -perm -4000
• the owner’s permissions are enforced even when other users execute them.
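The find command above answers "what is SUID now"; the question a monitor has to answer is "what became SUID since last time". As an added example (not part of the presentation), the block below lists SUID and SGID files as "mode uid path" so the output can be kept as a baseline, and reports entries that appear in the current list but not in the baseline. It assumes GNU stat and comm; the tree it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: list set-UID/set-GID files as
# "mode uid path" so the list can be kept as a baseline, and report files that
# have gained those bits since the baseline was taken. Assumes GNU stat and
# comm; the fixture tree is constructed.

# Sorted "mode uid path" for every SUID or SGID regular file under $1.
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -L -c '%a %u %n' {} + | sort
}

# Lines of the current list under root $2 that are absent from baseline file $1.
suid_new() {
    suid_list "$2" | comm -13 "$1" -
}

# Constructed tree: a is SUID, b is SGID, c is an ordinary executable.
make_suid_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    touch "$d/usr/bin/a" "$d/usr/bin/b" "$d/usr/bin/c"
    chmod 4755 "$d/usr/bin/a"
    chmod 2755 "$d/usr/bin/b"
    chmod 755  "$d/usr/bin/c"
    printf '%s\n' "$d"
}

fx=$(make_suid_fixture)
suid_list "$fx" > "$fx/baseline"
chmod 4755 "$fx/usr/bin/c"          # simulate a file turned SUID after the baseline
echo "New SUID/SGID files since baseline:"
suid_new "$fx/baseline" "$fx"
rm -rf "$fx"
```

Because the listing carries mode and owner, a file whose bits change from 2755 to 4755, or whose owner changes, also shows up as "new" even though its path was already in the baseline. Keep the baseline somewhere the machine being monitored cannot rewrite it.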