2.2 The Seven Most Deadly SinsThese are the seven common problems most likely to allow major damage to occur to your system or bank account. If any of these are currently a problem on your systems, you should take care of them immediately.[5]
2.2.1 Weak and Default Passwords (#1)As a system administrator, you are aware of the system breaches possible on your Linux machine. You have taken the time and effort to devise a difficult-to-guess password that uses at least eight characters, uses both letters and numbers, upper- and lowercase letters, and possibly some punctuation. Your root password is awesome no one could guess it in a hundred years. (OK, some obsessive with a decrypt package could destroy it in a few days except that you use shadow passwords, but that is another story.) How are your users doing? Choke, cough, gag, hack. Every account is a possible entry point. Have your users followed your advice, company policy, or threats to devise a good password? Are they being as careful as you are? Probably not. Now it is your turn to don the black hat and think like your enemy.
Using programs like crack (which cracks passwords), can you break into your users' accounts? You definitely will need to get written management approval to conduct this level of security audit. There are notable cases of unauthorized audits landing people in jail or at least on the unemployment rolls. Randal Schwartz is one. You might even install a module in the passwd program that automatically tries to break a user's proposed new password. Though the standard passwd program makes very simple tests, there are more sophisticated routines that include much of crack's capability. One way to do this is to make use of the cracklib capability in the Pluggable Authentication Modules (PAM) enhancements to the passwd program. The cracklib library analyzes passwords to determine whether they are easily crackable. PAM offers additional security for Linux systems and other operating systems too. Edit the /etc/pam.d/passwd file to include: passwd password requisite /usr/lib/security/pam_cracklib.so retry=3 passwd password required /usr/lib/security/pam_pwdb.so use_authtok This will cause the PAM-enabled passwd program to load these dynamically loadable program libraries. PAM now is standard with Red Hat. On some systems these are in /lib instead of /usr/lib. There is more documentation on configuring PAM-enabled utilities at: www.kernel.org/pub/linux/libs/pam/ Another good source for PAM information is: www.sun.com/software/solaris/pam/ On Slackware, this capability will be enabled if the following line is present in /etc/login.defs (and the dictionary is installed): CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict See also "Restricting Login Location and Times" on page 315.
2.2.2 Open Network Ports (#2)Just as every account on your system is a potential path for a cracker, every network service is a road to it. Most Linux distributions install "tons" of software and services by default. They deliberately prefer "easy" over "secure." Many of these are not necessary or wanted. Take the time to remove software and services you do not need. Better still do not install them to begin with. To find out what services are being run, use the netstat -atuv command or use the ports program discussed in "Turn Off Unneeded Services" on page 86. Either will list all open ports on your system. Even a home system can have dozens or hundreds of ports open. A large Web server could have many more. If there are services listed that you do not want to be provided by this box, disable them. Many distributions offer a Control panel to do this easily, including Red Hat and Mandrake. You might want to remove the binaries from the disk or chmod them to 0, especially any that are set-UID or set-GID. NFS, finger, the shell, exec, and login r* services (rsh, rexec, and rlogin), FTP, telnet, sendmail, DNS, and linuxconf are some of the more popular services that get installed by default on many Linux distributions; at least some of these should not be enabled for most systems. Most of these are controlled by the inet daemon, inetd; these can be disabled by editing the /etc/inetd.conf file. You do not need the FTP or telnet daemons to use the respective clients to connect into other systems. You do not need the sendmail daemon listening on port 25 to send mail out or to send mail to local users or to download mail via POP or IMAP. (You do need to invoke sendmail periodically to de-spool delayed outgoing mail. The techniques are explained in "Hardening for Very High Security" on page 306.) You only need DNS (named, the name daemon) if other systems will be querying yours for this data. Most programs running on your own system will be very happy to read /etc/resolv.conf and query your ISP's or organization's main DNS server instead of contacting a named process running on your system. Coincidentally named's ports are some of the most popular ports that crackers use to break into systems. If you do need to run named, use the recently added facilities that allow it to chroot itself and switch to a nonroot user. All these services, except the normal installation of NFS,[6] DNS, and sendmail, are started on demand by inetd. They may be turned off by commenting out their entries in /etc/inetd.conf. Many distributions offer a Control panel or Linuxconf to do this easily, including Red Hat and Mandrake. The standalone services are turned off by altering their entries under /etc/rc.d.
On Red Hat based systems, issue the following commands to shut down portmap and prevent it from being restarted on reboot. Even as late as Red Hat 7.3 on a standard non-server install, the evil portmap is invoked. /etc/rc.d/init.d/nfs stop /etc/rc.d/init.d/nfslock stop /etc/rc.d/init.d/portmap stop chkconfig --del nfs chkconfig --del nfslock chkconfig --del portmap An alternative tool is the ASCII menu-based ntsysv program. Like chkconfig, ntsysv only manipulates the symbolic links under /etc/rc.d/rc[0-6].d so you also will need to explicitly shut down the service. To do both of these issue the commands: /etc/rc.d/init.d/portmap stop ntsysv On other distributions that use the System V-style of startup scripts (/etc/rc.d/rc[0-6].d directories for Red Hat derivations and /etc/rc.[0-b].d for Debian), rename the appropriate script under rcX.d (X usually is 3) that starts with a capital-S and has the service name in it. For example, cd /etc/rc.d/rc3.d mv S11portmap K11portmap Just as only scripts starting with "S" are invoked when entering the respective run level, scripts starting with "K" are invoked when exiting that run level. This is to turn off daemons that should run only in that run level. For example, this mechanism will turn off sshd, the SSH daemon, when switching from run level "3" (multiuser with networking) to run level "s" (single-user mode). Just as a selected Ssomething script can be disabled by renaming to ssomething, one of these latter scripts can be renamed from Ksomething to ksomething to disable it. On Slackware and similar systems, simply comment out the lines that start them in /etc/rc.d/*. The grep program may be used to find these. Be sure to terminate any of these services that currently are running on your system after altering the configuration files. If you do not want to bother with kill, a simple reboot will do this and verify that the configuration files were correctly altered. (A set of available rescue disks before this reboot would be a fine idea.)
To remove these services from your system, you can use your distribution's package manager to delete them. Red Hat based installations (Red Hat, Mandrake, Caldera, Yellow Dog, TurboLinux) use RPM. Debian-based distributions (Debian and Corel) use dpkg. SuSE uses YAST and Slackware uses pkgtool. Linux is like the Swiss Army knife of networking it has one or two tools of mass destruction that get used all the time, others that are used less often, and some that are never used. Unlike the Swiss Army knife, you can slim down Linux to just the services you need, and discard those you do not. I will never use the awl or corkscrew on my knife just like I will never use rsh or finger. Decide which ports you want to have open (such as www and ftp) and close the rest. Closing unnecessary ports makes your system more secure and perform better. 2.2.3 Old Software Versions (#3)Linux is not perfect. There are new vulnerabilities being found monthly.[7] Do not despair, though. The speed with which problems are found and fixed in Linux is the fastest on the planet. Your challenge as an administrator is to keep up with the changes.
Each distribution has a mailing list that you can (and should) subscribe to, where security bulletins are issued, and an FTP or Web site at which the fix will be available. Also, there are the independent security mailing lists, such as Bugtraq and X-Force's Alert, that are excellent. Get yourself tapped into those mailing lists.
Other good sources of Linux security information are: www.lwn.net/ http://linuxtoday.com/ They are distribution-neutral and carry all the major distributions' security advisories. There is much more information on Web resources in Appendix A. One of the beauties of Linux is that when a fix is issued, it is very quick to install, and unless it is in the kernel, your downtime for that service is on the order of seconds or minutes. Rarely, if ever, is a reboot necessary. 2.2.4 Insecure and Badly Configured Programs (#4)The number of security bugs and their severity in commonly used Linux programs have been reduced so dramatically that I have dropped the subject of poor physical security from the most deadly sins. In its place is the use of insecure programs (such as rsh, NFS, portmap, and FTP) in other-than-carefully-controlled situations and the failure to properly configure other programs. These "other programs" are capable of good security only if properly configured. Therefore, the Seven Most Deadly Sins has been updated for the second edition to reflect this. This pushes poor physical security off the list and into the new "must read" section, "Law of the Jungle Physical Security" on page 121. Additionally, Deadly Sin #5, Insecure CGIs, has been merged with this one. This is because, while locally written or adapted insecure CGI programs continue to be a problem, a substantial percentage of problems are due to SysAdmins making use of known insecure features of programs or failing to take advantage of security features. Most SysAdmins know that POP and IMAP (unless wrapped in SSL), telnet, and FTP[8] send passwords in the clear. They know that NFS and portmap have a history of security problems as well as design defects in their authentication. Many use them anyway and then are surprised when they get broken into. Do not do that! Instead, use spop, simap, SSH, and SSH's scp or sftp. See "Replace These Weak Doors with Brick" on page 94, "New Lamps for Old" on page 103, and "United We Fall, Divided We Stand" on page 115.
Many programs are secure only if properly configured, and it is common for SysAdmins to configure them improperly. Sometimes, it is a lack of training and understanding of the risks, while other times use of an insecure feature is deliberate, because "I just gotta have it." A recent case in point is Apache's PHP capability. It has had a recent history of security problems. PHP's security problems have been well publicized, and still some people cannot seem to use it securely or find an alternative. Security and convenience often are contradictory; frequently, a choice must be made. Chapter 4, "Common Hacking by Subsystem," on page 171 and Chapter 6, "Advanced Security Issues," on page 261 may be helpful. Before deciding to deploy a service (i.e., changing what capabilities will be used or how the service will be deployed), research its security. Check its security history and understand how it may be deployed securely. If it cannot be deployed securely, what are the secure alternatives? I still encounter people using FTP who don't realize that sftp is an excellent alternative. Putting an insecure service, in this case NFS, behind a firewall was a good solution for one client. For another, putting its insecure Windows networks behind firewalls, with its different offices linked via a VPN between these same Linux firewalls, offered excellent security. Another client had me configure a firewall with separate subnets for its students, its financial administration and human resources, and the rest of its employees, along with internal and external DMZs. The rest of this section will address CGI problems specifically. A CGI program will allow anyone to access your Web site, good intentions or not. Although other "accepted" servers, such as sendmail and named, will also talk with anyone, the scope of what a client may request is far smaller. While these latter servers have had their share of serious security bugs, those that keep up-to-date (as discussed in "Old Software Versions (#3)" on page 31) have minimal risk. Here are a few hard, fast rules that will help you make your Web site secure. (See "Special Techniques for Web Servers" on page 284 for several ways to increase Web server security.)
2.2.5 Insufficient Resources and Misplaced Priorities (#5)In many organizations, management simply will not approve sufficient resources to allow SysAdmins to provide good security. Good security does not happen by accident. It takes many elements to achieve a truly comprehensive security solution. Education, design, proper implementation, user training, maintenance, and continual vigilance all are required for an organization's system to be secure. When security is not supported (i.e., funded) by an organization, it is frequently limited to what a SysAdmin is willing to do on his own time. Yet, if he is unwilling to spend the time, he certainly will be blamed for any violations. This deadly sin puts the SysAdmin in the middle of problems that are not his direct responsibility. In other words, management will not allow him to make the changes necessary for good security and good business. This may not be a "technical" problem, but I have found it to be the cause of break-ins at numerous organizations. Sadly, most of my clients come to me only after they have suffered a major, expensive break-in. I would much rather help people maintain good security than to do a painful and expensive repair. A lack of resources commonly is due to misplaced priorities. "We have not been broken into and the media exaggerates every danger well beyond the true risk." This is a common belief of those whose organizations have not been broken into. I have deliberately peppered this book with accounts of break-ins in the hope that they may make an impression on management somewhere. Consider making a present to your boss of Bruce Schneier's excellent book, Secrets and Lies: Digital Security in a Networked World. Secrets and Lies is aimed at management and makes a good companion to this book. Some of the examples are the same as in this book, as both books were written at about the same time and they show common fallacies. On a number of occasions, I have warned clients about major security problems only to have them decide that security was not as important as getting that next release out or making nonsecurity computer improvements. Later, they learn the sad reality recovering from a security breach commonly costs ten times as much as having implemented security before the break-in would have cost and they then must spend the money to implement the security. This "ten times the cost" figure represents only the direct cost. It does not account for lost market opportunities, for delayed products, for loss of customers who heard about the security breach and went elsewhere, and for costs to customers and employees who simply could not access your site and e-mail during recovery. It does not account for lost investors or for other consequences of bad publicity, and it most certainly does not account for the damage done to an IT professional's career. What can be done to resolve insufficient resources and misplaced priorities? Spend an hour or two a week working on security as a skunk works[12] project. Demonstrate a Linux firewall, Web server, or VPN. Show how easy it is to update Linux software when patches come in, to use SSH and GPG, to crack most passwords, or attack a Wi-Fi wireless network. Do scans of your network from your home system (using nmap with the -O flag) to show how open your network is. Install Snort and Portsentry outside of your firewall (if any) to show how much your network is attacked.
Talk with your colleagues to find accounts of problems and relay them to your management. Have a good consultant, or other trusted outside source, do a security audit of your company and recommend improvements. Never give up. Never surrender.[13] Giving up leads to procrastination and results in compromised systems. That is the dark side of The Force. Finger pointing is a popular game after a major problem.
Misplaced priorities also can mean using Microsoft because "We are a Microsoft shop," disregarding that it may not have sufficient security for servers accessible from the Internet.
2.2.6 Stale and Unnecessary Accounts (#6)As discussed before, each account is a possible entry point into the system. Imagine, for a moment, that you realize your system has been compromised and you have to send a message to everyone to change their passwords immediately.
A stale account's password will not be changed, thereby leaving a hole. If they have data that needs to be reassigned, disable their account by putting a "*" or "!!" in the ex-user's password field in the /etc/passwd file. This disables logging in via that account because no password encrypts into either of these values and shadow password-enabled code understands these sequences. Get things cleaned up as soon as possible. Make sure that no set-UID or set-GID programs or publicly readable or writable files containing confidential data remain owned by that account. Issuing chmod 0 /home/someone find / -user someone -ls is a good start. Note that the user may have a mailbox, entries on mailing lists, files in the print spool directory, accounts in various applications, etc. that will need to be attended to. Note that some of the services you removed (while correcting an earlier sin) have accounts in the /etc/passwd file. When you remove that service, make sure that the /etc/passwd account is also removed or disabled. Some of the notables are FTP, NFS, uucp, mail, gopher, and news. If you do not need them, get rid of them. 2.2.7 Procrastination (#7)In many reports of intrusions the SysAdmin says, "I meant to install...TCP Wrappers...a newer version of...a firewall...meant to turn off NFS..." Clearly they knew, at least vaguely, what had to be done but delayed until it was too late. Sure, you have more responsibilities than time, but consider setting aside an hour twice a week to upgrade security. This book is organized so that it may be used as a workbook, with the most urgent and fundamental problems discussed first. This allows you to pop a book marker in it and advance the marker every few days. |
Top |