This section briefly reviews Unix network security. We cover TCP wrappers, NFS/NIS, backups, and X Windows, building the foundation for the section that follows ("Unix Hardening").
11.4.1 TCP Wrappers
While not standard for all flavors of Unix, TCP wrappers, written by Wietse Venema and Dan Farmer, are shipped with many distributions. TCP wrappers provide a versatile network access control facility. This security mechanism consists of the executable file (usually /usr/bin/tcpd) and a shared library. The tcpd is started by the Internet superserver inetd (the standard for most Unix variants). If TCP wrappers are used, /etc/inetd.conf looks like this:
pop-3 stream tcp nowait root /usr/sbin/tcpd qpopper
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
In this case, access to POP3 and telnet is controlled by TCP wrappers (tcpd present) and access to the ident daemon is not (unless it can be compiled with the TCP wrapper library). The library allows the programs to be built with TCP wrapper support. For example, sendmail is often built this way. In either case, the program or the tcpd checks the configuration files /etc/hosts.allow and /etc/hosts.deny for permissions before starting. TCP wrappers also increase the amount of useful logging information by recording the failed and successful attempts to log in to the system, even via services that normally do not create logfile records (such as POP3). Examples of this are as follows:
This file denies access to everybody for all services that check the file. "Default-deny" is always the best network access control policy. The next file (hosts.allow) is checked first:
sshd: 127.0.0.1 .example.edu 111.11.
popper: .example.edu .others.edu machine.yetanother.edu
in.ftpd: trustuser@cs.example.edu
This excerpt shows that access to SSH is allowed from localhost (IP address 127.0.0.1), from all machines in a particular domain (all machines from "example.edu"), and from all machines with an IP address in a particular class B (111.11.0.0 to 111.11.255.255). Users from example.edu and other university domains can check their email via the POP3 protocol (popper daemon). Finally, FTP is only allowed for a single user (local username "trustuser") and from a single host (host cs.example.edu).
TCP wrappers should always be configured (even if a firewall is used), since they provide another layer of defense.
TCP wrappers run on most variants of Unix and are included by default (in the form of a binary or a libwrap library) in Linux and some others. While newer Red Hat Linux flavors run xinetd and there is no obvious relation to TCP wrappers in the files, they do all the work in the form of the libwrap library.
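The lookup order described above (hosts.allow first, then hosts.deny, otherwise access is granted) can be modelled in a few lines of shell. This is an added example, not code from the book or from the TCP wrappers distribution: the function names are hypothetical, the sample rules are constructed from the excerpt above, and "ALL: ALL" is the usual way to write the default-deny hosts.deny file.

```shell
#!/bin/sh
# Simplified model of the hosts.allow / hosts.deny lookup order (added example).
# Supports daemon names, ALL, ".domain" suffixes, "a.b." address prefixes and
# exact strings only; user@host, netmasks, EXCEPT and options are left out.

match_client() {    # PATTERN HOST IP -> 0 when the client matches PATTERN
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;    # domain suffix
        *.)  case "$3" in "$1"*) return 0 ;; esac ;;    # address prefix
        *)   if [ "$1" = "$2" ] || [ "$1" = "$3" ]; then return 0; fi ;;
    esac
    return 1
}

file_matches() {    # FILE DAEMON HOST IP -> 0 when some line matches
    [ -r "$1" ] || return 1          # a missing file is treated as empty
    while IFS=: read -r daemons clients; do
        for d in $daemons; do
            if [ "$d" = ALL ] || [ "$d" = "$2" ]; then
                for c in $clients; do
                    if match_client "$c" "$3" "$4"; then return 0; fi
                done
            fi
        done
    done < "$1"
    return 1
}

tcpd_decision() {   # DIR DAEMON HOST IP -> prints "allow" or "deny"
    if file_matches "$1/hosts.allow" "$2" "$3" "$4"; then echo allow
    elif file_matches "$1/hosts.deny" "$2" "$3" "$4"; then echo deny
    else echo allow                  # matched nowhere: access is granted
    fi
}

make_sample() {     # DIR: write the constructed sample rules
    printf '%s\n' 'sshd: 127.0.0.1 .example.edu 111.11.' \
        'popper: .example.edu .others.edu machine.yetanother.edu' \
        > "$1/hosts.allow"
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}

demo=$(mktemp -d) && make_sample "$demo"
tcpd_decision "$demo" sshd host.example.edu 192.0.2.10      # listed in hosts.allow
tcpd_decision "$demo" sshd unknown.example.net 203.0.113.5  # caught by hosts.deny
rm -f "$demo/hosts.deny"                                    # default-deny file removed
tcpd_decision "$demo" sshd unknown.example.net 203.0.113.5  # nothing matches any more
rm -rf "$demo"
```

The last call shows why the default-deny hosts.deny matters: with that file absent, a client that matches nothing in hosts.allow is still let through.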
Network Filesystem (NFS) and Network Information Services (NIS) are present in many Unix environments. NFS is a network-aware filesystem developed by Sun Microsystems. It is used for sharing disks across the network. Older versions of NFS (still in wide use) use UDP; the newer NFSv3 can use TCP.
NFS has many security implications. First, attackers using a sniffer can capture files transmitted over NFS. A dedicated NFS sniffer is a part of the dsniff toolkit by Dug Song. This "filesnarf" tool saves files transmitted over NFS on a local disk of the machine running the tool.
There are more NFS security tricks related to unsecured file shares exposed to the Internet and some privilege escalation attempts (usually due to NFS misconfiguration). NIS also has a history of security problems. The most significant of these is the ability of attackers to capture login credentials (such as usernames and encrypted passwords) even when they know only the NIS domain name.
Why are backups considered a security mechanism? Because they are the last line of defense against security breaches. Even the SANS/FBI Top 20 Vulnerabilities (http://www.sans.org/top20.htm) lists inadequate backups as one of the most common problems. When a system is violated, filesystems are corrupted and firewalls are breached; if you have backups, you can simply pop the trusted tape into the drive and everything goes back to normal, as if by magic (note that you must perform forensics at once, or you'll have to keep pulling out that backup tape). Of course, the process is likely to be a bit more complicated. The disks might need to be formatted, the operating system must be installed from the vendor media, patches have to be applied, and then the data must be restored from the backup. Additionally, it is worth checking that the problem that caused the incident is not being restored, as has reportedly happened with recent viruses in some organizations. Reinfection by your own tape is an unpleasant thing to happen to a security administrator. It makes sense to first check at least the executable and system configuration files (if any) about to be restored. Such checks may be performed by comparing the files with known good copies or by using integrity-checking software such as Tripwire or AIDE.
Choice of media for backups is a complicated question that is beyond the scope of this book. Hard disk drives, CD-ROMs, Zip and Jaz drives, and various tapes all have their uses as backups. Network backup using rsync-like tools also can be valuable for your environment.
Unix backups are easy to do. Many tools in the system provide backups. We briefly touch upon tar, cpio, dump, and dd.
tar is an old Unix archival tool. It has a vast number of command-line options. The minimum functionality allows you to archive a chosen directory, optionally compress the archive, and write it to disk or tape.
First, create a compressed archive of /home and write it to /backup as home.tar.gz:
tar czf /backup/home.tar.gz /home
Then unpack the archive with the above file in place:
tar xzf /backup/home.tar.gz
afio (a modern version of a classic cpio) allows you to archive a predefined list of files. The main advantage of afio over tar is that the tar archive can only be compressed as a whole. If a media error occurs, the entire archive is destroyed. afio allows you to compress files individually before they are archived. Thus, an error only damages one compressed file.
dump is another old favorite. It can be used to back up the whole partition on tape or disk and then to restore it via a restore command.
Here's an example of dump:
dump 0f /dev/rmt0 /home
Restore the above dump in the current directory (Linux):
restore xf /dev/rmt0
In addition to the full mode used in the example, dump and restore have an incremental mode that allows you to back up only the data that has changed since the previous backup.
dd is not strictly a backup tool. It allows disk-to-disk copying in order to create mirrors of the current disks. If you have two identical disks, the command allows you to create an exact copy, which is useful for cold-swapping the disk in case of failure. Simply replace the disk with a copy produced by dd, and the system should boot and run as before. It creates identical partitions and boot sectors, which requires that the disk drives be of identical make and size.
Here is how to create a mirror copy on the identical disk:
dd if=/dev/hda of=/dev/hdb bs=1024k
Obviously, the target partition needs to be unmounted before running the dd command, and all its data will be replaced.
Even though backing up is easy, all backup media should be verified. Do not become the subject of the famous Unix joke: "Backups are just fine, it's the restores we have problems with." Many Unix horror stories involve missing or inadequate backups. Look for the document called "Unix Administration Horror Story Summary" in your favorite search engine for some vivid lessons on the importance of backup procedures. Verifying backups is a crucial step. Just thinking that you have a backup does not protect you from damage.
Backups must be done often in order to minimize data loss. Even though frequent, full backups are often impossible, the important Unix files (such as those located in the /etc directory) should be saved as frequently as possible. Backups and restores should also be done intelligently. Don't restore with a virus-infected backup. You can sometimes prevent such a thing from happening by using tools such as Tripwire, or by not restoring anything that might cause reinfection (i.e., restore the data, but not the programs). That is, unless you are good enough to disinfect your drive manually.
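One way to carry out the verification and known-good comparison described above with standard tools, shown as an added example that is not from the book: a SHA-256 manifest is recorded when the tar archive is made, and the archive is later unpacked into a staging directory and checked against it before anything is restored. The function names, return codes and sample tree are assumptions made for the illustration, and sha256sum stands in here for an integrity checker such as Tripwire or AIDE.

```shell
#!/bin/sh
# Added example: record a SHA-256 manifest when the backup is taken, then check
# an archive against it in a staging directory before anything is restored.

make_backup() {     # SRC_DIR ARCHIVE MANIFEST (keep MANIFEST off the backup media)
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2) > "$3" &&
        tar czf "$2" -C "$1" .
}

# verify_backup ARCHIVE MANIFEST
# returns 0 = matches the manifest, 1 = a file changed or is missing,
#         2 = archive unreadable, 3 = archive holds files not in the manifest
verify_backup() {
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    stage=$(mktemp -d) || return 2
    rc=0
    if ! tar xzf "$1" -C "$stage" 2>/dev/null; then
        rc=2
    elif ! (cd "$stage" && sha256sum -c "$manifest" >/dev/null 2>&1); then
        rc=1
    elif [ "$(find "$stage" -type f | wc -l)" -ne "$(wc -l < "$manifest")" ]; then
        rc=3
    fi
    rm -rf "$stage"
    return "$rc"
}

# Constructed sample data: a small tree standing in for /home.
work=$(mktemp -d)
mkdir -p "$work/src/bin" "$work/src/etc"
echo 'PermitRootLogin no' > "$work/src/etc/sshd_config"
echo 'original program' > "$work/src/bin/tool"
make_backup "$work/src" "$work/good.tar.gz" "$work/manifest.sha256"

echo 'modified program' > "$work/src/bin/tool"      # stands in for an infected binary
tar czf "$work/tampered.tar.gz" -C "$work/src" .
head -c 20 "$work/good.tar.gz" > "$work/truncated.tar.gz"   # stands in for a media error

for a in good tampered truncated; do
    if verify_backup "$work/$a.tar.gz" "$work/manifest.sha256"; then
        echo "$a: verified, safe to restore"
    else
        echo "$a: verification failed (code $?), do not restore"
    fi
done
rm -rf "$work"
```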
11.4.4 X Window System
Although the X Window system (also known as X Windows) is a part of a graphical user interface (GUI), it is tightly related to networking: X Windows was designed to provide a universal method of accessing system resources from the localhost as well as across networks. The X Window system usually has a port (6000 TCP) or a set of ports (6000 and up) open. While no recent remote exploits for popular X implementations have surfaced at the time of this writing, several denial-of-service application crash attacks against X have been reported. Other X components (such as an XFS font server) can also be listening to ports and could be vulnerable to network intrusions.
Additionally, the X protocol is cleartext and thus subject to eavesdropping. Attackers can sometimes capture keypresses and mouse movements and can even display X contents. Fortunately, X traffic may be forwarded using SSH. In fact, if the SSH connection is established to a server, all X connections are forwarded over the secure tunnel (provided the configuration option is set). Note that bugs in this functionality have enabled certain attacks against SSH to succeed in an older version of OpenSSH.