Unix security
Encyclopedia
Unix security refers to the means of securing
a Unix
or Unix-like
operating system
. A secure environment is achieved not only by the design concepts of these operating systems, but also through vigilant user
and administrative
practices.
system. All files in a typical Unix-style filesystem have permissions set enabling different access to a file.
Permissions on a file are commonly set using the chmod
command and seen through the ls
command. For example:
-r-xr-xr-x 1 root wheel 745720 Sep 8 2002 /bin/sh
Unix permissions permit different users access to a file. Different user groups have different permissions on a file.
More advanced Unix filesystems include the Access Control List concept which allows permissions to be granted to multiple users or groups. An Access Control List may be used to grant permission to additional individual users or groups. For example:
/pvr [u::rwx,g::r-x,o::r-x/u::rwx,u:sue:rwx,g::r-x,m::rwx,o::r-x]
In this example, which is from the chacl command on the Linux
operating system, the user sue is granted write permission to the /pvr directory.
in order to access the su command.
account. If access to this account is gained by an unwanted user, this results in a complete breach of the system. A root account however is necessary for administrative purposes, and for the above security reasons the root account is seldom used for day to day purposes (the sudo
program is more commonly used), so usage of the root account can be more closely monitored.
Root access "as it should be" can be visualised by those familiar with the Superman
stories using the following analogy
:
and guarding it properly are probably the most important things a user can do to improve Unix security.
In Unix systems, the essential information about users is stored under the file /etc/passwd
. This file keeps track of the users registered in the system and their main definitions. Passwords, or more correctly, the hash of the password, can also be stored in the same place. The entries in /etc/passwd occupy exactly one line each, and have the following form:
nickname:password_hash:UserID:GroupID:Complete_Name:home_dir:shell_bin
An example would be:
xfze:$1$zuW2nX3sslp3qJm9MYDdglEApAc36r/:1000:100:José Carlos D. S. Saraiva:/home/xfze:/bin/bash
Since all users must have read access to this file, in order for the system to check the login password, one security issue was raised: anyone could have read the file and retrieve the password hashes of other users. To solve this problem, the file /etc/shadow was created to store the password hashes, with only root
having read access. Under password shadowing, the /etc/passwd the 2nd field (password hash
) is replaced by an 'x' which tells the system to retrieve the corresponding user's password via the /etc/shadow file.
The /etc/shadow file usually only contains the first two fields:
xfze:$1$zuW2nX3sslp3qJm9MYDdglEApAc36r/:::::
The remaining fields in the /etc/shadow file include:
These fields may be used to improve Unix security by enforcing a password security policy.
based checksum, or the use of read-only media.
From a security standpoint, the specific packaging method, such as the RPM Package Manager
format originally from Red Hat Linux
is not as important as the use of features which ensure the integrity of the patch itself.
distributions which use the RPM Package Manager
format for providing base functionality and software updates make use of MD5
and GPG
to ensure content integrity. The hash values are packaged with the RPM file and verified when the package is installed.
distributions which use the Debian
.deb package format
for providing base functionality and software updates make use of GPG
signatures to ensure content integrity. A signature is computed when the package is constructed and verified later when the package is installed.
The commands inetd
and xinetd
act as super-servers for a variety of network protocols such as rlogin
, telnet
and ftp.
Turning off unnecessary services
This approach is usually called proactive security. There are some operating systems which are secure by default. Amongst others, the free BSD flavours (FreeBSD
, NetBSD
, and OpenBSD
) are proactively secure. For example, the output of netstat on a NetBSD 3.0 workstation clearly outlines this technique:
$ netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.smtp *.* LISTEN
tcp 0 0 *.ssh *.* LISTEN
Active Internet6 connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 0 0 localhost.smtp *.* LISTEN
tcp6 0 0 *.ssh *.* LISTEN
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
c0d10d80 dgram 0 0 0 c0cd8680 0 c0cb7000 -> /var/run/log
c0cb7000 dgram 0 0 0 c0cd8680 0 0 -> /var/run/log
c0cd8680 dgram 0 0 cb9639e8 0 c0d10d80 0 /var/run/log
The following example from a BSD system
$ sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sendmail 569 4 tcp localhost.smtp *.*
root sshd 593 4 tcp *.ssh *.*
Shows that on this machine only the SSH
service is listening to the public network interface
of the computer. sendmail
is listening to the loopback
interface
only. Access to a service may be further restricted by using a firewall.
and Unix-like
systems is based on 9 permission bits, set user and group ID bits, and the sticky bit, for a total of 12 bits. These permissions apply almost equally to all filesystem objects such as files, directories and devices.
The 9 permission bits are divided into three groups of three bits each. The first group describes the permissions of the file owner, the second group describes the permissions of a group associated with the file owner or the directory containing the file, and the third group describes the permissions associated with any process which does not have the same user ID as the file. Each group of three bits contains a bit indicating the read, write or execute access is granted. In the case of directories, execute access is interpreted as the permission to perform a filename lookup within the directory.
The set user ID and set group ID bits, commonly abbreviated set-UID and set-GID respectively, are used to change the identity of the process which executes a file having either or both of those bits set. A file having the set-UID
permission bit set will cause a process which executes that file to temporarily switch the effective user ID to that of the file owner. A file having the set-GID permission bit set will cause a process which executes that file to temporarily switch the effective group ID to that of the file group. A process may then alternate between the effective user or group ID which it inherited from the file and the real user or group ID which it inherited when the user logged on to the system. This provides a mechanism by which a process may limit the access rights it possesses to those code regions which require those access rights. This is a form of a security technique known as privilege separation
and improves program security by limiting the unintended or undesirable actions of a processes.
A directory having the set-GID permission bit set will cause a newly created file to have an initial file group value equal to the file group of the directory. This provides a mechanism whereby a subsystem, such as the system's mail subsystem, can create files which have a common file group value so that set-GID processes within that subsystem are then able to read or write the file.
The sticky bit, formally known as the save text on swap bit, derives its name from its original purpose. Originally the sticky bit caused a process's initial memory image to be stored as a contiguous image on the disk drive which was used to store real memory pages when they were not in use. This improved the performance of commonly executed commands by making the initial memory image readily available. Modern UNIX systems no longer perform that function when the bit is set, but the name has been preserved nonetheless. In the case of files, the sticky-bit may be used by the system to indicate the style of file locking to be performed. In the case of directories, the sticky bit prevents any process, other than one which has super-user privileges or one having an effective user ID of the file owner, from deleting a file within that directory. The sticky bit is most commonly used on publicly writable directories, such as the various temporary working space directories on the system.
(root) when using identity authentication (local user is the same as remote user). It is primarily the feature of NFS but potentially may be available on other systems as well.
This problem arises when some remote file system is shared by multiple users. These users belong to one or multiple groups. In Unix, every file and folder normally has the separate permissions (read, write, execute) for the owner (normally the creator of the file), for the group to that the owner belongs and for the "world" (all other users). This allows to restrict write and read access only to the authorized users while in general NFS server must also be protected by firewall.
Superuser has more rights than the ordinary user, being able to change the file ownership, set arbitrary permissions and access all protected content. Even users that do need to have root access to they individual workstations may not be authorized for the similar actions on a shared file system. Root squash reduces rights of the remote root, making one no longer superuser. On UNIX like systems, root squash option can be turned on and off in /etc/exports file on a server side.
After implementing the root squash, the authorized superuser performs restricted actions after logging in into NFS server directly and not just by mounting the exported NFS folder.
.
consequently email virus scanning is often installed. The ClamAV virus scanner is available in source code form and may be used to scan Unix file systems for viruses which infect other operating systems.
There are viruses and worms that target Unix-like operating systems. In fact, the first computer worm -- the Morris worm -- targeted Unix systems.
is the current user interface for interacting with Linux
kernel netfilter functionality. It replaced ipchains
. Other Unix
like operating systems may provide their own native functionality and other open source
firewall products exist. More detailed information about iptables is contained elsewhere. A brief discussion is contained here in order to describe how iptables may be used to configure a Linux firewall.
netfilter provides a state-full packet filter which can be configured according to network interface
, protocol
, source and/or destination address
, source and/or destination port and the state of the packet. A network packet traverses several chains between the time it is received by a network interface and the time it is accepted by the host or forwarded to another host. The common chains are INPUT, OUTPUT and FORWARD. The INPUT chain is traversed for all packets as they are received by a network interface, regardless of whether they are to be accepted by the host or forwarded to another host. The OUTPUT chain is traversed for all packets as they are transmitted by a network interface. The FORWARD chain is traversed for those packets are being routed through the host from one network interface to another, such as is the case for a multi-homed system (a system with more than one physical network interface).
Each of the built-in chains has a default policy which defines what action is taken for a packet which reaches the end of the chain. Packet traversal ends when a rule matches the packet and has an action of ACCEPT, DROP, REJECT or RETURN.
The simplest iptables
firewall consists of rules for each desired service, followed by a rule which indicates that any packets which reach this rule are dropped. A system which only permitted, for example, incoming email traffic would have a rule which accepted connections on the SMTP
port, and then dropped others. A rule would be required which indicated that all established connections were also permitted so that outgoing connections would receive responses from other systems.
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 LOG all -- any any anywhere anywhere LOG level warning
0 0 DROP all -- any any anywhere anywhere
The addition of an explicit DROP action ensures that the packets are discarded should the default policy of the INPUT chain accidentally be changed to ACCEPT.
and may be used to prevent viruses within the firewall from escaping to other systems. For example, it may be the policy of a network to limit outgoing email connections to a single authorized email servers as a way of combating e-mail spam
. This could be achieved by the following example:
Chain OUTPUT (policy ACCEPT)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any !server anywhere tcp dpt:smtp
There is no need to include any other rules in this example as the default policy for the OUTPUT chain is ACCEPT. Note also that this rule assumes that the host which is acting as the firewall will not be sending email itself, such as to the email server. This is a good assumption as typically a firewall system contains the minimal amount of system code needed to act as a firewall.
A more restrictive OUTPUT chain would contain permissive (ACCEPT) entries for those services which may be accessed outside the firewall and then a restrictive (DROP) policy for the chain itself.
Packet sniffing:
Attacks:
Computer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
a Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
or Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
. A secure environment is achieved not only by the design concepts of these operating systems, but also through vigilant user
User (computing)
A user is an agent, either a human agent or software agent, who uses a computer or network service. A user often has a user account and is identified by a username , screen name , nickname , or handle, which is derived from the identical Citizen's Band radio term.Users are...
and administrative
System administrator
A system administrator, IT systems administrator, systems administrator, or sysadmin is a person employed to maintain and operate a computer system and/or network...
practices.
Permissions
A core security feature in these systems is the permissionsFile system permissions
Most current file systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users to view or make changes to the contents of the filesystem....
system. All files in a typical Unix-style filesystem have permissions set enabling different access to a file.
Permissions on a file are commonly set using the chmod
Chmod
The chmod command is a Unix command that lets a user tell the system how much access it should permit to a file. It changes the file system modes of files and directories. The modes include permissions and special modes...
command and seen through the ls
Ls
In computing, ls is a command to list files in Unix and Unix-like operating systems. ls is specified by POSIX and the Single UNIX Specification.- History :An ls utility appeared in the original version of AT&T UNIX...
command. For example:
-r-xr-xr-x 1 root wheel 745720 Sep 8 2002 /bin/sh
Unix permissions permit different users access to a file. Different user groups have different permissions on a file.
More advanced Unix filesystems include the Access Control List concept which allows permissions to be granted to multiple users or groups. An Access Control List may be used to grant permission to additional individual users or groups. For example:
/pvr [u::rwx,g::r-x,o::r-x/u::rwx,u:sue:rwx,g::r-x,m::rwx,o::r-x]
In this example, which is from the chacl command on the Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
operating system, the user sue is granted write permission to the /pvr directory.
User groups
Users under Unix style operating systems often belong to managed groups with specific access permissions. This enables users to be grouped by the level of access they have to this system. Many Unix implementations add an additional layer of security by requiring that a user be a member of the wheel user privileges groupGroup identifier (Unix)
In Unix-like systems, multiple users can be categorized into groups. POSIX and conventional Unix file system permissions are organized into three classes, user, group, and others. The use of groups allows additional abilities to be delegated in an organized fashion, such as access to disks,...
in order to access the su command.
Issues
Most Unix and Unix-like systems have an account or group which enables a user to exact complete control over the system, often known as a rootSuperuser
On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
account. If access to this account is gained by an unwanted user, this results in a complete breach of the system. A root account however is necessary for administrative purposes, and for the above security reasons the root account is seldom used for day to day purposes (the sudo
Sudo
sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user...
program is more commonly used), so usage of the root account can be more closely monitored.
Root access "as it should be" can be visualised by those familiar with the Superman
Superman
Superman is a fictional comic book superhero appearing in publications by DC Comics, widely considered to be an American cultural icon. Created by American writer Jerry Siegel and Canadian-born American artist Joe Shuster in 1932 while both were living in Cleveland, Ohio, and sold to Detective...
stories using the following analogy
Analogy
Analogy is a cognitive process of transferring information or meaning from a particular subject to another particular subject , and a linguistic expression corresponding to such a process...
:
-
- Using a root account is rather like being Superman; an administrator's regular user is more like Clark Kent. Clark Kent becomes Superman for only as long as necessary, in order to save people. He then reverts to his "disguise". Root access should be used in the same fashion. The Clark Kent disguise doesn't really restrict him though, as he is still able to use his super powers. This is analogous to using the sudo program.
User and administrative techniques
Unix has many tools that can improve security if used properly by users and administrators.Passwords
Selecting a strong passwordPassword
A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource . The password should be kept secret from those not allowed access....
and guarding it properly are probably the most important things a user can do to improve Unix security.
In Unix systems, the essential information about users is stored under the file /etc/passwd
Passwd (file)
In Unix-like operating systems the /etc/passwd file is a text-based database of information about users that may login to the system or other operating system user identities that own running processes....
. This file keeps track of the users registered in the system and their main definitions. Passwords, or more correctly, the hash of the password, can also be stored in the same place. The entries in /etc/passwd occupy exactly one line each, and have the following form:
nickname:password_hash:UserID:GroupID:Complete_Name:home_dir:shell_bin
An example would be:
xfze:$1$zuW2nX3sslp3qJm9MYDdglEApAc36r/:1000:100:José Carlos D. S. Saraiva:/home/xfze:/bin/bash
Since all users must have read access to this file, in order for the system to check the login password, one security issue was raised: anyone could have read the file and retrieve the password hashes of other users. To solve this problem, the file /etc/shadow was created to store the password hashes, with only root
Root
In vascular plants, the root is the organ of a plant that typically lies below the surface of the soil. This is not always the case, however, since a root can also be aerial or aerating . Furthermore, a stem normally occurring below ground is not exceptional either...
having read access. Under password shadowing, the /etc/passwd the 2nd field (password hash
Key derivation function
In cryptography, a key derivation function derives one or more secret keys from a secret value such as a master key or other known information such as a password or passphrase using a pseudo-random function...
) is replaced by an 'x' which tells the system to retrieve the corresponding user's password via the /etc/shadow file.
The /etc/shadow file usually only contains the first two fields:
xfze:$1$zuW2nX3sslp3qJm9MYDdglEApAc36r/:::::
The remaining fields in the /etc/shadow file include:
- The minimum number of days between password changes
- The maximum number of days until the password must be changed
- The number of days of warning given before the password must be changed
- The number of days after the password must be changed when the account becomes unusable
- The date (expressed as the number of days since January 1st, 1970) when the account is expired
These fields may be used to improve Unix security by enforcing a password security policy.
Users and accounts
Administrators should delete old accounts promptly.- suSu (Unix)The su command, also referred to as super user substitute user, spoof user, set user or switch user, allows a computer operator to change the current user account associated with the running virtual console....
, sudoSudosudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user...
, sshSecure ShellSecure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...
only, no remote root logins
Patching
Operating systems, like all software, may contain bugs in need of fixing or may be enhanced with the addition of new features. Patching the operating system in a secure manner requires that the software come from a trustworthy source and not have been altered since it was packaged. Common methods for verifying that operating system patches have not been altered include the use of cryptographic hash, such as an MD5MD5
The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity...
based checksum, or the use of read-only media.
From a security standpoint, the specific packaging method, such as the RPM Package Manager
RPM Package Manager
RPM Package Manager is a package management system. The name RPM variously refers to the .rpm file format, files in this format, software packaged in such files, and the package manager itself...
format originally from Red Hat Linux
Red Hat Linux
Red Hat Linux, assembled by the company Red Hat, was a popular Linux based operating system until its discontinuation in 2004.Red Hat Linux 1.0 was released on November 3, 1994...
is not as important as the use of features which ensure the integrity of the patch itself.
Source Distributions
Source distributions include the ability to examine the code for suspicious content. The drawback, absent an accompanying cryptographic hash value, is that the user must be able to perform a security analysis of the code themselves.RPM Packages
LinuxLinux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
distributions which use the RPM Package Manager
RPM Package Manager
RPM Package Manager is a package management system. The name RPM variously refers to the .rpm file format, files in this format, software packaged in such files, and the package manager itself...
format for providing base functionality and software updates make use of MD5
MD5
The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity...
and GPG
GNU Privacy Guard
GNU Privacy Guard is a GPL Licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP...
to ensure content integrity. The hash values are packaged with the RPM file and verified when the package is installed.
Debian Packages
LinuxLinux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
distributions which use the Debian
Debian
Debian is a computer operating system composed of software packages released as free and open source software primarily under the GNU General Public License along with other free software licenses. Debian GNU/Linux, which includes the GNU OS tools and Linux kernel, is a popular and influential...
.deb package format
Deb (file format)
deb is the extension of the Debian software package format and the most often used name for such binary packages. Like the "Deb" part of the term Debian, it originates from the name of Debra, erstwhile girlfriend and now ex-wife of Debian's founder Ian Murdock.Debian packages are also used in...
for providing base functionality and software updates make use of GPG
GNU Privacy Guard
GNU Privacy Guard is a GPL Licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP...
signatures to ensure content integrity. A signature is computed when the package is constructed and verified later when the package is installed.
Other vendors and distributions
Regardless of the vendor or distribution, all software distributions should provide a mechanism for verifying that the software is legitimate and has not been modified since it was originally packaged.Services
Unnecessary system software should not be installed or configured on a system. Software which is no longer required should be removed completely, if possible.- Identify what services are running
- netstat -na
- lsof
- nmap
- sockstat -4 (FreeBSDFreeBSDFreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
)
The commands inetd
Inetd
inetd is a super-server daemon on many Unix systems that manages Internet services. First appearing in 4.3BSD , it is generally located at /usr/sbin/inetd.-Function:...
and xinetd
Xinetd
In computer networking, xinetd, the eXtended InterNET Daemon, is an open-source super-server daemon which runs on many Unix-like systems and manages Internet-based connectivity...
act as super-servers for a variety of network protocols such as rlogin
Rlogin
rlogin is a software utility for Unix-like computer operating systems that allows users to log in on another host via a network, communicating via TCP port 513.It was first distributed as part of the 4.2BSD release....
, telnet
TELNET
Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communications facility using a virtual terminal connection...
and ftp.
Turning off unnecessary services
- using chkconfig on Red Hat LinuxRed Hat LinuxRed Hat Linux, assembled by the company Red Hat, was a popular Linux based operating system until its discontinuation in 2004.Red Hat Linux 1.0 was released on November 3, 1994...
- using /etc/rc.conf and /usr/local/etc/rc.d on FreeBSD (mention /etc/rc.local)
- using rc-update on Gentoo LinuxGentoo LinuxGentoo Linux is a computer operating system built on top of the Linux kernel and based on the Portage package management system. It is distributed as free and open source software. Unlike a conventional software distribution, the user compiles the source code locally according to their chosen...
This approach is usually called proactive security. There are some operating systems which are secure by default. Amongst others, the free BSD flavours (FreeBSD
FreeBSD
FreeBSD is a free Unix-like operating system descended from AT&T UNIX via BSD UNIX. Although for legal reasons FreeBSD cannot be called “UNIX”, as the direct descendant of BSD UNIX , FreeBSD’s internals and system APIs are UNIX-compliant...
, NetBSD
NetBSD
NetBSD is a freely available open source version of the Berkeley Software Distribution Unix operating system. It was the second open source BSD descendant to be formally released, after 386BSD, and continues to be actively developed. The NetBSD project is primarily focused on high quality design,...
, and OpenBSD
OpenBSD
OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution , a Unix derivative developed at the University of California, Berkeley. It was forked from NetBSD by project leader Theo de Raadt in late 1995...
) are proactively secure. For example, the output of netstat on a NetBSD 3.0 workstation clearly outlines this technique:
$ netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.smtp *.* LISTEN
tcp 0 0 *.ssh *.* LISTEN
Active Internet6 connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp6 0 0 localhost.smtp *.* LISTEN
tcp6 0 0 *.ssh *.* LISTEN
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
c0d10d80 dgram 0 0 0 c0cd8680 0 c0cb7000 -> /var/run/log
c0cb7000 dgram 0 0 0 c0cd8680 0 0 -> /var/run/log
c0cd8680 dgram 0 0 cb9639e8 0 c0d10d80 0 /var/run/log
The following example from a BSD system
$ sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sendmail 569 4 tcp localhost.smtp *.*
root sshd 593 4 tcp *.ssh *.*
Shows that on this machine only the SSH
Secure Shell
Secure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...
service is listening to the public network interface
Network interface
Network interface may refer to:* Network interface controller, the device a computer uses to connect to a computer network* Network interface device, a demarcation point for a telephone network...
of the computer. sendmail
Sendmail
Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and -delivery methods, including the Simple Mail Transfer Protocol used for email transport over the Internet....
is listening to the loopback
Loopback
Loopback describes ways of routing electronic signals, digital data streams, or flows of items from their originating facility back to the source without intentional processing or modification...
interface
Interface (computer science)
In the field of computer science, an interface is a tool and concept that refers to a point of interaction between components, and is applicable at the level of both hardware and software...
only. Access to a service may be further restricted by using a firewall.
File system security
File system security within UNIXUnix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
and Unix-like
Unix-like
A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification....
systems is based on 9 permission bits, set user and group ID bits, and the sticky bit, for a total of 12 bits. These permissions apply almost equally to all filesystem objects such as files, directories and devices.
The 9 permission bits are divided into three groups of three bits each. The first group describes the permissions of the file owner, the second group describes the permissions of a group associated with the file owner or the directory containing the file, and the third group describes the permissions associated with any process which does not have the same user ID as the file. Each group of three bits contains a bit indicating the read, write or execute access is granted. In the case of directories, execute access is interpreted as the permission to perform a filename lookup within the directory.
The set user ID and set group ID bits, commonly abbreviated set-UID and set-GID respectively, are used to change the identity of the process which executes a file having either or both of those bits set. A file having the set-UID
Setuid
setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
permission bit set will cause a process which executes that file to temporarily switch the effective user ID to that of the file owner. A file having the set-GID permission bit set will cause a process which executes that file to temporarily switch the effective group ID to that of the file group. A process may then alternate between the effective user or group ID which it inherited from the file and the real user or group ID which it inherited when the user logged on to the system. This provides a mechanism by which a process may limit the access rights it possesses to those code regions which require those access rights. This is a form of a security technique known as privilege separation
Privilege separation
In computer programming and computer security, privilege separation is a technique in which a program is divided into parts which are limited to the specific privileges they require in order to perform a specific task...
and improves program security by limiting the unintended or undesirable actions of a processes.
A directory having the set-GID permission bit set will cause a newly created file to have an initial file group value equal to the file group of the directory. This provides a mechanism whereby a subsystem, such as the system's mail subsystem, can create files which have a common file group value so that set-GID processes within that subsystem are then able to read or write the file.
The sticky bit, formally known as the save text on swap bit, derives its name from its original purpose. Originally the sticky bit caused a process's initial memory image to be stored as a contiguous image on the disk drive which was used to store real memory pages when they were not in use. This improved the performance of commonly executed commands by making the initial memory image readily available. Modern UNIX systems no longer perform that function when the bit is set, but the name has been preserved nonetheless. In the case of files, the sticky-bit may be used by the system to indicate the style of file locking to be performed. In the case of directories, the sticky bit prevents any process, other than one which has super-user privileges or one having an effective user ID of the file owner, from deleting a file within that directory. The sticky bit is most commonly used on publicly writable directories, such as the various temporary working space directories on the system.
Root squash
Root squash is reduction of the access rights for the remote superuserSuperuser
On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
(root) when using identity authentication (local user is the same as remote user). It is primarily the feature of NFS but potentially may be available on other systems as well.
This problem arises when some remote file system is shared by multiple users. These users belong to one or multiple groups. In Unix, every file and folder normally has the separate permissions (read, write, execute) for the owner (normally the creator of the file), for the group to that the owner belongs and for the "world" (all other users). This allows to restrict write and read access only to the authorized users while in general NFS server must also be protected by firewall.
Superuser has more rights than the ordinary user, being able to change the file ownership, set arbitrary permissions and access all protected content. Even users that do need to have root access to they individual workstations may not be authorized for the similar actions on a shared file system. Root squash reduces rights of the remote root, making one no longer superuser. On UNIX like systems, root squash option can be turned on and off in /etc/exports file on a server side.
After implementing the root squash, the authorized superuser performs restricted actions after logging in into NFS server directly and not just by mounting the exported NFS folder.
SELinux
SELinux is the set of kernel extensions to control access more presicely, strictly defining both if and how files, folders, network ports and other resources can be accessed by the confined process. This system is mostly used to restrict processes (database, server) rather than human users. It can also limit processes that run as root. Other distributions use comparable alternatives like AppArmorAppArmor
AppArmor is a security module for the Linux kernel, released under the GNU General Public License. AppArmor allows the system administrator to associate with each program a security profile that restricts the capabilities of that program. It supplements the traditional Unix discretionary access...
.
Viruses and Virus Scanners
Unix-like operating systems are immune to most Microsoft Windows viruses because binaries created to run on Windows generally won't run on other platforms. However, many Unix like installations provide file storage services to Microsoft Windows clients, such as through the use of Samba software, and may unintentionally become a repository for viruses stored by users. It is common for Unix servers to act as Mail Transfer AgentsMail transfer agent
Within Internet message handling services , a message transfer agent or mail transfer agent or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture...
consequently email virus scanning is often installed. The ClamAV virus scanner is available in source code form and may be used to scan Unix file systems for viruses which infect other operating systems.
There are viruses and worms that target Unix-like operating systems. In fact, the first computer worm -- the Morris worm -- targeted Unix systems.
Firewalls
Network firewall protects systems and networks from network threats which exist on the opposite side of the firewall. Firewalls can block access to strictly internal services, unwanted users and in some cases filter network traffic by content.iptables
iptablesIptables
iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores...
is the current user interface for interacting with Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
kernel netfilter functionality. It replaced ipchains
Ipchains
Linux IP Firewalling Chains, normally called ipchains, is free software to control the packet filter/firewall capabilities in the 2.2 series of Linux kernels. It superseded ipfwadm, but was replaced by iptables in the 2.4 series. Unlike iptables, ipchains is stateless.It is a rewrite of Linux's...
. Other Unix
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
like operating systems may provide their own native functionality and other open source
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
firewall products exist. More detailed information about iptables is contained elsewhere. A brief discussion is contained here in order to describe how iptables may be used to configure a Linux firewall.
netfilter provides a state-full packet filter which can be configured according to network interface
Network card
A network interface controller is a computer hardware component that connects a computer to a computer network....
, protocol
Internet Protocol
The Internet Protocol is the principal communications protocol used for relaying datagrams across an internetwork using the Internet Protocol Suite...
, source and/or destination address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
, source and/or destination port and the state of the packet. A network packet traverses several chains between the time it is received by a network interface and the time it is accepted by the host or forwarded to another host. The common chains are INPUT, OUTPUT and FORWARD. The INPUT chain is traversed for all packets as they are received by a network interface, regardless of whether they are to be accepted by the host or forwarded to another host. The OUTPUT chain is traversed for all packets as they are transmitted by a network interface. The FORWARD chain is traversed for those packets are being routed through the host from one network interface to another, such as is the case for a multi-homed system (a system with more than one physical network interface).
Each of the built-in chains has a default policy which defines what action is taken for a packet which reaches the end of the chain. Packet traversal ends when a rule matches the packet and has an action of ACCEPT, DROP, REJECT or RETURN.
The simplest iptables
Iptables
iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores...
firewall consists of rules for each desired service, followed by a rule which indicates that any packets which reach this rule are dropped. A system which only permitted, for example, incoming email traffic would have a rule which accepted connections on the SMTP
Simple Mail Transfer Protocol
Simple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
port, and then dropped others. A rule would be required which indicated that all established connections were also permitted so that outgoing connections would receive responses from other systems.
INPUT chain
The following example shows a simple packet filter for the INPUT chain for the above described example:Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 LOG all -- any any anywhere anywhere LOG level warning
0 0 DROP all -- any any anywhere anywhere
The addition of an explicit DROP action ensures that the packets are discarded should the default policy of the INPUT chain accidentally be changed to ACCEPT.
OUTPUT chain
There is less need for an OUTPUT chain and the default policy of the OUTPUT chain can safely be set to ACCEPT. In some instances it may be desirable for a firewall to limit certain outgoing connections to a certain set of approved systems. This is known as egress filteringEgress filtering
In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled.TCP/IP packets that are being sent...
and may be used to prevent viruses within the firewall from escaping to other systems. For example, it may be the policy of a network to limit outgoing email connections to a single authorized email servers as a way of combating e-mail spam
E-mail spam
Email spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE...
. This could be achieved by the following example:
Chain OUTPUT (policy ACCEPT)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- any any !server anywhere tcp dpt:smtp
There is no need to include any other rules in this example as the default policy for the OUTPUT chain is ACCEPT. Note also that this rule assumes that the host which is acting as the firewall will not be sending email itself, such as to the email server. This is a good assumption as typically a firewall system contains the minimal amount of system code needed to act as a firewall.
A more restrictive OUTPUT chain would contain permissive (ACCEPT) entries for those services which may be accessed outside the firewall and then a restrictive (DROP) policy for the chain itself.
General
Secure network communication:- Layer 7: GPGGNU Privacy GuardGNU Privacy Guard is a GPL Licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP...
/PGPPretty Good PrivacyPretty Good Privacy is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security... - Layers 4,5: SSL/TLSTransport Layer SecurityTransport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
/StunnelStunnelStunnel is an open-source multi-platform computer program, used to provide universal TLS/SSL tunneling service.Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. It runs on a variety of operating systems , including most...
/S/MIMES/MIMES/MIME is a standard for public key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFCs. S/MIME was originally developed by RSA Data Security Inc... - Layer 3: VPNVirtual private networkA virtual private network is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network....
, IPsecIPsecInternet Protocol Security is a protocol suite for securing Internet Protocol communications by authenticating and encrypting each IP packet of a communication session... - Layer 2: PPTPPoint-to-point tunneling protocolThe Point-to-Point Tunneling Protocol is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets....
Packet sniffing:
- tcpdumpTcpdumptcpdump is a common packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached...
, WiresharkWiresharkWireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education...
Attacks:
- Man in the middle attack
- land ping of deathPing of deathA ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 32 bytes in size ; historically, many computer systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes...
xmas Denial-of-service attackDenial-of-service attackA denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
et al.
Advanced
- rootkitRootkitA rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications...
s, kernel modules, chkrootkit - exploit details, buffer overflowBuffer overflowIn computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
s, local vs remote
Service details
- banners
- SMTPSimple Mail Transfer ProtocolSimple Mail Transfer Protocol is an Internet standard for electronic mail transmission across Internet Protocol networks. SMTP was first defined by RFC 821 , and last updated by RFC 5321 which includes the extended SMTP additions, and is the protocol in widespread use today...
- spamE-mail spamEmail spam, also known as junk email or unsolicited bulk email , is a subset of spam that involves nearly identical messages sent to numerous recipients by email. Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. One subset of UBE is UCE... - SendmailSendmailSendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and -delivery methods, including the Simple Mail Transfer Protocol used for email transport over the Internet....
- banners help header version etc. - Domain Name SystemDomain name systemThe Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
- reverse mapping dnssec
External links
- The Unix Security Model for web server administration Robert K. Moniot 2000
- An Architectural Overview of UNIX Network Security Robert B. Reinhardt 1993
- Unix security papers