System security
1. Latest patches
Any operating system may contain security bugs that are only discovered once it is in production use. Apply every patch available to date to close the loopholes already known, and watch for reports of new security-related bugs. There is usually a delay between the discovery of a security loophole and the release of its patch, so the best strategy is to stay informed through the OS vendor's security bulletins and, in the meantime, either disable the affected service or monitor it closely, applying the patch as soon as it is available.
A Perl script, patchk, is available from sunsolve.sun.com; it identifies and compares the patches installed on the system and downloads the latest ones.
2. Access to the system
Limit root access
Limit direct root logins by making sure the CONSOLE entry in /etc/default/login is not commented out, so that root can only log in at the console. If secure shell is used to reach the systems, edit sshd_config (the server side) and ssh_config (the client side) to disable root access:
sshd_config
PermitRootLogin no
PermitEmptyPasswords no
AllowHosts <host list>
AllowUsers <user list>
ssh_config
ForwardX11 no
PasswordAuthentication no
AllowHosts is an option of the commercial SSH server; OpenSSH has no such keyword and restricts by host through user@host patterns in AllowUsers instead. PasswordAuthentication no in the client file only affects outgoing connections, so set it in sshd_config as well to stop password logins to the system.
Key-based authentication (public-key, or host-based, which relies on the connecting host's key pair) is more secure, since only a holder of the matching private key can connect. Password authentication is weaker because passwords can be guessed or cracked with readily available programs.
Limit su capabilities
Allow only a few selected members of a group to use su, so that other users cannot use it to guess the root password. Create a system administrators group, make root the owner of su and that group its group owner, and set its permissions so that only members of the group have execute permission: mode 4750 (owner read, write and execute with the set-uid bit, group execute only, no access for others). The set-uid bit must stay on, or su can no longer become root. This stops ordinary users from running su at all, but it only complements a strong root password and the su log; it does not replace them.
Remote access files
.rhosts, .netrc and hosts.equiv are files that grant access to and from remote systems and should be watched carefully. Check them regularly for unauthorized entries; where they are not needed, create them as empty root-owned files with zero permissions (chmod 0), so that nobody can create a file of the same name and add entries to gain access. A user who owns the directory containing the file can still remove it, so check that the files are still there and still owned by root.
Keep access logs:
The sulog file (/var/adm/sulog) records every su attempt, successful or not. A loginlog file can be created by touching /var/adm/loginlog; once it exists, login records there every account that fails to log in RETRIES times in a row (five by default, set in /etc/default/login). The last command also reports who has logged in to the system, when, and from where.
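As an added example that is not from the original document, the following POSIX shell report reads sulog lines in the format above and picks out rejected attempts to become root, the pattern left by someone guessing the root password. The sample log lines are constructed, and the function names and the brute-force threshold are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original document: a report over /var/adm/sulog.
# Each sulog line has the form   SU MM/DD HH:MM [+|-] tty from-to
# where + means the su succeeded and - means the password was rejected.
# The user is taken from "from-to" by stripping the "-root" suffix, so a
# username that itself contains a hyphen is still handled correctly.

# sample_sulog: constructed log lines for trying the functions offline
sample_sulog() {
    cat <<'EOF'
SU 03/15 09:02 + console root-root
SU 03/15 10:23 - pts/1 bob-root
SU 03/15 10:24 - pts/1 bob-root
SU 03/15 10:25 - pts/1 bob-root
SU 03/15 11:40 + pts/3 alice-root
SU 03/15 12:01 - pts/2 carol-oracle
SU 03/16 08:15 + pts/1 bob-root
EOF
}

# su_failures_to_root FILE: print "user count" for each account whose
# attempts to su to root were rejected, most failures first
su_failures_to_root() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
             u = $6; sub(/-root$/, "", u); fail[u]++
         }
         END { for (u in fail) print u, fail[u] }' "$1" | sort -k2,2nr
}

# su_successes_to_root FILE: "date time tty user" for every successful
# escalation to root, to be compared against the administrators group
su_successes_to_root() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
             u = $6; sub(/-root$/, "", u); print $2, $3, $5, u
         }' "$1"
}

# flag_su_bruteforce FILE THRESHOLD: users with at least THRESHOLD rejected
# attempts against root
flag_su_bruteforce() {
    su_failures_to_root "$1" | awk -v n="$2" '$2 >= n { print $1 }'
}

# Usage: sh sulog_report.sh /var/adm/sulog
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    echo "== rejected su to root =="; su_failures_to_root "$1"
    echo "== successful su to root =="; su_successes_to_root "$1"
    echo "== possible brute force (3 or more) =="; flag_su_bruteforce "$1" 3
fi
```

Run it as root against /var/adm/sulog. A run of rejected attempts from one account is what the su restriction above is meant to prevent, and a successful su from an account outside the administrators group deserves a look even though the password was right.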
Startup scripts in /etc/rc2.d and /etc/rc3.d: a script whose name starts with a capital S is run at boot (enabled); renaming it with a lowercase s disables it while keeping the script in place, because the rc scripts only execute S* entries.
Enabled          Disabled
S71ldap.client   s71ldap.client
S72autoinstall   s72autoinstall
S72slpd          s72slpd
S88sendmail      s88sendmail
S73nfs.client    s73nfs.client
S74autofs        s74autofs
S99dtlogin       s99dtlogin
S15nfs.server    s15nfs.server
Stop unnecessary and insecure network services:
/etc/inetd.conf has entries for about fifty network services, and most of them are enabled by default. Some of them are insecure (telnet and ftp send passwords in clear text) and some are not required at all. These services give an intruder a way in by exposing open ports and information about the system: finger, systat and netstat report on the users, the processes and the network connections of the machine. Depending on what the applications need, stop these services by commenting out the corresponding entry in /etc/inetd.conf and sending inetd a HUP signal so that it rereads the file.
ftp should be disabled and secure copy, scp, used instead. If ftp must be kept, limit the users who may ftp to the system: /etc/ftpusers lists the accounts that are denied ftp access, and root and the system accounts belong in it.
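Added example, not part of the original text: shell helpers for the two kinds of disabling described above (the startup-script table and the inetd.conf section), plus the ftpusers deny list. Commenting out an inetd.conf entry, renaming an rc script and appending to ftpusers are each a one-line change on a live system, but done by hand they are easy to get subtly wrong (a second active copy of the entry, an S script renamed to something rc still runs, a duplicate name in ftpusers); these functions do them the same way every time. File paths are parameters and the inetd.conf excerpt is constructed, so everything can be tried on copies before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original document: helpers for the disabling
# steps above, written against the file paths given as arguments so they can
# be exercised on copies. The defaults in the usage note are the Solaris
# locations named in the text.

# sample_inetd_conf: constructed excerpt of /etc/inetd.conf
sample_inetd_conf() {
    cat <<'EOF'
# constructed excerpt of /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
}

# list_inetd_enabled FILE: names (first field) of the services still enabled
list_inetd_enabled() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# disable_inetd_service FILE SERVICE: comment out every active entry for
# SERVICE. The file is rewritten through a temporary copy and cat'ed back so
# that its owner and mode are preserved (mv would replace the inode).
disable_inetd_service() {
    awk -v s="$2" '$1 == s { print "#" $0; next } { print }' "$1" > "$1.tmp" \
        && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# disable_rc_script /etc/rcN.d/Snnname: rename to a lowercase s so that
# /sbin/rcN, which only runs S* scripts, skips it but the script is kept
disable_rc_script() {
    dir=$(dirname "$1"); name=$(basename "$1")
    case "$name" in
        S*) mv "$1" "$dir/s${name#S}" ;;
        *)  echo "not an enabled S script: $1" >&2; return 1 ;;
    esac
}

# deny_ftp_users FILE USER...: add each user to the ftpusers deny list once
deny_ftp_users() {
    f=$1; shift
    for u in "$@"; do
        grep -qx "$u" "$f" 2>/dev/null || printf '%s\n' "$u" >> "$f"
    done
}

# Usage (as root):
#   disable_inetd_service /etc/inetd.conf telnet && pkill -HUP inetd
#   disable_rc_script /etc/rc2.d/S88sendmail
#   deny_ftp_users /etc/ftpusers root daemon bin sys adm lp uucp nuucp nobody
```

After changing /etc/inetd.conf, inetd must be told to reread it (pkill -HUP inetd, as the text shows below). Renaming an rc script only takes effect at the next boot, so stop the running daemon by hand as well.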
4. IP module
Control the IP behavior:
The IP module can be tuned so that the system does not forward or redirect packets and does not answer requests for information about the network. The parameters are set with ndd and the values below. The first two stop forwarding of directed broadcasts and of source-routed packets (used in broadcast amplification and in address spoofing attacks), ip_ignore_redirect makes the system ignore ICMP redirects, the two ire intervals shorten the lifetime of cached route and ARP entries so that poisoned entries expire quickly, and the last stops replies to broadcast echo requests. ndd settings do not survive a reboot, so they must also be placed in a startup script to be applied at every boot.
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_flush_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
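The following is an added example, not from the original page: it applies the table of ndd settings above and reads each value back with ndd -get, so that a mistyped parameter name, or one that a particular Solaris release does not support, is reported instead of being silently ignored. Making the ndd command a variable (NDD) is an assumption of this example so that the same function can be exercised with a stand-in on a system without ndd; on Solaris it defaults to /usr/sbin/ndd.

```shell
#!/bin/sh
# Added example, not from the original document: apply the /dev/ip settings
# listed above and verify each one with ndd -get. NDD defaults to
# /usr/sbin/ndd; making it overridable is this example's assumption so the
# logic can be tested with a stand-in.
NDD="${NDD:-/usr/sbin/ndd}"

# ip_tunables: the parameter/value table from the text, one pair per line
ip_tunables() {
    cat <<'EOF'
ip_forward_directed_broadcasts 0
ip_forward_src_routed 0
ip_ignore_redirect 1
ip_ire_flush_interval 60000
ip_ire_arp_interval 60000
ip_respond_to_echo_broadcast 0
EOF
}

# apply_ip_tunables: set every tunable, then read it back; mismatches go to
# stderr and the return value is their count (0 means all settings took)
apply_ip_tunables() {
    bad=0
    while read -r param value; do
        [ -n "$param" ] || continue
        if ! "$NDD" -set /dev/ip "$param" "$value"; then
            echo "ndd -set failed: $param" >&2
            bad=$((bad + 1)); continue
        fi
        got=$("$NDD" -get /dev/ip "$param" 2>/dev/null) || got=""
        if [ "$got" != "$value" ]; then
            echo "mismatch: $param wanted $value, kernel reports ${got:-nothing}" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$(ip_tunables)
EOF
    return "$bad"
}

# Usage (as root, or from a startup script so it runs at every boot):
#   sh ndd_hardening.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ip_tunables
fi
```

Because the verification uses ndd's own -get, the function also doubles as an audit: run it on a system that is supposed to be hardened already and a non-zero return means something was changed or never applied.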
Restart inetd so that it rereads /etc/inetd.conf:
# /usr/bin/pkill -HUP inetd
Harden sadmind, the Solstice AdminSuite RPC daemon, by requiring DES (secure RPC) authentication: add the -S 2 flag at the end of the sadmind line in /etc/inetd.conf. If sadmind is not used at all, comment the line out instead.
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
Then restart inetd again:
# /usr/bin/pkill -HUP inetd
7. Root kit:
In some cases the intruders install a "root kit", a set of replaced system binaries that keeps super-user privileges open to them and conceals the compromise (a trojaned ls or netstat, for instance, omits the intruder's files and connections). pkgchk compares installed files against the package database and can show whether files such as the following have been changed:
/bin/su
/usr/sbin/ping
/usr/bin/du
/usr/bin/passwd
/usr/bin/find
/bin/ls
/bin/netstat
/usr/bin/strings
An error reported on any of these files means the system is compromised. A clean result is not proof of the opposite, since a rootkit can alter pkgchk and the package database as well. The best course in these cases is to take the system off the network, keep a copy of the disks for investigation, and do a fresh operating system installation from trusted media.
srload:
srload is part of a root kit; it gives the attackers SSH access on a non-standard port. Compromised systems have the following line in /etc/inittab, which makes init restart srload whenever it exits:
SV:23:respawn:/usr/bin/srload -D -q
and may have the following file modified, along with others:
/etc/rcS.d/S30rootusr.sh
The immediate action is to boot into single-user mode, remove the srload entry from /etc/inittab, and delete the srload binary from /usr/bin or wherever else it is found. The rest of the kit is still in place after that, so the system must then be treated as compromised and reinstalled as described above.
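As an added example that is not the original document's tooling: pkgchk trusts the package database, which the same intruder can edit, so a baseline of checksums taken on a known-clean system and kept off the machine gives an independent check of the binaries listed above. The script below builds and verifies such a baseline and then looks for the srload entry in /etc/inittab. The inittab lines are constructed, and the manifest location and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original document. Keeps an independent
# baseline of checksums over the binaries a rootkit replaces, re-checks it,
# and looks for the srload inittab entry described above. cksum(1) is POSIX
# and present on a minimal install; its CRC is not collision resistant, so
# substitute a stronger digest where one is installed (assumption: only
# cksum is relied on here).

# monitored_files: the binaries the text says a rootkit typically replaces
monitored_files() {
    cat <<'EOF'
/bin/su
/usr/sbin/ping
/usr/bin/du
/usr/bin/passwd
/usr/bin/find
/bin/ls
/bin/netstat
/usr/bin/strings
EOF
}

# make_baseline: read paths on stdin, print "crc size path" for each one;
# paths that are not regular files are reported on stderr and left out
make_baseline() {
    while read -r path; do
        [ -n "$path" ] || continue
        if [ -f "$path" ]; then cksum "$path"; else echo "skipped, not a file: $path" >&2; fi
    done
}

# verify_baseline MANIFEST: recompute each checksum; print CHANGED/MISSING
# lines and return how many files differ (0 means the baseline still holds)
verify_baseline() {
    changed=0
    while read -r crc size path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; changed=$((changed + 1)); continue
        fi
        now=$(cksum "$path" | awk '{ print $1, $2 }')
        if [ "$now" != "$crc $size" ]; then
            echo "CHANGED $path"; changed=$((changed + 1))
        fi
    done < "$1"
    return "$changed"
}

# sample_inittab: constructed /etc/inittab carrying the rootkit's respawn entry
sample_inittab() {
    cat <<'EOF'
ap::sysinit:/sbin/autopush -f /etc/iu.ap
is:3:initdefault:
s2:23:wait:/sbin/rc2 >/dev/msglog 2<>/dev/msglog </dev/console
co:234:respawn:/usr/lib/saf/ttymon -g -h -p "console login: " -d /dev/console -l console
SV:23:respawn:/usr/bin/srload -D -q
EOF
}

# find_srload_inittab FILE: print, with line numbers, every inittab entry
# that runs srload; exit status 0 means something was found
find_srload_inittab() {
    grep -n 'srload' "$1"
}

# Usage:  sh rootkit_check.sh baseline > /safe/place/manifest   (known-clean system)
#         sh rootkit_check.sh verify /safe/place/manifest
case "${1:-}" in
    baseline) monitored_files | make_baseline ;;
    verify)   verify_baseline "$2"; find_srload_inittab /etc/inittab ;;
esac
```

Run the verify step from a copy of the script and of cksum that did not come from the suspect machine where possible; a kit that replaces ls and netstat can replace the checker too.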
Error messages
fsck is the Unix utility for checking and repairing file system inconsistencies. A file system can become inconsistent for several reasons; the most common is an abnormal shutdown caused by a hardware failure, a power failure, or switching the system off without a proper shutdown. The superblock is then not updated and holds information about data blocks, free blocks and inodes that no longer matches what is on disk.
Modes of operation:
fsck operates in two modes, interactive and non-interactive.
Interactive: fsck examines the file system, stops at each error it finds, describes the problem and asks for a response, usually whether to correct the problem or to continue without changing the file system.
Non-interactive: fsck tries to repair every problem it finds without stopping for a response. This is useful when a file system has a large number of inconsistencies, but it has the disadvantage that files detected as corrupt are removed, including some that were still useful.
If a file system is found to have problems at boot time, a non-interactive fsck is run first and corrects all errors considered safe to correct. If the file system still has problems after that, the system drops into single-user mode and asks the user to run fsck manually to correct them.
Running fsck:
fsck should always be run in single-user mode, which ensures a proper repair of the file system. If it is run on a busy system where the file system is constantly changing, fsck may take the changes for inconsistencies and may corrupt the file system.
If the system cannot be brought to single-user mode, fsck should be run on partitions other than root and usr after unmounting them; root and usr cannot be unmounted on a running system. If the system fails to come up because the root or usr file system is corrupt, boot from the installation CD and repair those partitions with fsck from there.
Command syntax:
fsck [-F fstype] [-V] [-y|-Y] [-o options] [special ...]
-F fstype   file system type to check (for example ufs)
-V          echo the expanded command line but do not run the command
-y or -Y    run in non-interactive mode: answer yes to every question, repairing all errors encountered without waiting for a user response
-o options  file-system-specific options, comma-separated; three are available:
    b=n     use block n as the superblock when the primary superblock is corrupted
    p       preen: make only the safe repairs, as is done during the boot process
    f       force a check even if the file system is marked clean
Files that fsck reconnects end up in the lost+found directory of the file system, named by inode number. To learn what they are, the file command shows the type of each one; they can then be opened in their applications or in a text editor to find out about their contents. If a file turns out to be intact, copy it to some other directory and rename it before using it.