practical unix internet security second edition part 10 potx

Pages: 96
Size: 2.65 MB




[ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ]

[Chapter 22] 22.4 SOCKS

file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/ch22_04.htm (8 of 8) [2002-04-12 10:45:45]

Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com


Chapter 20 NFS

20.3 Client-Side NFS Security

NFS can create security issues for NFS clients as well as servers. Because the files that a client mounts appear in the client's filesystem, an attacker who is able to modify mounted files can directly compromise the client's security.

The primary system that NFS uses for authenticating servers is based on IP host addresses and hostnames. NFS packets are not encrypted or digitally signed in any way. Thus, an attacker can spoof an NFS client either by posing as an NFS server or by changing the data that is en route between a server and the client. In this way, an attacker can force a client machine to run any NFS-mounted executable. In practice, this ability can give the attacker complete control over an NFS client machine.

At mount time, the UNIX mount command allows the client system to specify whether or not SUID files on the remote filesystem will be honored as such. This capability is one of the reasons that the mount command requires superuser privileges to execute. If you provide facilities to allow users to mount their own filesystems (including NFS filesystems as well as filesystems on floppy disks), you should make sure that the facility specifies the nosuid option. Otherwise, users might mount a disk that has a specially prepared SUID program that could cause you some headaches later on.

NFS can also cause availability and performance issues for client machines. If a client has an NFS partition on a server mounted, and the server becomes unavailable (because it crashed, or because network connectivity is lost), then the client can freeze until the NFS server becomes available.

Occasionally, an NFS server will crash and restart and - despite NFS's being a connectionless and stateless protocol - the NFS client's file handles will all become stale. In this case, you may find that it is impossible to unmount the stale NFS filesystem, and your only course of action may be to forcibly restart the client computer.

Here are some guidelines for making NFS clients more reliable and more secure:

Make sure that your computer is either an NFS server or an NFS client, but not both.


If possible, disable the honoring of SUID files and devices on mounted partitions.
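As an added example (not code from the book) of auditing the guideline above on a Linux client, the following Python script reads mount-table lines in the /proc/mounts format (assumed here) and reports NFS mounts that still honor SUID files or device nodes; the mount table it ships with is constructed for the demonstration.

```python
"""Report NFS mounts that lack the nosuid/nodev options (added example).

Assumes the Linux /proc/mounts line format:
    <source> <mountpoint> <fstype> <comma-separated options> <dump> <pass>
"""
import sys

# Constructed sample mount table; the server name and paths are made up.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
fileserver:/export/home /home nfs rw,relatime,vers=3,nosuid,nodev,hard,addr=10.0.0.5 0 0
fileserver:/export/tools /usr/local/tools nfs4 rw,relatime,vers=4.1,hard,addr=10.0.0.5 0 0
fileserver:/export/scratch /scratch nfs rw,relatime,vers=3,nodev,hard,addr=10.0.0.5 0 0
"""

NFS_TYPES = {"nfs", "nfs4"}
# The two options the chapter recommends for client mounts: ignore SUID
# bits and do not honor device nodes on the remote filesystem.
REQUIRED_OPTIONS = ("nosuid", "nodev")


def parse_mounts(text):
    """Yield (source, mountpoint, fstype, options) per mount-table line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        source, mountpoint, fstype, opts = fields[:4]
        yield source, mountpoint, fstype, set(opts.split(","))


def unsafe_nfs_mounts(text, required=REQUIRED_OPTIONS):
    """Return [(mountpoint, [missing options]), ...] for NFS mounts that
    still honor SUID binaries or device nodes."""
    findings = []
    for _source, mountpoint, fstype, opts in parse_mounts(text):
        if fstype not in NFS_TYPES:
            continue
        missing = [opt for opt in required if opt not in opts]
        if missing:
            findings.append((mountpoint, missing))
    return findings


def main(argv):
    # "--live" reads the real mount table; otherwise the constructed sample.
    if "--live" in argv:
        with open("/proc/mounts") as f:
            text = f.read()
    else:
        text = SAMPLE_MOUNTS
    findings = unsafe_nfs_mounts(text)
    for mountpoint, missing in findings:
        print(f"{mountpoint}: NFS mount honors {', '.join(missing)}; "
              f"add {','.join(missing)} to its mount options")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```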


Appendix F Organizations

F.2 U.S. Government Organizations

F.2.1 National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (formerly the National Bureau of Standards) has been charged with the development of computer security standards and evaluation methods for applications not involving the Department of Defense (DoD). Its efforts include research as well as developing standards.

More information on NIST's activities can be obtained by contacting:

NIST Computer Security Division A-216

F.2.2 National Security Agency (NSA)

One complimentary copy of each volume in the "Rainbow Series" of computer security standards can be obtained from the NSA. The NSA also maintains lists of evaluated and certified products. You can contact them at:


In addition to other services, the NSA operates the National Cryptologic Museum in Maryland. An online museum is located at:


Chapter 17 TCP/IP Services

17.5 Monitoring Your Network with netstat

You can use the netstat command to list all of the active and pending TCP/IP connections between your machine and every other machine on the Internet. This command is very important if you suspect that somebody is breaking into your computer or using your computer to break into another one. netstat lets you see which machines your machine is talking to over the network. The command's output includes the host and port number of each end of the connection, as well as the number of bytes in the receive and transmit queues. If a port has a name assigned in the /etc/services file, netstat will print it instead of the port number.

Normally, the netstat command displays UNIX domain sockets in addition to IP sockets. You can restrict the display to IP sockets only by using the -f inet option.

Sample output from the netstat command looks like this:

charon% netstat -f inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address         (state)
tcp        0      0  CHARON.MIT.EDU.telnet  GHOTI.LCS.MIT.ED.1300   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.telnet  amway.ch.apollo 4196    ESTABLISHED
tcp     4096      0  CHARON.MIT.EDU.1313    E40-008-7.MIT.ED.telne  ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1312    MINT.LCS.MIT.EDU.6001   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1309    MINT.LCS.MIT.EDU.6001   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.telnet  MINT.LCS.MIT.EDU.1218   ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1308    E40-008-7.MIT.ED.telne  ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.login   RING0.MIT.EDU.1023      ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1030    *.*                     LISTEN

NOTE: The netstat program only displays abridged hostnames, but you can use the -n flag to display the IP address of the foreign machine.

The first two lines of this output indicate Telnet connections between the machines GHOTI.LCS.MIT.EDU and AMWAY.CH.APOLLO.COM and the machine CHARON.MIT.EDU. Both of these connections originated at the remote machine and represent interactive sessions currently being run on CHARON; you can tell this because these ports are greater than 1023 and are connected to the Telnet port. (They may or may not be unnamed.) Likewise, the third Telnet connection, between CHARON and E40-008-7.MIT.EDU, originated at CHARON to the machine E40-008-7. The next two lines are connections to port 6001 (the X Window Server) on MINT.LCS.MIT.EDU. There is a Telnet from MINT to CHARON, one from CHARON to E40-008-7.MIT.EDU, and an rlogin from RINGO.MIT.EDU to CHARON. The last line indicates that a user program running on CHARON is listening for connections on port 1030. If you run netstat on your computer, you are likely to see many connections. If you use the X Window System, you may also see "UNIX domain sockets" that are the local network connections from your X clients to the X Window Server.

With the -a option, netstat will also print a list of all of the TCP and UDP sockets to which programs are listening. Using the -a option will provide you with a list of all the ports that programs and users outside your computer can use to enter the system via the network. (Unfortunately, netstat will not give you the name of the program that is listening on the


[20] But the lsof command will. See the discussion about lsof in Chapter 25, Denial of Service Attacks and Solutions.

charon% netstat -a -f inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
Previous netstat printout
tcp        0      0  *.telnet               *.*                    LISTEN
tcp        0      0  *.smtp                 *.*                    LISTEN
tcp        0      0  *.finger               *.*                    LISTEN
tcp        0      0  *.printer              *.*                    LISTEN
tcp        0      0  *.time                 *.*                    LISTEN
tcp        0      0  *.daytime              *.*                    LISTEN
tcp        0      0  *.chargen              *.*                    LISTEN
tcp        0      0  *.discard              *.*                    LISTEN
tcp        0      0  *.echo                 *.*                    LISTEN
tcp        0      0  *.exec                 *.*                    LISTEN
tcp        0      0  *.login                *.*                    LISTEN
tcp        0      0  *.shell                *.*                    LISTEN
tcp        0      0  *.ftp                  *.*                    LISTEN
udp        0      0  *.time                 *.*
udp        0      0  *.daytime              *.*
udp        0      0  *.chargen              *.*
udp        0      0  *.discard              *.*
udp        0      0  *.echo                 *.*
udp        0      0  *.ntalk                *.*
udp        0      0  *.talk                 *.*
udp        0      0  *.biff                 *.*
udp        0      0  *.tftp                 *.*
udp        0      0  *.syslog               *.*
charon%

NOTE: There are weaknesses in the implementation of network services that can be exploited so that one machine can masquerade temporarily as another machine. There is nothing that you can do to prevent this deception, assuming that the attacker gets the code correct and has access to the network. This kind of "spoof" is not easy to carry out, but toolkits are available to make the process easier. Some forms of spoofing may require physical access to your local network, but others may be done remotely. All require exact timing of events to succeed. Such spoofs are often impossible to spot afterwards.
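The reading of netstat output described in this section, turned into a small triage script as an added example (not the book's code): it parses the column layout shown above, lists sockets accepting connections that are not on an assumed site policy, and picks out the established sessions that originated at a remote machine. The sample output and the policy are constructed for the demonstration.

```python
"""Triage netstat -a -f inet output (added example, not from the book).

Parses the BSD-style columns shown in this section:
    proto recv-q send-q local-address foreign-address [state]
where addresses are written host.port and the port is either a name from
/etc/services or a number.  The sample output and the expected-service
policy below are constructed for the demonstration.
"""

# Constructed sample in the format above; hostnames are made up or taken
# from the chapter's printout.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  CHARON.MIT.EDU.telnet  GHOTI.LCS.MIT.ED.1300  ESTABLISHED
tcp     4096      0  CHARON.MIT.EDU.1313    E40-008-7.MIT.ED.telne ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.login   RINGO.MIT.EDU.1023     ESTABLISHED
tcp        0      0  CHARON.MIT.EDU.1030    *.*                    LISTEN
tcp        0      0  *.telnet               *.*                    LISTEN
tcp        0      0  *.smtp                 *.*                    LISTEN
tcp        0      0  *.8123                 *.*                    LISTEN
udp        0      0  *.syslog               *.*
udp        0      0  *.tftp                 *.*
"""

# Assumed site policy: the only services this host is supposed to offer.
EXPECTED_LISTENERS = {("tcp", "telnet"), ("tcp", "smtp"), ("tcp", "ftp"),
                      ("udp", "syslog")}


def split_addr(addr):
    """'CHARON.MIT.EDU.telnet' -> ('CHARON.MIT.EDU', 'telnet'); '*.*' -> ('*', '*').
    netstat writes the port after the last dot, so split on that one only."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return one dict per tcp/udp row; banner and heading lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, recvq, sendq, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else None   # UDP rows carry no state
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        records.append({"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
                        "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state})
    return records


def listeners(records):
    """(proto, local port) for every socket that accepts traffic from outside:
    TCP sockets in LISTEN, and UDP sockets bound with no peer (*.*)."""
    out = []
    for r in records:
        tcp_listen = r["proto"] == "tcp" and r["state"] == "LISTEN"
        udp_bound = r["proto"] == "udp" and (r["fhost"], r["fport"]) == ("*", "*")
        if tcp_listen or udp_bound:
            out.append((r["proto"], r["lport"]))
    return out


def unexpected_listeners(records, expected=EXPECTED_LISTENERS):
    """Listening sockets the policy does not account for: the entry points
    the text warns about, and the ones to identify with lsof."""
    return [sock for sock in listeners(records) if sock not in expected]


def inbound_sessions(records):
    """ESTABLISHED TCP connections that originated at the remote machine,
    following the chapter's reading: the local end is a named service port
    and the foreign end is a numeric client port.  No >1023 cut-off is
    applied because the r-commands connect from reserved ports (<=1023)."""
    out = []
    for r in records:
        if r["proto"] != "tcp" or r["state"] != "ESTABLISHED":
            continue
        if not r["lport"].isdigit() and r["fport"].isdigit():
            out.append((r["fhost"], r["lport"]))
    return out


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in unexpected_listeners(recs):
        print(f"unexpected listener: {proto}/{port}")
    for host, service in inbound_sessions(recs):
        print(f"inbound {service} session from {host}")
```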


Chapter 17 TCP/IP Services

Pay specific attention to trap doors and Trojan horses that could compromise your internal network. For example, decide whether or not your users should be allowed to have .rhosts files. If you decide that they should not have such files, delete the files, rename the files, or modify your system software to disable the feature.

Educate your users to be suspicious of strangers on the network.


Chapter 19

19 RPC, NIS, NIS+, and Kerberos

Contents:

Securing Network Services

Sun's Remote Procedure Call (RPC)

Secure RPC (AUTH_DES)

Sun's Network Information Service (NIS)

Sun's NIS+

Kerberos

Other Network Authentication Systems

In the mid-1980s, Sun Microsystems developed a series of network protocols - Remote Procedure Call (RPC), the Network Information System (NIS, previously known as Yellow Pages or YP[1]), and the Network Filesystem (NFS) - that let a network of workstations operate as if they were a single computer system. RPC, NIS, and NFS were largely responsible for Sun's success as a computer manufacturer: they made it possible for every computer user at an organization to enjoy the power and freedom of an individual, dedicated computer system, while reaping the benefits of using a system that was centrally administered.

[1] Sun stopped using the name Yellow Pages when the company discovered that the name was a trademark of British Telecom in Great Britain. Nevertheless, the commands continue to start with the letters "yp."

Sun was not the first company to develop a network-based operating system, nor was Sun's approach technically the most sophisticated. One of the most important features that was missing was security: Sun's RPC and NFS had virtually none, effectively throwing open the resources of a computer system to the whims of the network's users.

Despite this failing (or perhaps, because of it), Sun's technology soon became the standard. Soon the University of California at Berkeley developed an implementation of RPC, NIS, and NFS that interoperated with Sun's. As UNIX workstations became more popular, other companies, such as HP, Digital, and even IBM, either licensed or adopted Berkeley's software, licensed Sun's, or developed their own.

Over time, Sun developed some fixes for the security problems in RPC and NFS. Meanwhile, a number of other competing and complementary systems - for example, Kerberos and DCE - were developed for


solving many of the same problems. As a result, today's system manager has a choice of many different systems for remote procedure calls and configuration management, each with its own trade-offs in terms of performance, ease of administration, and security. This chapter describes the main systems available today and makes a variety of observations on system security. For a full discussion of NFS, see Chapter 20, NFS.

19.1 Securing Network Services

Any system that is designed to provide services over a network needs to have several fundamental

Server authentication

Clients need to have some way of verifying that the server they are communicating with is a valid server.

Client authentication

Servers need to know that the clients are in fact valid client machines.

User authentication

There needs to be a mechanism for verifying that the user sitting in front of a client workstation is in fact who the user claims to be.

Data integrity

A system is required for verifying that the data received over the network has not been modified during its transmission.

monitoring en route.

Obviously, the most secure network systems provide all five network security capabilities.


Chapter 11 Protecting Against Programmed Threats

11.4 Entry

The most important question that arises in our discussion of programmed threats is: How do these threats find their way into your computer system and reproduce? Most back doors, logic bombs, Trojan horses, and bacteria appear on your system because they were written there. Perhaps the biggest security threat to a computer system is its own user group. Users understand the system, know its weaknesses, and know the auditing and control systems that are in place. Legitimate users often have access with sufficient privilege to write and introduce malicious code into the system. Especially ironic, perhaps, is the idea that at many companies the person responsible for security and control is also the person who could cause the most damage if he wished to issue the appropriate commands.

Users also may be unwitting agents of transmission for viruses, worms, and other such threats. They may install new software from outside, and install embedded malicious code at the same time. Software obtained from public domain sources traditionally has been a source of system infection. Not all public domain software is contaminated, of course; most of it is not. Commercial products also have been known to be infected. The real difficulties occur when employees do not understand the potential problems that may result from the introduction of software that has not been checked thoroughly, no matter what its source. Such software includes the "click-and-download" paradigm of WWW browsers.

A third possible method of entry occurs if a machine is connected to a network or some other means of computer-to-computer communication. Programs may be written on the outside and find their way into a machine through these connections. This is the way worms usually enter systems. Worms may carry logic bombs or viruses with them, thus introducing those problems into the computer at the same time.

Programmed threats can easily enter most machines. Environments with poor controls abound, caused in part by the general lack of security training and expertise within the computing community. Few college-level programs in computer science and computer engineering even offer an elective in computer security (or computer ethics), so few computer users - even those with extensive training - have the background to help safeguard their systems.

No matter how the systems initially became infected, the situation is usually made worse when the software spreads throughout all susceptible systems within the same office or plant. Most systems are configured to trust the users, machines, and services in the local environment. Thus, there are even fewer restrictions and restraints in place to prevent the spread of malicious software within a local cluster or network of computers. Because the users of such an environment often share resources (including programs, diskettes, and even workstations), the spread of malicious software within such an


environment is hastened considerably. Eradicating malicious software from such an environment is also more difficult because identifying all sources of the problem is almost impossible, as is purging all those locations at the same time.


Chapter 3 Users and Passwords

3.7 One-Time Passwords

The most effective way to minimize the danger of bad passwords is to not use conventional passwords at all. Instead, your site can install software and/or hardware to allow one-time passwords. A one-time password is just that - a password that is used only once.

As a user, you may be given a list of passwords on a printout; each time you use a password, you cross it off the list, and you use the next password on the list the next time you log in. Or you may be given a small card to carry; the card will display a number that changes every minute. Or you may have a small calculator that you carry around. When the computer asks you to log in, it will print a number, and you will type that number into your little calculator, then type in your personal identification number, and then type to the computer the resulting number that is displayed.

All of these one-time password systems provide an astounding improvement in security over the conventional system. Unfortunately, because they require either the installation of special programs or the purchase of additional hardware, they are not widespread at this time in the UNIX marketplace. One-time passwords are explained in greater detail in Chapter 8; that chapter also shows some examples of one-time password systems available today.
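The "printed list" form of one-time passwords described above, as an added example that is not the book's code: it builds the list from a Lamport-style hash chain (the construction S/Key is based on), so the server stores only the last password it accepted and a password that has been used, or captured in transit, reveals nothing about the next one. The seed used in the demonstration is a constructed value.

```python
"""One-time password list built from a hash chain (added example).

This is not the book's code.  It shows the "printed list" variant of
one-time passwords using a Lamport-style hash chain, the construction
S/Key is built on: the server keeps only the last password it accepted,
and each password on the printout is the SHA-256 preimage of the one
used before it, so a password that has been typed (or captured on the
wire) tells an eavesdropper nothing about the next one.
"""
import hashlib
import secrets


def hash_step(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, length: int):
    """Return [h(seed), h(h(seed)), ..., h^length(seed)]."""
    chain = []
    x = seed
    for _ in range(length):
        x = hash_step(x)
        chain.append(x)
    return chain


def printout(chain):
    """Passwords in the order the user crosses them off: starting just
    below the server's anchor h^n(seed) and walking back toward the seed.
    The anchor itself is never typed; it is what the server stores."""
    return [x.hex() for x in reversed(chain[:-1])]


class OtpVerifier:
    """Server side.  Holds the current anchor, never the seed or the list."""

    def __init__(self, anchor: bytes, remaining: int):
        self.anchor = anchor
        self.remaining = remaining   # passwords left on the user's printout

    def verify(self, typed_hex: str) -> bool:
        try:
            candidate = bytes.fromhex(typed_hex)
        except ValueError:
            return False
        # A reused password hashes to its successor, not to the current
        # anchor, so replays fail; so does skipping ahead on the list.
        if self.remaining == 0 or hash_step(candidate) != self.anchor:
            return False
        self.anchor = candidate      # step the anchor one link down the chain
        self.remaining -= 1
        return True


def enroll(length=20, seed=None):
    """Create the user's printout and the server's verifier.  A fixed seed
    is only for demonstration; a real enrollment uses the random one."""
    seed = seed if seed is not None else secrets.token_bytes(32)
    chain = make_chain(seed, length)
    return printout(chain), OtpVerifier(chain[-1], length - 1)


if __name__ == "__main__":
    pw_list, server = enroll(length=5)
    print("first login:", server.verify(pw_list[0]))    # True
    print("replay:     ", server.verify(pw_list[0]))    # False
    print("next login: ", server.verify(pw_list[1]))    # True
```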


Chapter 3 Users and Passwords

3.5 Verifying Your New Password

After you have changed your password, try logging into your account with the new password to make sure that you've entered the new password properly. Ideally, you should do this without logging out, so you will have some recourse if you did not change your password properly. This is especially crucial if you are logged in as root and you have just changed the root password.

Forcing a Change of Password

At one major university we know about, it was commonplace for students to change their passwords and then be unable to log into their accounts. Most often this happened when students tried to put control characters into their passwords.[7] Other times, students mistyped the password and were unable to retype it again later. More than a few got so carried away making up a fancy password that they couldn't remember it later.

[7] The control characters ^@, ^G, ^H, ^J, ^M, ^Q, ^S, and ^[ should probably not be put in passwords, because they can be interpreted by the system. If your users will log in using xdm, they should avoid all control characters, as xdm often filters them out. You should also beware of control characters that may interact with your terminal programs, terminal concentrator monitors, and other intermediate systems you may use. Finally, you may wish to avoid the # and @ characters, as some UNIX systems still interpret these characters with their use as erase and kill characters.

Well, once a UNIX password is entered, there is no way to decrypt it and recover it. The only recourse is to have someone change the password to another known value. Thus, the students would bring a picture ID to the computing center office, where a staff member would change the password to ChangeMe and instruct them to immediately go down the hall to a terminal room to do exactly that.

Late one semester shortly after the Internet worm incident, one of the staff decided to try running a password cracker (see Chapter 8) to see how many student account passwords were weak. Much to the surprise of the staff member, dozens of the student accounts had a password of ChangeMe. Furthermore, at least one of the other staff members also had that as a password! The policy soon changed to one in which forgetful students were forced to enter a new password on the spot.

Under SVR4, there is an option to the passwd command that can be used by the superuser: -f (e.g., passwd -f nomemory). This forces the user to change his password during the login process the very next time he logs in to the system. It's a good option for system administrators to remember. (This behavior is


the default on AIX. OSF/1 uses the chfn command for this same purpose.)

One way to try out your new password is to use the su command. Normally, the su command is used to switch to another account. But as the command requires that you type the password of the account to which you are switching, you can effectively use the su command to test the password of your own account:

% su nosmis

password: mypassword

%

(Of course, instead of typing nosmis and mypassword, use your own account name and password.)

If you're using a machine that is on a network, you can use the telnet or rlogin programs to loop back through the network and log in a second time by typing:

You may need to replace localhost in the above example with the name of your computer

If you try one of the earlier methods and discover that your password is not what you thought it was, you have a definite problem. To change the password to something you do know, you will need the current password. However, you don't know that password! You will need the help of the superuser to fix the situation. (That's why you shouldn't log out - if the time is 2 a.m. on Saturday, you might not be able to reach the superuser until Monday morning, and you might want to get some work done before then.)

The superuser (user root) can't decode the password of any user. However, the superuser can help you when you don't know what you've set your password to by setting your password to something else. If you are running as the superuser, you can set the password of any user, including yourself, without supplying the old password. You do this by supplying the username to the passwd command when you invoke it:

# passwd cindy

New password: NewR-pas

Retype new password: NewR-pas

#


Chapter 3 Users and Passwords

3.8 Summary

In this chapter we've discussed how UNIX identifies users and authenticates their identity at login. We've presented some details on how passwords are represented and used. We'll present more detailed technical information in succeeding chapters on how to protect access to your password files and passwords, but the basic and most important advice for protecting your system can be summarized as follows:

Use one-time passwords if possible.

Making sure that users pick good passwords is one of the most important parts of running a secure


Chapter 21 Firewalls

21.2 Building Your Own Firewall

For years, firewalls were strictly a do-it-yourself affair. A big innovation was the introduction of several firewall toolkits - ready-made proxies and client programs designed to build a simple, straightforward firewall system. Lately, a number of companies have started offering complete firewall "solutions."

Today there are four basic types of firewalls in use:

Packet firewalls

These firewalls are typically built from routers that are programmed to pass some types of packets and to block others.

Traditional proxy-based firewalls

These firewalls require that users follow special procedures or use special network clients that are aware of the proxies.

Packet-rewriting firewalls

These firewalls rewrite the contents of the IP packets as they pass between the internal network and the Internet. From the outside, all communications appear to be mediated through a proxy on the firewall. From the inside network, the firewall is transparent.

Screens

These firewalls bisect a single Ethernet with a pair of Ethernet interfaces. The screen doesn't have an IP address. Instead, each Ethernet interface listens to all packets that are transmitted on its segment and forwards the appropriate packets, based on a complex set of rules, to the other interfaces. Because the screen does not have an IP address, it is highly resistant to attack over the network. For optimal security, the screen should be programmed through a serial interface or removable media (e.g., floppy disk), although you can design a screen that would be addressed through its Ethernet interface directly (speaking a network protocol other than IP). Some manufacturers of screens provide several network interfaces, so that you can set up a WWW server or a news server on a separate screened subnet using the same screen.

In this section, we will discuss the construction of a firewall built from a choke and a gate that uses proxies to move information between the internal network and the external network. We describe how to build this kind of firewall because the tools are readily available, and because this type seems to provide adequate security for many applications.


For additional useful and practical information on constructing your own firewall, we recommend that you read Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky (O'Reilly & Associates, 1995).

21.2.1 Planning Your Configuration

Before you start purchasing equipment or downloading software from the Internet for your firewall, you might first want to answer some basic questions:

What am I trying to protect? If you are simply trying to protect two or three computers, you might find that using host-based security is easier and more effective than going to the expense and difficulty of building a full-fledged firewall.

Do I want to build my own firewall, or buy a ready-made solution? Although you could build a very effective firewall, the task is very difficult and one in which a single mistake can lead to disaster.

Should I buy a monitored firewall service? If your organization lacks the expertise to build its own firewall, or it does not wish to commit the resources to monitor a firewall 24 hours a day, 7 days a week, you may find that paying for a monitored firewall service is an economical alternative. Several ISPs now offer such services as a value-added option to their standard Internet offerings.

How much money do I want to spend? You can spend a great deal of money on your own systems, or on a commercial product. Often (but not always) the extra expense may result in a more capable firewall.

Is simple packet filtering enough? If so, you can probably set up your "firewall" simply by adding a few rules to your existing router's configuration files.

21.2.2 Assembling the Parts

After you have decided on your configuration, you must then assemble the parts. This assembly includes:

Choke

Most organizations use a router. You can use an existing router or purchase a special router for the purpose.

Gate

Usually, the gate is a spare computer running the UNIX operating system. Gates do not need to be top-of-the-line workstations, because the speed at which they function is limited by the speed of your Internet connection, not the speed of your computer's CPU. In many cases, a high-end PC can provide sufficient capacity for your gate.


You'll want to get a variety of software to run on the gate. Start with a firewall toolkit, such as the one from Trusted Information Systems. You should also have a consistency-checking package, such as Tripwire, to help you detect intrusion. Finally, consider using a package such as Tiger to help find security weaknesses in the firewall's UNIX configuration.

21.2.3 Setting Up the Choke

The choke is the bridge between the inside network and the outside network. It should not forward packets between the two networks unless the packets have the gate computer as either their destination or their origination address. You can optionally further restrict the choke so that it forwards only packets for particular protocols - for example, packets used for mail transfer but not for telnet or rlogin.

There are three main choices for your choke:

Use an "intelligent router." Many of these routers can be set up to forward only certain kinds of packets and only between certain addresses.

You can alter your operating system's network driver so that it only accepts packets from the internal network and the choke. If you are running Linux, you can use the operating system's kernel-based IP filtering, accessible through the ipfw command, to prevent the system from receiving packets from non-approved networks or hosts. In the not too distant future, other vendors may offer similar features.

3

The details of how you set up your choke will vary greatly, depending on the hardware you use and that hardware's software. Therefore, the following sections are only general guidelines.

21.2.4 Choosing the Choke's Protocols

The choke is an intelligent filter: it is usually set up so that only the gate machine can talk to the outside world. All messages from the outside (whether they're mail, FTP, or attempts to break in) that are directed to internal machines other than the gate are rejected. Attempts by local machines to contact sites outside the LAN are similarly denied.

The gate determines destinations, then handles requests or forwards them as appropriate. For instance, SMTP (mail) requests can be sent to the gate, which resolves local aliases and then sends the mail to the appropriate internal machine.

Furthermore, you can set up your choke so that only specific kinds of messages are sent through. You should configure the choke to reject messages using unknown protocols. You can also configure the choke to specifically reject known protocols that are too dangerous for people in the outside world to use on your internal computers.

The choke software should carefully examine the option bits that might be set in the header of each IP packet. Option bits, such as those for IP forwarding, fragmentation, and route recording, may be valid on some packets. However, they are sometimes set by attackers in an attempt to probe the state of your firewall or to get packets past a simple choke. Other options, such as source routing, are never acceptable; packets that specify them should be blocked.

You also want to configure the choke to examine the return addresses (source addresses) on packets. Packets from outside your network should not state source addresses from inside your network, nor should they be broadcast or multicast addresses. Otherwise, an attacker might be able to craft packets that look normal to your choke and clients; in such cases, the responses to these packets are what actually do the damage.

The choke can also be configured to prevent local users from connecting to outside machines through unrestricted channels. This type of configuration prevents Trojan-horse programs from installing network back doors on your local machines. Imagine a public domain data-analysis program that surreptitiously listens on port 49372 for connections and then forks off a /bin/csh. The configuration also discourages someone who does manage to penetrate one of your local machines from sending information back to the outside world.

Ideally, there should be no way to change your choke's configuration from the network. An attacker trying to tap into your network will be stuck if your choke is a PC-based router that can be reprogrammed only from its keyboard.
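The choke policy of sections 21.2.3 and 21.2.4 (only the gate crosses the choke, source routing always rejected, inside or broadcast source addresses on outside packets rejected, unknown protocols and dangerous services dropped) as an added Python model that is not from the book; the network numbers, the gate address, the protocol set and the port list are assumptions constructed for illustration.

```python
# Added example, not from the book: a model of the choke's filtering policy from
# sections 21.2.3 and 21.2.4, run over constructed sample packets. The network
# numbers, the gate address and the port list are assumptions for illustration.
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.0.2.0/24")        # assumed internal LAN
GATE = ip_address("192.0.2.10")                  # assumed address of the gate
LIMITED_BROADCAST = ip_address("255.255.255.255")
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp"}         # anything else is "unknown" and rejected
# Services the book names as too dangerous to expose to the outside world (telnet, rlogin).
DANGEROUS_INBOUND_TCP_PORTS = {23, 513}


def filter_packet(pkt, arriving_from_outside):
    """Apply the choke rules to one packet; return (forward, reason).

    pkt is a dict with keys src, dst, proto and optionally dport and options.
    arriving_from_outside says which side of the choke the packet came in on.
    """
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])

    # Header option bits: source routing is never acceptable.
    if "source_route" in pkt.get("options", ()):
        return False, "source-routed packet"

    # Source-address checks: no broadcast or multicast source, and an outside
    # packet must not claim an inside origin.
    if src.is_multicast or src in (LIMITED_BROADCAST, INTERNAL_NET.broadcast_address):
        return False, "broadcast or multicast source address"
    if arriving_from_outside and src in INTERNAL_NET:
        return False, "outside packet with an inside source address"

    # Only the gate talks to the outside world, in either direction.
    if arriving_from_outside and dst != GATE:
        return False, "inbound packet not addressed to the gate"
    if not arriving_from_outside and src != GATE:
        return False, "internal host opening an unrestricted outside channel"

    # Protocol policy: unknown protocols are rejected; dangerous services are
    # not reachable from outside even on the gate.
    proto = pkt.get("proto")
    if proto not in KNOWN_PROTOCOLS:
        return False, f"unknown protocol {proto!r}"
    if arriving_from_outside and proto == "tcp" and pkt.get("dport") in DANGEROUS_INBOUND_TCP_PORTS:
        return False, f"dangerous service on port {pkt['dport']}"

    return True, "forwarded"


# Constructed sample traffic: (label, packet, arriving_from_outside).
SAMPLE_PACKETS = [
    ("mail to the gate", {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 25}, True),
    ("telnet to the gate", {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}, True),
    ("mail straight to an inside host", {"src": "198.51.100.7", "dst": "192.0.2.55", "proto": "tcp", "dport": 25}, True),
    ("outside packet claiming inside source", {"src": "192.0.2.55", "dst": "192.0.2.10", "proto": "tcp", "dport": 25}, True),
    ("source-routed probe", {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 25, "options": ("source_route",)}, True),
    ("multicast source", {"src": "224.0.0.1", "dst": "192.0.2.10", "proto": "udp", "dport": 53}, True),
    ("unknown protocol", {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "gre"}, True),
    ("gate replying outbound", {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": "tcp", "dport": 25}, False),
    ("inside host to back door port 49372", {"src": "192.0.2.55", "dst": "198.51.100.7", "proto": "tcp", "dport": 49372}, False),
]


def audit(samples=SAMPLE_PACKETS):
    """Run every sample through the choke and map its label to the decision."""
    return {label: filter_packet(pkt, outside) for label, pkt, outside in samples}


if __name__ == "__main__":
    for label, (forward, reason) in audit().items():
        print(f"{'PASS' if forward else 'DROP':4}  {label}: {reason}")
```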

NOTE: The way you configure your choke will depend on the particular router that you are using for a choke; consult your router's documentation for details.

Routers as Chokes


Appendix D Paper Sources

D.2 Security Periodicals

Computer Audit Update,

Computer Fraud & Security Update,

Computer Law & Security Report,

Computers & Security

Elsevier Advanced Technology

Crown House, Linton Rd

Barking, Essex I611 8JU


Voice: +1-617-235-2895

Computer Security, Audit & Control

(Law & Protection Report)

P.O. Box 5323

Madison, WI 53705

Voice: +1-608-271-6768

Computer Security Alert

Computer Security Journal

Computer Security Buyers Guide

Computer Security Institute

FBI Law Enforcement Bulletin

Federal Bureau of Investigation

10th and Pennsylvania Avenue

Information Systems Security Monitora

U.S. Department of the Treasury

Bureau of the Public Debt

AIS Security Branch

[Appendix D] D.2 Security Periodicals

file:///C|/Oreilly Unix etc/O'Reilly Reference Library/networking/puis/appd_02.htm (2 of 3) [2002-04-12 10:45:49]

Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com

Trang 25

International Association of Chiefs of Police

110 North Glebe Road, Suite 200

Arlington, VA 22201-9900

Voice: +1-703-243-6500

Security Management

American Society for Industrial Security

1655 North Fort Meyer Drive, Suite 1200


Chapter 18 WWW Security

18.7 Summary

One of the principal goals of good security management is to prevent the disclosure of privileged information. Running a WWW service implies providing information, quickly and in volume. These two ideas pose a serious conflict, especially given how recently these services and software have appeared and how rapidly they are evolving. We have no way of anticipating all the failure modes and problems these services may bring.

We strongly recommend that you consider running a WWW service on a stripped-down machine that has been especially designated for that purpose. Put the machine outside your firewall, and let the world have access to it and only to it.


Chapter 14 Telephone Security

14.2 Serial Interfaces

Information inside most computers moves in packets of 8, 16, or 32 bits at a time, using 8, 16, or 32 individual wires. When information leaves a computer, however, it is often divided into a series of single bits that are transmitted sequentially. Often, these bits are grouped into 8-bit bytes for purposes of error checking or special encoding. Serial interfaces transmit information as a series of pulses over a single wire. A special pulse called the start bit signifies the start of each character. The data is then sent down the wire, one bit at a time, after which another special pulse called the stop bit is sent (see Figure 7.1).

Figure 14.1: A serial interface sending the letter K (ASCII 75)

Because a serial interface can be set up with only three wires (transmit data, receive data, and ground), it's often used with terminals. With additional wires, serial interfaces can be used to control modems, allowing computers to make and receive telephone calls.
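The start-bit, data-bits, stop-bit framing just described, as an added Python example that is not from the book: it puts the letter K (ASCII 75) of Figure 14.1 on a simulated wire and decodes it again, treating a missing stop bit as a framing error. The least-significant-bit-first order and the optional even parity bit (standing in for the "error checking" the text mentions) are assumptions of the example.

```python
# Added example, not from the book: the start-bit / data-bits / stop-bit framing
# of section 14.2, encoding the letter K (ASCII 75) from Figure 14.1 and decoding
# it again. LSB-first order and the optional even parity bit are assumptions.
START_BIT = 0        # line driven to "space" to announce a character
STOP_BIT = 1         # line returned to the idle "mark" state
DATA_BITS = 8


def frame_byte(value, even_parity=False):
    """Return the bits placed on the wire for one byte: start, data (LSB first), [parity], stop."""
    if not 0 <= value < 256:
        raise ValueError("one byte only")
    data = [(value >> i) & 1 for i in range(DATA_BITS)]
    if even_parity:
        data.append(sum(data) % 2)     # make the count of 1 bits (data + parity) even
    return [START_BIT] + data + [STOP_BIT]


def unframe(bits, even_parity=False):
    """Recover the bytes from a sampled line, skipping idle (mark) bits between characters.

    A frame whose stop bit is missing is a framing error: the receiver has lost
    character alignment. With parity enabled, a wrong parity bit is a parity error.
    """
    width = DATA_BITS + (1 if even_parity else 0)
    out, i = [], 0
    while i < len(bits):
        if bits[i] == STOP_BIT:        # idle line: keep waiting for a start bit
            i += 1
            continue
        frame = bits[i:i + width + 2]
        if len(frame) < width + 2 or frame[-1] != STOP_BIT:
            raise ValueError(f"framing error at bit offset {i}")
        payload = frame[1:-1]
        if even_parity:
            if sum(payload) % 2:
                raise ValueError(f"parity error at bit offset {i}")
            payload = payload[:-1]
        out.append(sum(bit << k for k, bit in enumerate(payload)))
        i += width + 2
    return out


if __name__ == "__main__":
    wire = frame_byte(75)
    print("K on the wire:", "".join(map(str, wire)))     # 0110100101
    print("decoded:", [chr(b) for b in unframe([1, 1] + wire)])
```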


Appendix C UNIX Processes

C.3 Signals

Signals are a simple UNIX mechanism for controlling processes. A signal is a 5-bit message to a process that requires immediate attention. Each signal has associated with it a default action; for some signals, you can change this default action. Signals are generated by exceptions, which include:

Attempts to use illegal instructions

The system default may be to ignore the signal, to terminate the process receiving the signal (and, optionally, generate a core file), or to suspend the process until it receives a continuation signal. Some signals can be caught - that is, a program can specify a particular function that should be run when the signal is received. By design, UNIX supports exactly 31 signals. They are listed in the files /usr/include/signal.h and /usr/include/sys/signal.h. Table 27.4 contains a summary.

Table C.6: UNIX Signals

Signal Name   Number[7]   Key   Meaning[8]
SIGHUP        1                 Hangup (sent to a process when a modem or network connection is lost)
SIGINT        2                 Interrupt (generated by CTRL-C (Berkeley UNIX) or RUBOUT (System V))
SIGIOT        6           *     I/O trap instruction; used on PDP-11 UNIX
SIGEMT        7           *     Emulator trap instruction; used on some computers without floating-point hardware support
SIGBUS        10          *     Bus error (invalid memory reference, such as an attempt to read a full word on a half-word boundary)
SIGSEGV       11          *     Segmentation violation (invalid memory reference, such as an attempt to read outside a process's memory map)
SIGSYS        12          *     Bad argument to a system call
SIGPIPE       13                Write on a pipe that has no process to read it
SIGTERM       15                Software termination signal (default kill signal)
SIGTSTP       18          +     Stop signal generated by keyboard
SIGCHLD       20          @     Child process state has changed
SIGTTIN       21          +     Read attempted from control terminal while process is in background
SIGTTOU       22          +     Write attempted to control terminal while process is in background
SIGWINCH      28          @     tty window has changed size

[7] The signal number varies on some systems.

[8] The default action for most signals is to terminate.

Key:

* If signal is not caught or ignored, generates a core image dump.

@ Signal is ignored by default.

+ Signal causes process to suspend.

! Signal cannot be caught or ignored.

Signals are normally used between processes for process control. They are also used within a process to indicate exceptional conditions that should be handled immediately (for example, floating-point
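The behaviours catalogued in Table C.6 and its key, exercised from Python as an added example that is not from the book: catching a signal so the program's own function runs instead of the default action, confirming that the "!" signals refuse a handler, and observing a signal's default action (terminate, or ignored by default) in a throwaway child process. It assumes a POSIX system (Linux) and CPython's signal and os modules.

```python
# Added example, not from the book: exercising the signal behaviours summarised
# in Appendix C.3 and Table C.6 from Python on a POSIX system (Linux assumed).
import os
import signal


def catch_signal(signum):
    """Catch signum (a caught signal runs the program's own function instead of the
    default action), deliver it to ourselves, and return the number the handler saw."""
    seen = []
    previous = signal.signal(signum, lambda num, _frame: seen.append(num))
    try:
        os.kill(os.getpid(), signum)
        # CPython runs Python-level handlers at the next eval-loop check; spin until it has.
        for _ in range(10_000):
            if seen:
                break
    finally:
        if previous is not None:
            signal.signal(signum, previous)       # restore the old disposition
    return seen[0] if seen else None


def can_be_caught(signum):
    """Key "!": the kernel refuses to install a handler for SIGKILL and SIGSTOP."""
    try:
        previous = signal.signal(signum, signal.SIG_IGN)
    except OSError:                               # EINVAL from sigaction(2)
        return False
    if previous is not None:
        signal.signal(signum, previous)
    return True


def default_action(signum):
    """Observe a signal's default action without harming this process: fork a child,
    reset signum to SIG_DFL there (Python itself ignores SIGPIPE at startup), send it to
    the child, and report what the kernel did.  Returns 'terminated', 'terminated with
    core' (key "*", only if core dumps are enabled) or 'survived' (key "@", ignored by
    default).  Do not pass a stop signal (key "+"): the child would suspend and
    waitpid would block."""
    pid = os.fork()
    if pid == 0:                                  # child
        signal.signal(signum, signal.SIG_DFL)
        os.kill(os.getpid(), signum)
        os._exit(0)                               # reached only if the signal was ignored
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return "terminated with core" if os.WCOREDUMP(status) else "terminated"
    return "survived"


if __name__ == "__main__":
    print("caught:", catch_signal(signal.SIGHUP))
    for sig in (signal.SIGTERM, signal.SIGKILL, signal.SIGSTOP):
        print(f"{sig.name} can be caught: {can_be_caught(sig)}")
    for sig in (signal.SIGTERM, signal.SIGPIPE, signal.SIGCHLD, signal.SIGWINCH):
        print(f"{sig.name} default action: {default_action(sig)}")
```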


Chapter 16 TCP/IP Networks

16.5 Summary

Connecting to a network opens a whole new set of security considerations above and beyond those of protecting accounts and files. Various forms of network protocols, servers, clients, routers, and other network components complicate the picture. To be safely connected requires an understanding of how these components are configured and interact.

Connections to networks with potentially unfriendly users should be done with a firewall in place. Connections to a local area network that involves only your company or university may not require a firewall, but still require proper configuration and monitoring.

In later chapters we will discuss some of these other considerations. We cannot provide truly comprehensive coverage of all the related issues, however, so we encourage you to pursue the references listed in Appendix D.


Chapter 27 Who Do You Trust?

27.4 What All This Means

We haven't presented the material in this chapter to induce paranoia in you, gentle reader. Instead, we want to get across the point that you need to consider carefully who and what you trust. If you have information or equipment that is of value to you, you need to think about the risks and dangers that might be out there. To have security means to trust, but that trust must be well placed.

If you are protecting information that is worth a great deal, attackers may well be willing to invest significant time and resources to break your security. You may also think you don't have information that is worth a great deal; nevertheless, you are a target anyway. Why? Your site may be a convenient stepping stone to another, more valuable site. Or perhaps one of your users is storing information of great value that you don't know about. Or maybe you simply don't realize how much the information you have is actually worth. For instance, in the late 1980's, Soviet agents were willing to pay hundreds of thousands of dollars for copies of the VMS operating system source - the same source that many site administrators kept in unlocked cabinets in public computer rooms.

To trust, you need to be suspicious. Ask questions. Do background checks. Test code. Get written assurances. Don't allow disclaimers. Harbor a healthy suspicion of fortuitous coincidences (the FBI happening to call or that patch tape showing up by FedEx, hours after you discover someone trying to exploit a bug that the patch purports to fix). You don't need to go overboard, but remember that the best way to develop trust is to anticipate problems and attacks, and then test for them. Then test again, later. Don't let a routine convince you that no problems will occur.

If you absorb everything we've written in this book, and apply it, you'll be way ahead of the game. However, this information is only the first part of a comprehensive security plan. You need to constantly be accumulating new information, studying your risks, and planning for the future. Complacency is one of the biggest dangers you can face. As we said at the beginning of the book, UNIX can be a secure system, but only if you understand it and deploy it in a monitored environment.

You can trust us on that.


Chapter 5 The UNIX Filesystem

5.10 Summary

The UNIX filesystem is the primary tool that is used by the UNIX operating system for enforcing computer security. Although the filesystem's concepts of security - separate access permissions for the file's user, group, and world - are easy to understand, a UNIX system can be very difficult to administer because of the complexity of getting every single file permission correct.

Because of the attention to detail required by the UNIX system, you should use measures beyond the filesystem to protect your data. One of the best techniques that you can use is encryption, which we describe in the next chapter.


Appendix E Electronic Resources

E.2 Usenet Groups

There are several Usenet newsgroups that you might find to be interesting sources of information on network security and related topics. However, the unmoderated lists are the same as other unmoderated groups on the Usenet: repositories of material that is often off-topic, repetitive, and incorrect. Our warning about material found in mailing lists, expressed earlier, applies doubly to newsgroups.


Discussions about cryptology research and application


Chapter 15 UUCP

15.9 Summary

Although UUCP can be made relatively secure, most versions of UUCP, as distributed by vendors, are not. If you do not intend to use UUCP, you may wish to delete (or protect) the UUCP system altogether.

If you are not running UUCP, check the permissions on the uucppublic directory, and set them to 0.

If you do use UUCP:

Be sure that the UUCP control files are protected and cannot be read or modified using the UUCP program.


Scope of This Book

This book is divided into six parts; it includes 27 chapters and 7 appendixes.

Part I, Computer Security Basics, provides a basic introduction to security policy. The chapters are written to be accessible to both users and administrators.

Chapter 1, Introduction, provides a history of the UNIX operating system and an introduction to UNIX security. It also introduces basic terms we use throughout the book.

Chapter 2, Policies and Guidelines, examines the role of setting good policies to guide protection of your systems. It also describes the trade-offs that must be made to account for cost, risk, and corresponding benefits.

Part II, User Responsibilities, provides a basic introduction to UNIX host security. The chapters are written to be accessible to both users and administrators.

Chapter 3 is about UNIX user accounts. It discusses the purpose of passwords, explains what makes good and bad passwords, and describes how the crypt( ) password encryption system works.

Chapter 4, Users, Groups, and the Superuser, describes how UNIX groups can be used to control access to files and devices. It also discusses the UNIX superuser and the role that special users play.

Chapter 5, The UNIX Filesystem, discusses the security provisions of the UNIX filesystem and tells how to restrict access to files and directories to the file's owner, to a group of people, or to everybody on the computer system.

Chapter 6, Cryptography, discusses the role of encryption and message digests in your security. It includes a discussion of several popular encryption schemes, including the PGP mail package.

Part III, System Security, is directed primarily towards the UNIX system administrator. It describes how to configure UNIX on your computer to minimize the chances of a break-in, as well as to limit the opportunities for a nonprivileged user to gain superuser access.

Chapter 7, Backups, discusses how and why to make archival backups of your storage. It includes discussions of backup strategies for different types of organizations.

Chapter 8, Defending Your Accounts, describes ways that a computer cracker might try to initially break into your computer system. By knowing these "doors" and closing them, you increase the security of your system.

Chapter 9, Integrity Management, discusses how to monitor your filesystem for unauthorized changes. This includes coverage of the use of message digests and read-only disks, and the configuration and use of the Tripwire utility.

Chapter 10, Auditing and Logging, discusses the logging mechanisms that UNIX provides to help you audit the usage and behavior of your system.

Chapter 11, Protecting Against Programmed Threats, is about computer viruses, worms, and Trojan horses. This chapter contains detailed tips that you can use to protect yourself from these electronic vermin.

Chapter 12, Physical Security. What if somebody gets frustrated by your super-secure system and decides to smash your computer with a sledgehammer? This chapter describes physical perils that face your computer and its data and discusses ways of protecting them.

Chapter 13, Personnel Security, examines concerns about who you employ and how they fit into your overall security scheme.

Part IV, Network and Internet Security, is about the ways in which individual UNIX computers communicate with one another and the outside world, and the ways that these systems can be subverted by attackers to break into your computer system. Because many attacks come from the outside, this part of the book is vital reading for anyone whose computer has outside connections.

Chapter 14, Telephone Security, describes how modems work and provides step-by-step instructions for testing your computer's modems to see if they harbor potential security problems.

Chapter 15, UUCP, is about the UNIX-to-UNIX copy system, which can use standard phone lines to copy files, transfer electronic mail, and exchange news. This chapter explains how UUCP works and tells you how to make sure that it can't be subverted to damage your system.

Chapter 16, TCP/IP Networks, provides background on how TCP/IP networking programs work and describes the security problems they pose.

Chapter 17, TCP/IP Services, discusses the common IP network services found on UNIX systems, coupled with common problems and pitfalls.

Chapter 18, WWW Security, describes some of the issues involved in running a World Wide Web server without opening your system to security problems. The issues discussed here should also be borne in mind when operating any other kind of network-based information server.

Chapter 19, RPC, NIS, NIS+, and Kerberos, discusses a variety of network information services. It covers some of how they work, and common pitfalls.

Chapter 20, NFS, describes how Sun Microsystems' Network Filesystem works and its potential security problems.


Part V, Advanced Topics, discusses issues that arise when organizational networks are interconnected with the Internet. It also covers ways of increasing your security through better programming.

Chapter 21, Firewalls, describes how to set up various types of firewalls to protect an internal network from an external attacker.

Chapter 22, Wrappers and Proxies, describes a few common wrapper and proxying programs to help protect your machine and the programs within it without requiring access to source code.

Chapter 23, Writing Secure SUID and Network Programs, describes common pitfalls when writing your own software. It gives tips on how to write robust software that will resist attack from malicious users.

Part VI, Handling Security Incidents, contains instructions about what to do if your computer's security is compromised. This part of the book will also help system administrators protect their systems from authorized users who are misusing their privileges.

Chapter 24, Discovering a Break-in, contains step-by-step directions to follow if you discover that an unauthorized person is using your computer.

Chapter 25, Denial of Service Attacks and Solutions, describes ways that legitimate, authorized users can make your system inoperable, ways that you can find out who is doing what, and what to do about it.

Chapter 26, Computer Security and U.S. Law. Occasionally the only thing you can do is sue or try to have your attackers thrown into jail. This chapter describes the legal recourse you may have after a security breach and discusses why legal approaches are often not helpful. It also covers some emerging concerns about running server sites connected to a wide area network such as the Internet.

Chapter 27, Who Do You Trust?, is the concluding chapter that makes the point that somewhere along the line, you need to trust a few things, and people. However, are you trusting the right ones?

Part VII, Appendixes, contains a number of useful lists and references.

Appendix A, UNIX Security Checklist, contains a point-by-point list of many of the suggestions made in the text of the book.

Appendix B, Important Files, is a list of the important files in the UNIX filesystem and a brief discussion of their security implications.

Appendix C, UNIX Processes, is a technical discussion of how the UNIX system manages processes. It also describes some of the special attributes of processes, including the UID, GID, and SUID.

Appendix D lists books, articles, and magazines about computer security.

Appendix E, Electronic Resources, is a brief listing of some significant security tools to use with UNIX, including directions on where to find them on the Internet.

Appendix F, Organizations, contains the names, telephone numbers, and addresses of organizations that are devoted to seeing computers become more secure.


Posted: 12/08/2014, 22:21
