Transcript An Introduction to UNIX Security

An Introduction to
UNIX Security
A Presentation by
Trey Evans
[email protected]
www.bestican.net
Linux or UNIX?

System V


BSD


Linux, AIX, HP-UX, Solaris
Net, Open, Free
AT&T

SCO, IRIX, Solaris
Out of the Box Security




Very limited deployment options
Custom tailoring always the best option
Expensive to migrate
Often easy to monitor
Kernel Security




Remove any drivers not used
If the user needs them, he/she can add them
at boot time
Prevents unstable drivers from causing
hiccups when called
Eliminates possibility of attacker exploiting
weak driver or combination of drivers
Network Security

ipchains, iptables, “routes”



Tells machine what to do with what packets under
certain circumstances
Set up *nix box as a router / firewall / both
Tame user privileges




No need for users to be able to change IP
Keep users from enabling promiscuous mode
Keep users from enabling second network card
Perhaps disable user access to usbhci
Email Security



Sendmail
Qmail
www.google.com
Begin Fun Stuff
Penetration



Physically insert your machine into the
target’s network
Bypass perimeter security
Control router or outer most point

“Edge devices”
Physical Insertion


Basically, obtaining an IP on the system
Man in the middle



Easiest way – Wireless


Wireless – airjack userland utilities
Wired – spoof MAC, auth as legit user
bestican.net/wifi/pres.pdf
DHCP? IP addressing scheme?
Bypass security

Portscan looking for services


Box on inside?



Test firewall rules using packet crafting
See illustration
DoS or DDoS


nmap stealth mode (-s) or OS discover (-O)
Lame.
Google exploits for firewall
Outermost Device

Root access on gateway or firewall or router


Gives access to ALL packets on network
Redirect at will



Change IP table
Change message or headers
Sniff passwords

Write them down, you’ll need them later
Discovery


Ask “what’s the payload?”
Portscan


Rootkit



nmap, NetCat, nmap for X
Requires root on an internal box
Must be well hidden
Exploit scanner



Don’t get caught
Hardware may skew results
Morph
Elevate Privileges

Local access is root access




Based on boot loader, usually
Google.com
Doesn’t insert NFS folders into hierarchy
Exploits tailored to machine


Cool CC example
Cool passwd example
Historic Exploits

FTPD buffer overflow



Sendmail remote call



Widespread, FTPD installed by default often
Gave root FTP access
Auth as root
Send mail as anyone, read anyone’s mail
evil.c



Not a big threat (unless hosting)
Local access needed
Demo?