Network Security

6.7 Network Security

Because Linux is a very popular Unix flavor on the PC platform, it attracts more unpleasant characters who try to break into computer systems. Section 5.13 talked about firewalls, but this isn't really the whole story on security.

Network security attracts extremists. Those who are interested in breaking into systems do so because they really like to, and those who come up with elaborate schemes to protect themselves do so because they really like to swat away people trying to break into their systems.

Most people would rather just not have to deal with it, but that attitude and a broadband connection will get your system compromised in no time. Fortunately, you don't need to know very much to keep your system safe. Here are a few basic rules of thumb:

Run as few services as possible. Intruders can't break into services that don't exist on your system. If you know what a service is, and you're not using it at the moment, don't turn it on just in case you might want it sometime.

Block as much as possible with a firewall. Unix systems have a number of internal services that you may not know about, such as TCP port 6000 for the X Window System server. No other system in the world needs to know about these services, and no other system in the world should know about them, either. Furthermore, it is very difficult to track and regulate the services on your system, because many different kinds of programs listen on ports. You can prevent intruders from discovering internal services with effective firewall rules. Refer to Section 5.13.1 for an example firewall.

Keep on top of the services that you offer to the entire Internet. If you run an SSH server or Postfix or other services, make sure that you have the ability to stay up to date with the software and get appropriate alerts. See Section 6.7.4 for some online resources.

Don't give an account to anyone who doesn't need an account. It's much easier to gain superuser access from a local account than it is to break in remotely. In fact, given the huge base of software (and the resulting bugs and design flaws) available on most systems, it's almost laughably easy to gain superuser access to a system after you get to a shell prompt. Don't assume that your friends know how to protect their passwords (or to choose good passwords in the first place).

Avoid installing dubious binary packages. They can contain Trojan horses.
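The first two rules above come down to knowing what is listening on your machine and on which interface. The following Python script is an added example, not code from the book: it parses a netstat-style listing of listening TCP sockets (the sample below is constructed for this example), separates sockets bound to loopback from those reachable by other hosts, and prints iptables rules that accept only the services you intend to offer and drop everything else. The ALLOWED_TCP_PORTS set is an assumption standing in for your own list of intended services.

```python
"""Audit listening TCP sockets and propose firewall rules for the ones
that other hosts can reach.

Added example, not from the book.  NETSTAT_SAMPLE is a constructed
imitation of `netstat -ltn` output; ALLOWED_TCP_PORTS is an assumption.
"""

# Constructed sample of what `netstat -ltn` might print on a workstation.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
"""

# Services you deliberately offer to the network (assumption for this example).
ALLOWED_TCP_PORTS = {22}


def parse_listeners(netstat_output):
    """Return a list of (bind_address, port) for every LISTEN line."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def exposed_ports(listeners):
    """Ports bound to anything other than loopback are reachable by other hosts."""
    return sorted(port for addr, port in listeners if not addr.startswith("127."))


def firewall_rules(listeners, allowed=ALLOWED_TCP_PORTS):
    """Build iptables commands: accept the intended services, drop the rest."""
    rules = []
    for port in exposed_ports(listeners):
        action = "ACCEPT" if port in allowed else "DROP"
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j {action}")
    return rules


if __name__ == "__main__":
    # Review the proposed rules before applying them; sockets bound to
    # 127.0.0.1 (port 25 and 631 above) are left alone because only local
    # processes can reach them.
    for rule in firewall_rules(parse_listeners(NETSTAT_SAMPLE)):
        print(rule)
```

The script prints the rules rather than running them so you can check that a DROP line doesn't cover a service you actually depend on. Per-port DROP rules only cover what was listening at the time of the audit; a default DROP policy on the INPUT chain with explicit ACCEPT rules, in the style of Section 5.13.1, also covers services that start later.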

That's the practical end of protecting yourself. You should know a few basics on why it is important to do so. There are three basic kinds of network attacks:

Full compromise. This means getting superuser access (full control) of a machine. An intruder can accomplish this by trying a service attack, such as a buffer overflow exploit, or by taking over a poorly protected user account and then trying to exploit a poorly written setuid program.

Denial-of-service (DoS) attacks. These prevent a machine from carrying out its network services, or they force a computer to malfunction in some other way without any special access. These attacks are harder to prevent, but they are easier to respond to.

Virus or worm. Linux users are mostly immune to email worms and viruses, simply because their email clients aren't so stupid as to actually run programs that they get in message attachments, and Linux isn't as attractive a target as Windows. However, you can create a Linux virus; it's been done before, and as Linux gains popularity, it will happen with increasing frequency. Avoid binary software distributions, especially from places that you've never heard of. Some network services have been susceptible to worms before, and history is doomed to repeat itself.

How Linux Works: What Every Super-User Should Know
by Brian Ward, ISBN 1593270356
No Starch Press © 2004 (347 pages)

This guide describes the inner workings of a Linux system beginning with the file system and boot process and covering advanced topics such as networking, firewalls, development tools, device management, shell scripts, and sharing printers with Samba.

Table of Contents

How Linux Works—What Every Super-User Should Know
Chapter 1 - The Basics
Chapter 2 - Devices, Disks, Filesystems, and the Kernel
Chapter 3 - How Linux Boots
Chapter 4 - Essential System Files, Servers, and Utilities
Chapter 5 - Configuring Your Network
Chapter 6 - Network Services
Chapter 7 - Introduction to Shell Scripts
Chapter 8 - Development Tools
Chapter 9 - Compiling Software From Source Code
Chapter 10 - Maintaining the Kernel
Chapter 11 - Configuring and Manipulating Peripheral Devices
Chapter 12 - Printing
Chapter 13 - Backups
Chapter 14 - Sharing Files with Samba
Chapter 15 - Network File Transfer
Chapter 16 - User Environments
Chapter 17 - Buying Hardware for Linux
Chapter 18 - Further Directions
Appendix A - Command Classification
Bibliography
Index
List of Figures
List of Tables
List of Sidebars

6.7.1 Where Linux Distributions Stand

Not long ago, installing certain Linux distributions on easily accessible networks (such as university networks) practically ensured security compromises. These distributions activated every single service by default and had no default firewalling. It wasn't just Linux, either — Solaris was remarkably good at leaving the door open, not to mention the hundreds of Windows exploits, and so on.

Linux distributions are better now; they do not activate every possible service, and they tend to come with preconfigured firewalls. There is no doubt that the firewalls do most of the work. Programmers delight in adding new network services, especially for GUI applications and support, but security often takes a backseat. Better authentication (such as the Kerberos system) would help tremendously, but this happens to be one of the weakest and most disorganized areas of most applications.

A firewall isn't necessarily the ideal solution, but it does offer a uniform way to block all network traffic. The only thing that ever came close to this in the past was the TCP wrapper system, but that only worked for inetd servers and applications that specifically included wrapper support.

In a perfect world, programmers would write invulnerable code, but while you wait for a perfect world, you need to know what to look out for.

6.7.2 Typical Vulnerabilities

There are two important kinds of vulnerabilities that you need to worry about: direct attacks and clear-text password sniffing. Direct attacks just try to take over your machine without being terribly subtle. The most common type of direct attack is a buffer overflow exploit, where a careless programmer doesn't check the bounds of a buffer array. The attacker fabricates a stack frame inside a huge chunk of data, dumps it to the remote server, then hopes that the program overwrites its program data and eventually executes the new stack frame. It's a somewhat complicated attack, but easy to replicate.

On the other hand, clear-text passwords can allow intruders to log in to your machine. From there, they will inevitably try to gain superuser access locally (which is much easier than making a remote attack), try to use the machine as an intermediary for attacking other hosts, or both.

Note: If you have a service that you need to encrypt, but the service offers no native support, you can try Stunnel (http://www.stunnel.org/), an encryption wrapper package much like TCP wrappers. Like tcpd, Stunnel is especially good at wrapping inetd services.

Some servers are chronic targets of attacks because of poor implementation and design. You should deactivate the following services if you ever come across them:

sendmail: I would usually not rail against a specific program, but Sendmail has an exceptionally long history of exploitation. There are two very good alternative mail servers, Postfix (http://www.postfix.org/) and qmail (http://www.qmail.org/).

ftpd: For whatever reason, all FTP servers seem plagued with vulnerabilities. In addition, most FTP servers use clear-text passwords. If you have to move files from one machine to another, consider an SSH-based solution or an rsync server.

telnetd, rlogind, rexecd: All of these pass remote session data (including passwords) in clear-text form. Avoid them unless you happen to have a Kerberos-enabled version.

fingerd: Intruders can get user lists and other information with the finger service.

6.7.3 Port Scanning

Listing your open ports and firewall configuration with netstat and iptables is a good start for staying on top of unwanted traffic, but you may want to go a step further with Nmap (Network Mapper), a program that scans all of the ports on a machine or network of machines, looking for potential vulnerabilities. Nmap gives you a view from the outside and eliminates guessing which ports are open. Most intruders use Nmap, and you can get it at http://www.insecure.org/.

Warning If someone else controls the network that you want to Nmap (or run Nmap from), ask that person if it's all right that you do so. Network administrators watch for port scans and delight in stomping on any machine that runs a scan.

Just run nmap host to run a generic scan on a host. Here's an example scan:

    Starting nmap 3.30 (http://www.insecure.org/nmap/) at 2003-08-04 16:25 PDT
    Interesting ports on host (10.1.2.2):
    (The 1636 ports scanned but not shown below are in state: closed)
    Port       State       Service
    9/tcp      open        discard
    13/tcp     open        daytime
    22/tcp     open        ssh
    37/tcp     open        time
    111/tcp    open        sunrpc
    113/tcp    open        auth
    6000/tcp   open        X11

    Nmap run completed -- 1 IP address (1 host up) scanned in 0.594 seconds

The host in this example probably doesn't have any kind of firewall running, because it has quite a few open ports.

Nmap can do much more — have a look at its manual page and the considerable online resources.
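A scan like the one above is only useful if you act on it: compare each open port against the services you mean to offer and against the list in Section 6.7.2. The following Python script is an added example, not code from the book or from the Nmap project. It parses the plain Nmap listing shown in the text (copied into NMAP_SAMPLE) and labels each open port as intended, as one of the services the chapter says to deactivate or firewall, or as something to review. The `intended` set (ssh only) and the RISKY_SERVICES table are this example's own assumptions, built from the service names Nmap prints for the daemons the chapter names.

```python
"""Read a plain Nmap port listing and flag the open services that
Sections 6.7 and 6.7.2 warn about.

Added example, not from the book.  NMAP_SAMPLE is the scan shown in the
text; RISKY_SERVICES and the default `intended` set are assumptions.
"""
import re

# The scan output from the text, verbatim.
NMAP_SAMPLE = """\
Starting nmap 3.30 (http://www.insecure.org/nmap/) at 2003-08-04 16:25 PDT
Interesting ports on host (10.1.2.2):
(The 1636 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
37/tcp     open        time
111/tcp    open        sunrpc
113/tcp    open        auth
6000/tcp   open        X11
Nmap run completed -- 1 IP address (1 host up) scanned in 0.594 seconds
"""

# Service names as Nmap prints them, mapped to the chapter's objection.
# rlogind and rexecd show up under Nmap's names "login" and "exec".
RISKY_SERVICES = {
    "ftp": "FTP servers are bug-prone and use clear-text passwords",
    "telnet": "passes session data and passwords in clear text",
    "login": "rlogind: passes session data and passwords in clear text",
    "exec": "rexecd: passes session data and passwords in clear text",
    "finger": "lets intruders collect user lists",
    "smtp": "make sure this is not Sendmail",
    "X11": "internal X server; no outside host should reach port 6000",
}

# One port line: "6000/tcp   open        X11"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_nmap(output):
    """Return (port, protocol, state, service) tuples from a plain Nmap listing."""
    ports = []
    for line in output.splitlines():
        match = PORT_LINE.match(line.strip())
        if match:
            port, proto, state, service = match.groups()
            ports.append((int(port), proto, state, service))
    return ports


def flag_open_ports(ports, intended=frozenset({"ssh"})):
    """Classify each open port as 'ok', 'risky' (with the chapter's reason),
    or 'review' (open but not something you meant to offer)."""
    report = []
    for port, _proto, state, service in ports:
        if state != "open":
            continue
        if service in intended:
            report.append((port, service, "ok", "intended service"))
        elif service in RISKY_SERVICES:
            report.append((port, service, "risky", RISKY_SERVICES[service]))
        else:
            report.append((port, service, "review", "not intended; firewall or disable"))
    return report


if __name__ == "__main__":
    for port, service, verdict, reason in flag_open_ports(parse_nmap(NMAP_SAMPLE)):
        print(f"{port:>5}  {service:<8} {verdict:<7} {reason}")
```

On the sample scan this flags port 6000 (X11) as risky, reports ssh as intended, and puts discard, daytime, time, sunrpc and auth under review, which matches the text's conclusion that the host is probably running without a firewall. Adjust `intended` to the services you actually offer before trusting the "review" column.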

6.7.4 Security Resources

Here are three good security sites:

http://www.sans.org/ Offers training, services, a free weekly newsletter of the top current vulnerabilities, sample security policies, and more.

http://www.cert.org/ A place to look for the most severe problems.

http://www.insecure.org/ This is the place to go for Nmap and pointers to all sorts of network exploit testing tools. It's much more open and specific about exploits than many other sites.
