Real World Linux Security: Intrusion Prevention, Detection and Recovery

by Bob Toxen

Paperback (Older Edition)

Overview

"You have in your hands a book I've been waiting to read for years: a practical, hands-on guide to hardening your Linux system."

—From the foreword by Eric S. Raymond

  • Secure your system, detect an attack, track the cracker, and recover quickly
  • Learn the gory details of securing Web servers and Sendmail
  • Explore e-commerce issues, Trojan Horses, GPG and more
  • Step-by-step guide to installing and using key security tools

"A comprehensive guide to system security: covers everything from hardening a system to system recovery after an attack."

—Steve Bourne, Creator of the Bourne Shell

Your enemy is coming—are you ready?

It's not a question of "if" but "when." Will you be ready to protect your system when a cracker comes to call? Real World Linux Security goes beyond the books that merely detail system vulnerabilities; it offers system administrators practical solutions for safeguarding Linux systems and actively responding to break-in attempts. Veteran Bob Toxen shows you how to know your enemies and stop them at the front gate, before they can damage your system.

The hands-on guide to protecting your Linux data—and yourself

  • 7 "deadly sins of Linux security"
  • Set up effective firewalls
  • Break-in case studies
  • Develop internal security policies
  • Block spam
  • Recover quickly from an intrusion

About the CD-ROM

The accompanying CD contains original software that locks out crackers and alerts system administrators. In addition, it includes programs that monitor system health and report suspicious activities, detect network sniffers, and speed backup and recovery.

About the Author

Bob Toxen has 26 years of UNIX/Linux experience, and is one of the 168 recognized developers of Berkeley UNIX. He learned about security as a student at UC Berkeley, when he played for "the other team," successfully cracking several of the original UNIX systems there. He is president of Fly-By-Day Consulting, specializing in Linux security, client/server creation, system administration, porting, and C programming.

Technical Reviewers

  • Kurt Seifried, Sr. Analyst, SecurityPortal
  • Dr. Indira Moyer, Consultant
  • Larry Gee, Architect, ApplianceWare
  • Michael Warfield, Sr. Wizard X-Force, Internet Security Systems
  • Stephen Friedl, Consultant
  • Mike O'Shaughnessy, Quarry Technologies

Product Details

ISBN-13: 9780130281876
Publisher: Pearson Education
Publication date: 11/30/2000
Series: Prentice Hall Open Source Technology Series
Edition description: Older Edition
Pages: 736
Product dimensions: 7.05(w) x 9.24(h) x 1.56(d)

Read an Excerpt

PREFACE:

Chapter 1

Introduction

Linux is a solid operating system. It is easy to use and install, has very powerful capabilities, runs fast on almost any hardware, and rarely crashes. It has few bugs and its widespread support from a cast of thousands ensures that any remaining bugs get fixed as soon as they are discovered. It is highly versatile and can be made as secure as any UNIX system.

Unfortunately, UNIX and Linux machines are broken into every day, not because they are inherently insecure, but because the steps required to expose a system safely to the real world (the modern Internet) are not always obvious. The single goal of this book is to teach any Linux or UNIX system administrator how to secure his systems, keep them secure, and feel confident that all necessary steps have been taken.

1.1 Who Should Read This Book?

This book will aid Linux and UNIX System Administrators (SysAdmins) in making their systems and networks as secure as possible from intruders and from improper actions by users. It covers both quick and simple solutions, and some more involved solutions to eliminate every possible vulnerability.

It is organized to allow the busy SysAdmin to increase the security of the systems one piece at a time. It is recognized that one cannot take a system down for a week and work exclusively on its security for that week. In the real world, a SysAdmin's time is divided up by many tasks that cannot wait and systems are too critical to stay down for long.

In the real world, some systems will be broken into despite the best efforts of talented SysAdmins. This book devotes over 60,000 words to dealing with a possible break-in. It deals with how to prepare for it, how to detect it, and how to recover from it quickly and completely with minimal loss of confidential data and money, with minimal inconvenience to one's customers and employees, and with minimal publicity. This is considered one of the unique features of this book.

On March 30, 2000, 350 "hackers" from around the world gathered in Israel for a conference. Organizers there said that they were able to break into 28 percent of Israeli computers that they tried and that this percentage was typical worldwide. This was with the permission of the computers' owners, who were convinced that their computers were invulnerable. The quoted statistics were not broken down by operating system type. Both John Draper ("Captain Crunch") and Kevin Mitnick were there.

The book is designed to be used by both the veteran of many years of Linux and UNIX experience, as well as the new SysAdmin. It does assume that the reader is somewhat knowledgeable in system administration; Prentice Hall has other fine books to help people hone their SysAdmin skills. There are many useful details here, both for the person with a single Linux box at home and for those supporting multinational corporations and large government agencies with very large networks comprised of multiple types of operating systems.

1.2 How This Book Is Organized

Part I is concerned with increasing the security of your systems. This book is organized with the understanding that some SysAdmins have only a little time right now, but certainly want to fix the most severe holes immediately, before someone breaks into their systems. (The smaller holes also need to be closed, but statistically there is more time to address them before a cracker is likely to try them. Crackers, sometimes incorrectly called hackers, are people who break into computer systems without permission for the fun, challenge, fame, or due to a grudge.) These urgent quick-to-do items are covered in Chapter 2 "Quick Fixes for Common Problems" on page 15. That chapter starts with a discussion of basic security concepts to bring those new to Linux security up to speed and to serve as a "refresher" for veterans. The author estimates that applying just the quick fixes may reduce a system's vulnerability by 70 to 90 percent, based on published reports and incidents discussing probable "points of entry." Many of these solutions are independent of each other, so a SysAdmin may pick the solutions most appropriate to his or her situation and may implement them in almost any order.

The book then progresses into more involved procedures that can be done to increase security, allowing the system administrator to progress to as secure a system as time and desire allows. It even addresses some simple kernel modifications to increase security still further. It can be treated as a workbook, to be worked through a bit at a time, or as a reference book, with relevant areas picked from the Table of Contents or from the extensive Index.

Part II deals with preparing for an intrusion. No computer or network is completely secure, and anyone who thinks that theirs is 100 percent secure is, well, probably due for some "education." Most computer security books deal almost exclusively with securing systems and devote only a few pages to dealing with an intrusion, which 10 to 40 percent of their readers will suffer. This author considers this to be a naive disservice. (All other common platforms are considered even more vulnerable.) In many of the cases that this author has been asked to analyze, the vulnerability that allowed the break-in turned out to be a bug in system software that had not been well-known at the time. This proves the point that just securing a system is not sufficient.

Innovative solutions are presented to even the most daunting problems, such as keeping customers' credit card numbers secure even if the Web server and the entire internal network are completely compromised! This solves a major widespread problem with e-commerce companies.

This book is called Real World Linux Security: Intrusion Prevention, Detection, and Recovery because in the real world a significant percentage of computers are broken into, and the prepared SysAdmin is ready for it. Perhaps 5 to 25 percent of SysAdmins who have secured their Linux boxes will still have to deal with an intrusion. Even the author's own quiet site on a dynamic IP over PPP suffers weekly intrusion attempts (with no successes so far), but it has been prepared for intrusion attempts and even for fast recovery from a possible successful intrusion.

Switching to another platform will not reduce this risk, in my opinion. I have seen many reports of security bugs in various competing systems. Almost weekly I see a report on a newly discovered severe vulnerability in software long running and widely distributed on these closed-source platforms. Software written by independent vendors also has its share of problems.

Part III deals in detail with detecting intrusions (both attempts and successes) and with sophisticated notification and logging. Part IV discusses recovering from intrusions successfully, completely, and quickly! It also covers tracking down the intruder and dealing with law enforcement officers and the courts, and what to expect from them. Outages can cost millions of dollars a day in lost revenue, and bad publicity can mean more lost business and, worse, the dismissal of the SysAdmins. A quick recovery may get no publicity and might even be blamed on a glitch in the Internet.

This book covers many security problems. These include problems of incorrect configuration, some services whose design prevents them from being made secure, some inherent limitations in the TCP/IP, UDP/IP, ICMP/IP, ARP, and related protocols, bugs in programs that have come with various Linux distributions or which get installed on Linux systems, and even some physical security and human factors (social engineering) matters.

Please do not get the idea that Linux is a hard-to-configure, buggy, half-baked idea not worthy of your attention! Nothing could be further from the truth. Many security experts consider Linux and FreeBSD UNIX to be the most secure general purpose operating systems. This is because the open source allows many more talented white hats to inspect each line of code for problems and to correct these problems and "fold the fixes back into the master code base" maintained by Linus, the Free Software Foundation, and the creators of the major distributions.

There now is much sharing of code between Linux and the various BSD releases of UNIX and even versions of UNIX supported by the various vendors. This is to the advantage of all users of these systems, since there are more developers improving the code. By following the steps in this book, even a major intrusion can be detected and recovered from in a few minutes, rather than the many hours or days that The White House, Lloyd's of London, eBay.com, and other major, but apparently unprepared, sites required to recover.

1.2.1 Conventions in This Book

The Table of Contents is designed to allow one to scan it quickly for applicable issues. The Index is extensive and most items are cross-referenced, both by the subsystem or program that is affected and the type of problem, e.g., vulnerability. Some Internet resources (URLs) are listed in whatever sections discuss them; many popular Internet resources are discussed in Appendix A. Many URLs are listed in the Index too. Appendix B discusses non-Internet resources; these include books, CD-ROMs, and videos; some of these are free for the asking. Other appendices contain source code or other data that is too massive to appear in running text. These items also appear on the companion CD-ROM as do a number of open-source tools that are discussed in the text. These are mirrored on the associated Web site, ...

Table of Contents

List of Figures.
List of Tables.
Foreword.
Acknowledgments.
About the Author.
1. Introduction.
Who Should Read This Book? How This Book Is Organized. What Are You Protecting? Who Are Your Enemies? What They Hope to Accomplish. Costs: Protection versus Break-Ins. Protecting Hardware. Protecting Network and Modem Access. Protecting System Access. Protecting Files. Preparing for and Detecting an Intrusion. Recovering from an Intrusion.

I. SECURING YOUR SYSTEM.


2. Quick Fixes for Common Problems.
Understanding Linux Security. The Seven Most Deadly Sins. Passwords: A Key Point for Good Security. Advanced Password Techniques. Protecting the System from User Mistakes. Forgiveness Is Better Than Permission. Dangers and Countermeasures During Initial System Setup. Limiting Unreasonable Access. Firewalls and the Corporate Moat. Turn Off Unneeded Services. High Security Requires Minimum Services. Replace These Weak Doors with Brick. New Lamps for Old. United We Fall, Divided We Stand.

3. Quick and Easy Break-Ins and How to Avoid Them.
X Marks the Hole. Physical Intrusions. Selected Short Subjects. Terminal Device Attacks. Disk Sniffing.

4. Common Break-Ins by Subsystem.
NFS, mountd, and portmap. Sendmail. Telnet. FTP. The rsh, rcp, rexec, and rlogin Services. DNS (named, a.k.a. BIND). POP and IMAP Servers. Doing the Samba. Stop Squid from Inking Out Their Trail. The syslogd Service. The print Service (lpd). The ident Service. INND and News. Protecting Your DNS Registration.

5. Common Attacks.
Rootkit Attacks (Script Kiddies). Packet Spoofing Explained. SYN Flood Attack Explained. Defeating SYN Flood Attacks. Defeating TCP Sequence Spoofing. Packet Storms, Smurf Attacks, and Fraggles. Buffer Overflows or Stamping on Memory with gets(). Spoofing Techniques. Man in the Middle Attack.

6. Advanced Security Issues.
Configuring Netscape for Higher Security. Stopping Access to I/O Devices. Scouting Out Apache (httpd) Problems. Special Techniques for Web Servers. One-Way Credit Card Data Path for Top Security. Hardening for Very High Security. Restricting Login Location and Times. Obscure but Deadly Problems. Defeating Login Simulators. Stopping Buffer Overflows with Libsafe.

7. Establishing Security Policies.
General Policy. Personal Use Policy. Accounts Policy. E-Mail Policy. Web Server Policy. File Server and Database Policy. Firewall Policy. Desktop Policy. Laptop Policy. Disposal Policy. Network Topology Policy. Problem Reporting Policy. Ownership Policy. Policy Policy.

8. Trusting Other Computers.
Secure Systems and Insecure Systems. Linux and UNIX Systems Within Your Control. Mainframes Within Your Control. A Window Is Worth a Thousand Cannons. Firewall Vulnerabilities. Virtual Private Networks. Viruses and Linux.

9. Gutsy Break-Ins.
Mission Impossible Techniques. Spies. Fanatics and Suicide Attacks.

10. Case Studies.
Confessions of a Berkeley System Mole. Knights of the Realm (Forensics). Ken Thompson Cracks the Navy. The Virtual Machine Trojan. AOL's DNS Change Fiasco. I'm Innocent, I Tell Ya! Cracking with a Laptop and a Pay Phone. Take a Few Cents off the Top.

11. Recent Break-Ins.
Fragmentation Attacks. The Ping of Death Sinks Dutch Shipping Company. Captain, We're Being Scanned! (Stealth Scans). Cable Modems: A Cracker's Dream. Using Sendmail to Block E-Mail Attacks. Sendmail Account Guessing. The Mysterious ingreslock. You're Being Tracked. Distributed Denial of Service (Coordinated) Attacks. Stealth Trojan Horses. Linuxconf via TCP Port. Evil HTML Tags and Script. Format Problems with syslog().

II. PREPARING FOR AN INTRUSION.


12. Hardening Your System.
Protecting User Sessions with SSH. PGP (Pretty Good Privacy). FSF's PGP Replacement. Firewalls with IP Chains and DMZ.

13. Preparing Your Hardware.
Timing Is Everything. Advanced Preparation. Switch to Auxiliary Control (Hot Backups). TCP Wrappers. Adaptive TCP Wrappers: Raising the Drawbridge. Cracker Trap. Ending Cracker Servers with a Kernel Mod. Fire Drills. Break Into Your Own System with Tiger Teams.

15. Scanning Your Own System.
The Nessus Security Scanner. The SARA and SAINT Security Auditors. The nmap Network Mapper. The Snort Attack Detector. Scanning and Analyzing with SHADOW. John the Ripper. Store the RPM Database Checksums.

III. DETECTING AN INTRUSION.


16. Monitoring Activity.
Log Files. Log Files: Measures and Countermeasures. Paging the SysAdmin: Cracking in Progress! An Example for Automatic Paging. Building on Your Example for Automatic Paging. Paging telnet and rsh Usage. Monitoring Port Usage. Using tcpdump to Monitor Your LAN. Monitoring the Scanners with Deception Tool Kit (DTK). Monitoring Processes. Cron: Watching the Crackers. Caller ID.

17. Scanning Your System for Anomalies.
Finding Suspicious Files. Tripwire. Detecting Deleted Executables. Detecting Promiscuous Network Interface Cards. Finding Promiscuous Processes. Detecting Defaced Web Pages Automatically.

IV. RECOVERING FROM AN INTRUSION.


18. Regaining Control of Your System.
Finding the Cracker's Running Processes. Handling Running Cracker Processes. Drop the Modems, Network, Printers, and System.

19. Finding and Repairing the Damage.
Check Your /var/log Logs. The syslogd and klogd Daemons. Remote Logging. Interpreting Log File Entries. Check Other Logs. Check TCP Wrapper Responses. How the File System Can Be Damaged. Planting False Data. Altered Monitoring Programs. Stuck in the House of Mirrors. Getting Back in Control. Finding Cracker-Altered Files. Sealing the Crack. Finding set-UID Programs. Finding the mstream Trojan.

20. Finding the Attacker's System.
Tracing a Numeric IP Address with nslookup. Tracing a Numeric IP Address with dig. Who's a Commie: Finding .com Owners. Finding Entities Directly from the IP Address. Finding a G-Man: Looking Up .gov Systems. Using ping. Using traceroute. Neighboring Systems' Results. A Recent International Tracking of a Cracker. Be Sure You Found the Attacker. Other SysAdmins: Do They Care?

21. Having the Cracker Crack Rocks.
Police: Dragnet or Keystone Kops? Prosecution. Liability of ISPs Allowing Illegal Activity. Counteroffenses.

Appendix A: Internet Resources for the Latest Intrusions and Defenses.
Mailing Lists: The Mandatory Ones. Mailing Lists: The Optional Ones. News Groups. URLs for Security Sites. URLs for Security Tools. URLs for Documentation. URLs for General Tools. URLs for Specifications and Definitions. Vendor Software and Updates. Other Software Updates.

Appendix B: Books, CD-ROMs, and Videos.
Linux System Security. Linux Firewalls. Building Linux and OpenBSD Firewalls. Samba: Integrating UNIX and Windows. The Cuckoo's Egg. Hackers. UNIX Complete. The Computer Contradictionary. U.S. Department of Defense DISA Resources. Internetworking with TCP/IP Vols I, II, and III. Linux Application Development. Consultants: The Good, the Bad, and the Slick.

Appendix C: Network Services and Ports.
Appendix D: The ports.c Listing.
Appendix E: The blockip.csh Listing.
Appendix F: The fpromisc.csh Listing.
Appendix G: The overwrite.c Listing.
Appendix H: Danger Levels.
Appendix I: About the CD-ROM.
The Author's GPG Public Key.

Appendix J: Glossary.
Index.
