Security: Not Just for SysAdmins

by S. Salman Ahmed

Security isn't a subject solely for SysAdmins responsible for maintaining and administering large corporate networks. It's a subject that every Linux user and certainly every Linux administrator must educate themselves on and always be aware of. As Linux continues to attract new users and becomes more popular in the server space, understanding security issues and knowing how to secure a Linux system becomes very important.

Upon opening this book for the first time, I was immediately impressed by the vast amount of information presented. Simply skimming through the book's table of contents, it is easy to appreciate the wide range of topics covered by Toxen.

The book is divided into three parts, with Part I of the book focused on ways to secure a Linux system.

Toxen gets off to a quick start with a chapter aptly titled "Quick Fixes for Common Problems", in which he discusses the basic and most common security issues that most SysAdmins have to face.

Each of these security issues, and the ones in the remaining chapters of the book, is assigned a danger level in the form of skull-and-crossbones symbols, with one symbol representing a minor risk to 5 symbols indicating a very major risk.

The "Seven Most Deadly Sins" covers some basic problems that can lead to a system or network being compromised. Part of the chapter discusses certain basic security topics, including password security, file permissions and firewall design.

Toxen does a particularly good job of emphasizing the risks associated with running unneeded services and leaving ports open that should not be. With the growing popularity of broadband Internet access (cable, DSL) and the ease with which some Linux distributions allow the novice Linux user or inexperienced SysAdmin to install a plethora of services during the base distribution install, its imperative that all Linux users understand the implications and risks of running various Linux services. Most home Linux users do not need FTP, Samba, NFS and Sendmail running on the same box.

Toxen spends a fair amount of time discussing Sendmail, FTP and NFC/RPC, all of which have had major exploits against them. He also talks about various Linux programs that have had major bugs and exploits in the recent past.

In Chapter 3, Toxen covers X security, physical security of a system and describes ways to really erase data from a hard-drive. This chapter also contains an excellent section discussing miscellaneous short topics.

Chapter 4 covers the vulnerabilities in major services commonly running on Linux servers. Toxen covers services including NFS, Sendmail, FTP, Samba and BIND. These are services typically found on Linux servers running in small-to-medium networks and even large corporate networks, either for departmental or company-wide use.

Sendmail is still one of the most widely used MTAs on Linux systems (and on non-Linux UNIX platforms), and Toxen discusses ways to secure Sendmail and control spam.

Likewise, there is a generous amount of information on securely setting up FTP, another service commonly found on Linux servers.

In contrast to the discussion of Sendmail, FTP and Samba, Toxen only briefly talks about BIND (the DNS daemon). This is a bit surprising given that BIND has had quite a few exploits against it in the past year.

The last section of this chapter, "Protecting your DNS Registration", feels out-of-place, as the rest of the chapter focuses on specific (configuration and setup) details about specific Linux services.

Chapter 5 contains excellent explanations of some of the more common types of attacks used against Linux systems, including Packet Spoofing, TCP Sequence Spoofing and DoS attacks like Packet Storms. The "Man in the Middle" attack is also clearly explained.

Chapter 6 covers some advanced security issues and was one of the most informative chapters of the book. I learned a few things that I wasn't aware of.

As Toxen points out, one might not imagine configuring Netscape to be an advanced topic. Nonetheless, he introduces some some good techniques to configure Netscape for higher security. Despite the growing popularity of newer browsers like Opera and Konqueror, Netscape is still one of the most widely used browsers in Linux-land (and UNIX-land, for that matter).

Toxen also discusses at length Apache security issues, as well as issues to be aware of when setting up web servers, including a lengthy section on CGI programs.

The next topic is Toxen's interesting design for increasing the security of an e-commerce site, specifically to ensure that customers' credit card data cannot be stolen if the site is cracked. He calls his approach the "One-way credit card data path".

There is also a section on hardening a Linux system for very high security. Buffer overflows, symlink attacks and an excellent section on login simulators round off the rest of this chapter.

Chapter 7 discusses a subject that is all too often overlooked or not given enough attention in some security books: security policies. Toxen covers pretty much every type of security policy that is important to the management and administration of networks. Policies covering things such as passwords, e-mail, user accounts and laptops are discussed in detail, and even though some of the suggestions are Linux- and UNIX-specific, they are presented in a manner such that SysAdmins of non-UNIX networks will be able to benefit from them. This chapter is a must-read for anyone involved in the design and management of networks, as well as non-technical manager-types from company IS/IT departments.

Chapter 10 is probably the most entertaining chapter of the book. Toxen provides interesting details about some successful break-ins, including the methods of the crackers in those incidents. The most entertaining incidents covered in this chapter are Toxen's own adventures cracking the UNIX systems at the University of California at Berkeley!

Chapter 11 covers some recent attacks, including IP fragmentation attacks, the Ping of Death and stealth scans. The best part of this chapter is Toxen's detailed explanation of (coordinated) distributed denial of service attacks, including explaining how the TFN2000 stealth trojan operates. While explaining how the TFN2000 stealth trojan works (by putting the network interface in Promiscuous mode on its target system), Toxen thoughtfully includes a brief table of kernel messages printed by the respective network card drivers when those cards are switched over to Promiscuous mode.

The only odd thing about this chapter was the discussion of privacy issues (the serial number in Pentium III chips and embedding GUIDs in documents produced by MS Word and Excel that haven't been patched to disallow that behaviour), which clearly did not belong in this chapter and, arguably, don't have anything to do with Linux.

Part II of the book focuses on preparing a system for the possibility of being cracked.

Chapter 12 is one of the longer chapters in the book, rightfully so, since Toxen discusses three very important Linux security tools: SSH, GPG and the kernel's firewalling capabilities. (Okay, so firewalling is a native feature of the Linux kernel as opposed to being a separate userspace tool).

Chapter 12 starts off with a good section on SSH, its installation and basic usage. The part describing how to wrap SSH around any TCP-based service was difficult to follow, and a diagram would definitely have helped.

PGP is discussed, but Toxen spends more time discussing the usage of FSF's PGP replacement, the GNU Privacy Guard (GnuPG).

Linux 2.2's IP chains firewalling capabilities are explained quite well, and he goes through a fairly detailed example showing how to set up a firewall script for a small company network or a home network. What's particularly good is how Toxen explains each rule (or set of rules) meant to perform a specific type of packet filtering.

Toxen also briefly covers IP masquerading rules and rules for creating a DMZ (DeMilitarized Zone).

Chapter 14 discusses the popular TCP Wrappers program that is now installed by default in most distributions. Besides basic usage and configuration, Toxen suggests additional ways in which TCP Wrappers can be used to alert the SysAdmin of intrusion attempts and take further actions on the intruder by spawning programs (in this case a custom shell script written by the author). Toxen calls his approach "Adaptive TCP Wrappers".

Toxen also talks about the importance of testing networks and systems for their level of security by conducting intrusion drills before a real intrusion occurs. He also suggest testing network security by using Tiger Teams.

Scanners are the subject of the unusually short Chapter 15. While Toxen does discuss the usage of Nmap very well, other scanning tools, such as Nessus, SARA and SAINT, are only mentioned in passing. Also, the password file cracking tool "John the Ripper" is mentioned very briefly, as is the IDS tool Snort.

Part III of the book discusses ways in which intrusion attempts can be detected on a system. In Chapter 16, Toxen presents ways in which logfiles, ports and running processes on a system can be monitored to check for intrusion attempts, using a combination of shell scripts and common tools found on all Linux (and most UNIX) systems. like find, ps, fuser, and tcpdump.

Toxen also discusses in detail how custom shell scripts can be created to page a SysAdmin if certain suspicious events occur on a network, such as failed Telnet logins or failed su attempts.

In Chapter 17, Toxen explains how to periodically check for system anomalies that might be indications of intrusions and/or cracker activity. Toxen shows how to use the ubiquitous find utility to check for files with incorrect and/or suspicious permissions and ownership modes. Installation and configuration of Tripwire is also discussed in this chapter. There is also a discussion of useful shell scripts for detecting promiscuous network interface cards and the process(es) that might have put the NICs into that mode.

Automatic detection of defaced web pages is also covered using a combination of scripts and programs written by the author. Given the number of large and high-profile sites that have had their web pages defaced in the last year alone, Toxen is doing a public service by showing techniques that automate the detection of defaced web pages.

Part IV of the book talks about recovering from an intrusion.

Chapter 18 gives hands-on tips for gaining control of a system that has been cracked by trying to find out as much as possible about the intrusion and the cracker responsible for it, while at the same time minimizing further damage to the system(s). Toxen shows how to find the cracker's running processes and, once found, how to obtain information from these processes about the nature, source, etc. of the intrusion.

In Chapter 19, Toxen shows how to find and repair the damage caused by a cracker. Some of the more important log files and the types of entries to look for in them when trying to determine the extent of the damage caused during an intrusion are presented.

Toxen makes an important point about the necessity of having a set of secure boot floppies with copies of untampered, secure versions of common UNIX utilities like ls, ps, top, find, etc. Once a system has been cracked, the SysAdmin cannot be sure of how many trojans have been installed on the system by the cracker, and certainly cannot trust that important system binaries have not been tampered with or trojaned.

Toxen suggests comparing files on the cracked system with previous backups (if there are recent enough backups) and using package managers like RPM to verify the integrity of installed packages. However, many people (including myself) consider a safer alternative to be reinstalling the entire system from known and trusted sources, after having recovered as much user data as possible from the cracked system.

Chapter 20 shows how to find the cracker's system using a combination of network tools commonly found on Linux, including traceroute, ping, whois, nslookup and dig. Along the way, Toxen also brings up some good points to remember when dealing when SysAdmins of systems found on the trail to the attacker's system, as well as with users whose accounts have been compromised by a cracker.

The last chapter in this section (and in the book) talks about some of the major American law enforcement agencies and their policies and methods when dealing with incidents of computer attacks and crime. Toxen also mentions the criterion by which some of these law enforcement agencies decide to initiate investigations and go after the perpetrator of such crimes. Some issues relating to the legalities in such cases and how SysAdmins should go about preparing and securing evidence when working with law enforcement agencies to track down a cracker is presented.

The appendices contain useful information about many security-related resources, including important web sites (Bugtraq, Cert), mailing lists and the many security tools mentioned in the book (and where to download them from). Appendix H contains a list of all the important security issues and topics discussed in the book, sorted by their danger level (one to five skull-and-crossbones symbols, with five being the most dangerous), with the most dangerous ones at the top of the list. This sort makes it easy to check for a specific issue and then drill to that section and page of the book.

The book's companion CD-ROM contains all the scripts that Toxen has mentioned throughout the book, as well as the source code to some of the programs he wrote that are mentioned in the book. Also included on the CD-ROM are most of the security tools mentioned in the book and its appendix.

I found that the book had an easy-to-read style, and Toxen's explanations are to-the-point, concise and clear. Toxen's writing style has just the right touch of humour to make this book an engaging, entertaining and informative read on the subject of Linux security.

I would highly recommend this book to any Linux SysAdmin (and user) interested in securing their Linux systems. From practical hands-on tips and techniques to detailed explanations of attacks and other Linux security issues, this book is a must-read for anyone interested in Linux security.

Load Disqus comments