In the paper will discuss about some common security issues found in the Linux operating system on the host security and network security. In host security, will be discussed on a password, services, SUID programs, as well as data encryption, while the network security, which will be discussed are ftp, telnet, email security and web security. At the end of the paper, will be discussed on a couple of tools that can be used to improve the security of your network.
Security Host (host security)
Password
To be able to access the Linux operating system password mechanism is used. On Linux distributions that time, the password is stored in a text file located at / etc / passwd. This file must be readable by everyone (world readable) to be used by other programs that use the password mechanism.
Security Host (host security)
Password
To be able to access the Linux operating system password mechanism is used. On Linux distributions that time, the password is stored in a text file located at / etc / passwd. This file must be readable by everyone (world readable) to be used by other programs that use the password mechanism.
The following are examples of the contents of the file / etc / passwd:
root: .. CETo68esYsA: 0:0: root: / root: / bin / bash
bin: jvXHHBGCK7nkg: 1:1: bin: / bin:
daemon: i1YD6CckS: 2:2: daemon: / sbin:
adm: bj2NcvrnubUqU: 3:4: adm: / var / adm:
RMS: x9kxv932ckadsf: 100:100: Richard M Stallman: / home / rms: / bin / bash
DMR: ZeoW7CaIcQmjhl: 101:101: Dennis M Ritchie: / home / DMR: / bin / bash
Linus: IK40Bb5NnkAHk: 102:102: Linus Torvalds: / home / Linus: / bin / bash
bin: jvXHHBGCK7nkg: 1:1: bin: / bin:
daemon: i1YD6CckS: 2:2: daemon: / sbin:
adm: bj2NcvrnubUqU: 3:4: adm: / var / adm:
RMS: x9kxv932ckadsf: 100:100: Richard M Stallman: / home / rms: / bin / bash
DMR: ZeoW7CaIcQmjhl: 101:101: Dennis M Ritchie: / home / DMR: / bin / bash
Linus: IK40Bb5NnkAHk: 102:102: Linus Torvalds: / home / Linus: / bin / bash
Description:
The first field: login name
The second field: the encrypted password
Third Field: User ID
Field four: Group ID
Field five: The name is
The sixth field: home directory user
Seventh Field: User Shell
Login password contained in the file / etc / passwd is encrypted by DES algorithm that has been modified [1]. Nevertheless it does not reduce the possibility of such passwords dismantled (crack). Because the attacker (the attacker) can perform a dictionary-based attack by:
• copy the file / etc / passwd is
• running programs are useful to uncover passwords, for example, is Crack (www.users.dircon.co.uk/ ~ crypto) and John the Ripper (www.openwall.com/john/).
To overcome this problem on Linux distributions that use the new utility program that makes the shadow password file / etc / passwd no longer contain the password information is encrypted, the information is now stored in the file / etc / shadow is only readable by root.
Here is an example / etc / passwd that has been in-shadow:
root: x: 0:0: root: / root: / bin / bash
bin: x: 1:1: bin: / bin:
daemon: x: 2:2: daemon: / sbin:
adm: x: 3:4: adm: / var / adm:
RMS: x: 100:100: Richard M Stallman: / home / rms: / bin / bash
DMR: x: 101:101: Dennis M Ritchie: / home / DMR: / bin / bash
Linus: x: 102:102: Linus Torvalds: / home / Linus: / bin / bash
Thus, the use of shadow passwords will be difficult for the attacker to perform a dictionary-based attack against the password file.
In addition to using shadow passwords several Linux distributions also include the MD5 hashing program that makes the user entered password can be king-sized and relatively easy to remember because of a passphrase.
Mechanisms that have provided the operating system above is not useful when the user does not use a password that is “good”. Here are some criteria that can be used to create a password that is “good” [2]:
• Do not use your login name with all its variations.
• Do not use first or last name you with all the variations.
• Do not use the name of your spouse or child.
• Do not use other information easily obtained about you, such as phone number, date of birth.
• Do not use a password consisting of numbers or letters all the same.
• Do not use the words in the dictionary, or a list of other words.
• Do not use a password that size is less than six characters.
• Use a password that is a mixture of uppercase and lowercase letters.
• Use a password with characters of non-alphabet.
• Use a password that is easy to remember, so do not need to be written.
• Use a password that is easy typing, without the need to look at the keyboard.
Examples of Linux distributions that have included utility shadow passwords and MD5 hash is: RedHat 6.2, Trustix Secure Linux 1.1.
Services
Some Linux distributions during installation by default installs all the services available on the host, such as web service, email service, and so on. This is of course very harmful in terms of security, because it is not impossible that the services are not used and even worse that the services can be a hole that allows the attacker to attack your network or system. To overcome this, we recommend the services that are not in use turned off by using a particular scripts or eliminated by means removed.
For example in the distribution of Red Hat 6.2, if you do not need sendmail service, the software then delete the following manner:
rpm-e sendmail.
But before you may need to turn off the service:
/ etc / rc.d / init.d / sendmail stop
Some fruit service that can be turned off if your computer is the host computer:
• r utilities (rshd, rlogin, rwhod, and rexec)
• finger
• Sendmail
• Web server
• NFS
• NIS
If you do not know the usefulness of a service, it should drop the service. Edit the file / etc / inetd.conf and uncomment give (#) for the services you do not need. You can check the services the other with how to grep lines not beginning with #, use:
grep-v “^ #” / etc / inetd.conf
Then restart inetd (Internet Super Server) by way of:
kill-HUP inetd
In Trustix Secure Linux (TSL), the services contained on inetd Super Server by default eliminated. Here is an excerpt file / etc / inetd.conf is included on Trustix Secure Linux:
#
# Inetd.conf This file describes the services that will be available
# Through the inetd TCP / IP super server. To re-configure
# The running inetd process, edit this file, then send the
# Inetd process a SIGHUP signal.
#
# Version:(#)/ etc / inetd.conf 3.10 05/27/93
#
# Authors: Original taken from BSD UNIX 4.3/TAHOE.
# Fred N. van Kempen,
#
# Modified for Debian Linux by Ian A. Murdock
#
# Modified for RHS Linux by Marc Ewing
#
# Modified for TSL by Erlend Midttun
#
################################################## #######################
# A word of warning: This is a place where little is better.
#
################################################## #######################
#
#
# Echo, discard, daytime, and chargen are used primarily for testing.
# There are certain security aspects of these. Recommended setting is
# Off.
#
# To re-read this file after changes, just do a ‘killall-HUP inetd’
#
# echo stream tcp nowait root internal
# echo dgram udp wait root internal
# discard stream tcp nowait root internal
# discard dgram udp wait root internal
# daytime stream tcp nowait root internal
# daytime dgram udp wait root internal
# chargen stream tcp nowait root internal
# chargen dgram udp wait root internal
# time stream tcp nowait root internal
# time dgram udp wait root internal
#
# These are standard services.
#
# Telnet allows for user logins using plain text passwords.
# A far superior way is using SSH (www.ssh.org) for this
# Telnet stream tcp nowait root / usr / sbin / tcpd in.telnetd
#
# Shell, login, exec, COMSAT and talk are BSD protocols.
#
# Again, these allow for sending plain text passwords over the wire,
# And again proves the SSH better.
# shell stream tcp nowait root / usr / sbin / tcpd in.rshd
# login stream tcp nowait root / usr / sbin / tcpd in.rlogind
#
# Pop and imap mail services et al
#
# pop-2 stream tcp nowait root / usr / sbin / tcpd ipop2d
# pop-3 stream tcp nowait root / usr / sbin / tcpd ipop3d
# imap stream tcp nowait root / usr / sbin / tcpd imapd
#
# The Internet UUCP service.
#
# uucp stream tcp nowait uucp / usr / sbin / tcpd / usr / lib / uucp / uucico-l
#
# TFTP service is provided primarily for booting. Most sites
# Run this only on machines acting as “boot servers.” Do not Uncomment
# This unless you * need * it.
#
# tftp dgram udp wait root / usr / sbin / tcpd in.tftpd
# bootps dgram udp wait root / usr / sbin / tcpd bootpd
#
# Finger, systat and netstat give out user information which may be
# Valuable to potential “system crackers.” Many sites choose to disable
# Some or all of these services to improve security.
#
# finger stream tcp nowait nobody / usr / sbin / tcpd in.fingerd
# systat stream tcp nowait guest / usr / sbin / tcpd / bin / ps-auwwx
# netstat stream tcp nowait guest / usr / sbin / tcpd / bin / netstat-f inet
#
# Authentication
#
# Identd is run standalone now
#
# auth stream tcp wait root / usr / sbin / in.identd in.identd-e-o
#
# End of inetd.conf
The first field: login name
The second field: the encrypted password
Third Field: User ID
Field four: Group ID
Field five: The name is
The sixth field: home directory user
Seventh Field: User Shell
Login password contained in the file / etc / passwd is encrypted by DES algorithm that has been modified [1]. Nevertheless it does not reduce the possibility of such passwords dismantled (crack). Because the attacker (the attacker) can perform a dictionary-based attack by:
• copy the file / etc / passwd is
• running programs are useful to uncover passwords, for example, is Crack (www.users.dircon.co.uk/ ~ crypto) and John the Ripper (www.openwall.com/john/).
To overcome this problem on Linux distributions that use the new utility program that makes the shadow password file / etc / passwd no longer contain the password information is encrypted, the information is now stored in the file / etc / shadow is only readable by root.
Here is an example / etc / passwd that has been in-shadow:
root: x: 0:0: root: / root: / bin / bash
bin: x: 1:1: bin: / bin:
daemon: x: 2:2: daemon: / sbin:
adm: x: 3:4: adm: / var / adm:
RMS: x: 100:100: Richard M Stallman: / home / rms: / bin / bash
DMR: x: 101:101: Dennis M Ritchie: / home / DMR: / bin / bash
Linus: x: 102:102: Linus Torvalds: / home / Linus: / bin / bash
Thus, the use of shadow passwords will be difficult for the attacker to perform a dictionary-based attack against the password file.
In addition to using shadow passwords several Linux distributions also include the MD5 hashing program that makes the user entered password can be king-sized and relatively easy to remember because of a passphrase.
Mechanisms that have provided the operating system above is not useful when the user does not use a password that is “good”. Here are some criteria that can be used to create a password that is “good” [2]:
• Do not use your login name with all its variations.
• Do not use first or last name you with all the variations.
• Do not use the name of your spouse or child.
• Do not use other information easily obtained about you, such as phone number, date of birth.
• Do not use a password consisting of numbers or letters all the same.
• Do not use the words in the dictionary, or a list of other words.
• Do not use a password that size is less than six characters.
• Use a password that is a mixture of uppercase and lowercase letters.
• Use a password with characters of non-alphabet.
• Use a password that is easy to remember, so do not need to be written.
• Use a password that is easy typing, without the need to look at the keyboard.
Examples of Linux distributions that have included utility shadow passwords and MD5 hash is: RedHat 6.2, Trustix Secure Linux 1.1.
Services
Some Linux distributions during installation by default installs all the services available on the host, such as web service, email service, and so on. This is of course very harmful in terms of security, because it is not impossible that the services are not used and even worse that the services can be a hole that allows the attacker to attack your network or system. To overcome this, we recommend the services that are not in use turned off by using a particular scripts or eliminated by means removed.
For example in the distribution of Red Hat 6.2, if you do not need sendmail service, the software then delete the following manner:
rpm-e sendmail.
But before you may need to turn off the service:
/ etc / rc.d / init.d / sendmail stop
Some fruit service that can be turned off if your computer is the host computer:
• r utilities (rshd, rlogin, rwhod, and rexec)
• finger
• Sendmail
• Web server
• NFS
• NIS
If you do not know the usefulness of a service, it should drop the service. Edit the file / etc / inetd.conf and uncomment give (#) for the services you do not need. You can check the services the other with how to grep lines not beginning with #, use:
grep-v “^ #” / etc / inetd.conf
Then restart inetd (Internet Super Server) by way of:
kill-HUP inetd
In Trustix Secure Linux (TSL), the services contained on inetd Super Server by default eliminated. Here is an excerpt file / etc / inetd.conf is included on Trustix Secure Linux:
#
# Inetd.conf This file describes the services that will be available
# Through the inetd TCP / IP super server. To re-configure
# The running inetd process, edit this file, then send the
# Inetd process a SIGHUP signal.
#
# Version:(#)/ etc / inetd.conf 3.10 05/27/93
#
# Authors: Original taken from BSD UNIX 4.3/TAHOE.
# Fred N. van Kempen,
#
# Modified for Debian Linux by Ian A. Murdock
#
# Modified for RHS Linux by Marc Ewing
#
# Modified for TSL by Erlend Midttun
#
################################################## #######################
# A word of warning: This is a place where little is better.
#
################################################## #######################
#
#
# Echo, discard, daytime, and chargen are used primarily for testing.
# There are certain security aspects of these. Recommended setting is
# Off.
#
# To re-read this file after changes, just do a ‘killall-HUP inetd’
#
# echo stream tcp nowait root internal
# echo dgram udp wait root internal
# discard stream tcp nowait root internal
# discard dgram udp wait root internal
# daytime stream tcp nowait root internal
# daytime dgram udp wait root internal
# chargen stream tcp nowait root internal
# chargen dgram udp wait root internal
# time stream tcp nowait root internal
# time dgram udp wait root internal
#
# These are standard services.
#
# Telnet allows for user logins using plain text passwords.
# A far superior way is using SSH (www.ssh.org) for this
# Telnet stream tcp nowait root / usr / sbin / tcpd in.telnetd
#
# Shell, login, exec, COMSAT and talk are BSD protocols.
#
# Again, these allow for sending plain text passwords over the wire,
# And again proves the SSH better.
# shell stream tcp nowait root / usr / sbin / tcpd in.rshd
# login stream tcp nowait root / usr / sbin / tcpd in.rlogind
#
# Pop and imap mail services et al
#
# pop-2 stream tcp nowait root / usr / sbin / tcpd ipop2d
# pop-3 stream tcp nowait root / usr / sbin / tcpd ipop3d
# imap stream tcp nowait root / usr / sbin / tcpd imapd
#
# The Internet UUCP service.
#
# uucp stream tcp nowait uucp / usr / sbin / tcpd / usr / lib / uucp / uucico-l
#
# TFTP service is provided primarily for booting. Most sites
# Run this only on machines acting as “boot servers.” Do not Uncomment
# This unless you * need * it.
#
# tftp dgram udp wait root / usr / sbin / tcpd in.tftpd
# bootps dgram udp wait root / usr / sbin / tcpd bootpd
#
# Finger, systat and netstat give out user information which may be
# Valuable to potential “system crackers.” Many sites choose to disable
# Some or all of these services to improve security.
#
# finger stream tcp nowait nobody / usr / sbin / tcpd in.fingerd
# systat stream tcp nowait guest / usr / sbin / tcpd / bin / ps-auwwx
# netstat stream tcp nowait guest / usr / sbin / tcpd / bin / netstat-f inet
#
# Authentication
#
# Identd is run standalone now
#
# auth stream tcp wait root / usr / sbin / in.identd in.identd-e-o
#
# End of inetd.conf
SUID Root Programs
Root SUID programs are the programs that run with root access, though the run was not the root. These programs will be very dangerous especially if the user can write to him. To that needs to be checked by means of:
mkdir-M700 / etc / info
find /-type f \ (-perm -04000-o-perm -02000 \)-ls> / etc / info / Suid-results
Then you must think of SUID programs what is needed and the location and allow these programs. But if the SUID programs you do not need or know the benefits, Change their permissions to 700 (chmod 700 *) or even better by changing their permissions to 700 and move it to a temporary directory to be sure they are not needed, and can be removed .
Data Encryption
To secure the data, you can use some encryption programs such as GNU Privacy Guard (www.gnupg.org) or Pretty Good Privacy (www.pgpi.com). The second program is freely available and available for a variety of major operating systems.
Both programs can be used to encrypt / decrypt data or email. In addition they can be used for data encryption using the private key and public key.
Network Security (network security)
FTP
FTP is a protocol that defines the standard for transferring data over a network (RFC 765). Ftp programs can be categorized into two namely ftp server and ftp client. FTP was originally intended to facilitate the transfer of data from various computer farther apart. This can be known by objectives to be achieved by FTP as found in RFC 765:
The objectives of FTP are:
1. to promote sharing of files (computer programs and / or data),
2. to encourage indirect or implicit (via programs) use of remote computers,
3. to shield a user from variations in file storage systems among hosts, and
4. to transfer data reliably and efficiently. FTP, though usable directly by a user at a terminal, is designed mainly for use by programs.
Root SUID programs are the programs that run with root access, though the run was not the root. These programs will be very dangerous especially if the user can write to him. To that needs to be checked by means of:
mkdir-M700 / etc / info
find /-type f \ (-perm -04000-o-perm -02000 \)-ls> / etc / info / Suid-results
Then you must think of SUID programs what is needed and the location and allow these programs. But if the SUID programs you do not need or know the benefits, Change their permissions to 700 (chmod 700 *) or even better by changing their permissions to 700 and move it to a temporary directory to be sure they are not needed, and can be removed .
Data Encryption
To secure the data, you can use some encryption programs such as GNU Privacy Guard (www.gnupg.org) or Pretty Good Privacy (www.pgpi.com). The second program is freely available and available for a variety of major operating systems.
Both programs can be used to encrypt / decrypt data or email. In addition they can be used for data encryption using the private key and public key.
Network Security (network security)
FTP
FTP is a protocol that defines the standard for transferring data over a network (RFC 765). Ftp programs can be categorized into two namely ftp server and ftp client. FTP was originally intended to facilitate the transfer of data from various computer farther apart. This can be known by objectives to be achieved by FTP as found in RFC 765:
The objectives of FTP are:
1. to promote sharing of files (computer programs and / or data),
2. to encourage indirect or implicit (via programs) use of remote computers,
3. to shield a user from variations in file storage systems among hosts, and
4. to transfer data reliably and efficiently. FTP, though usable directly by a user at a terminal, is designed mainly for use by programs.
Therefore, security issues become less important, but with more extensive use of the Internet, so security becomes one of the main issues.
FTP has several weaknesses as follows:
• FTP using the authentication mechanism based on username / password standards. As a result the server could not be sure that the user is really like what he said.
• By default the password is sent in plaintext form, so by using a sniffer, the attacker can retrieve their password.
• FTP session is not encrypted, so there is no privacy.
Also if your server is a directory that can be used by all people to enter the data it is possible your server will be used as a pirate softwares repository.
Some things that can be done to reduce the possibility of holes on the FTP server is:
• Using ftp server software is relatively safe, for example proftpd (www.proftpd.org) and FTP BSD (www.openbsd.org).
• Restrict orang-orang/host-host may access it by modifying the files / etc / ftphosts and / etc / ftpusers.
• If no directory is for uploading files, limit the space provided.
• Make sure the file access permissions for the following files are correct. If you have not set the following files:
• chmod 555 [ftp-home] ftp /
• chmod 555 [ftp-home] ftp / bin
• chmod 111 [ftp-home] ftp / bin / ls
• chmod 555 [ftp-home] ftp / etc
• chmod 444 [ftp-home] ftp / etc / passwd
and set all file ownership over to the root
chown-R root [ftp-home] ftp /
• Make sure the directory / bin does not have a shell script that can run something that we do not want.
• Use replacement programs like scp (client) and sshd (server) which are in OpenSSH (www.openssh.com). By using these two programs, data transmission is in encrypted form.
FTP has several weaknesses as follows:
• FTP using the authentication mechanism based on username / password standards. As a result the server could not be sure that the user is really like what he said.
• By default the password is sent in plaintext form, so by using a sniffer, the attacker can retrieve their password.
• FTP session is not encrypted, so there is no privacy.
Also if your server is a directory that can be used by all people to enter the data it is possible your server will be used as a pirate softwares repository.
Some things that can be done to reduce the possibility of holes on the FTP server is:
• Using ftp server software is relatively safe, for example proftpd (www.proftpd.org) and FTP BSD (www.openbsd.org).
• Restrict orang-orang/host-host may access it by modifying the files / etc / ftphosts and / etc / ftpusers.
• If no directory is for uploading files, limit the space provided.
• Make sure the file access permissions for the following files are correct. If you have not set the following files:
• chmod 555 [ftp-home] ftp /
• chmod 555 [ftp-home] ftp / bin
• chmod 111 [ftp-home] ftp / bin / ls
• chmod 555 [ftp-home] ftp / etc
• chmod 444 [ftp-home] ftp / etc / passwd
and set all file ownership over to the root
chown-R root [ftp-home] ftp /
• Make sure the directory / bin does not have a shell script that can run something that we do not want.
• Use replacement programs like scp (client) and sshd (server) which are in OpenSSH (www.openssh.com). By using these two programs, data transmission is in encrypted form.
Email
Email is one of the Internet facilities of the most widely used by people. Protocol used to transport mail is Simple Mail Transport Protocol (SMTP). SMTP server may work as follows:
• receiving incoming messages
• check the address of the recipient:
• if for a local address, messages will be received and stored.
• if for a remote address, the message will be forwarded
SMTP server has a major weakness is that they believe every person, so the user can specify an email address that they want and SMTP servers will process the email with a fake address this.
There are two things that must be done to address them are:
• protect the server from the penetration, so the attacker can not access your system.
• protect against unauthorized SMTP service so that Outsiders can not send spam or fake mail using your mail server.
To send email, but need the SMTP server is also required Mail Transport Agent (MTA). MTA One of the most widely used is sendmail. On the distribution of Red Hat 7.2, when using the default installation, sendmail will be installed and run as one service on your host.
Sendmail is often the target of the attacker because:
• sendmail has a long history of security, has found many bugs in sendmail program which can be fatal.
• sendmail is a service that is available publicly, so that everyone can use it.
• sendmail is usually run as root, if the attacker can find the hole then it is likely he could have root access on hosts running sendmail.
• sendmail is a complex program and difficult to configure and hoping the attacker configuration error occurred.
To protect your system from attacks that the attacker tried to use sendmail weakness can be done the following things:
• Protecting against unauthorized relaying. In the 8.9.x version of sendmail you can configure your server to relay only from the hosts allowed.
• Real-time blacklists. Sendmail can be used to determine to accept or reject mail from particular domains. This is very useful to overcome the known spammers.
• Disabling EXPN and VRFY commands. Both these SMTP commands cause information leakage. Attacker using both these commands to identify a valid user and expands the distribution list.
• Use TCP Wrappers to block traffic. If your site only to process small quantities of email, sendmail security can be integrated d ith TCP Wrappers to improve security.
• Always update your sendmail program. Make sure you have the latest sendmail program which has been fixing bugs that have been identified.
Use replacement MTA: qmail (www.qmail.org), postfix (www.postfix.org). If you have trouble with all these things, you should probably use another MTA.
Telnet
Telnet protocol goal is to provide two-way communication facility, 8-bit oriented. Its main purpose is to allow a standard method of interfacing terminal devices and terminal oriented processes to each other.
Telnet consists of two programs, namely the telnetd, which functions as a server, and telnet, which functions as a client. In general, telnet is a program that allows one to access the computer from a remote machine. Because not designed with security considering the many weaknesses which emerges is:
• the password used to login to the remote machine is not encrypted.
• data running on the network is not encrypted
• does not apply integrity checking session
It is recommended to replace telnet with other programs such as secure shell (SSH), but still want to use it if there are several alternate programs are relatively more secure:
• deslogin: network login services with secure authentication. The transmitted data is encrypted with DES, which are protected from electronic eavesdropping. can be obtained at deslogin ftp://ftp.uu.net/pub/security/des/
• STEL (Secure Telnet). Can be obtained at ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/
• CFS Telnet. Authentication is used based on RFC 1416. Can be obtained at http://www.net.tamu.edu/ftp/security/TAMU/
• SRP (Stanford University). Can be obtained at ftp://srp.stanford.edu/pub/srp/
Web
Web Servers
Web server is the service which must be implemented if we want the site that has been built can be accessed from the Internet. Here are some web server program that is widely used:
• Apache (www.apache.org)
• IIS (www.microsoft.com)
• Netscape (www.netscape.com)
By installing a web server to be accessed by many people, it opens the opportunity for the attacker to attack your web server. To reduce the possibility of the attacker to attack the data contained in the web server, then the data should be placed on the web server is not a secret, but public documents. In addition, the computer that serves as a web server should minimize the software that is installed, because as more software is installed, there is the possibility of bugs that interfere with the system will be even greater. Besides minimizing the services are installed.
If a computer only works as a web server so some of the following services can be eliminated:
• lpd (line printer daemon)
• r services (rshd, rlogin, rwhod, and rexec)
• ftp
• finger
• NFS (Network File System)
• SMB (Server Message Block)
• ypbind and ypserv
• amd
• portmap
Later after securing your web server, need secured web server software. Which will be discussed here is the Apache, as Apache web server software is the most widely used today, all Linux distributions have been included as an Apache web server software.
Apache httpd is the successor of the National Center for Supercomputer Applications. Apache has provided a security mechanism that has built-in, including:
• Host-based network access control
• Full to configure the location of the CGI script
• Full to reconfigure your settings.
Email is one of the Internet facilities of the most widely used by people. Protocol used to transport mail is Simple Mail Transport Protocol (SMTP). SMTP server may work as follows:
• receiving incoming messages
• check the address of the recipient:
• if for a local address, messages will be received and stored.
• if for a remote address, the message will be forwarded
SMTP server has a major weakness is that they believe every person, so the user can specify an email address that they want and SMTP servers will process the email with a fake address this.
There are two things that must be done to address them are:
• protect the server from the penetration, so the attacker can not access your system.
• protect against unauthorized SMTP service so that Outsiders can not send spam or fake mail using your mail server.
To send email, but need the SMTP server is also required Mail Transport Agent (MTA). MTA One of the most widely used is sendmail. On the distribution of Red Hat 7.2, when using the default installation, sendmail will be installed and run as one service on your host.
Sendmail is often the target of the attacker because:
• sendmail has a long history of security, has found many bugs in sendmail program which can be fatal.
• sendmail is a service that is available publicly, so that everyone can use it.
• sendmail is usually run as root, if the attacker can find the hole then it is likely he could have root access on hosts running sendmail.
• sendmail is a complex program and difficult to configure and hoping the attacker configuration error occurred.
To protect your system from attacks that the attacker tried to use sendmail weakness can be done the following things:
• Protecting against unauthorized relaying. In the 8.9.x version of sendmail you can configure your server to relay only from the hosts allowed.
• Real-time blacklists. Sendmail can be used to determine to accept or reject mail from particular domains. This is very useful to overcome the known spammers.
• Disabling EXPN and VRFY commands. Both these SMTP commands cause information leakage. Attacker using both these commands to identify a valid user and expands the distribution list.
• Use TCP Wrappers to block traffic. If your site only to process small quantities of email, sendmail security can be integrated d ith TCP Wrappers to improve security.
• Always update your sendmail program. Make sure you have the latest sendmail program which has been fixing bugs that have been identified.
Use replacement MTA: qmail (www.qmail.org), postfix (www.postfix.org). If you have trouble with all these things, you should probably use another MTA.
Telnet
Telnet protocol goal is to provide two-way communication facility, 8-bit oriented. Its main purpose is to allow a standard method of interfacing terminal devices and terminal oriented processes to each other.
Telnet consists of two programs, namely the telnetd, which functions as a server, and telnet, which functions as a client. In general, telnet is a program that allows one to access the computer from a remote machine. Because not designed with security considering the many weaknesses which emerges is:
• the password used to login to the remote machine is not encrypted.
• data running on the network is not encrypted
• does not apply integrity checking session
It is recommended to replace telnet with other programs such as secure shell (SSH), but still want to use it if there are several alternate programs are relatively more secure:
• deslogin: network login services with secure authentication. The transmitted data is encrypted with DES, which are protected from electronic eavesdropping. can be obtained at deslogin ftp://ftp.uu.net/pub/security/des/
• STEL (Secure Telnet). Can be obtained at ftp://idea.sec.dsi.unimi.it/pub/security/cert-it/
• CFS Telnet. Authentication is used based on RFC 1416. Can be obtained at http://www.net.tamu.edu/ftp/security/TAMU/
• SRP (Stanford University). Can be obtained at ftp://srp.stanford.edu/pub/srp/
Web
Web Servers
Web server is the service which must be implemented if we want the site that has been built can be accessed from the Internet. Here are some web server program that is widely used:
• Apache (www.apache.org)
• IIS (www.microsoft.com)
• Netscape (www.netscape.com)
By installing a web server to be accessed by many people, it opens the opportunity for the attacker to attack your web server. To reduce the possibility of the attacker to attack the data contained in the web server, then the data should be placed on the web server is not a secret, but public documents. In addition, the computer that serves as a web server should minimize the software that is installed, because as more software is installed, there is the possibility of bugs that interfere with the system will be even greater. Besides minimizing the services are installed.
If a computer only works as a web server so some of the following services can be eliminated:
• lpd (line printer daemon)
• r services (rshd, rlogin, rwhod, and rexec)
• ftp
• finger
• NFS (Network File System)
• SMB (Server Message Block)
• ypbind and ypserv
• amd
• portmap
Later after securing your web server, need secured web server software. Which will be discussed here is the Apache, as Apache web server software is the most widely used today, all Linux distributions have been included as an Apache web server software.
Apache httpd is the successor of the National Center for Supercomputer Applications. Apache has provided a security mechanism that has built-in, including:
• Host-based network access control
• Full to configure the location of the CGI script
• Full to reconfigure your settings.
Here are some options that can affect Web server security:
• ExecCGI: specify that CGI scripts can be run in this directory hierarchy.
• FollowSymlink: let a user create a symbolic link with just clicking on their hyperlinks.
• Includes: specifies that the Apache will process a server side include.
• Index: allows the display of the directory listing when no default page found.
Apache can also be configured by adding password protection and access control at the level of the directory with htpasswd. Htpasswd system provides access control to the user and group level through three configuration files, namely:
•. Htpasswd. This file is a database storing passwords and user name and password. She looks like the file / etc / passwd.
•. Htgroup. Is a password database file groups. He kept the group membership information, and in this case resembles the file / etc / group. . htgroup is optional, required if you want to implement access control group.
•. Htaccess. Htpasswd access the file is. He kept the rules of access (allow, deny), the location of configuration files, authentication methods, and so on.
Web Client
Use a browser such as Netscape Communicator and Internet Explorer also has a security risk. Because these programs are not free of software bugs. In addition to the growing number of sites that use dynamic web technologies like Javascript, ActiveX will heighten security risks.
In August 2000, Netscape Communicator version 4.0 to 4.74 for the Windows operating system, UNIX and Macintosh has a weakness in the distribution of Java is included, which allows Java to open a server that can be accessed by any client, but it also allows Java to access any URL including the file local [3].
• ExecCGI: specify that CGI scripts can be run in this directory hierarchy.
• FollowSymlink: let a user create a symbolic link with just clicking on their hyperlinks.
• Includes: specifies that the Apache will process a server side include.
• Index: allows the display of the directory listing when no default page found.
Apache can also be configured by adding password protection and access control at the level of the directory with htpasswd. Htpasswd system provides access control to the user and group level through three configuration files, namely:
•. Htpasswd. This file is a database storing passwords and user name and password. She looks like the file / etc / passwd.
•. Htgroup. Is a password database file groups. He kept the group membership information, and in this case resembles the file / etc / group. . htgroup is optional, required if you want to implement access control group.
•. Htaccess. Htpasswd access the file is. He kept the rules of access (allow, deny), the location of configuration files, authentication methods, and so on.
Web Client
Use a browser such as Netscape Communicator and Internet Explorer also has a security risk. Because these programs are not free of software bugs. In addition to the growing number of sites that use dynamic web technologies like Javascript, ActiveX will heighten security risks.
In August 2000, Netscape Communicator version 4.0 to 4.74 for the Windows operating system, UNIX and Macintosh has a weakness in the distribution of Java is included, which allows Java to open a server that can be accessed by any client, but it also allows Java to access any URL including the file local [3].
Tool for your network security
Sniffer
Sniffer is a device that is connected to the computer network and listen to all the network traffic [4]. A sniffing program allows someone to listen to the conversations on the computer.
Sniffer is usually used for things the following:
• Capture clear text password and login name of the network.
• Conversion of data to form a network that is easy to understand humans.
• Fault analysis to discover problems in the network.
• Performance analysis to discover bottlenecks in the network.
• Network intrusion detection to find the hacker / cracker.
• Network traffic logging, to create a log that are not modified and deleted by hackers.
Sniffer can be hardware or software, usually sniffer is to obtain data from transactions that took place and can retrieve data from a variety of protocols (TCP / IP, IPX / SPX, etc.).
Here are various sniffer which can be obtained for free:
• tcpdump. Wiretap program and the oldest terumum. In the simplest mode, it will produce one line decode packets to the commandline, one line per packet. tcpdump is a packet capture program UNIX standards. Can be obtained at http://www.tcpdump.org/.
• Ethereal. Sniffing program is the best GUI for UNIX. Available at http://ethereal.zing.org
• sniffit (http://reptile.rug.ac.be/ ~ coder / sniffit / sniffit.html) is useful when trying to analyze the application layer data.
• Snort. Libcap-based Packet-sniffer/logger with extensive filtering. Available at http://www.clark.net/ ~ Roesch / security.html
• trinux. Containing tcpdump and sniffit in one bootable floppy disk. Available at http://www.trinux.org/
• karpski (http://niteowl.userfriendly.net/linux/RPM/karpski.html). GUI packet sniffer program.
• SuperSniffer v1.3 (http://www.mobis.com/ ~ ajax / projects /). Is a libpcap-based packet sniffer that improved with many modifications such as a log file that is encrypted DES, actions are logged traffic can be matched by the regular expression pattern, POP and FTP connections actions are logged on one line, telnet negotiation garbage ignored, ignoring multiple connections, tcp packet reassembly, parellel tcp connection logging.
• exdump (http://exscan.netpedia.net/exdump.html). Lightweight packet sniffer for Linux?
• linux_sniffer.c. This program consists of 175 lines of code in C, is distributed primarily at cracker sites on the Internet. This program is specifically Linux. Are free and are an easy way to learn the packet traffic. Available at www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/
In theory, it is impossible to detect sniffer programs because they only collect packets, they do not transmit anything. But in practice, sometimes possible to detect a sniffer program.
Here are some tools that can be used to detect sniffers:
• ifconfig
By default, workstations just to listen and respond to packets addressed to him. However, when the network was transferred to a workstation interface for promiscuous mode, the workstation can monitor and capture all network traffic and packets that pass, regardless of the destination.
To detect whether an interface is in promiscuous mode on your local host, use ifconfig.
Here is the ifconfig reports on the status of all interfaces without the sniffer:
eth0 Link encap: Ethernet HWaddr 00:50: DA: 0C: 16:19
inet addr: 192.168.21.12 Bcast: 192.168.21.255 Mask: 255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX packets: 1869 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 1090 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 100
Interrupt: 10 Base address: 0xb000
Sniffer
Sniffer is a device that is connected to the computer network and listen to all the network traffic [4]. A sniffing program allows someone to listen to the conversations on the computer.
Sniffer is usually used for things the following:
• Capture clear text password and login name of the network.
• Conversion of data to form a network that is easy to understand humans.
• Fault analysis to discover problems in the network.
• Performance analysis to discover bottlenecks in the network.
• Network intrusion detection to find the hacker / cracker.
• Network traffic logging, to create a log that are not modified and deleted by hackers.
Sniffer can be hardware or software, usually sniffer is to obtain data from transactions that took place and can retrieve data from a variety of protocols (TCP / IP, IPX / SPX, etc.).
Here are various sniffer which can be obtained for free:
• tcpdump. Wiretap program and the oldest terumum. In the simplest mode, it will produce one line decode packets to the commandline, one line per packet. tcpdump is a packet capture program UNIX standards. Can be obtained at http://www.tcpdump.org/.
• Ethereal. Sniffing program is the best GUI for UNIX. Available at http://ethereal.zing.org
• sniffit (http://reptile.rug.ac.be/ ~ coder / sniffit / sniffit.html) is useful when trying to analyze the application layer data.
• Snort. Libcap-based Packet-sniffer/logger with extensive filtering. Available at http://www.clark.net/ ~ Roesch / security.html
• trinux. Containing tcpdump and sniffit in one bootable floppy disk. Available at http://www.trinux.org/
• karpski (http://niteowl.userfriendly.net/linux/RPM/karpski.html). GUI packet sniffer program.
• SuperSniffer v1.3 (http://www.mobis.com/ ~ ajax / projects /). Is a libpcap-based packet sniffer that improved with many modifications such as a log file that is encrypted DES, actions are logged traffic can be matched by the regular expression pattern, POP and FTP connections actions are logged on one line, telnet negotiation garbage ignored, ignoring multiple connections, tcp packet reassembly, parellel tcp connection logging.
• exdump (http://exscan.netpedia.net/exdump.html). Lightweight packet sniffer for Linux?
• linux_sniffer.c. This program consists of 175 lines of code in C, is distributed primarily at cracker sites on the Internet. This program is specifically Linux. Are free and are an easy way to learn the packet traffic. Available at www.catch22.com/Twilight.NET/phuncnet/hacking/proggies/sniffers/
In theory, it is impossible to detect sniffer programs because they only collect packets, they do not transmit anything. But in practice, sometimes possible to detect a sniffer program.
Here are some tools that can be used to detect sniffers:
• ifconfig
By default, workstations just to listen and respond to packets addressed to him. However, when the network was transferred to a workstation interface for promiscuous mode, the workstation can monitor and capture all network traffic and packets that pass, regardless of the destination.
To detect whether an interface is in promiscuous mode on your local host, use ifconfig.
Here is the ifconfig reports on the status of all interfaces without the sniffer:
eth0 Link encap: Ethernet HWaddr 00:50: DA: 0C: 16:19
inet addr: 192.168.21.12 Bcast: 192.168.21.255 Mask: 255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX packets: 1869 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 1090 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 100
Interrupt: 10 Base address: 0xb000
lo Link encap: Local Loopback
inet addr: 127.0.0.1 Mask: 255.0.0.0
Loopback UP RUNNING MTU: 3924 Metric: 1
RX packets: 5 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 5 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 0
While the next display is the status of the interface with a sniffer:
inet addr: 127.0.0.1 Mask: 255.0.0.0
Loopback UP RUNNING MTU: 3924 Metric: 1
RX packets: 5 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 5 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 0
While the next display is the status of the interface with a sniffer:
eth0 Link encap: Ethernet HWaddr 00:50: DA: 0C: 16:19
inet addr: 192.168.21.12 Bcast: 192.168.21.255 Mask: 255.255.255.0
Promisc UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX packets: 1869 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 1090 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 100
Interrupt: 10 Base address: 0xb000
inet addr: 192.168.21.12 Bcast: 192.168.21.255 Mask: 255.255.255.0
Promisc UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric: 1
RX packets: 1869 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 1090 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 100
Interrupt: 10 Base address: 0xb000
lo Link encap: Local Loopback
inet addr: 127.0.0.1 Mask: 255.0.0.0
Loopback UP RUNNING MTU: 3924 Metric: 1
RX packets: 5 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 5 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 0
Seen that the interface eth0 running in promiscuous mode.
• ifstatus
ifstatus check all the network interfaces and system interfaces are reported to debug or promiscuous mode.
inet addr: 127.0.0.1 Mask: 255.0.0.0
Loopback UP RUNNING MTU: 3924 Metric: 1
RX packets: 5 errors: 0 dropped: 0 overruns: 0 frame: 0
TX packets: 5 errors: 0 dropped: 0 overruns: 0 carrier: 0
collisions: 0 txqueuelen: 0
Seen that the interface eth0 running in promiscuous mode.
• ifstatus
ifstatus check all the network interfaces and system interfaces are reported to debug or promiscuous mode.
can be obtained at ifstatus http://cert.unisa.it/pub/Tools/Network/ifstatus/
• Antisniff
Sniffer-detection tool is the most comprehensive. Antisniff can be obtained at http://www.l0pht.com/antisniff/
• NePED (promiscuous Ethernet Network Detector)
A tool from The Apostols that can detect a sniffer running on the local segment. Can be obtained from NePED http://www.apostols.org/projectz/neped/
Scanner
Scanner is a tool that checks the security vulnerabilities. Scanner can be divided into two namely:
System Scanner
To view the security hole on localhost, usually occurs because of an error in granting access to files, the default account, a duplicate UID.
Scanner system example is COPS (Computer Oracle and Password System). COPS was written by Dan Farmer. COPS analyzes your system for common configuration problems, and the signs are still there on UNIX systems, including:
- Files, directories and permissions invalid device or Erroneous.
- A weak password.
- Poor security on password and group files.
- The bits SUID / SGID is not exactly on those files.
- The changes in the checksum file suspicious.
Network Scanner
Network scanners are used to seeing on the network security gap. Examples of network scanners are:
• ISS (Internet Security Scanner). ISS was written by Christopher Klaus and can be obtained at www.atomicfrog.com / archives / exploits / crack-scan / iss.tar.gz
• SATAN (Security Administor’s Tool for Analyzing Networks), functions to remote systems scan for weaknesses in the following areas: FTP, NFS, NIS, rsh, Rexd, sendmail, Trivial FTP, and Xserver. Can be obtained at www.fish.com / satan
• SAINT (Security Administrator’s Integrated Network Tool). SATAN SATAN is a version that has been repaired and support vulnerabilities such date: CGI-based Web attack, DoS (denial of service) attack POP server, SSH vulnarabilities, and a remote buffer overflow. SAINT can be obtained from www.wwdsi.com/saint/
• Nessus. Nessus is a free scanner that is very good and sophisticated. Written by Renaud Deraison, Nessus is always growing. Can run on Linux, Windows NT, and UNIX systems. Nessus supports various attacks through the use of plug-ins. Nessus uses an attractive GUI and intuitive. More information about the Nessus can be found in www.nessus.org
• nmap (Network Mapper). Nmap is a utility for port scanning large networks. In particular, nmap supports: TCP connect scan, TCP half open scanning, and various other network facilities. In addition nmap also supports the performance and reliability features such as dynamic delay time calculations, parallel port scanning, detection of down hosts via parallel pings. Nmap is also able to provide a log results easily readable by humans. Nmap can be obtained at www.insecure.org/nmap/
Firewall
A firewall is a system or group of systems that establish access control policy between two networks. In principle, the firewall can be considered as a pair of mechanisms: the first block traffic, which both allow the network traffic. Firewalls can be used to protect your network from attack by outside network, but firewalls can not protect from attacks that do not through the firewall, and attack from someone inside your network, and firewalls can not protect you from application programs written with bad.
Conceptually, there are two kinds of network-level firewalls and application level. Level network firewall based their decision on the source address, destination address and port contained in each IP packet. Network-level firewalls is very fast and very transparent to the user. Application level firewalls generally are hosts running as a proxy server, which does not allow traffic between networks, and perform logging and auditing of traffic through it. Application-level firewalls provide audit reports more detailed and more likely to impose a security model that is more conservative than the network-level firewalls.
Free Firewall:
• ipchains. Ipchains is the user-space portion of the latest code filter package which was introduced in Linux kernel version 2.1.102.
• Falcon Project (Free Application-Level Connection Kit) is an open firewall project with the aim of developing a free firewall systems, secure and OS-independent. Falcon consists of three main modules of the proxy Falcon (written in Perl), 3rd-party proxies (squid/qmail/BIND8) were modified for chroot environment and general concepts for OS hardening. For more information, please see http://falcon.naw.de/
• Juniper firewall toolkit is the product. He intended as a tool for building a secure Internet firewall and effective. In other words, Juniper is designed to work on dual-homed hosts that do not bastions memforwarrd packets between interfaces.
• Antisniff
Sniffer-detection tool is the most comprehensive. Antisniff can be obtained at http://www.l0pht.com/antisniff/
• NePED (promiscuous Ethernet Network Detector)
A tool from The Apostols that can detect a sniffer running on the local segment. Can be obtained from NePED http://www.apostols.org/projectz/neped/
Scanner
Scanner is a tool that checks the security vulnerabilities. Scanner can be divided into two namely:
System Scanner
To view the security hole on localhost, usually occurs because of an error in granting access to files, the default account, a duplicate UID.
Scanner system example is COPS (Computer Oracle and Password System). COPS was written by Dan Farmer. COPS analyzes your system for common configuration problems, and the signs are still there on UNIX systems, including:
- Files, directories and permissions invalid device or Erroneous.
- A weak password.
- Poor security on password and group files.
- The bits SUID / SGID is not exactly on those files.
- The changes in the checksum file suspicious.
Network Scanner
Network scanners are used to seeing on the network security gap. Examples of network scanners are:
• ISS (Internet Security Scanner). ISS was written by Christopher Klaus and can be obtained at www.atomicfrog.com / archives / exploits / crack-scan / iss.tar.gz
• SATAN (Security Administor’s Tool for Analyzing Networks), functions to remote systems scan for weaknesses in the following areas: FTP, NFS, NIS, rsh, Rexd, sendmail, Trivial FTP, and Xserver. Can be obtained at www.fish.com / satan
• SAINT (Security Administrator’s Integrated Network Tool). SATAN SATAN is a version that has been repaired and support vulnerabilities such date: CGI-based Web attack, DoS (denial of service) attack POP server, SSH vulnarabilities, and a remote buffer overflow. SAINT can be obtained from www.wwdsi.com/saint/
• Nessus. Nessus is a free scanner that is very good and sophisticated. Written by Renaud Deraison, Nessus is always growing. Can run on Linux, Windows NT, and UNIX systems. Nessus supports various attacks through the use of plug-ins. Nessus uses an attractive GUI and intuitive. More information about the Nessus can be found in www.nessus.org
• nmap (Network Mapper). Nmap is a utility for port scanning large networks. In particular, nmap supports: TCP connect scan, TCP half open scanning, and various other network facilities. In addition nmap also supports the performance and reliability features such as dynamic delay time calculations, parallel port scanning, detection of down hosts via parallel pings. Nmap is also able to provide a log results easily readable by humans. Nmap can be obtained at www.insecure.org/nmap/
Firewall
A firewall is a system or group of systems that establish access control policy between two networks. In principle, the firewall can be considered as a pair of mechanisms: the first block traffic, which both allow the network traffic. Firewalls can be used to protect your network from attack by outside network, but firewalls can not protect from attacks that do not through the firewall, and attack from someone inside your network, and firewalls can not protect you from application programs written with bad.
Conceptually, there are two kinds of network-level firewalls and application level. Level network firewall based their decision on the source address, destination address and port contained in each IP packet. Network-level firewalls is very fast and very transparent to the user. Application level firewalls generally are hosts running as a proxy server, which does not allow traffic between networks, and perform logging and auditing of traffic through it. Application-level firewalls provide audit reports more detailed and more likely to impose a security model that is more conservative than the network-level firewalls.
Free Firewall:
• ipchains. Ipchains is the user-space portion of the latest code filter package which was introduced in Linux kernel version 2.1.102.
• Falcon Project (Free Application-Level Connection Kit) is an open firewall project with the aim of developing a free firewall systems, secure and OS-independent. Falcon consists of three main modules of the proxy Falcon (written in Perl), 3rd-party proxies (squid/qmail/BIND8) were modified for chroot environment and general concepts for OS hardening. For more information, please see http://falcon.naw.de/
• Juniper firewall toolkit is the product. He intended as a tool for building a secure Internet firewall and effective. In other words, Juniper is designed to work on dual-homed hosts that do not bastions memforwarrd packets between interfaces.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.