UBRM05-104
500 Eldorado Blvd.
Broomfield, CO 80021
U.S.A.
Revision C, August 2001
Administering Security on the Solaris 8 Operating Environment
SC-300
Student Guide
Copyright 2001 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, California 94303, U.S.A. All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and
decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of
Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark
in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun Logo, SunDocs, EJB, Enterprise JavaBeans, Forte Fusion, Java, Java 2 Platform, Enterprise Edition, Java API
for XML Parsing, Java Authentication and Authorization Service, JavaBeans, Java Community Process, JavaMail, Java Message Service,
JavaOne, JavaScript, Java Secure Socket Extension, JavaServer, JavaServer Pages, Java Virtual Machine, Java Web Server, J2EE, JDBC, JDK,
JSP, JVM, Solaris, and SunNet Manager are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and
other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
Netscape is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries.
Netscape Navigator is a trademark or registered trademark of Netscape Communications Corporation in the United States and other
countries.
U.S. Government approval required when exporting the product.
RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g) (2)(6/87) and
FAR 52.227-19(6/87), or DFAR 252.227-7015 (b)(6/95) and DFAR 227.7202-3(a).
DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND
WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID.
French-language notice (translated):
Copyright 2001 Sun Microsystems Inc., 901 San Antonio Road, Palo Alto, California 94303, United States. All rights reserved.
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution,
and decompilation. No part of this product or document may be reproduced in any form, by any means whatsoever,
without the prior written authorization of Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of this product may be derived from Berkeley 4.3 BSD systems, licensed from the University of California. UNIX is a registered
trademark in the United States and other countries, exclusively licensed through X/Open Company Ltd.
Sun, Sun Microsystems, the Sun Logo, SunDocs, EJB, Enterprise JavaBeans, Forte Fusion, Java, Java 2 Platform, Enterprise Edition, Java API
for XML Parsing, Java Authentication and Authorization Service, JavaBeans, Java Community Process, JavaMail, Java Message Service,
JavaOne, JavaScript, Java Secure Socket Extension, JavaServer, JavaServer Pages, Java Virtual Machine, Java Web Server, J2EE, JDBC, JDK,
JSP, JVM, Solaris, and SunNet Manager are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and
other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc.
in the United States and other countries.
Netscape is a trademark of Netscape Communications Corporation in the United States and other countries.
Netscape Navigator is a trademark of Netscape Communications Corporation in the United States and other countries.
Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
DOCUMENTATION IS PROVIDED "AS IS" AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES
ARE EXPRESSLY EXCLUDED, TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING IN PARTICULAR ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.
Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C
Table of Contents
About This Course .................................................................Preface-i
Course Goals............................................................................ Preface-i
Course Map.............................................................................. Preface-ii
Module-by-Module Overview.............................................Preface-iii
Course Objectives................................................................... Preface-vi
Topics Not Covered..............................................................Preface-vii
How Prepared Are You?.................................................... Preface-viii
Introductions .......................................................................... Preface-ix
How to Use Course Materials ............................................... Preface-x
Course Icons and Typographical Conventions ................. Preface-xi
Icons ................................................................................ Preface-xi
Typographical Conventions ....................................... Preface-xii
Security Overview ............................................................................1-1
Objectives ........................................................................................... 1-1
Relevance............................................................................................. 1-2
Additional Resources ........................................................................ 1-3
Tool Downloads ........................................................................ 1-3
Understanding Security................................................................... 1-4
Security and UNIX ................................................................. 1-5
Examples of Break-Ins....................................................................... 1-8
Chronology of a Host Compromise ....................................... 1-8
Western Union........................................................................... 1-9
Nuclear Power Station............................................................ 1-10
Travelocity ............................................................................... 1-10
FTP Server ................................................................................ 1-10
Yahoo! Web Server.................................................................. 1-11
Security Terminology..................................................................... 1-12
The Orange Book............................................................................. 1-14
Common Terms....................................................................... 1-16
Types of Security Attacks .............................................................. 1-21
Fraud and Theft....................................................................... 1-21
Terrorism and Sabotage ......................................................... 1-22
Privacy Violation..................................................................... 1-22
Publicity Attacks ..................................................................... 1-23
Denial of Service...................................................................... 1-24
Natural Causes and Environmental Influences.................. 1-24
Frequency of Security Attacks ....................................................... 1-25
Security Attacks Are Rare, Or Are They? .......................... 1-26
Understanding Your Attackers..................................................... 1-28
Motivations of an Attacker .................................................... 1-30
Other Types of Attackers ....................................................... 1-31
Hackers..................................................................................... 1-32
Script Kiddies .......................................................................... 1-33
Terrorists .................................................................................. 1-33
Criminals .................................................................................. 1-33
Employees ................................................................................ 1-34
Top Enterprise-Wide Attacks................................................ 1-34
Running an Intrusion Detection System...................................... 1-36
Burglar Alarms and Honey Pots........................................... 1-37
Running Dummy Attacks...................................................... 1-38
Vulnerability Scanners ........................................................... 1-38
Security Policy................................................................................. 1-39
Purpose and Use of a Security Policy .................................. 1-41
Creating a Security Policy...................................................... 1-42
Using Third-Party Security Tools................................................. 1-43
Installation of Third-Party Tools .......................................... 1-44
Security Issues With Third-Party Tools............................... 1-46
Site Policy for Security Tools......................................................... 1-47
Exercise: Considering Security Issues........................................... 1-49
Task: Example Security Attacks.......................................... 1-49
Task: Security Policy............................................................. 1-49
Task: System Configuration ................................................ 1-50
Exercise Summary............................................................................ 1-54
Exercise Solutions ............................................................................ 1-55
Example Security Attacks ...................................................... 1-55
Security Policy......................................................................... 1-55
System Configuration............................................................. 1-55
Using Solaris OE Log Files ......................................................... 2-1
Objectives ........................................................................................... 2-1
Relevance............................................................................................. 2-2
Additional Resources ........................................................................ 2-3
Tool Downloads ........................................................................ 2-3
Solaris OE Logging Files ................................................................... 2-4
Using /var/adm/lastlog Files.............................................. 2-5
Using /var/adm/loginlog Files ........................................... 2-6
Using utmpx and wtmpx Log Files .......................................... 2-6
Using the sulog File................................................................. 2-7
Using /var/adm/messages Files ........................................... 2-7
The System Logging Facility ........................................................... 2-8
Configuring the Syslog Utility................................................ 2-9
Why Use Centralized Logging?............................................ 2-13
The logger Utility .................................................................. 2-15
Using the swatch Tool ........................................................... 2-16
Solaris OE Monitoring Tools .......................................................... 2-23
Process Monitoring Using the top Tool ...................................... 2-25
The Solaris OE Accounting Package ............................................ 2-27
Why Use the Accounting Package?...................................... 2-28
Process Accounting................................................................. 2-29
Working With the Accounting Package .............................. 2-30
Setting Up Accounting........................................................... 2-35
Exercise: Using Logging as a Security Tool ................................. 2-38
Preparation............................................................................... 2-38
Tasks ......................................................................................... 2-38
Task: Sample sulog Commentary File .............................. 2-38
Task: Studying Processes .................................................... 2-39
Task: Enabling the Syslog Facility to Report su Command Activity .............................................................. 2-40
Task: Enabling the Syslog Facility to Report Failed Login Activity....................................................................... 2-40
Task: Enabling ftp to Report Logins ................................. 2-40
Task: Using the swatch Tool ............................................... 2-41
Task: Starting Process Accounting ..................................... 2-43
Exercise Summary............................................................................ 2-45
Exercise Solutions ............................................................................ 2-46
Sample sulog Commentary File .......................................... 2-46
Studying Processes ................................................................. 2-47
Enabling the Syslog Facility to Report su Command Activity .................................................................. 2-48
Enabling the Syslog Facility to Report Failed Login Activity .................................................................. 2-48
Enabling ftp to Report Logins ............................................. 2-49
Using the swatch Tool ........................................................... 2-49
Starting Process Accounting.................................................. 2-49
The Solaris OE Basic Security Module...........................................3-1
Objectives ........................................................................................... 3-1
Relevance............................................................................................. 3-2
Additional Resources ........................................................................ 3-3
Solaris OE Basic Security Module Auditing ................................. 3-4
Identifying Major BSM Components ..................................... 3-6
Enabling BSM.......................................................................... 3-11
Disabling BSM......................................................................... 3-13
Creating an Audit Trail Using BSM............................................. 3-14
Setting Audit Flags ................................................................. 3-14
Generating an Audit Trail...................................................... 3-22
Interpreting and Filtering Audit Data ......................................... 3-26
Filtering Audit Data Using the auditreduce Command.............................................................. 3-26
Formatting Audit Data Using the praudit Command.............................................................. 3-28
Controlling the auditd Daemon Using the audit Command.............................................................. 3-29
Implementing BSM Device Management.................................... 3-30
Configuring BSM Device Management ............................... 3-31
Interpreting the /etc/security/device_maps File ........ 3-32
Interpreting the /etc/security/device_allocate
File.......................................................................................... 3-34
The Device-Clean Scripts ....................................................... 3-36
Authorizing Users to Access Devices .................................. 3-37
Device Allocation and De-Allocation .................................. 3-39
Managing Devices Using BSM.............................................. 3-40
Exercise: Using the Basic Security Module .................................. 3-42
Preparation............................................................................... 3-42
Tasks ......................................................................................... 3-42
Task: Installing and Configuring BSM............................... 3-42
Task: Monitoring Audit Data.............................................. 3-43
Task: Securing a Peripheral Device.................................... 3-44
Task: Disabling BSM Auditing............................................ 3-46
Exercise Summary............................................................................ 3-47
Exercise Solutions ............................................................................ 3-48
Installing and Configuring BSM........................................... 3-48
Monitoring Audit Data .......................................................... 3-48
Securing a Peripheral Device ................................................ 3-48
Disabling BSM Auditing........................................................ 3-48
Security Attacks............................................................................... 4-1
Objectives ........................................................................................... 4-1
Relevance............................................................................................. 4-2
Additional Resources ........................................................................ 4-3
Recognizing Trojan Horses.............................................................. 4-4
Example Trojan Horses ............................................................ 4-5
Identifying Back Doors................................................................... 4-12
Recognizing Common UNIX Back Doors ........................... 4-13
Using Devices to Create a Back Door................................... 4-15
Detecting and Preventing Trojan Horse and Back Door Attacks .............................................................................................. 4-18
The Solaris OE Fingerprint Database................................... 4-18
TripWire ................................................................................... 4-19
Checklists, File Digests, and Checksums............................. 4-19
The BSM Audit Trail............................................................... 4-19
Using the find Command..................................................... 4-20
Preventing Trojan Horse and Back Door Attacks .............. 4-22
Rootkits: Understanding How Attackers Use Them............... 4-24
Installing Back Doors and Trojan Horses............................ 4-25
Detecting Rootkit Use............................................................. 4-26
Kernel Rootkits........................................................................ 4-28
Identifying Denial of Service Attacks .......................................... 4-30
Malicious DoS Attacks ........................................................... 4-31
Preventing DoS Attacks ......................................................... 4-33
Recognizing Causes of Accidental DoS............................... 4-34
Exercise: Detecting Trojan Horses and Back Doors .................... 4-35
Task: Detecting Trojan Horses and Back Doors ............... 4-35
Exercise Summary............................................................................ 4-36
Exercise Solutions ............................................................................ 4-37
Detecting Trojan Horses and Back Doors............................ 4-37
Administering User Accounts Securely.........................................5-1
Objectives ........................................................................................... 5-1
Relevance............................................................................................. 5-2
Additional Resources ........................................................................ 5-3
Administering Regular Users.......................................................... 5-4
Determining User and Group IDs .......................................... 5-4
Implications of Duplicate User IDs ........................................ 5-5
Selecting and Creating Groups and Group IDs (GIDs)....... 5-7
Customizing Default Profiles.................................................. 5-8
Setting Accounts to Expire..................................................... 5-11
Administering Superuser Accounts............................................. 5-13
Restricting Root Logins.......................................................... 5-14
Securing Guest Accounts ............................................................... 5-15
Protecting Dormant Accounts....................................................... 5-17
Deleting Dormant Accounts.................................................. 5-19
Checking User Security................................................................... 5-21
Configuring the /etc/default/su File.............................. 5-21
Classifying Non-Login Accounts.................................................. 5-22
Restricting Functionality Using a Non-Login Shell ........... 5-24
Limiting User Options With Restricted Shells............................ 5-27
Assessing the Limitations Enforced by Restricted Shells ...................................................................... 5-28
Configuring a Restricted Shell .............................................. 5-29
Exercise: Securing Guest and Restricted Accounts..................... 5-36
Preparation............................................................................... 5-36
Tasks ......................................................................................... 5-36
Task: Creating a Guest Account With Automatic Expiration.............................................................. 5-36
Task: Configuring a Restricted User Account .................. 5-37
Exercise Summary............................................................................ 5-38
Exercise Solutions ............................................................................ 5-39
Creating a Guest Account With Automatic Expiration.............................................................. 5-39
Configuring a Restricted User Account............................... 5-39
Password Security........................................................................... 6-1
Objectives ........................................................................................... 6-1
Relevance............................................................................................. 6-2
Additional Resources ........................................................................ 6-3
Passwords ........................................................................................... 6-4
Revisiting the Password and Shadow Files .......................... 6-4
The /etc/passwd File .............................................................. 6-5
The /etc/shadow File .............................................................. 6-7
Setting a Password Policy........................................................ 6-9
Choosing Good Passwords.................................................... 6-11
Revisiting the passwd Command......................................... 6-15
Configuring Password Aging ............................................... 6-16
Configuring Default Password Aging................................. 6-18
Checking for Accounts With No Password ........................ 6-19
Using Password Generators .................................................. 6-21
One-Time Passwords.............................................................. 6-23
Cracking Password Programs....................................................... 6-25
Cracking Passwords Using the crack Tool ................................. 6-26
Using the crack Tool to Find Weak Passwords................ 6-27
Installing and Running the crack Tool.............................. 6-28
Tools for Setting Good Passwords ............................................... 6-29
Exercise: Securing Passwords ........................................................ 6-30
Preparation............................................................................... 6-30
Tasks ......................................................................................... 6-30
Task: Installing and Configuring the crack Tool ............ 6-30
Task: Running the crack Tool Against the System Passwords ............................................................. 6-31
Task: Using the crack Tool to Check Favorite Passwords ............................................................. 6-32
Exercise Summary............................................................................ 6-33
Exercise Solutions ............................................................................ 6-34
Installing and Configuring the crack Tool......................... 6-34
Running the crack Tool Against the System Passwords ............................................................. 6-34
Using the crack Tool to Check Favorite Passwords ......... 6-35
Securing Root Access .....................................................................7-1
Objectives ........................................................................................... 7-1
Relevance............................................................................................. 7-2
Additional Resources ........................................................................ 7-3
Tool Downloads ........................................................................ 7-3
Controlling Root Access................................................................... 7-4
Solaris OE Role Based Access Control (RBAC) ............................ 7-5
Understanding RBAC Concepts ............................................. 7-6
Configuring RBAC Profiles ..................................................... 7-8
Adding RBAC Profiles ........................................................... 7-10
Using RBAC Roles and Profiles ............................................ 7-11
Assigning Roles and Profiles................................................. 7-15
Assuming a Role ..................................................................... 7-17
Evaluating RBAC.................................................................... 7-18
The sudo Utility............................................................................... 7-20
Using the sudo Utility ............................................................ 7-21
Introducing sudo Tickets ....................................................... 7-23
Configuring the sudo Utility................................................. 7-24
The sudoers Format............................................................... 7-25
Using Aliases ........................................................................... 7-27
Using Defaults ......................................................................... 7-29
Logging sudo Activity............................................................ 7-31
Security Implications of Using the sudo Utility................. 7-33
Evaluating the sudo Utility ................................................... 7-35
Exercise: Controlling Root Access ................................................. 7-36
Preparation............................................................................... 7-36
Tasks ......................................................................................... 7-36
Task: Installing and Configuring the sudo Utility........... 7-36
Task: Configuring RBAC..................................................... 7-37
Exercise Summary............................................................................ 7-38
Exercise Solutions ............................................................................ 7-39
Installing and Configuring the sudo Utility ....................... 7-39
Configuring RBAC.................................................................. 7-40
File System Attacks......................................................................... 8-1
Objectives ........................................................................................... 8-1
Relevance............................................................................................. 8-2
Additional Resources ........................................................................ 8-3
Guidelines for Setting Up the root Partition ............................... 8-4
Preventing Users From Filling the /tmp File ........................ 8-5
Using Temporary File Systems ............................................... 8-6
Preventing DoS Due to Limited Swap Space........................ 8-8
Setting File System Permissions for Security............................... 8-10
Files Permissions..................................................................... 8-11
Directory Permissions ............................................................ 8-12
Permission Categories............................................................ 8-13
Review File Permissions ........................................................ 8-15
Implications of Lax Permissions ........................................... 8-17
Preventing Lax Permissions Using the umask Setting....... 8-18
Checking File Permissions..................................................... 8-19
Set-User-ID and Set-Group-ID Files............................................. 8-20
Identifying and Changing SUID and SGID Bits................. 8-22
Setting Sticky Bits and SGID on Directories................................. 8-24
Using Sticky Directories......................................................... 8-25
Setting SGID Directories ........................................................ 8-27
Securing Files Using Access Control Lists .................................. 8-29
Using the getfacl and setfacl Commands .................... 8-31
Deleting ACL Entries.............................................................. 8-37
Encrypting Data ............................................................................... 8-38
The crypt Command............................................................. 8-39
Securing Device Files...................................................................... 8-41
Unauthorized Device Files .................................................... 8-42
Guidelines for Protecting Systems Using Backups.................... 8-43
Restoring Data......................................................................... 8-47
Exercise: Securing File Systems...................................................... 8-48
Preparation............................................................................... 8-48
Tasks ......................................................................................... 8-48
Task Creating ACLs............................................................. 8-48
Task Creating a Group-Shared Directory......................... 8-49
Task Creating File System Hardening Checklist............. 8-50
Exercise Summary............................................................................ 8-51
Exercise Solutions ............................................................................ 8-52
Creating ACLs ......................................................................... 8-52
Creating a Group-Shared Directory..................................... 8-54
Creating a File System Hardening Checklist ...................... 8-57
Auditing File Systems ..................................................................... 9-1
Objectives ........................................................................................... 9-1
Relevance............................................................................................. 9-2
Additional Resources ........................................................................ 9-3
What Is Auditing?............................................................................. 9-4
Auditing Techniques ................................................................ 9-6
Using Audits to Detect Successful Security Attacks............ 9-8
File Digests and Checksums.................................................... 9-9
Checksum Algorithms ........................................................... 9-10
File Digest Algorithms ........................................................... 9-11
The Solaris OE Fingerprint Database................................... 9-13
Using TripWire to Audit File Systems......................................... 9-15
Obtaining the TripWire Tool................................................. 9-16
Editing the TripWire Configuration File ............................. 9-17
Configuration Templates ....................................................... 9-20
Generating a TripWire Database .......................................... 9-21
Checking a TripWire Database ............................................. 9-23
Identifying Inconsistencies .................................................... 9-24
Updating the Database........................................................... 9-25
Double-Checking Integrity.................................................... 9-25
Securing the TripWire Database................................................... 9-27
Exercise: Using the TripWire Tool................................................. 9-29
Preparation............................................................................... 9-29
Task Installing TripWire ..................................................... 9-29
Task Creating a TripWire Configuration ......................... 9-30
Task Running System Integrity Checks............................ 9-31
Exercise Summary............................................................................ 9-33
Exercise Solutions ............................................................................ 9-34
Installing TripWire.................................................................. 9-34
Creating a TripWire Configuration...................................... 9-36
Running System Integrity Checks ........................................ 9-37
Attacking Network Data .................................................................10-1
Objectives ......................................................................................... 10-1
Relevance........................................................................................... 10-2
Additional Resources ...................................................................... 10-3
Network Sniffing............................................................................. 10-4
Implications of Sniffing.......................................................... 10-6
How Sniffers Work ................................................................. 10-7
Detecting Sniffers .................................................................... 10-8
Defending Against Network Sniffers................................. 10-10
Network Sniffing Tools................................................................ 10-11
The snoop Utility .................................................................. 10-12
The snoop Options................................................................ 10-14
The snoop Packet Filters ...................................................... 10-17
The dsniff Utility ................................................................ 10-20
Running the dsniff Utility................................................. 10-21
Network Service Attacks.............................................................. 10-25
Packet Replay Attacks .......................................................... 10-26
Vulnerabilities of the sendmail Program......................... 10-28
Buffer Overflow Attacks ...................................................... 10-30
Web (HTTP) Servers ............................................................. 10-32
Network Denial of Service Attacks .................................... 10-33
Types of Network Denial of Service Attacks .................... 10-35
TCP SYN Flood Attack......................................................... 10-35
Ping of Death Attack ............................................................ 10-38
Smurf Attack.......................................................................... 10-39
Smurf Countermeasures ...................................................... 10-41
Recognizing Network Attacks ............................................ 10-42
Port Scanning Using the nmap Utility ................................ 10-43
Host Information From the nmap Utility ........................... 10-45
Exercise: Using Network Sniffing................................................ 10-47
Preparation............................................................................. 10-47
Tasks ....................................................................................... 10-47
Task Using the snoop Utility to Sniff Network Traffic ................ 10-47
Task Installing the dsniff Utility ................................... 10-48
Task Using the dsniff Utility ......................................... 10-48
Exercise Summary.......................................................................... 10-49
Exercise Solutions .......................................................................... 10-50
Using the snoop Utility to Sniff Network Traffic............. 10-50
Installing the dsniff Utility................................................ 10-50
Using the dsniff Utility...................................................... 10-50
Securing Network Data.................................................................. 11-1
Objectives ......................................................................................... 11-1
Relevance........................................................................................... 11-2
Additional Resources ...................................................................... 11-3
Implementing Secure Communication Using SSL..................... 11-4
The Open SSL Project ............................................................. 11-5
Defining the SSL............................................................................... 11-6
Properties of SSL..................................................................... 11-7
Simplifying SSL Using the stunnel Program.................... 11-8
How Secure Is the SSL?........................................................ 11-10
Understanding the IP Security Architecture (IPsec)................ 11-12
Configuring IPsec Security Associations........................... 11-13
Adding IPsec Keys................................................................ 11-14
Configuring IPsec Policies .................................................. 11-17
Using the ipsecconf utility to Configure IPsec .............. 11-18
Syntax for the IPsec Configuration File ............................. 11-20
Rules for Parsing the Configuration File ........................... 11-23
Example IPsec Configurations ............................................ 11-24
Security Considerations With IPsec ................................... 11-26
Using the SunScreen SKIP Utility........................................... 11-27
Configuring the SKIP Utility............................................... 11-28
Working With SKIP .............................................................. 11-30
Using Clear Text.................................................................... 11-31
Exercise: Configuring and Using IPsec....................................... 11-32
Preparation............................................................................. 11-32
Tasks ....................................................................................... 11-32
Task Configuring IPsec ..................................................... 11-33
Task Configuring IPsec Encryption ................................ 11-33
Task Configuring IPsec Authentication.......................... 11-35
Task Authenticating All Hosts With IPsec..................... 11-36
Task Using IPsec AH and ESP With All Hosts.............. 11-36
Task Removing IPsec......................................................... 11-37
Exercise Summary.......................................................................... 11-38
Exercise Solutions .......................................................................... 11-39
Configuring IPsec.................................................................. 11-39
Configuring IPsec Encryption............................................. 11-40
Configuring IPsec Authentication...................................... 11-40
Authenticating All Hosts With IPsec ................................. 11-40
Using IPsec AH and ESP With All Hosts .......................... 11-41
Removing IPsec ..................................................................... 11-41
Analyzing Network Services..........................................................12-1
Objectives ......................................................................................... 12-1
Relevance........................................................................................... 12-2
Additional Resources ...................................................................... 12-3
Tool Downloads ...................................................................... 12-3
Applying SAINT to Improve Network Security........................ 12-4
Assessing the Capabilities of SAINT.................................... 12-6
Comparing SAINT and SATAN........................................... 12-7
Installing and Using SAINT.......................................................... 12-8
Understanding How SAINT Works................................... 12-10
Using the SAINT Graphical User Interface....................... 12-12
Defining SAINT Data Management................................... 12-14
Setting SAINT Target Selection .......................................... 12-15
Defining the Level of Attack ............................................... 12-16
Allowing for Firewalls ......................................................... 12-17
Running a SAINT Scan......................................................... 12-18
Configuring SAINT ....................................................................... 12-21
Setting the Attack Level ....................................................... 12-22
Configuring Probes by Attack Level .................................. 12-23
Setting the Level of Password Guessing............................ 12-25
Setting Time-Outs ................................................................. 12-27
Determining Values for Proximity Variables.................... 12-28
Interpreting SAINT Reports ......................................................... 12-31
Reporting Vulnerabilities by Type ..................................... 12-31
Reporting Potential Problems ............................................. 12-32
Detecting Network Analyzer Attacks........................................ 12-33
Detecting Attacks Using Courtney..................................... 12-34
Obtaining and Installing Courtney .................................... 12-35
Using Courtney ..................................................................... 12-36
Exercise: Using SAINT and Courtney......................................... 12-37
Preparation............................................................................. 12-37
Task Installing SAINT....................................................... 12-37
Task Running a SAINT Attack......................................... 12-38
Task Running SAINT From the Command Line........... 12-38
Task Installing Courtney................................................... 12-38
Task Using Courtney to Detect Attacks.......................... 12-39
Exercise Summary.......................................................................... 12-40
Exercise Solutions .......................................................................... 12-41
Installing SAINT ................................................................... 12-41
Running a SAINT Attack..................................................... 12-41
Running SAINT From the Command Line....................... 12-42
Installing Courtney............................................................... 12-42
Using Courtney to Detect Attacks...................................... 12-42
Security Network Services............................................................ 13-1
Objectives ......................................................................................... 13-1
Relevance........................................................................................... 13-2
Additional Resources ...................................................................... 13-3
Restricting Network Services ........................................................ 13-4
FTP Users ................................................................................. 13-7
Defending Network Services ........................................................ 13-8
Non-Standard Port Numbers................................................ 13-9
Dummy Services ..................................................................... 13-9
Berkeley r Commands ................................................................. 13-10
Trusted Hosts ........................................................................ 13-12
Determining Trusted Access ............................................... 13-15
Trusted Hosts Good or Bad? ............................................ 13-17
Securing Services With The chroot Command....................... 13-19
When to Use the chroot Command.................................. 13-20
How to Use the chroot Command.................................... 13-20
Anonymous FTP .................................................................. 13-22
Pluggable Authentication Module (PAM) ................................ 13-25
PAM Runtime Modules ....................................................... 13-26
PAM Configuration File....................................................... 13-29
PAM Control Flags ............................................................... 13-31
Deploying PAM .................................................................... 13-35
Adding a PAM Module........................................................ 13-36
Disabling Remote Access Using PAM............................... 13-38
Initiating PAM Error Reporting.......................................... 13-40
Sun Enterprise Authentication Mechanism (SEAM) ................ 13-42
Enhancing Security Using Kerberos v5 ............................. 13-42
Logging in Using Kerberos v5 ............................................ 13-44
Kerberos Features ................................................................. 13-45
Understanding Kerberos Limitations ........................................ 13-47
Configuring SEAM Clients.................................................. 13-49
Exercise: Securing Network Services .......................................... 13-51
Preparation............................................................................. 13-51
Tasks ....................................................................................... 13-51
Task Disabling Network Services.................................... 13-51
Task Understanding Trusted Hosts ................................ 13-52
Task Configuring Trusted Hosts ..................................... 13-53
Task Disabling Trusted Hosts .......................................... 13-53
Task Configuring Anonymous FTP ................................ 13-53
Exercise Summary.......................................................................... 13-54
Exercise Solutions .......................................................................... 13-55
Disabling Network Services ................................................ 13-55
Understanding Trusted Hosts............................................. 13-55
Configuring Trusted Hosts.................................................. 13-56
Disabling Trusted Hosts ...................................................... 13-57
Configuring Anonymous FTP............................................. 13-57
Hardening the System....................................................................14-1
Objectives ......................................................................................... 14-1
Relevance........................................................................................... 14-2
Additional Resources ...................................................................... 14-3
System Hardening .......................................................................... 14-4
Commonly Available Hardening Tools............................... 14-5
COPS......................................................................................... 14-6
Tiger .......................................................................................... 14-8
Solaris Security Toolkit .......................................................... 14-9
Using Titan..................................................................................... 14-11
Titan Design Goals................................................................ 14-12
Using Titan Modules ............................................................ 14-13
Configuring Titan ................................................................. 14-18
Running Titan........................................................................ 14-19
Creating a Titan Configuration........................................... 14-20
Running a Single Module .................................................... 14-21
Writing Your Own Titan Modules ..................................... 14-22
Module Structure .................................................................. 14-23
Enhancing System Security Using ASET................................... 14-26
Using ASET Security Levels................................................ 14-27
Running ASET Manually..................................................... 14-29
Restoring the System............................................................ 14-32
Monitoring Task Status ........................................................ 14-32
Running ASET Periodically................................................. 14-33
Interpreting ASET Reports .................................................. 14-35
Confirming Security Improvements Using the aset Command ........... 14-36
Interpreting and Configuring the tune.* Files................ 14-36
Exercise: Hardening the System.................................................. 14-39
Preparation............................................................................. 14-39
Tasks ....................................................................................... 14-39
Task Installing and Configuring Titan............................ 14-39
Task Using Titan to Report on Security Problems ........ 14-40
Task Creating and Running a Titan Configuration ...... 14-41
Task Running ASET Interactively ................................... 14-41
Task Configuring ASET Periodically.............................. 14-42
Exercise Summary.......................................................................... 14-43
Exercise Solutions .......................................................................... 14-44
Installing and Configuring Titan........................................ 14-44
Using Titan to Report on Security Problems .................... 14-44
Creating and Running a Titan Configuration................... 14-44
Running ASET Interactively................................................ 14-46
Configuring ASET Periodically .......................................... 14-48
Authenticating Network Services................................................. 15-1
Objectives ......................................................................................... 15-1
Relevance........................................................................................... 15-2
Additional Resources ...................................................................... 15-3
Understanding Network Authentication.................................... 15-4
Using TCP Wrappers...................................................................... 15-6
Obtaining and Installing TCP Wrappers............................ 15-8
Configuring TCP Wrappers ........................................................... 15-9
Installing Hidden TCP Wrappers....................................... 15-10
Installing Visible TCP Wrappers ........................................ 15-11
Checking TCP Wrappers Configuration .......................... 15-12
Configuring Client Access Logging ........................................... 15-14
Configuring Host Access Control............................................... 15-16
Access File Format ................................................................ 15-17
Using Banners With TCP Wrappers........................................... 15-19
Building Banner Files ........................................................... 15-21
Customizing a Banner Message.......................................... 15-22
Using Banners Without TCP Wrappers..................................... 15-24
Using TCP Wrappers to Spawn Commands ............................ 15-25
Checking Host Access Configuration........................................ 15-27
Exercise: Authenticating Network Services............................... 15-29
Preparation............................................................................. 15-29
Tasks ....................................................................................... 15-29
Task Installing TCP Wrappers ......................................... 15-29
Task Enabling Logging for telnet Connections .......... 15-30
Task Denying Access to Specific Hosts........................... 15-30
Task Configuring TCP Wrappers to Warn of Denied telnet Access ...... 15-30
Task Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified ...... 15-30
Task Removing Host Access Control.............................. 15-31
Exercise Summary.......................................................................... 15-32
Exercise Solutions .......................................................................... 15-33
Installing TCP Wrappers ..................................................... 15-33
Enabling Logging for telnet Connections....................... 15-33
Denying Access to Specific Hosts....................................... 15-34
Configuring TCP Wrappers to Warn of Denied telnet Access ............ 15-35
Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified ............ 15-36
Removing Host Access Control .......................................... 15-36
Securing Remote Access ..............................................................16-1
Objectives ......................................................................................... 16-1
Relevance........................................................................................... 16-2
Additional Resources ...................................................................... 16-3
Identifying the Benefits of the Secure Shell................................. 16-4
OpenSSH Tools........................................................................ 16-6
Using Encryption and Compression.................................... 16-8
Security Benefits of Server Authentication ......................... 16-9
Client Authentication........................................................... 16-11
Forwarding TCP/IP Ports Using OpenSSH...................... 16-12
Copying Files and Executing Commands ......................... 16-14
Benefits of the Password Agent .......................................... 16-15
Configuring the OpenSSH Server............................................... 16-16
Creating the Host Key.......................................................... 16-19
Starting the Secure Shell Daemon....................................... 16-21
Installing the Secure FTP Server ......................................... 16-22
Using OpenSSH Clients ............................................................... 16-23
Determining Known Hosts.................................................. 16-25
Generating Client Keys ........................................................ 16-27
Granting Access to Other Users.......................................... 16-29
Using OpenSSH With RSA Authentication ...................... 16-30
Using the ssh-agent Program........................................... 16-31
Using the Secure FTP Client ................................................ 16-33
Configuring the Client ......................................................... 16-35
Exercise: Using Secure Shell ......................................................... 16-38
Preparation............................................................................. 16-38
Task Using Secure Shell .................................................... 16-38
Task Installing OpenSSH.................................................. 16-38
Task Using OpenSSH........................................................ 16-38
Task Checking Secure Shell Encryption ......................... 16-39
Task Configuring Client Keys.......................................... 16-40
Task Using the ssh-agent Program............................... 16-40
Exercise Summary.......................................................................... 16-41
Exercise Solutions .......................................................................... 16-42
Installing OpenSSH .............................................................. 16-42
Using OpenSSH..................................................................... 16-42
Checking Secure Shell Encryption...................................... 16-44
Configuring Client Keys ...................................................... 16-46
Using the ssh-agent Program........................................... 16-47
Securing Physical Access ............................................................ 17-1
Objectives ......................................................................................... 17-1
Relevance........................................................................................... 17-2
Additional Resources ...................................................................... 17-3
Assessing the Risk From Physical Intrusion............................... 17-4
Physical Intrusion Solutions.................................................. 17-5
Types of Physical Intrusion................................................... 17-6
Securing IT Equipment .......................................................... 17-8
Implementing Physical Network Security ........................ 17-10
Securing Network Infrastructure........................................ 17-11
Appraising the Risk of Eavesdropping.............................. 17-13
Using Encryption .................................................................. 17-15
Strengthening Help Desk Processes................................... 17-17
User Authentication Techniques ........................................ 17-18
Applying Physical Security Measures ........................................ 17-20
The Stop-A Key ..................................................................... 17-21
Disabling the Stop-A Key .................................................... 17-22
Enabling EEPROM Security ................................................ 17-23
EEPROM Passwords............................................................. 17-26
Exercise: Working With Physical Security ................................. 17-28
Preparation............................................................................. 17-28
Task Disabling the Stop-A Key........................................ 17-28
Task Considering the Physical Security of Your Systems ............ 17-28
Exercise Summary.......................................................................... 17-29
Exercise Solutions .......................................................................... 17-30
Disabling the Stop-A Key .................................................... 17-30
Considering the Physical Security of Your Systems ........ 17-30
Connecting the Enterprise Network to the Outside World ........ 18-1
Objectives ......................................................................................... 18-1
Relevance........................................................................................... 18-2
Additional Resources ...................................................................... 18-3
Designing the Network to Improve Security............................... 18-4
Improving Security With a Firewall..................................... 18-5
Using Solaris SunScreen Firewall ......................................... 18-7
Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C
Evaluating IPsec as a Firewall Replacement....................... 18-8
Using Routing Security Features ........................................ 18-10
Masking Hosts Using a Proxy Server................................. 18-12
Securing Routers, Proxy Servers, and Firewalls............... 18-14
Creating Demilitarized Zones (DMZ)................................ 18-16
Providing Secure Access Using a Virtual Private Network ............. 18-17
Sample Architectures............................................................ 18-19
Running Enterprise Security Audits ........................................... 18-21
Running Trial Attacks .......................................................... 18-22
Using Third Parties to Run Trial Attacks .......................... 18-22
Applying Ongoing Network Security Measures...................... 18-24
Identifying Ongoing Tasks .................................................. 18-25
Keeping Current With Security Issues........................................ 18-28
Identifying Information Sources......................................... 18-29
On-Line Security Resources .......................................................... A-1
Advisory and Certification Bodies ................................................ A-1
CERT.......................................................................................... A-1
INFOSEC - Information Systems Security Organization .................... A-1
Computer Security Technology Center ................................ A-2
Security Standards ............................................................................ A-3
Common Criteria ..................................................................... A-3
National Security Agency (NSA)........................................... A-3
CSRC - Computer Security Division ...................................... A-3
ITSEC (Europe)......................................................................... A-4
IEEE Computer Society........................................................... A-4
IETF............................................................................................ A-4
The Open Group ...................................................................... A-5
Useful Web Sites................................................................................ A-6
Sun Security Coordination Team........................................... A-6
The Computer Incident Advisory Center ............................ A-6
Computer and Internet Security Resources ......................... A-6
Computer Security Institute ................................................... A-7
InfoWar.com............................................................................. A-7
InfoWorld.com ......................................................................... A-7
Risks Digest............................................................................... A-7
SecurityFocus.com................................................................... A-8
Security Portal .......................................................................... A-8
SecuritySearch.net.................................................................... A-8
SecurityStats.com..................................................................... A-8
USENIX...................................................................................... A-8
xxii Administering Security on the Solaris8 Operating Environment
Solaris OE Security Tools Summary..............................................B-1
The Trusted Solaris 8 OE.............................................................. B-1
Security Extensions...................................................................B-1
The SunScreen Firewall Product.........................................B-2
SKIP.............................................................................................B-3
IPsec ............................................................................................B-3
Sun Enterprise Authentication Mechanism (SEAM) ...........B-4
Pluggable Authentication Modules (PAM)...........................B-4
Sun Enterprise Network Security Service (SENSS)..............B-5
Solaris OE Fingerprint Database.............................................B-5
PATCHDIAG.............................................................................B-5
ASET ...........................................................................................B-6
Third-Party Security Tools..............................................................C-1
SAINT (SATAN/SARA) ......................................................... C-1
Courtney.................................................................................... C-2
Gabriel ....................................................................................... C-3
TripWire .................................................................................... C-3
Top ............................................................................................. C-3
TCP Wrappers .......................................................................... C-3
Crack.......................................................................................... C-4
John the Ripper......................................................................... C-4
AntiCrack .................................................................................. C-4
The npasswd Command.......................................................... C-5
Secure Shell (SSH) .................................................................... C-5
The nmap Utility........................................................................ C-6
Titan ........................................................................................... C-7
COPS.......................................................................................... C-7
Tiger ........................................................................................... C-7
The dsniff Sniffer................................................................... C-8
The sudo Utility........................................................................ C-8
Cerberus Internet Scanner (CIS) ............................................ C-8
Nessus........................................................................................ C-8
Whisker...................................................................................... C-9
The tcpdump Tool .................................................................. C-10
SWATCH......................................................................................... C-10
Pretty Good Privacy (PGP) ........................................................... C-10
Kerberos........................................................................................... C-10
Virtual Private Networks.............................................................. C-11
Anti-Sniffing Tools......................................................................... C-11
Security Recommendations............................................................D-1
Index...........................................................................................Index-1
Preface
About This Course
Course Goals
In this course, system security is covered at two main levels: the physical
security of the systems, covering access to systems and networks, and the
protection of the system data.
This course provides you with the practical skills required to implement,
administer, and maintain a secure Solaris Operating Environment
(Solaris OE). This course should enable you to do the following:
- Control authorized and unauthorized access to a computer or
network
- Manage computer users and accounts
- Apply data copy protection, including database information
- Defend against viruses, worms, and other hacks
Course Map
The following course map shows the structure of the course. This enables
you to track your progress with reference to the course goals.
Module-by-Module Overview
This course contains the following modules:
- Module 1, Security Overview
This module explores what security means in computing terms, and
defines the required security terminology. Different types of security
violation are identified, and the most likely sources of those security
violations explained.
- Module 2, Using Solaris OE Log Files
This module explores the logging and tracing capabilities that can
help to monitor and detect security breaches. The key security log
files found on Solaris OE are described, and their locations given.
- Module 3, The Solaris OE Basic Security Module
This module explains the role of the Basic Security Module (BSM) in
auditing and controlling system usage. In this module, you configure
and use UNIX
Message Digesting Algorithm
2 Snefru, the Xerox Secure Hash Function
3 CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check
4 CRC-16, the standard (non-CCITT) 16-bit Cyclic Redundancy Check
5 MD4, the RSA Data Security, Inc. Message Digesting Algorithm
6 MD2, the RSA Data Security, Inc. Message Digesting Algorithm
7 SHA, the NIST Secure Hash Algorithm (NIST FIPS 180)
8 Haval, a strong 128-bit signature algorithm
9 Null signature (reserved for future expansion)
Using TripWire to Audit File Systems
Auditing File Systems 9-19
If a character is prefixed with a + (for example, +pugs1m for /fred),
the corresponding attribute is checked for that file. Attributes
prefixed with a - are not checked.
Configuration Templates
Using the character codes to specify the audit attributes for files and
directories can be tedious and prone to error. The TripWire tool provides
templates that expand to a predefined set of attributes. Table 9-2 shows
the templates that are defined.
By default, TripWire uses the R template, which checks the permission
(p), inode (i), link count (n), owner (u), group (g), size (s) and
modification time (m) attributes together with signatures 0 to 2, and
ignores the access time stamp (a) and signatures 3 to 9.
Table 9-2 TripWire Configuration Templates
Template   Description        Attributes
R          Read-only          +pinugsm012-a3456789
L          Log file           +pinug-samc0123456789
>          Growing log file   +pinug-samc0123456789
N          Nothing            -pinugsamc0123456789
E          Everything         +pinugsamc0123456789
Before relying on the N or E template, confirm its expansion in the
tw.config(5) manual page of the release you install; the two letters are
easily confused, and it is the attribute string that TripWire applies.
You can modify a template by appending additional attribute characters.
For example, the sequence L+c-p specifies a log file for which the inode
change time (c) is also monitored, but the permissions (p) are ignored.
The only difference between the log file template (L) and the growing
log file template (>) is that > does not report a file that has grown
since the database was built; it is the only template that ignores an
increase in size. A file that has shrunk below its recorded size is
still reported.
A tw.config le is shown in Code 9-3.
Code 9-3 Simple TripWire Conguration
# more tw.config
/etc/passwd +pugs1m-a
/etc/shadow +pugs1m-a
/usr/sbin +pugs1m-a
/usr/bin +pugs1m-a
/var/log/messages >
See the tw.config(5) manual page for the full list of attribute flags
and templates, and for the syntax that lets you combine flags and group
entries.
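The attribute-string syntax above (an optional template letter followed by + and - groups of attribute letters and signature digits) is small enough to parse completely. The following Python script is an added example, not code from this course or from the Tripwire distribution: it expands the templates of Table 9-2 and the modifier syntax of L+c-p, reads a tw.config-style file, and flags entries that never check a signature. The function names, the sample configuration text (modelled on Code 9-3, with a hypothetical /var/adm/wtmp entry) and the omission of the ! and = entry prefixes of tw.config(5) are this example's own assumptions.

```python
"""Expand tw.config attribute strings and templates (Tripwire 1.3 style).

Added example; not code from this course or from the Tripwire sources.
Templates come from Table 9-2, attribute letters from the module text.
parse_flags, parse_config, verifies_content and CONFIG are assumptions
of this example; the ! and = entry prefixes of tw.config(5) are not handled.
"""

ATTR_LETTERS = "pinugsamc"  # permission, inode, links, uid, gid, size, atime, mtime, ctime
SIGNATURES = "0123456789"   # signature algorithm numbers (1 = MD5, 7 = SHA)

# Templates exactly as listed in Table 9-2.
TEMPLATES = {
    "R": "+pinugsm012-a3456789",
    "L": "+pinug-samc0123456789",
    ">": "+pinug-samc0123456789",
    "N": "-pinugsamc0123456789",
    "E": "+pinugsamc0123456789",
}


def parse_flags(spec="R"):
    """Expand one attribute string into (checked, ignored, ignore_growth).

    The string may start with a template letter and continue with +/-
    groups; a later group overrides an earlier one, so "L+c-p" is the
    log-file template with ctime added and permissions dropped.  An empty
    string means the default template, R.
    """
    spec = spec.strip() or "R"
    ignore_growth = spec[0] == ">"
    expanded = TEMPLATES[spec[0]] + spec[1:] if spec[0] in TEMPLATES else spec
    checked, ignored, sign = set(), set(), None
    for ch in expanded:
        if ch in "+-":
            sign = ch
        elif ch in ATTR_LETTERS or ch in SIGNATURES:
            if sign is None:
                raise ValueError("%r has no +/- prefix in %r" % (ch, spec))
            (checked if sign == "+" else ignored).add(ch)
            (ignored if sign == "+" else checked).discard(ch)
        else:
            raise ValueError("unknown attribute %r in %r" % (ch, spec))
    return checked, ignored, ignore_growth


def verifies_content(checked):
    """True only if at least one signature is checked; size alone says nothing about content."""
    return any(d in checked for d in SIGNATURES)


def parse_config(text):
    """Parse tw.config lines into [(path, checked, ignored, ignore_growth)].

    Blank lines and # comments are skipped; a bare path gets template R.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        spec = parts[1] if len(parts) > 1 else "R"
        entries.append((parts[0],) + parse_flags(spec))
    return entries


# Constructed sample modelled on Code 9-3; /var/adm/wtmp is a hypothetical entry.
CONFIG = """\
# path            attribute string or template
/etc/passwd       +pugs1m-a
/etc/shadow       +pugs1m-a
/usr/sbin         +pugs1m-a
/usr/bin          +pugs1m-a
/var/log/messages >
/var/adm/wtmp     L+c-p
"""

if __name__ == "__main__":
    for path, checked, ignored, ignore_growth in parse_config(CONFIG):
        note = " (growth ignored)" if ignore_growth else ""
        if not verifies_content(checked):
            note += " (no signature: same-size edits are not detected)"
        print("%-18s checks %-12s ignores %s%s"
              % (path, "".join(sorted(checked)), "".join(sorted(ignored)), note))
```

Run it to print, for each entry, what is checked and what is ignored. Entries whose checked set contains no digit, such as the > entry for /var/log/messages, compare only ownership, permissions and size, so a same-size edit of that file is never reported; that is exactly what the final steps of the exercise later in this module demonstrate.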
Generating a TripWire Database
You can create a new TripWire database by running TripWire with the
-initialize argument, as shown in Code 9-4. If you also provide the
verbose flag (the -v argument), each file and directory name is printed
as it is scanned.
Code 9-4 Creating a New TripWire Database
# tripwire -initialize
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
###
### Warning: Database file placed in ./databases/tw.db_grommit.
###
### Make sure to move this file and the configuration
### to secure media!
###
### (Tripwire expects to find it in '/var/tripwire'.)
Checking a TripWire Database
When you generate or initialize the database, you should archive it
securely. The TripWire tool checks the integrity of the system by
comparing the archived database with the current state of the file
system.
Copy the TripWire database created in Code 9-4 on page 9-21 to the
default TripWire database directory (/var/tripwire in this example), and
run the TripWire tool to determine whether any files on the system have
changed, as shown in Code 9-5.
Note - The name of the database file depends upon the hostname of the
system. These examples use the hostname grommit, so the database file
is tw.db_grommit. Modify the examples to suit your server; check the
contents of the databases directory to determine what file name to use.
Code 9-5 Running TripWire to Identify Changed Files
# cp databases/tw.db_grommit /var/tripwire
# tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### All files match Tripwire database. Looks okay!
###
This example indicates that no files were modified.
Identifying Inconsistencies
To show TripWire recognizing an inconsistency, modify one of the files
that is being checked, and run TripWire again, as shown in Code 9-6.
Code 9-6 Running TripWire to Identify Inconsistencies
# touch /usr/bin/clear
# tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 617
### Files added: 0
### Files deleted: 0
### Files changed: 1
###
### Total file violations: 1
###
changed: -r-xr-xr-x root 795 Jul 6 12:28:28 2001 /usr/bin/clear
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr Observed (what it is) Expected (what it should be)
### =========== ======================================================
/usr/bin/clear
st_mtime: Fri Jul 6 12:28:28 2001 Thu Apr 26 17:56:50 2001
st_ctime: Fri Jul 6 12:28:28 2001 Thu Apr 26 17:56:50 2001
Updating the Database
You can update the database to accommodate sanctioned changes by
running the TripWire tool in the update mode, as shown in Code 9-7,
where directories or files can be specified.
Code 9-7 Running TripWire in the Update Mode
# tripwire -update /usr/bin/clear
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.
### Phase 1: Reading configuration file
### Phase 2: Generating file list
Updating: update file: /usr/bin/clear
### Phase 3: Updating file information database
###
### Old database file will be moved to `tw.db_grommit.old'
### in ./databases.
###
### Updated database will be stored in './databases/tw.db_grommit'
### (Tripwire expects it to be moved to '/var/tripwire'.)
###
### Database cleanup started
### Database cleanup finished
# cp ./databases/tw.db_grommit /var/tripwire
Double-Checking Integrity
With the updated database copied into the default TripWire database
directory (/var/tripwire in this example), perform another integrity
check to confirm that the sanctioned change to /usr/bin/clear is no
longer reported after the database update.
# tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### All files match Tripwire database. Looks okay!
###
For additional information about the TripWire tool, read the README file
in the TripWire directory or the tripwire(8) and tw.config(5) manual
pages.
Securing the TripWire Database
You should store TripWire databases in a secure manner. For example,
use:
- Read-only media
- Removable media
- A trusted secure server
- A copy on a machine that is not connected to a network
The database must be secured in this way so that TripWire reports every
change made since the database was built. An intruder who can write to
the database can simply re-initialize it after installing modified
programs, and the modifications are then never reported.
A typical approach is to keep the authoritative copy of the TripWire
database offline (for example, on removable media) and to overwrite the
copy on the file system from it before each check. Alternatively, you
can compare the secure offline database with the file system copy using
MD5 signatures before each check, and treat a mismatch as an incident.
The same protection is required for the TripWire executables and the
tw.config configuration file, because an intruder who can modify the
executables or the configuration file can arrange for the file system
audit not to report certain changes. Rebuilding the executables and the
configuration file from trusted sources and comparing them with the
installed copies from time to time is an easy way to check.
Exercise: Using the TripWire Tool
In this exercise, you complete the following tasks:
- Configure, compile, and install the TripWire tool
- Create and update a TripWire database for a set of files
- Generate some TripWire reports
- Modify one or more of the files that TripWire monitors to ensure that
the changes are reported
Preparation
Ensure that you have installed the GNU C++ compiler and the make
utility.
Task - Installing TripWire
The TripWire download site is listed in Additional Resources on
page 9-3. A copy of the download file (Tripwire-1.3.1-1.tar) is also in
the /usr/local/pkg directory.
To install TripWire:
1. Extract the TripWire archive into a subdirectory under /usr/local
and read the installation instructions.
2. Edit the makefile to use /usr/ucb/install as the install utility.
Search for the pattern ucb in the file, uncomment that line, and
comment out the previous line. The lines should now read:
#INSTALL= /usr/bin/install # common
INSTALL= /usr/ucb/install # Pyramid DC/OSx (SVR4)
3. Also edit the makefile to set the following parameters (defined at
the top of the file):
DESTDIR=/usr/local/bin
DATADIR=/var/tripwire
MANDIR=/usr/local/man
4. Before installing TripWire you need two directories for the manual
pages. If these directories do not exist, enter these commands.
# mkdir /usr/local/man/man5
# mkdir /usr/local/man/man8
Note - If you install TripWire without first creating these directories,
the installation process incorrectly creates plain files with these
names and fails to install the manual pages. Remove the plain files with
the rm command, create the directories as above, and install TripWire
again.
5. Follow the instructions in the README file in the TripWire directory
to install TripWire. You must update the include/config.h file to
make sure that the installation and data directories match the values
of the variables in the makefile. Set the appropriate lines in this file
to:
#define CONFIG_PATH "/usr/local/tripwire"
#define DATABASE_PATH "/var/tripwire"
Task - Creating a TripWire Configuration
1. Configure the TripWire tool to generate a database for these files
and directories:
- /etc/passwd
- /etc/shadow
- /usr/bin
2. Select the following options for all checked files:
a. Check the user, group, permissions, and file size attributes.
b. Use SHA file digest signatures in addition to MD5.
c. Do not check the access time attribute.
3. You must rename the existing tw.config configuration file that was
installed with TripWire, otherwise the TripWire file checking process
takes too long (about 45 minutes for the standard configuration).
4. Generate a database and use the verbose flag to make sure that the
correct files and directories are being checked.
Task - Running System Integrity Checks
For this part of the exercise, you make changes to the system and run
TripWire to detect those changes. Ask your instructor if you have any
questions about the purpose of any of the tests or the outcome of the
integrity checks.
To run system integrity checks:
1. Perform an integrity check on the system. What changes were
found?
2. Change the comment field for the daemon entry in the /etc/passwd
file.
3. Perform an integrity check on the system. Did the TripWire tool
report the change?
4. Refer to the TripWire manual page and run the TripWire tool in quiet
mode. Record your results here.
Command: _______________________________
Results: _________________________________
5. Update the database to include the change to the /etc/passwd le.
6. Perform an integrity check on the database. Explain the results.
7. Refer to the tw.config manual page and determine which template
to use with the log les that are expected to grow.
8. Create a le called my-log.
9. Add an entry to your tw.config file to monitor your my-log log file.
10. Add text to your log le.
11. Initialize your database.
12. Perform a quiet mode integrity check of the system. Record your
results here and explain the results:
____________________________________________________
13. Add text to your log le.
14. Perform a quiet mode integrity check of the system. Record your
results here and explain the results:
____________________________________________________
15. Remove some text from your log le.
16. Perform a quiet mode integrity check of the system. Record your
results here and explain the results:
____________________________________________________
17. Update the TripWire database.
18. Perform a quiet mode integrity check of the system. Record your
results here and explain the results:
____________________________________________________
19. Change text in your log le, taking care not to change the le size.
20. Perform a quiet mode integrity check of the system. Record your
results here and explain the results:
____________________________________________________
21. What conclusions can you draw from this result?
Exercise Summary
Discussion - Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
- Experiences
- Interpretations
- Conclusions
- Applications
Exercise Solutions
The following are the solutions to the tasks.
Installing TripWire
The TripWire download site is listed in Additional Resources on
page 9-3. A copy of the download file (Tripwire-1.3.1-1.tar) is also in
the /usr/local/pkg directory.
To install TripWire:
1. Extract the TripWire archive into a subdirectory under /usr/local
and read the installation instructions.
# cd /usr/local
# tar xvf pkg/Tripwire-1.3.1-1.tar
# cd tw_ASR_1.3.1_src
# more README
2. Edit the ./include/config.h file as follows:
a. Change the location of the configuration and database files
from:
#define CONFIG_PATH "/usr/local/bin/tw"
#define DATABASE_PATH "/var/tripwire"
to
#define CONFIG_PATH "/usr/local/tripwire"
#define DATABASE_PATH "/var/tripwire"
b. Create a directory for the configuration file and copy the default
configuration file to the new directory. (You will overwrite this
configuration later in this exercise.)
# mkdir -p /usr/local/tripwire /var/tripwire
# cp configs/tw.conf.sunos5 /usr/local/tripwire/tw.config
The tw.config file contains a list of all files and directories that are
checked and verified by TripWire.
c. Edit the makefile to use /usr/ucb/install as the install
utility. Search for the pattern ucb in the file, uncomment that
line, and comment out the previous line. The lines should now read:
#INSTALL= /usr/bin/install # common
INSTALL= /usr/ucb/install # Pyramid DC/OSx (SVR4)
3. Also edit the makefile to set the following parameters (defined at
the top of the file):
DESTDIR=/usr/local/bin
DATADIR=/var/tripwire
MANDIR=/usr/local/man
4. Before installing TripWire you need two directories for the manual
pages. If these directories do not exist, enter these commands:
# mkdir /usr/local/man/man5
# mkdir /usr/local/man/man8
Note - If you install TripWire without first creating these directories,
the installation process incorrectly creates plain files with these
names and fails to install the manual pages. Remove the plain files with
the rm command, create the directories as above, and install TripWire
again.
5. Build and install TripWire with:
# make install
If this fails, correct the config.h file and/or the makefile, clean the
build tree, and verify that the compilation succeeds before re-running
the make install command:
# make clean
# make test
6. Verify that the tripwire executable is in your path.
# tripwire -version
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved, Use Restricted to
Authorized Licensees.
Creating a TripWire Configuration
1. Configure the TripWire tool to generate a database for these files
and directories:
- /etc/passwd
- /etc/shadow
- /usr/bin
2. Select the following options for all checked files:
a. Check the user, group, permissions, and file size attributes.
b. Use SHA file digest signatures in addition to MD5.
c. Do not check the access time attribute.
3. Rename the existing tw.config configuration file that was installed
with TripWire.
# cd /usr/local/tripwire
# mv tw.config sunos5.conf
4. Create a new configuration file:
# vi tw.config
5. Add the following to the file. The letters u, g, p and s select the
attributes from step 2a, the digits 1 and 7 select the MD5 and SHA
signatures, and -a with the remaining digits switches off the access
time check and the other signature algorithms:
/etc/passwd +ugps17-a2345689
/etc/shadow +ugps17-a2345689
/usr/bin +ugps17-a2345689
6. Generate a database and use the verbose flag to make sure that the
correct files and directories are being checked.
# tripwire -v -initialize
7. Copy the database to the default TripWire database directory
location (/var/tripwire in this example).
# cp databases/tw.db_grommit /var/tripwire
Running System Integrity Checks
For this part of the exercise you make changes to the system and run
TripWire to detect those changes. Ask your instructor if you have any
questions about the purpose of any of the tests or the outcome of the
integrity checks.
1. Perform an integrity check on the system.
# tripwire -v
What changes were found?
No changes should have been found or reported.
2. Change the comment field for the daemon entry in the /etc/passwd
file.
Change the entry to something like this:
daemon:x:1:1:TripWire was here:/:
3. Perform an integrity check on the system.
# tripwire -v
Did TripWire report the change?
Yes, TripWire reported that /etc/passwd had been modified.
###
changed: -rw-r--r-- root 431 May 7 18:23:14 2001 /etc/passwd
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr Observed (what it is) Expected (what it should be)
### ========= ============================= =============================
/etc/passwd
st_size: 431 414
...
4. Refer to the TripWire manual page and run the TripWire tool in quiet
mode. Record your results here.
# tripwire -q
changed: -rw-r--r-- root 414 May 7 18:28:41 2001 /etc/passwd
5. Update the database to include the change to the /etc/passwd file.
# tripwire -v -update /etc/passwd
# cp databases/tw.db_grommit /var/tripwire
6. Perform an integrity check on the database.
# tripwire -v
What did TripWire report?
No changes should have been found or reported.
7. Refer to the tw.config manual page and determine which template
to use with log files that are expected to grow.
The > template reports only when the checked file is smaller than the
last recorded size. That still catches the case where someone removes
entries from a log file, provided the file ends up shorter than it was.
8. Create a le called my-log.
# touch /export/home/my-log
9. Add an entry to your tw.config file to monitor your my-log log file.
# vi /usr/local/tripwire/tw.config
10. Add the following to the file:
/export/home/my-log >
The > flag is the growing log file template described earlier.
11. Add text to your log file.
# echo Hey there >> /export/home/my-log
# cat /export/home/my-log
Hey there
#
12. Initialize your database.
# tripwire -v -initialize
# cp databases/tw.db_grommit /var/tripwire
13. Perform a quiet mode integrity check of the system.
# tripwire -q
Record your results here.
Nothing should be reported.
Explain the results.
No changes have been made to the database.
14. Add text to your log file.
# echo Hey there >> /export/home/my-log
# cat /export/home/my-log
Hey there
Hey there
#
15. Perform a quiet mode integrity check of the system.
# tripwire -q
Record your results here.
Nothing should be reported.
Explain the results.
The > template only reports if the file is smaller than the size
recorded in the database.
16. Remove some text from your log file.
# vi /export/home/my-log
# cat /export/home/my-log
Hey there
Hey
#
17. Perform a quiet mode integrity check of the system.
# tripwire -q
Record your results here.
Nothing should be reported.
Explain the results.
The file is still larger than the image in the database. The > template
only reports if the file is smaller.
18. Update the TripWire database.
# tripwire -update /export/home/my-log
19. Copy the database to the expected directory.
# cp databases/tw.db_grommit /var/tripwire
20. Perform a quiet mode integrity check of the system.
# tripwire -q
Record your results here.
Nothing should be reported.
Explain the results.
The > template reports only if the file size is smaller than when it was
last checked.
21. Change text in your log file, taking care not to change the file size.
# vi /export/home/my-log
# cat /export/home/my-log
Way hello
Day
#
22. Perform a quiet mode integrity check of the system.
# tripwire -q
Record your results here.
Nothing should be reported.
Explain the results.
The file size remained the same, even though the data was completely
changed.
23. What conclusions can you draw from this result?
The > template is open to abuse: an intruder who knows that a log file is
monitored with it can cover their tracks by overwriting entries, or by
appending to the file, instead of deleting entries, because only a
decrease in size is reported. Use the > template only for files that are
genuinely append-only, and send log data to a separate loghost as well,
so that a local edit does not alter the only copy.
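The following is an added example, not part of the Sun course and not TripWire code. It models the size-only comparison that the > template performs next to an append-only check that also hashes the bytes present at the last database update, and runs both over the three things that happened to my-log in the exercise. The file contents are constructed to follow the exercise steps.

```python
"""What the TripWire '>' template can and cannot see on a growing log file.

Added example; not code from the Sun course or from TripWire. Two checks
for a file that is only supposed to grow: the size-only comparison that
the '>' template performs, and an append-only check that also hashes the
bytes recorded at the last database update. Contents are constructed.
"""
import hashlib


def size_only_check(recorded_size, current):
    """The '>' template: report only if the file got smaller."""
    return "shrank" if len(current) < recorded_size else "ok"


def record_baseline(data):
    """Database entry for an append-only file: its length and a hash of
    everything present at update time."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def append_only_check(baseline, current):
    """Stronger check: the recorded bytes must still be there, unchanged,
    as a prefix of the current contents; anything after them is new log
    data and is allowed."""
    n = baseline["size"]
    if len(current) < n:
        return "shrank"
    if hashlib.sha256(current[:n]).hexdigest() != baseline["sha256"]:
        return "rewritten"
    return "ok"


# Constructed contents: the file as recorded in step 18 of the exercise,
# then three things that can happen to it afterwards.
RECORDED = b"Hey there\nHey\n"
APPENDED = RECORDED + b"login from 192.168.1.1\n"   # normal growth
SAME_SIZE_EDIT = b"Way hello\nDay\n"                 # step 21: edited, same size
TRUNCATED = b"Hey there\n"                            # entries removed


def run_scenarios():
    """Return {scenario: (what '>' reports, what the append-only check reports)}."""
    baseline = record_baseline(RECORDED)
    scenarios = (("append", APPENDED),
                 ("same_size_edit", SAME_SIZE_EDIT),
                 ("truncate", TRUNCATED))
    return {name: (size_only_check(baseline["size"], data),
                   append_only_check(baseline, data))
            for name, data in scenarios}


if __name__ == "__main__":
    for name, (template, prefix) in run_scenarios().items():
        print(f"{name:15s} '>' template: {template:8s} append-only check: {prefix}")
```

The same-size edit of step 21 is the case that separates the two: the > template reports nothing, while the prefix hash reports the file as rewritten. The prefix hash still accepts genuine appends, which a full-file signature would not.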
Module 10
Attacking Network Data

Objectives
Upon completion of this module, you should be able to:
• Describe the term network sniffing
• Describe the use of common sniffer tools
• Describe common network service attacks
• Describe network DoS attacks
Relevance

Discussion: The following questions are relevant to understanding
attacks on network data:
• Can you restrict access to your network:
  • So that unauthorized systems cannot connect to the network?
  • So that there is no unauthorized software on authorized systems?
• Does your network extend to a public telecommunications backbone
  (for example, Internet access)?
• Do any of your users send unencrypted user names and passwords
  across the network?
Hint: If your users use telnet, ftp, Simple Network Management
Protocol (SNMP), Post Office Protocol 3 (POP3), HTTP, and other
TCP/IP services without an encrypting layer such as SSL beneath them,
then they are sending plain text passwords regularly.
Additional Resources

The following references provide additional information on the topics
described in this module:
• Schneier, Bruce. Secrets & Lies. John Wiley & Sons, 2000.
• Scambray, McClure, Kurtz. Hacking Exposed. Osborne McGraw-Hill, 2001.
• Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet
  Security. O'Reilly & Associates, Inc., 1996.
• Online manual pages for snoop(1M).
• Solaris OE Answerbook 2.
• The dsniff utility ported to Solaris OE 2.x,
  [http://www.sunfreeware.com]
Network Sniffing

A network sniffer is a program or special device that monitors your
network and collects some or all of the data it finds. The term sniffer
comes from the Sniffer, an early commercial network analyzer (the
Sniffer name is owned and marketed by Network Associates, Inc.).

Sniffers were developed to help engineers debug networking problems.
They provide packet analysis capabilities that let the engineer view the
data in its raw form (streams of octets). Modern sniffers also decode
standard protocols and provide a human-readable summary of the data
gathered from the network.
Code 10-1 shows what output from a sniffer can look like.
Code 10-1 Sniffer Output
192.168.1.1 -> 192.168.1.2 length: 124 TELNET R port=1239
0: 0001 02de 3436 0800 20c1 0efe 0800 4500 ....46.. .. ..E.
16: 006e 9a34 4000 3c06 2102 c0a8 0101 c0a8 .n.4@.<.!.......
32: 0102 0017 04d7 743b f92a 01c5 f61f 5018 ......t;.*....P.
48: 60f4 9c6c 0000 6c6f 6361 6c2e 6373 6872 `..l..local.cshr
64: 6320 2020 206c 6f63 616c 2e6c 6f67 696e c local.login
80: 2020 2020 6c6f 6361 6c2e 7072 6f66 696c local.profil
96: 6520 206d 6b66 7470 2020 2020 2020 2020 e mkftp
112: 2020 6e73 6d61 696c 0d0a 2320 nsmail..#
Code 10-1 is output from the standard Solaris OE snoop utility; with the
-x 0 option it prints a complete hexadecimal dump of the packet after
the summary line. The summary tells you that this is a telnet packet
from host 192.168.1.1 (port 23, the server side, hence the R for reply)
to 192.168.1.2, 124 octets long.

The payload is part of a directory listing produced by the ls command in
that telnet session. The 14-byte Ethernet header, 20-byte IP header and
20-byte TCP header come first, so the application data starts at offset
54; at offset 120 there is a carriage return and line feed pair (CR and
LF, hex codes 0D 0A) followed by a shell prompt (#). Nothing in the
packet is encrypted: anyone who can capture it can read the session as
easily as the user at the terminal.
Implications of Sniffing

Network sniffing allows potential access to all the data transmitted on
the network. With modern client-server architectures, especially with
the dominance of Web-based services, a network sniffer can collect large
amounts of data in a very short time.

Discussion: Consider the network in your organization and the type of
data that is transmitted across it. For example, do you work from a PC
and administer your Solaris OE servers using telnet (or X Windows)? If
so, every character you send and receive is transmitted, unencrypted,
across the network. Do you ever use the su command to become the root
user in such a session? If so, you might just have handed your root
password to an intruder.
How Sniffers Work

A network interface card (NIC) normally accepts only frames addressed to
its own hardware address, plus broadcast and multicast frames. To sniff
the network, the card must be put into a special mode, called
promiscuous mode, in which it accepts every frame that reaches it. On a
shared medium (a hub or coaxial segment) that is all the traffic on the
segment; a switch normally delivers to each port only that port's own
unicast traffic, so a sniffer on a switched network sees less unless the
switch is tricked into forwarding more.

Nearly all network cards support promiscuous mode, and most operating
systems provide a way for programs to switch the card into it. The
Solaris OE supports this, but restricts access to the physical network
device (for example, /dev/hme) to the root user. PC systems running
Microsoft Windows 95/98/ME normally cannot deny users access to
low-level hardware devices, which allows any PC user to run sniffing
tools.

Because of the security implications of promiscuous mode, some network
cards can have it disabled in the firmware, which effectively prevents
sniffers from working. However, the firmware can be modified to
re-enable promiscuous mode using standard tools provided by the card
manufacturer, so this is not a defense to rely on.
Detecting Sniffers

Detecting whether your network is being sniffed is very difficult. A few
tools, such as cpm (check promiscuous mode) from Carnegie Mellon
University (ftp://infor.cert.org/pub/tools), can detect whether a network
interface is in promiscuous mode. However, such a tool must run on the
host concerned, and an intruder with root access on that host can tamper
with the tool or with what it reports.

General logging mechanisms show network sniffers using inordinate
amounts of network I/O (a very high proportion of input to output), and
network sniffers often generate large data capture files over time.

Regular monitoring for suspicious activity can help detect sniffing on a
host. However, an intelligent intruder can usually hide the sniffer so
that it does not show up in the system logging and monitoring activities.

Detecting sniffing from elsewhere on the network is currently in its
infancy. Two tools that attempt it are:
• AntiSniff: Runs on Microsoft Windows only. Available from Security
  Software Technologies, Inc.,
  http://www.securitysoftwaretech.com/antisniff/
• Sentinel: Runs on UNIX. Available from
  http://www.packetfactory.net/Projects/Sentinel
Defending Against Network Sniffers

There is only one sure way to defend against network sniffing, and that
is to encrypt all network traffic. Internet Protocol Security (IPsec)
encrypts at the IP layer, beneath the applications, so it protects any
protocol without changing the applications. Secure Sockets Layer (SSL)
encrypts an individual TCP session for applications written to use it
(for example, HTTPS, or POP3 over SSL). At the application level, Secure
Shell (SSH) is a direct replacement for unencrypted telnet and for
remote login with the rlogin and rsh commands, and protects the password
as well as the rest of the session. Until such tools are in place,
assume that any password typed into a telnet, ftp or rlogin session can
be read by anyone on the path.
Network Sniffing Tools

There are many sniffing tools on the market. Some are expensive and
require specialized equipment; in fact, all LAN analyzers are
specialized network sniffers.

There are also many low-cost or free software products for UNIX and
Microsoft Windows platforms which do a good job of network sniffing.
They might drop an occasional packet here and there, but they can still
collect a large amount of data.

The Solaris 8 OE comes with its own sniffer utility called snoop. There
is also a free, simple-to-use product called dsniff that can harvest
passwords from a network. Harvesting data means collecting only the data
you are interested in while discarding the rest.

Note: Many other tools are available. The tcpdump utility is popular
and widely ported [http://www.tcpdump.org].
The snoop Utility

The Solaris OE comes with a basic network sniffer, /usr/sbin/snoop
(etherfind on SunOS 4). Anyone can invoke it, but access to the network
device is restricted to the root user, which effectively makes it a
superuser-only utility.

However, if an intruder breaks in and obtains the root user identity on
any Solaris OE system on your network, the intruder can run snoop to
capture network traffic, which might allow the intruder to break into
other systems.

By default, snoop displays a one-line summary of each packet sniffed:
# snoop
Using device /dev/hme (promiscuous mode)
grommit -> wallace TELNET C port=1079
wallace -> grommit TELNET R port=1079 Using device /dev/hm
grommit -> wallace TELNET C port=1079
wallace -> grommit TELNET R port=1079 grommit -> wall
grommit -> wallace TELNET C port=1079
wallace -> grommit TELNET R port=1079 wallace -> grom
grommit -> wallace TELNET C port=1079
The protocol is identified together with the host names (if known) and
the first few bytes of text in the packet (if the data is readable
text). The output above also shows a side effect: the capture was run
inside a telnet session, so snoop's own screen output, sent back over
telnet, is captured again and appears as packet data.

The snoop output is usually redirected to a file for later analysis.
Sending output to the screen slows down the snoop utility, which can
cause it to miss (drop) packets. Redirecting the data to a file
introduces a lower I/O overhead than writing to the screen. It also
avoids recursively collecting the data sent to the screen when you run
snoop over a telnet connection.
The snoop Options

Collect raw network data with snoop using the -o option:
# snoop -o /tmp/snooped
All captured data is saved to this file, so the file must be on a disk
with sufficient free space. Because the file contains everything seen on
the wire, passwords included, protect it as carefully as the network
itself and remove it when it is no longer needed. Stop the data
collection by killing the snoop utility with Control-C or the kill
command.

To examine the results of a capture, use the -i option with the name of
the raw data file:
# snoop -i /tmp/snooped
The snoop utility has many options and capabilities for filtering or
displaying the data which are fully described in the manual pages.
Table 10-1 shows some of the more commonly used options.

Table 10-1 The snoop Utility Options

Option              Usage
-N                  Creates a names file from a capture file (use together
                    with -i), mapping IP addresses to host names in the
                    same format as /etc/hosts.
-n filename         Uses the named file for IP address resolution instead
                    of the /etc/hosts file and DNS.
-r                  Does not map network addresses into host names, which
                    avoids generating DNS traffic while capturing data. You
                    can use a names file (see the -n and -N options) for
                    name lookup later.
-S                  Includes the packet size on the summary line.
-V                  Verbose summary mode, which prints one summary line per
                    protocol layer in the captured packet.
-v                  Verbose mode, which prints the full decoded headers of
                    every protocol layer (many lines per packet).
-x start[,length]   Includes the packet data in the output, starting from
                    the given offset for the specified number of octets (or
                    to the end of the packet if no length is specified).

For example, Code 10-1 on page 10-5 used the following command line:
# snoop -rSx 0
The snoop Packet Filters

The snoop command line accepts optional expressions to filter the
packets being viewed. Some common expressions are:
• Only include packets to and from the named host:
# snoop host hostname
• Only include packets to and from the specified address, which can be
  a dotted decimal IP address or a colon-separated 6-byte Ethernet
  address, or, with the net keyword, all hosts on the specified network:
# snoop address
# snoop net address
• Prefix a host or net address with to or from to view only incoming
  or outgoing packets:
# snoop to host hostname
# snoop from address
• Only include packets for the specified port number, which can be a
  number (such as 23) or a service name from the /etc/services file
  (such as telnet):
# snoop port service
Several other filtering options require more knowledge of the network
packet structure. Read the snoop manual page for all of the available
command-line parameters.

You can make filtering more selective by combining options and
expressions with the logical operators and, or, and not (or !).
• To select only ftp control-connection packets (port 21; the data
  connections use other ports) use:
# snoop port ftp
• To monitor all telnet traffic to and from the host grommit use:
# snoop port telnet and host grommit
  (add to, as in to host grommit, to see only the incoming direction).
• To look for SNMP between wallace and grommit and show the packet
  data use:
# snoop -x 0 port snmp and wallace and grommit
The dsniff Utility

The dsniff utility is a network password sniffer: it watches the network
and records passwords and other credentials as they pass. A Solaris OE
package can be downloaded from the Sun Freeware Web site.

The dsniff utility handles ftp, telnet, SMTP, HTTP, POP, SNMP, LDAP,
rlogin, NIS, X11, Symantec pcAnywhere, Microsoft SMB, Oracle SQL*Net,
Sybase and Microsoft SQL protocols, and many others.

The dsniff utility automatically detects and minimally parses each
application protocol, saving only the interesting pieces of information.
For example, for telnet the dsniff utility saves the data sent from the
client to the server (in other words, what the user types; the password
appears only in this direction, because the server never echoes it).

The dsniff utility can save its data in Berkeley DB format for later
analysis, or write it to standard output.
Running the dsniff Utility

To run dsniff and save the data to a file called dsniffed, type:
# dsniff -w dsniffed
To read this data file, type:
# dsniff -r dsniffed
The dsniff utility has additional command-line options which you can use
if you have special network requirements. Like the snoop utility, dsniff
accepts a filtering expression on its command line, but the syntax is
that of tcpdump (the libpcap filter language), not snoop's. Some of the
useful expressions are:
• Only include packets to and from the named host, given as a host
  name or a dotted decimal IP address (use ether host for a
  colon-separated 6-byte Ethernet address):
# dsniff host hostname
• Only include packets to and from hosts on the specified network:
# dsniff net address
• Prefix a host or net with src or dst to view only outgoing or
  incoming packets (snoop's to and from keywords are not recognized by
  dsniff):
# dsniff dst host hostname
# dsniff src host address
• Only include packets for the specified port number, which can be a
  number (such as 23) or a service name from /etc/services (such as
  telnet):
# dsniff port service
As with the snoop utility, there are several other filtering options,
and you can make the filtering more selective by combining expressions
with the logical operators and, or, and not (or !).
By default, the dsniff utility captures all the interesting data it
sees. This can be a lot of information to examine, so you should filter
the data you want to save by specifying the host or protocol that you
are interested in.

The dsniff utility captures data until you stop the program with
Control-C or the kill command (if you run the dsniff utility in the
background).

The dsniff utility reassembles an entire TCP session, so it only saves
data for connections that are set up and torn down while the dsniff
utility is running (that is, you do not capture data from a telnet
session that was already logged in when you started the dsniff utility).

Code 10-2 shows how to use the dsniff utility to examine telnet data
for the host wallace.
Code 10-2 Using the dsniff Utility
1 # dsniff -w dsniffed port telnet and host wallace&
2 [1] 3088
3 <continue working>
4 # kill %1
5 # dsniff -r dsniffed
6 listening on hme0 [port telnet and host wallace]
7 trigger_tcp: decoding port 23 as telnet
8 -----------------
9 04/26/01 15:21:35 tcp 192.168.1.2.1090 -> wallace.23 (telnet)
10 alice
11 w0nder
12 su
13 s3cr3t
14 passwd eve
15 password
16 password
17 passwd -f eve
18 exit
19 exit
Code 10-2 shows everything typed in one telnet session. At line 10,
alice supplies her login name and then, on line 11, her password
(w0nder). Her first action is to use the su command to become the root
user, supplying the root password (s3cr3t, line 13). alice then resets
eve's password to the string password (typed twice, lines 15 and 16)
and, with passwd -f, forces eve to change it at her next login.

If an intruder were running the dsniff utility on your network, the
intruder would now be in possession of the root password as well as the
passwords for two non-administrative accounts, with no password cracking
required. The intruder is likely to be installing back doors on wallace
while continuing to run the dsniff utility to try to compromise the
rest of your systems.
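The following is an added example, not code from the Sun course or from dsniff. It takes the client-to-server keystrokes printed in Code 10-2 and performs the kind of minimal protocol parsing described above, turning them into (account, secret) pairs. Its assumptions, which are this example's and not dsniff's: a fresh telnet session begins with a login name followed by a password; su without a user name targets root; passwd run by root prompts only for the new password, twice, while any other user is asked for the old password first; and passwd given an option letter (such as -f) prompts for nothing.

```python
"""Reconstruct credentials from the client side of a telnet session.

Added example; not code from the Sun course or from dsniff. The keystroke
lines are the ones printed in Code 10-2; the parsing rules are this
example's assumptions about login, su and passwd prompts.
"""

# Client-to-server keystrokes from Code 10-2, one line per Return key.
CODE_10_2_KEYSTROKES = [
    "alice", "w0nder",
    "su", "s3cr3t",
    "passwd eve", "password", "password",
    "passwd -f eve",
    "exit", "exit",
]


def _su_target(argv):
    """su [-] [user]: the named user, or root if none was given."""
    args = [a for a in argv[1:] if a != "-"]
    return args[0] if args else "root"


def harvest_telnet_credentials(lines):
    """Return (kind, account, secret) triples found in the client's
    keystrokes. kind is 'login', 'su' or 'passwd'."""
    found = []
    lines = list(lines)
    if len(lines) < 2:
        return found
    # A fresh session: login name, then the password (never echoed).
    current_user = lines[0]
    found.append(("login", lines[0], lines[1]))
    i = 2
    while i < len(lines):
        argv = lines[i].split()
        if argv and argv[0] == "su" and i + 1 < len(lines):
            target = _su_target(argv)
            found.append(("su", target, lines[i + 1]))
            current_user = target
            i += 2
        elif argv and argv[0] == "passwd":
            opts = [a for a in argv[1:] if a.startswith("-")]
            args = [a for a in argv[1:] if not a.startswith("-")]
            if opts:
                i += 1          # -f, -l, -d and friends prompt for nothing
                continue
            target = args[0] if args else current_user
            # root is not asked for the old password; anyone else is.
            skip = 0 if current_user == "root" else 1
            new1, new2 = i + 1 + skip, i + 2 + skip
            if new2 < len(lines) and lines[new1] == lines[new2]:
                found.append(("passwd", target, lines[new1]))
            i = new2 + 1
        else:
            i += 1
    return found


if __name__ == "__main__":
    for kind, account, secret in harvest_telnet_credentials(CODE_10_2_KEYSTROKES):
        print(f"{kind:7s} {account:8s} {secret}")
```

Nothing here is clever: the parser works only because the keystrokes travel in clear text and the prompts are predictable. Replacing telnet with SSH removes the input the whole approach depends on.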
Discussion: Now that you know about the dsniff utility, would you allow
users on your network to use the telnet command? What alternatives are
there?
Network Service Attacks

Network attacks probably form the majority of attacks on a system in a
modern IT configuration. Nearly every computer is connected to a network
and many networks are connected to the Internet.

As an administrator, you have no control over the Internet. All you can
do is install defensive measures at the boundary where your network
connects to the Internet. These measures involve firewalls, proxy
servers, demilitarized zones (DMZs), and other techniques.

Your network is vulnerable even if you have taken steps to prevent
unauthorized systems and users from tapping into the network
infrastructure. Once intruders have access to your network, they can
begin to attack the systems on it.

Many network attacks can only be undertaken by someone with a good
knowledge of the low-level protocols. This module discusses some
network attacks which can be undertaken by an intruder with only a
small amount of networking knowledge.
Packet Replay Attacks

One form of attack that network sniffing can lead to is the packet
replay attack. In this attack, packets that have been sniffed from the
network are sent again to a server, usually with a different source
address, to fool the server into accepting an old, genuine
authentication exchange as a new one. Replay attacks are often used to
try to reuse Kerberos authenticators or tickets to gain access to other
network services; this is why Kerberos timestamps its authenticators and
servers keep a replay cache.

A related attack is TCP sequence-number prediction. Every TCP segment
carries a sequence number, and each connection starts from an initial
sequence number (ISN) chosen by the host. If ISNs are generated in a
predictable way, an intruder who cannot see the server's replies can
still guess the ISN the server will use, and so forge a complete
connection that appears to come from a trusted host (a blind spoofing
attack).
In the Solaris OE, the file /etc/default/inetinit sets the initial
sequence number generation method through the TCP_STRONG_ISS variable.
Possible values are shown in Table 10-2.

You are strongly advised to set the parameter value to 2 to guard
against sequence-number prediction and the spoofing attacks built on
it:
# grep TCP_STRONG /etc/default/inetinit
TCP_STRONG_ISS=2
The file is read at boot. The value in effect on a running system can be
inspected, and changed without a reboot, with the ndd command (parameter
tcp_strong_iss on /dev/tcp); put the change in the file as well so that
it survives the next reboot.

Table 10-2 Possible Values of the TCP_STRONG_ISS Variable

Value  Meaning
0      Old-fashioned, sequential initial sequence number generation
1      Improved sequential generation, with random variance in the
       increment
2      RFC 1948 sequence number generation, unique per connection ID
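The following is an added example, not code from the Sun course or from the Solaris kernel. Each class models one of the three TCP_STRONG_ISS settings in Table 10-2 closely enough to show what an intruder who has just seen one ISN (from a connection of their own) can predict about the ISN a victim's connection receives at the same moment. The step size, the random-variance range, the 4-microsecond clock and the secret are this example's assumptions, not Solaris values; the 4-tuples are constructed.

```python
"""Initial sequence number (ISN) generation under the three
TCP_STRONG_ISS settings of Table 10-2.

Added example; not code from the Sun course or from the Solaris kernel.
STEP, VARIANCE, the clock rate and the secret are assumptions.
"""
import hashlib
import random
import struct

MASK = 0xFFFFFFFF
STEP = 64000            # assumed per-connection increment for modes 0 and 1
VARIANCE = 1 << 20      # assumed range of the random variance in mode 1


class SequentialIsn:
    """TCP_STRONG_ISS=0: one global counter, a fixed step per connection."""
    def __init__(self, start=0):
        self.counter = start

    def next_isn(self, conn, now):
        self.counter = (self.counter + STEP) & MASK
        return self.counter


class RandomIncrementIsn:
    """TCP_STRONG_ISS=1: the same counter, plus a random amount each time."""
    def __init__(self, start=0, seed=1):
        self.counter = start
        self.rng = random.Random(seed)

    def next_isn(self, conn, now):
        self.counter = (self.counter + STEP + self.rng.randrange(VARIANCE)) & MASK
        return self.counter


class Rfc1948Isn:
    """TCP_STRONG_ISS=2: ISN = M + F(local addr, local port, remote addr,
    remote port, secret), where M is a 4-microsecond clock and F is MD5."""
    def __init__(self, secret):
        self.secret = secret

    def offset(self, conn):
        laddr, lport, raddr, rport = conn
        data = f"{laddr}:{lport}:{raddr}:{rport}".encode() + self.secret
        return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]

    def next_isn(self, conn, now):
        clock = int(now * 250_000)          # seconds -> 4-microsecond ticks
        return (clock + self.offset(conn)) & MASK


def prediction_error(gen, attacker_conn, victim_conn, now):
    """The intruder opens a connection of their own, sees the ISN the
    server used, and guesses that the victim's connection (opened at the
    same instant) gets the next ISN, one step ahead. Returns how far off
    the guess is, modulo 2^32; 0 means the attack works."""
    observed = gen.next_isn(attacker_conn, now)
    guess = (observed + STEP) & MASK
    actual = gen.next_isn(victim_conn, now)
    return (actual - guess) & MASK


# Constructed 4-tuples: (server addr, server port, client addr, client port)
ATTACKER = ("192.168.1.2", 513, "10.0.0.9", 1023)
VICTIM = ("192.168.1.2", 513, "192.168.1.1", 1022)

if __name__ == "__main__":
    for name, gen in (("TCP_STRONG_ISS=0", SequentialIsn(1000)),
                      ("TCP_STRONG_ISS=1", RandomIncrementIsn(1000)),
                      ("TCP_STRONG_ISS=2", Rfc1948Isn(b"boot-time secret"))):
        print(f"{name}: guess off by {prediction_error(gen, ATTACKER, VICTIM, 0.0)}")
```

With setting 0 the guess is exact. With setting 1 the error is bounded by the variance range, so the intruder can still spray that many forged segments and expect one to match, which is why setting 1 is not enough. With setting 2 the offset for the victim's 4-tuple depends on a secret the intruder does not have, and the intruder's own connection reveals nothing about it.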
Vulnerabilities of the sendmail Program
Several network attacks target known weaknesses in standard network
services. The most notorious network service for being exploited in this
way is the sendmail program. The sendmail program listens on port 25
and accepts incoming simple mail transfer protocol (SMTP) requests.
SMTP, like many Internet protocols, is text-based. You can use the telnet
command to connect into an SMTP server and initiate a SMTP dialog, as
shown in Code 10-3.
Code 10-3 SMTP Dialog
# telnet localhost 25
220 wallace ESMTP Sendmail 8.9.3+Sun/8.9.3; Fri, 27 Apr 2001 14:32:39 +0100 (BST)
HELO wallace
250 wallace Hello [192.168.1.1], pleased to meet you
In Code 10-3 on page 10-28, you connected to the sendmail program and
can now enter commands to send email. Note that the banner announces the
exact sendmail version, which tells an intruder which known
vulnerabilities to try. Early versions of the sendmail program also
accepted a command to debug the sendmail server, which was a very useful
feature during development. The debug command allowed you to run a shell
(for debugging) with root user privileges; it was one of the holes the
1988 Internet Worm used.

This debug feature was removed from sendmail years ago, but sendmail has
had other weaknesses which could let an intruder break into systems.
These have been closed down over time, but even now there are regular
security alerts about new sendmail vulnerabilities. Keep the sendmail
patches current, and do not run sendmail as a listening daemon on hosts
that do not need to receive mail from the network.

Several SMTP servers, such as iPlanet Messaging Server and DMail, are
available as alternatives to sendmail if you want to reduce your
exposure to its vulnerabilities.
Buffer Overflow Attacks

The sendmail program, and many other network servers such as the
fingerd daemon, have suffered from a common problem known as buffer
overflow.

In basic terms, a buffer overflow occurs when the programmer writing the
network server fails to limit the amount of data that the client can
enter into the program. When the client program (or an intruder typing
at the keyboard) enters more data than the buffer can hold, the excess
overwrites other data, or the server program's own control information,
in memory.

In paper-based terms, a buffer overflow is like filling in a form where
the box you need to complete is too small to contain the information.
You continue writing outside the box and hope that is acceptable to the
person reading the form. You have just caused the paper equivalent of a
buffer overflow.
If the form were printed with a black background and the only white area
were inside the box, then you could not cause the overflow (you would
just have to write smaller letters). Many programmers take the same
precaution when writing code (checking the length of the input against
the size of the buffer before copying it), but not all programmers are
aware of the problem, and buffer overflow weaknesses keep cropping up in
software systems.

When a server buffer overflow occurs, several things can happen:
• The excess data corrupts part of the program and the server crashes.
  The service is now unavailable. While some systems might
  automatically restart crashed services, many do not. This is an
  example of a DoS attack.
• The excess data overwrites valid data in the program, which corrupts
  it. This corruption might not be noticed for some time (if ever).
• The excess data includes code of the intruder's own and overwrites
  the control information (such as a saved return address) that
  decides what the program executes next, so the server runs the
  intruder's code with the server's privileges. The infamous Internet
  Worm released in 1988 used this technique, against the fingerd
  daemon, to infiltrate copies of itself into a significant portion of
  the Internet.

Most buffer overflow problems have been found and fixed in common
network servers. However, new servers and enhancements to existing code
often show buffer overflow weaknesses.

If a new buffer overflow weakness is discovered, check to see if a
temporary wrapper is available from http://www.auscer.org.au/, which
you can use until a patch is released by the vendor. Running services
with the least privilege they need, rather than as root, also limits
what an intruder gains from a successful overflow.
Web (HTTP) Servers

Web servers are also vulnerable to attack, and are becoming more so
because of the demands on organizations to provide Web-based services
with sophisticated features.

Many Web servers use Common Gateway Interface (CGI) scripts to provide
dynamic content. Most CGI scripts are written in languages like Perl or
PHP (Personal Home Page), chosen for speed and ease of development
rather than for security. The usual holes are in the scripts rather
than in the languages: user-supplied input passed unchecked to a shell,
to the file system, or to a database gives a knowledgeable intruder a
way in.

The trend towards using Java technology Servlets and JavaServer Pages
(JSP) as a more secure alternative is helping improve Hypertext Transfer
Protocol (HTTP) server security, though the same input-handling mistakes
are possible in any language.
Network Denial of Service Attacks
A general discussion of DoS attacks was given in Module 4. DoS attacks
are quite common. While they might appear to be just a nuisance they are
often serious:
G Losing a server for a few minutes costs most organizations money
and can adversely affect future business. Losing a server for longer
than a few minutes can have dire consequences for your business.
G If your service is unresponsive (especially if it is a Web service), you
might lose business to a competitor who has not been attacked.
G If the press is told about your poor service, you might get bad
publicity, which can cause your customers to worry and potentially
take their business elsewhere.
G If your service becomes unavailable, an intruder might spoof
(impersonate) your system (borrow your IP address) to collect
information about your customers.
G After a successful attack, you can clean your system and reboot.
Rebooting is sometimes what an intruder wants you to do. Perhaps
the intruder has successfully broken into your system and needs you
to reboot to activate a back door or complete a rootkit installation. A
DoS attack is a good way to force a reboot.
Types of Network Denial of Service Attacks

There are many types of DoS attack, ranging from the brute-force
approach of sending large numbers of requests to a server to more subtle
attacks that exploit network protocol features.

Three of the network protocol attacks are:
• TCP SYN flooding
• Ping of death
• Smurf

TCP SYN Flood Attack

As part of the initiation of a TCP service connection (such as ftp,
telnet, HTTP, or SMTP), a three-way handshake must take place as shown
in Figure 10-1 on page 10-36.
Figure 10-1 TCP Three-Way Handshake
The steps in a three-way handshake are:
1. The client sends a synchronize (SYN) message to the server.
2. The server responds with a synchronize acknowledgment
(SYN/ACK) message to the client.
3. The client completes the initialization of the TCP session by sending
an ACK back to the server.
In a TCP SYN flood attack, the client sets a non-existent system as the
reply address of the initial SYN message. The server sends the SYN/ACK
response to the non-existent system and never gets the final ACK response.
Eventually the server times out the connection (the time-out can range
from 75 seconds to 23 minutes depending upon network configuration
parameters). During the time-out period the server is holding onto kernel
resources required during the TCP session initialization.
TCP initialization generally requires more kernel resources than when the
session is established. While a server might support hundreds or
thousands of concurrent TCP sessions, it might only be able to support a
few tens of connections in the initialization phase. If the client sends a
falsified SYN packet every 10 seconds, it could completely disable TCP
services on a server by causing the kernel to run out of resources.
TCP SYN flood attacks are popular because the client has little work to do
to disable a server.
If the client's SYN packet mistakenly specifies a reply address of a valid
system, then that system sends a reset (RST) message to the server for the
unexpected SYN/ACK message. The server resets the TCP session,
releasing all the kernel resources tied up for the initialization, which
effectively nullifies the TCP SYN flood.
Note: See the Sun Microsystems Security Bulletin #00136, 9 Oct. 1996, for
more information (available in the Security Bulletin Archive at
http://sunsolve.sun.com/pub-cgi/secBulletin.pl). A general,
cross-environment discussion of this issue is available from CERT at
http://www.cert.org/advisories/CA-1996-21.html.
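The half-open connections described above are visible on the server itself: each forged SYN leaves a TCP socket in state SYN_RCVD in the output of netstat -an. The following Python script is an added example, not part of the Sun course; it counts those sockets per listening port. It assumes the Solaris 8 netstat column layout (local address, remote address, Swind, Send-Q, Rwind, Recv-Q, State, with the port as the last dot-separated part of each address), the sample output is constructed, and the threshold of eight is an assumed figure.

```python
"""Spot a TCP SYN flood from the server side: half-open connections show up
in 'netstat -an' as TCP sockets in state SYN_RCVD, one per forged SYN.

Added example, not part of the Sun course. The column layout is assumed to
match Solaris 8 netstat; the sample text is constructed; THRESHOLD is assumed.
"""
from collections import Counter, defaultdict

THRESHOLD = 8   # assumed: a backlog this deep on one port deserves a look

# Constructed sample in the assumed Solaris netstat layout: one normal telnet
# session, one half-open mail connection, and ten half-open HTTP connections
# from ten different (probably forged) source addresses.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.23                 *.*                0      0 24576      0 LISTEN
      *.25                 *.*                0      0 24576      0 LISTEN
      *.80                 *.*                0      0 24576      0 LISTEN
192.168.0.250.23     192.168.0.17.1034    8760      0 24820      0 ESTABLISHED
192.168.0.250.25     192.168.0.99.2042       0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.1.40001         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.2.40002         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.3.40003         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.4.40004         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.5.40005         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.6.40006         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.7.40007         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.8.40008         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.9.40009         0      0 24576      0 SYN_RCVD
192.168.0.250.80     10.77.3.10.40010        0      0 24576      0 SYN_RCVD
"""

TCP_STATES = {"CLOSED", "IDLE", "BOUND", "LISTEN", "SYN_SENT", "SYN_RCVD",
              "ESTABLISHED", "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK",
              "FIN_WAIT_2", "TIME_WAIT"}


def split_sockaddr(text):
    """'192.168.0.250.80' -> ('192.168.0.250', '80'); '*.*' -> ('*', '*')."""
    host, _, port = text.rpartition(".")
    return host, port


def parse_tcp_table(text):
    """Return (local_host, local_port, remote_host, remote_port, state) for
    every connection row, skipping the banner, column header and rule line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[-1] not in TCP_STATES:
            continue
        lhost, lport = split_sockaddr(fields[0])
        rhost, rport = split_sockaddr(fields[1])
        rows.append((lhost, lport, rhost, rport, fields[-1]))
    return rows


def half_open_by_port(text):
    """Number of SYN_RCVD sockets (connections stuck in initialization) per local port."""
    return Counter(lport for _, lport, _, _, state in parse_tcp_table(text)
                   if state == "SYN_RCVD")


def syn_sources_by_port(text):
    """Distinct remote hosts behind the half-open connections on each local port.
    A flood with forged source addresses shows many sources that never answer."""
    sources = defaultdict(set)
    for _, lport, rhost, _, state in parse_tcp_table(text):
        if state == "SYN_RCVD":
            sources[lport].add(rhost)
    return sources


def suspected_syn_flood(text, threshold=THRESHOLD):
    """Local ports whose half-open backlog has reached the threshold."""
    return sorted(port for port, n in half_open_by_port(text).items() if n >= threshold)


if __name__ == "__main__":
    for port in suspected_syn_flood(SAMPLE_NETSTAT):
        n = half_open_by_port(SAMPLE_NETSTAT)[port]
        print(f"port {port}: {n} half-open connections from "
              f"{len(syn_sources_by_port(SAMPLE_NETSTAT)[port])} distinct sources")
```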
Ping of Death Attack
The Ping of Death attack is another DoS attack. The attack involves
sending an IP packet that is too large to be a legal packet (more than 65535
bytes in size). The attack usually uses the low-level Internet Control
Message Protocol (ICMP) packets that the ping command uses.
The packet is fragmented into packets at the Maximum Transfer Unit
(MTU) size for transmission over the network. The reassembly stage on
the remote machine overflows memory because so many larger-than-expected
packets are received in a short period of time.
Note: The default MTU on a Solaris OE platform using Ethernet is
1500 bytes. The Solaris OE on the SPARC system is immune to this
attack. Unpatched Solaris OE x86 systems (2.5.1 and lower) are
vulnerable.
Smurf Attack
A Smurf attack is simple and effective. It uses the same low-level ICMP
protocol that the ping utility uses.
Usually, the ping utility tests to see if a particular server is online. A client
sends a ping message to the server and the server automatically sends the
message back to the client (the name ping derives from the sound made
by sonar echo detection devices used during World War II).
A Smurf attack falsifies the reply address in the ping ICMP packet by
setting it to the address of the system under attack. The client then sends
the ping message to the broadcast address for the network containing the
system under attack.
The result is immediate and dramatic. Every host on the network receives
the ping message and echoes it back, not to the intruder, but to the system
whose address was in the ICMP reply field. The system under attack
receives up to 254 ping responses in a very short period of time.
If the system were attacked only once, the system might survive and
process the ping replies, but the target's network is temporarily
overloaded. However, if you broadcast a ping packet every second to the
network, you tie up all available network bandwidth and swamp the
target system with network packets. As network and CPU resources are
exhausted, the system slows to a crawl.
A user with a 28.8-kilobit-per-second modem can put out enough
bandwidth to fill one-third of the capacity of a T1 (1.54 megabits/sec.)
line. Yale University removed its Internet Relay Chat (IRC) server because
of these attacks and New York University was once flooded so badly it
was off the network for two weeks.
Smurf Countermeasures
Smurf is so nasty that you should always implement the Solaris OE
countermeasure. The solution is to disable ping replies to broadcast
addresses. Do this by adding the following line to the /etc/init.d/inet
file as part of the network startup:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Recognizing Network Attacks
It is difficult from a Solaris OE server to recognize network attacks.
Specialized network monitoring is often required to detect attacks like
TCP SYN, Ping of Death, and Smurf.
On a server, network attacks are usually seen after the event; they are not
detected until they have been successful. In fact, many network attacks go
entirely unnoticed unless they are DoS attacks.
Port Scanning Using the nmap Utility
One technique intruders use while setting up a network attack is to scan a
server for all the services running. This process is known as a port scan and
the best known utility for this is nmap (nmap can be obtained from
http://www.insecure.org/nmap).
The nmap utility attempts to connect to every port on your server. If the
nmap utility makes a successful connection, it attempts to identify the
service on that port by analyzing any data sent out by the server, as
shown in Code 10-4.
Code 10-4 Sample nmap Output
# nmap -P0 192.168.0.250
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Interesting ports on sunfrog (192.168.0.250):
(The 1505 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
23/tcp open telnet
37/tcp open time
111/tcp open sunrpc
139/tcp open netbios-ssn
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
540/tcp open uucp
2049/tcp open nfs
4045/tcp open lockd
6000/tcp open X11
6112/tcp open dtspc
7100/tcp open font-service
8888/tcp open sun-answerbook
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
32779/tcp open sometimes-rpc21
32780/tcp open sometimes-rpc23
32786/tcp open sometimes-rpc25
32787/tcp open sometimes-rpc27
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
Host Information From the nmap Utility
If the nmap utility is connected to the sendmail port shown in Code 10-3
on page 10-28, it could detect from the prompt string that this is an
Extended Simple Mail Transfer Protocol (ESMTP) server (it supports a
newer version of the SMTP which is a superset of the SMTP service).
Using the information it obtains from a service's data output, the nmap
utility can determine a lot about your server. For example, the nmap utility
can look at Code 10-3 on page 10-28 and determine the following:
• Server name: wallace
• Operating system and version: Solaris OE 8.9.3
• Server version: sendmail 8.9.3
• Date: the date and time on the server
With this information, the intruder can look up known weaknesses in the
operating system and in the program versions and then attempt to break
in to the system. Even knowing which ports are open and which are
closed can enable the nmap utility to determine the system type (firewall,
router, UNIX, Solaris OE, and so on).
Detecting Port Scanning
Port scanning usually involves a large number of connections arriving at
your server over a short period of time. Often, the connections step
through the port numbers in numeric order.
Scanning defense products, such as PortSentry (obtainable from
http://www.psionic.com/abacus) can recognize this activity. The usual
defense is to reconfigure the kernel (or network interface) to refuse to
accept connections from the system attempting the port scan. The kernel
configuration can be automated in some of the scanning defense tools.
Note: Some legitimate tools, such as SAINT, can be detected by port
scanning defenses.
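The two signs named above, many connections in a short period and ports visited in numeric order, can be checked with a few lines of code. The Python script below is an added example, not part of the course and not how PortSentry works internally: it groups connection records by source, counts the distinct ports each source touched inside a short window, and scores how strictly the ports ascend. The log format (HH:MM:SS, source address, destination port) and the sample lines are constructed, and the window and port thresholds are assumed figures.

```python
"""Flag port scans from a connection log: a scan shows as one source touching
many distinct ports in a short time, often stepping through them in numeric order.

Added example, not part of the Sun course or of PortSentry. The log format
(HH:MM:SS, source address, destination port) and the sample lines are
constructed; WINDOW and MIN_PORTS are assumed thresholds.
"""
from collections import defaultdict

WINDOW = 10      # seconds; assumed
MIN_PORTS = 6    # distinct ports within WINDOW before a source is flagged; assumed

# Constructed log: 10.9.8.7 walks the low ports in order within four seconds,
# 192.168.0.17 uses telnet and then ftp normally, and 192.168.0.44 reconnects
# to the web server eight times (one port, so not a scan).
SAMPLE_LOG = """\
10:15:01 192.168.0.17 23
10:15:01 10.9.8.7 7
10:15:01 10.9.8.7 9
10:15:02 10.9.8.7 13
10:15:02 10.9.8.7 19
10:15:02 10.9.8.7 21
10:15:03 10.9.8.7 23
10:15:03 10.9.8.7 37
10:15:03 10.9.8.7 111
10:15:04 10.9.8.7 139
10:15:04 10.9.8.7 512
10:15:30 192.168.0.17 21
10:16:10 192.168.0.44 80
10:16:11 192.168.0.44 80
10:16:12 192.168.0.44 80
10:16:13 192.168.0.44 80
10:16:14 192.168.0.44 80
10:16:15 192.168.0.44 80
10:16:16 192.168.0.44 80
10:16:17 192.168.0.44 80
"""


def parse_log(text):
    """Group log lines by source: {source: [(seconds_since_midnight, port), ...]}, time-ordered."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, port = line.split()
        h, m, s = (int(x) for x in stamp.split(":"))
        hits[src].append((h * 3600 + m * 60 + s, int(port)))
    for lst in hits.values():
        lst.sort()
    return hits


def max_ports_in_window(hits, window):
    """Largest number of distinct ports one source touched in any span of `window` seconds."""
    best = 0
    for i, (t0, _) in enumerate(hits):
        ports = {p for t, p in hits[i:] if t - t0 <= window}
        best = max(best, len(ports))
    return best


def ascending_fraction(hits):
    """Fraction of consecutive probes whose port is higher than the previous one;
    a scanner stepping through the ports in numeric order scores near 1.0."""
    ports = [p for _, p in hits]
    if len(ports) < 2:
        return 0.0
    ups = sum(1 for a, b in zip(ports, ports[1:]) if b > a)
    return ups / (len(ports) - 1)


def detect_port_scans(text, window=WINDOW, min_ports=MIN_PORTS, allowlist=()):
    """Sources that probed at least `min_ports` distinct ports within `window` seconds.
    Sources on `allowlist` (for example a SAINT host run by your own staff) are still
    reported but marked not to be blocked, since the usual countermeasure is to refuse
    further connections from the scanning system."""
    findings = {}
    for src, hits in parse_log(text).items():
        n = max_ports_in_window(hits, window)
        if n >= min_ports:
            findings[src] = {"distinct_ports": n,
                             "sequential": ascending_fraction(hits) >= 0.8,
                             "block": src not in allowlist}
    return findings


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG).items():
        print(src, info)
```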
Exercise: Using Network Sniffing
In this exercise, you will complete the following tasks:
• Use the snoop utility to sniff network traffic
• Install the dsniff utility
• Use the dsniff utility to harvest user names and passwords from
the network
Preparation
There is no special preparation required for these tasks.
Tasks
Working in pairs, use the snoop and dsniff utilities to sniff Telnet
network traffic between two different workstations created by the telnet
command. Due to the implementation of the Solaris TCP/IP stack, you
cannot correctly sniff network traffic if the source and destination
workstations are the same machine.
Task: Using the snoop Utility to Sniff Network Traffic
Follow these steps:
1. Obtain the IP addresses of your system and the workstation of the
person next to you. Run the snoop utility to collect data between the
two workstations.
2. With your colleague's approval, log in to the other workstation using
the telnet command.
3. Log out and connect again using the ftp command.
4. Stop the snoop command and examine the data you have collected.
Identify the login name and password you used for both telnet and
ftp commands.
5. Run the snoop utility again. Watch for ftp connections into your
host. Use the ftp command to connect to your host to make sure
that you see your connection.
6. Examine the data you collected and identify the login name and
password you used. It should be easier this time, because you have
only ftp data to examine.
Task: Installing the dsniff Utility
You can download the dsniff utility from the Sun Freeware Web site. A
copy has already been downloaded and saved in the /usr/local/pkg
directory. Install this SVR4 package using the pkgadd command. You also
need to install the OpenSSL and libpcap libraries, which are available
from the same Web site and the /usr/local/pkg directory.
Task: Using the dsniff Utility
Follow these steps:
1. Obtain the IP address of your system and run the dsniff utility to
collect telnet data for your workstation and place the data into a
data file.
2. In a separate window, use the telnet command to log in to your
workstation and then use the su command to log in as root user.
3. Log out, stop the dsniff utility, and examine the passwords that you
captured.
4. Run the dsniff utility for the whole network and collect passwords
from your colleagues. Because they are doing the same to you, give
them some data to work with by using the telnet command to
log in to your own machine (or a colleague's with their approval). Do
not forget to log out again so that the session data can be captured.
Note: If you have used one of your favorite passwords for an account on
your system, do not log in to this account. You do not want your
colleagues to be aware of passwords that you use back in the office. Use
the sample accounts alice, bob, and eve for the passwords, because
these accounts are known to all users on the course.
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
• Experiences
• Interpretations
• Conclusions
• Applications
Exercise Solutions
The following are solutions to the exercises. If you have any questions
about either the exercises or the given solutions, please ask your instructor.
Using the snoop Utility to Sniff Network Traffic
1. Assuming your workstation IP address is 192.168.1.107 and your
colleague's is 192.168.1.108, use the following command to monitor
traffic between the two systems:
# snoop 192.168.1.107 and 192.168.1.108
5. To monitor incoming ftp trafc on your host use:
# snoop 192.168.1.107 and port ftp
or
# snoop host localhost and port ftp
Installing the dsniff Utility
Install the dsniff utility using:
# cd /usr/local/pkg
# pkgadd -d libpcap-0_6_1-sol8-sparc-local
# pkgadd -d openssl-0_9_6-sol8-sparc-local
# pkgadd -d dsniff-2.3-sol8-sparc-local
Using the dsniff Utility
1. Save telnet data to a file called data1 for your system only with:
# dsniff -w data1 host localhost and port telnet
2. In a separate window, use the telnet command to log in to your
workstation and then use the su command to log in as root user.
3. Type Control-C to stop this command after running your telnet
session from another window. View the collected data using:
# dsniff -r data1
4. Collect all telnet data on the network with:
# dsniff port telnet
This displays the captured data as it is collected, but only when the
captured telnet session terminates.
Module 11
Securing Network Data
Objectives
Upon completion of this module, you should be able to:
• Describe the basic aspects of the Secure Sockets Layer (SSL)
• Explain why SSL is required, and what it does
• Configure secure communications between hosts using IPsec
Relevance
Discussion: The following questions are relevant to understanding the
purpose of securing the low-level data transferred across your networks:
• How do you secure low-level communications between hosts?
• Is there a mechanism that allows you to use the telnet program
securely to log in to your hosts?
Additional Resources
Additional resources: The following references provide additional
information on the topics described in this module and may be found
useful when attempting to understand SSL.
• For information on SSL:
[http://www.openssl.org]
• General cryptography:
[http://www.ssh.com/tech/crypto]
• System administration:
[http://darkwing.uoregon.edu/~hak/unix.html]
• Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone.
Handbook of Applied Cryptography. CRC Press, 1996.
• Veeraraghavan, Sriranga and Paul Watters. Solaris 8: The Complete
Reference. Osborne McGraw Hill, 1999.
• Winsor, Janice. Solaris 8 System Administrator's Reference Guide.
Prentice-Hall PTR, 2000.
• Sun Security Enhancements Online:
[http://www.sun.com]
• Online manual pages for ipsecconf(1M), ipseckey(1M), and
ipsec(7P)
Implementing Secure Communication Using SSL
While security measures that protect physical devices attached to, or
forming part of, host machines are essential, it is also important for
communications between machines to be secure. SSL provides secure
communications between machines. SSL is a non-proprietary protocol and
is widely used.
The most common implementation of SSL (but not the only one) is
supported and maintained by the Open SSL group, online at
http://www.openssl.org.
The Open SSL Project
The OpenSSL Project is an open development project designed to produce
a commercial-grade open-source toolkit implementation of the SSL and
Transport Layer Security (TLS) protocols. The toolkit also incorporates a
general-purpose cryptography library (for the full-strength version you
must use one of the non-U.S. Web sites for the source code download).
OpenSSL is based on the SSLeay library developed by Eric A. Young and
Tim J. Hudson.
Caution: Some countries still prohibit the use of strong encryption.
Before implementing the full-strength versions of SSL, ensure that the use
of this type of encryption does not break the national law of the country in
which the machine resides.
Defining the SSL
The SSL protocol's goal is to provide privacy and reliability between two
communicating applications. The applications can be operating system
components, such as a client talking to a server, or two (or more) peer
machines swapping data. A specific advantage of SSL is that it is
application protocol independent. In other words, SSL works with both high
level and low level protocols.
SSL is always composed of two layers. The lower layer consists of a
reliable transport protocol. This is most commonly TCP/IP and its
wrappers. This is known as the SSL Record Protocol. The SSL Record
Protocol encapsulates the various higher level protocols. A typical example
is the SSL Handshake Protocol, which allows a server and client to
mutually authenticate and negotiate an encryption algorithm and
associated cryptographic keys. A second, higher-level protocol is used
transparently on top of the SSL Record Protocol.
Often, a specific daemon encapsulates the SSL layers. Applications can
continue to use open and non-secure ports, but those ports are actually
fully encrypted by the SSL daemon. This is sometimes known as
transparent encryption because the encryption is hidden from the
application, but is still there.
Properties of SSL
The SSL protocol provides connection security with three basic properties:
• The connection is private between the two machines.
• The peer's identity can be authenticated using asymmetric
cryptography. Asymmetric cryptography provides for mutual
authentication using keys from a certificate authority (CA),
sometimes known as a trusted third party. This process is essentially
the digital signature provision.
• The connection is reliable.
SSL uses an asymmetric (public key) cipher to define a secret session key.
Symmetric cryptography (for example Data Encryption Standard (DES) or
RC4) is used for actual data encryption, because symmetric encryption is
faster than asymmetric encryption.
The message transport includes a message integrity check. Because secure
hash functions, for example, Secure Hash Algorithm (SHA-1) or Message
Digest 5 (MD5) are used for the integrity check computations, there is a
built-in defense against someone tampering with the packets.
Simplifying SSL Using the stunnel Program
A convenient method of providing SSL between clients is to use the open
source program stunnel. The stunnel program is an SSL wrapper
daemon which, when running between machines, provides an encrypted
portal.
For example, host A has an application that does not use SSL but uses
simple sockets instead (at port 1234). Host B has the same application (on
port 1235). Configure the stunnel program on both machines and
provide the appropriate sockets. Host A's application still connects to port
1234, but the socket is redirected through the secure stunnel program.
Host B's application still connects to port 1235, but its socket is also
redirected through the secure stunnel program. Hosts A and B are now
using SSL, even if their applications are unsuitable for SSL configuration.
The stunnel daemon is widely used in configuring Virtual Private
Networks (VPNs) and for communications between clients and remote
Lightweight Directory Access Protocol (LDAP) servers.
The stunnel program is not a complete SSL product. You still need an
SSL library, such as OpenSSL, to provide the handshaking and encryption.
Information on the stunnel program can be obtained from:
http://www.stunnel.org/.
How Secure Is the SSL?
The SSL is probably sufficiently secure for most practical purposes.
However, even in its most secure form, the SSL is not totally secure.
The SSL works by encrypting information transmitted between machines.
It uses public-private key encryption to authenticate hosts and to swap
session keys. The session key then encrypts the data between the hosts.
There are problems with this encryption method.
The first problem is the session key length. Many governments are
uncomfortable with the thought of private citizens sending information
which cannot be decrypted, even by governmental organizations. The key
lengths of encryption ciphers are restricted in many countries. The cipher
is easier to break with a shorter key length.
The second problem is a group of hackers known as the Key Cracking
Ring. This group has given notice that they plan to publish methods for
compromising the security of SSL for all systems. Currently, some low
security versions of SSL have been compromised. Versions of SSL using
strong (128-bit) encryption are still believed to be unbroken and secure
and they are likely to remain so until a new method for factorizing keys is
developed.
Understanding the IP Security Architecture (IPsec)
For the Solaris OE, and most other operating systems, the implementation
of network encryption is provided by IP security architecture (IPsec). IPsec
provides both encryption and validation of data. IPsec is a set of
standards developed by the Internet Engineering Task Force (IETF). IPsec
is an open source product available for most major versions of UNIX
(including Linux) and Microsoft Windows.
Processing is performed within the IP processing layer (like the stunnel
program), but the processing operates at a lower level. When in place and
configured, IPsec encrypts all IP traffic irrespective of the application and,
like the stunnel program, does so without the knowledge of the application.
IPsec also provides host-to-host authentication. IPsec implements and
controls security in a transparent manner. Because IPsec works at the level
of the IP transport, it can be applied at both the system level and at the
level of the individual socket. You configure IPsec for the system with a
suite of command line utilities. The socket layer implementation requires
programming expertise and is not covered here.
Note: Ensure that the IPsec protocol controls the authentication of IP
addresses and the encryption of data. The two should not be separated.
Configuring IPsec Security Associations
IPsec's secure communication is managed by security associations (SAs),
also known as key management. Two machines require at least two
security associations to communicate: one for the inbound and one for
the outbound traffic. IPsec does not currently support automatic security
association management.
IPsec provides two types of IP packet protection: an authentication header
(AH), which provides the authentication component, and the encapsulating
security payload (ESP) that provides encryption. You can use both ESP and
AH in the same datagram.
Datagrams originating from within the system, or that have the system as
their target, are affected by the IPsec settings. Datagrams which are
forwarded are not affected by the IPsec settings, because they do not
belong to the system.
Adding IPsec Keys
Use the ipseckey utility to configure the authentication and encryption
keys. The ipseckey utility accepts single-line commands from the
command line or, if no command line parameters are specified, enters an
interactive session. Useful ipseckey commands are:
add      Adds a new key definition
flush    Removes all existing definitions
dump     Outputs stored key definitions
The ipseckey command allows commands to be stored in files using the
following command line options:
-f filename    Reads commands from file
-s filename    Saves commands to file (use the file name to list the
               key commands to standard output)
To improve security, the add command cannot be used on the command
line and it must be read from a file. Code 11-1 is an example key file that
sets ESP encryption between two hosts.
Code 11-1 Example Encryption Key Management File
# Example SA key management file - encryption

add esp spi 0x2112 src <this host> dst <other host> \
    encralg des encrkey be02938e7def2839

add esp spi 0x5150 src <other host> dst <this host> \
    encralg des encrkey 8bd4a52e10127deb
Note: Each IPsec key command must be on a single line, which explains
the use of the line continuation backslash (\) character.
The source and destination addresses must either be named hosts in the
/etc/hosts file or IP addresses. This pair of security associations uses
DES to encrypt the data.
The spi parameter specifies the security association security parameters
index. The spi parameter is a 32-bit integer that is sent to the receiving
host. You can use any unique random 32-bit number as long as the
number is the same as the spi on the receiving host.
Configuring AH authentication requires a similar set of key definitions for
each pair of communicating hosts. Code 11-2 shows an example
authentication key management file.
Code 11-2 Example Authentication Key Management File
# Example SA key management file - authentication

add ah spi 0x2112 src <this host> dst <other host> \
    authalg md5 authkey bde359723576fdea08e56cbe876e24ad

add ah spi 0x5150 src <other host> dst <this host> \
    authalg md5 authkey 930987dbe09743ade09d92b4097d9e93
There is no standard method of configuring the IPsec key definition files,
but it is common practice to store the keys in a file called
/etc/inet/ipseckeys and load the keys as part of the system boot
process, as shown in Code 11-3.
Code 11-3 Example ipseckeys File
# more /etc/inet/ipseckeys
add esp spi 0x2112 src wallace dst grommit \
encralg des encrkey be02938e7def2839
add esp spi 0x5150 src grommit dst wallace \
encralg des encrkey 8bd4a52e10127deb
add ah spi 0x2113 src wallace dst grommit \
authalg md5 authkey bde359723576fdea08e56cbe876e24ad
add ah spi 0x5151 src grommit dst wallace \
authalg md5 authkey 930987dbe09743ade09d92b4097d9e93
Then create a boot script, /etc/rc3.d/s99ipsec_startup, containing the
following lines, as shown in Code 11-4.
Code 11-4 Example ipsec_startup Script
#!/sbin/sh
# Load the IPsec security associations at boot and flush them at shutdown.
case $1 in
start)
    if [ -f /etc/inet/ipseckeys ]
    then
        /usr/sbin/ipseckey -f /etc/inet/ipseckeys
    fi
    ;;
stop)
    /usr/sbin/ipseckey flush
    ;;
esac
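Because the boot script loads /etc/inet/ipseckeys blindly, a stray continuation backslash, a mistyped key or a reused SPI is only noticed when the two hosts stop talking. The Python checker below is an added example, not part of the course or of Solaris: it joins continued lines the way the Note above describes, then checks each add command for the fields it needs, a key of the right length, a unique SPI per protocol and a matching return-direction SA. The expected key sizes for des, 3des, md5 and sha1 are assumed from those algorithms' key lengths; GOOD_KEYS is the course's Code 11-3 file, and BAD_KEYS is a constructed variant with three mistakes.

```python
"""Sanity-check an /etc/inet/ipseckeys file before 'ipseckey -f' loads it at boot.

Added example, not part of the Sun course or of Solaris. Expected key sizes are
assumed (DES 64 bits, 3DES 192 bits, HMAC-MD5 128 bits, HMAC-SHA1 160 bits).
GOOD_KEYS is the course's Code 11-3 file; BAD_KEYS is a constructed variant."""
import re

KEY_HEX_DIGITS = {"des": 16, "3des": 48, "md5": 32, "sha1": 40}   # assumed sizes

GOOD_KEYS = """\
# SA key management file (course Code 11-3)
add esp spi 0x2112 src wallace dst grommit \\
    encralg des encrkey be02938e7def2839
add esp spi 0x5150 src grommit dst wallace \\
    encralg des encrkey 8bd4a52e10127deb
add ah spi 0x2113 src wallace dst grommit \\
    authalg md5 authkey bde359723576fdea08e56cbe876e24ad
add ah spi 0x5151 src grommit dst wallace \\
    authalg md5 authkey 930987dbe09743ade09d92b4097d9e93
"""

# Constructed: a DES key two digits short, the same ESP SPI used in both
# directions, and a stray continuation backslash that glues the two AH commands.
BAD_KEYS = """\
add esp spi 0x2112 src wallace dst grommit \\
    encralg des encrkey be02938e7def28
add esp spi 0x2112 src grommit dst wallace \\
    encralg des encrkey 8bd4a52e10127deb
add ah spi 0x2113 src wallace dst grommit \\
    authalg md5 authkey bde359723576fdea08e56cbe876e24ad \\
add ah spi 0x5151 src grommit dst wallace \\
    authalg md5 authkey 930987dbe09743ade09d92b4097d9e93
"""

def logical_lines(text):
    """Join backslash-continued lines into commands; return (first_line_no, command)
    pairs, skipping blank lines and '#' comments that sit between commands."""
    out, buf, start = [], "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((start, (buf + line).strip()))
        buf, start = "", None
    if buf:
        out.append((start, buf.strip()))   # file ended inside a continuation
    return out

def parse_command(cmd):
    """'add esp spi 0x2112 src a dst b encralg des encrkey ...' -> field dict."""
    tokens = cmd.split()
    fields = {"verb": tokens[0], "proto": tokens[1] if len(tokens) > 1 else "",
              "_adds": tokens.count("add")}
    fields.update(zip(tokens[2::2], tokens[3::2]))
    return fields

def check_ipseckeys(text):
    """Return a list of problems; an empty list means the file looks sane."""
    problems, seen_spi, sas = [], {}, []
    for lineno, cmd in logical_lines(text):
        f, where = parse_command(cmd), f"line {lineno}"
        if f["verb"] != "add" or f["_adds"] > 1:
            problems.append(f"{where}: expected exactly one 'add' command; stray line-continuation?")
            continue
        proto = f["proto"]
        if proto not in ("esp", "ah"):
            problems.append(f"{where}: unknown protocol {proto!r}")
            continue
        alg_key, key_key = ("encralg", "encrkey") if proto == "esp" else ("authalg", "authkey")
        missing = [k for k in ("spi", "src", "dst", alg_key, key_key) if k not in f]
        if missing:
            problems.append(f"{where}: missing {', '.join(missing)}")
            continue
        try:
            spi = int(f["spi"], 0)
        except ValueError:
            problems.append(f"{where}: spi {f['spi']!r} is not a number")
            continue
        if (proto, spi) in seen_spi:   # SPI must be unique per protocol on this host
            problems.append(f"{where}: {proto} spi {f['spi']} already used on line {seen_spi[(proto, spi)]}")
        seen_spi[(proto, spi)] = lineno
        alg, key = f[alg_key], f[key_key]
        want = KEY_HEX_DIGITS.get(alg)
        if want is None:
            problems.append(f"{where}: unknown algorithm {alg!r}")
        elif not re.fullmatch(r"[0-9a-fA-F]+", key) or len(key) != want:
            problems.append(f"{where}: {alg} key should be {want} hex digits, got {len(key)}")
        sas.append((proto, f["src"], f["dst"], lineno))
    have = {(p, s, d) for p, s, d, _ in sas}
    for proto, src, dst, lineno in sas:        # every SA needs its return direction
        if (proto, dst, src) not in have:
            problems.append(f"line {lineno}: no return {proto} SA from {dst} to {src}")
    return problems
```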
Configuring IPsec Policies
Regular host configurations are held in the
/etc/inet/ipsecpolicy.conf file. You can add entries to this file with
the ipsecconf configuration utility.
Changes made with the command line tools are not preserved after a
shutdown. This means that a machine defaults to insecure
communications after a reboot. To avoid this problem, add IPsec
configurations for required communications to the
/etc/inet/ipsecinit.conf file, which is read during the boot process.
If this file exists, the inet initialization script applies the IPsec security
policies during the startup process.
Note: IPsec is enabled if the /etc/inet/ipsecinit.conf file does not
exist at system boot time.
Using the ipsecconf Utility to Configure IPsec
The ipsecconf utility is a command line utility that sets the policy and
rules that apply to system-level IP traffic. Table 11-1 describes the
ipsecconf options.
Table 11-1 The IPsec Configuration File

Flag        Description
None        Queries the current configuration status. Entries are shown
            with an index number.
-a file     Adds one or more new policies listed in file to the system.
-d index    Deletes the policy identified by the index number from the
            system.
-f          Flushes policies.
-l          Provides a listing of the policy entries.
-n          Displays the network addresses and their associated ports.
            You must use the -n option with the -l option.
-q          Prevents the display of the warning and banner messages
            (quiet mode).

IPsec configurations are stored in the /etc/inet/ipsecpolicy.conf file.
The ipsecconf utility maintains this file with precedence rules. Do not
edit this file manually or you might alter the precedence of policies and
compromise the security of your system.
Syntax for the IPsec Configuration File
The IPsec configuration file syntax is:
{patterns} action {properties}
where:
pattern is a name-value pair, as shown in Table 11-2
action is a policy action, as shown in Table 11-3
properties is a policy property, as shown in Table 11-4
Table 11-2 Definitions for IPsec Policy Patterns
Pattern   Definition
saddr     The source address for the datagram being configured. A daddr entry is required to complete the pair.
daddr     The destination address of the pair.
smask     Provides a source mask to allow subnet addresses to be specified. Use either hexadecimal (0xffff0000) or internet dot (255.255.0.0) notation.
dmask     Provides a destination mask using the same notations as smask.
dport     Specifies the destination port to be controlled (for example, telnet). After the port is specified, a rule can be applied.
Table 11-3 Definitions for IPsec Policy Actions
Action    Definition
apply     Applies IPsec to the datagram (valid outbound only)
permit    Permits the datagram if it matches the constraints (inbound only)
bypass    Bypasses any policy checks if the datagram matches the pattern
Table 11-4 Definitions for IPsec Policy Properties
Property                   Definition
auth_algs, encr_auth_algs  The authentication algorithm. It should be MD5 or HMAC-MD5, SHA1, or HMAC-SHA1. Use ANY if there is no preference for the authentication.
encr_algs                  Specifies the encryption algorithm to use. Must be one of two possibilities: DES, DES-CBC (for single pass DES), or 3DES, 3DES-CBC (triple DES encryption). Use NULL for no encryption.
Rules for Parsing the Configuration File
When the file is loaded, each statement writes a separate policy to the system. Policies are applied in the order in which they are found in the file, with the following exceptions:
• A bypass action always has the highest precedence.
• An ESP policy is stronger than an AH policy. When a policy defines a stronger level of protection further in the file, the stronger policy has higher precedence. The strongest rules contain ESP and AH components.
To specify a policy with ESP and AH components, define both auth_algs (AH) and encr_algs (ESP) or encr_auth_algs (ESP) in the same policy.
Example IPsec Configurations
The hostB example in Code 11-5 specifies that any packet from hostA to hostB should be encrypted with 3DES and authenticated with SHA1.
Code 11-5 Example IPsec Configuration to Encrypt and Authenticate
#
# Encrypt data from hostA to hostB
#
{
    saddr hostA
    daddr hostB
}
permit
{
    encr_algs 3DES
    encr_auth_algs SHA1
}
Code 11-6 specifies that any traffic originating from the 134.56.0.0 network be authenticated.
Code 11-6 Example IPsec Configuration to Authenticate All Data From Network 134.56.0.0
#
# Authenticate 134.56.x.x
# Allow any authentication scheme
#
{
    daddr 134.56.0.0 # Network address
    dmask 0xffff0000
}
permit
{
    auth_algs any
}
Code 11-7 specifies that all traffic sent to hostB from hostA be encrypted using DES encryption.
Code 11-7 Example IPsec Configuration to Encrypt Data
#
# Protect the outbound TCP traffic between machines
# using ESP and use DES algorithm.
#
{
    saddr hostA
    daddr hostB
    ulp tcp # only TCP datagrams.
} apply {
    encr_algs DES # Use DES to encrypt
    SA shared # Use shared SA
}
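The policy syntax and the parsing rules above, worked through as an added example (this is not Sun's ipsecconf and not code from the course): a Python parser for the {patterns} action {properties} form that accepts both the multi-line layout of Code 11-5 and the one-line layout of Code 11-7, plus a ranker applying the stated precedence (bypass first, ESP and AH together strongest, ESP over AH, otherwise file order) to pick the policy that governs a sample datagram. The sample policy text, the 192.168.0.x addresses and the datagram's direction field are constructed for the example.

```python
"""Parser and precedence ranker for the ipsecconf policy syntax.

Added example, not Sun's ipsecconf.  The ordering in precedence_key() is this
example's reading of the rules in the text: bypass first, then the stronger
protection level (ESP+AH > ESP > AH), then the order in the file.
"""
import ipaddress
import re

# One policy: {patterns} action {properties}; a brace group may span several lines.
ENTRY_RE = re.compile(r"\{([^}]*)\}\s*(apply|permit|bypass)\s*\{([^}]*)\}")

# Constructed sample policy file (the 192.168.0.x hosts are made up).
SAMPLE_POLICY = """
#
# Encrypt and authenticate data from 192.168.0.1 to 192.168.0.2 (Code 11-5 layout)
#
{
    saddr 192.168.0.1
    daddr 192.168.0.2
}
permit
{
    encr_algs 3DES
    encr_auth_algs SHA1
}
# Authenticate anything for 134.56.x.x (Code 11-6 layout)
{ daddr 134.56.0.0 dmask 0xffff0000 } permit { auth_algs any }
# AH plus ESP, later in the file: outranks the ESP-only policy above
{saddr 192.168.0.1 daddr 192.168.0.2} permit {auth_algs MD5 encr_algs DES}
# bypass has the highest precedence whatever its position
{saddr 192.168.0.1 daddr 192.168.0.2 dport 53} bypass {}
# outbound TCP protected with ESP (Code 11-7 layout)
{saddr 192.168.0.1 daddr 192.168.0.2 ulp tcp} apply {encr_algs DES SA shared}
"""

def _pairs(body):
    """Turn 'saddr 1.2.3.4 daddr 5.6.7.8' into a dict; names are lower-cased."""
    toks = body.split()
    if len(toks) % 2:
        raise ValueError("not name-value pairs: %r" % body)
    return {toks[i].lower(): toks[i + 1] for i in range(0, len(toks), 2)}

def parse_policy(text):
    """Parse policy text into dicts with index, patterns, action and properties."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [{"index": i, "patterns": _pairs(m.group(1)), "action": m.group(2),
             "properties": _pairs(m.group(3))}
            for i, m in enumerate(ENTRY_RE.finditer(stripped))]

def strength(policy):
    """0 = no protection, 1 = AH only, 2 = ESP only, 3 = ESP and AH (strongest)."""
    props = policy["properties"]
    esp = "encr_algs" in props or "encr_auth_algs" in props
    return (2 if esp else 0) + (1 if "auth_algs" in props else 0)

def precedence_key(policy):
    """Sort key: bypass first, then strongest protection, then file order."""
    return (0 if policy["action"] == "bypass" else 1, -strength(policy), policy["index"])

def _addr_matches(pattern, mask, value):
    """Compare a pattern address with a datagram address under an optional mask."""
    try:
        want, got = int(ipaddress.IPv4Address(pattern)), int(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        return pattern == value  # host names compare literally
    if mask is None:
        bits = 0xFFFFFFFF
    elif mask.lower().startswith("0x"):
        bits = int(mask, 16)  # hexadecimal mask, e.g. 0xffff0000
    else:
        bits = int(ipaddress.IPv4Address(mask))  # dotted mask, e.g. 255.255.0.0
    return (want & bits) == (got & bits)

def matches(policy, dgram):
    """True if the policy's patterns and direction apply to the datagram dict."""
    act, pat = policy["action"], policy["patterns"]
    if (act == "apply" and dgram["direction"] != "out") or \
       (act == "permit" and dgram["direction"] != "in"):
        return False  # apply is outbound only, permit is inbound only
    if "saddr" in pat and not _addr_matches(pat["saddr"], pat.get("smask"), dgram["saddr"]):
        return False
    if "daddr" in pat and not _addr_matches(pat["daddr"], pat.get("dmask"), dgram["daddr"]):
        return False
    if "ulp" in pat and pat["ulp"].lower() != dgram.get("ulp", "").lower():
        return False
    return "dport" not in pat or str(pat["dport"]) == str(dgram.get("dport", ""))

def select_policy(policies, dgram):
    """Highest-precedence matching policy, or None if no policy covers the datagram."""
    cands = [p for p in policies if matches(p, dgram)]
    return min(cands, key=precedence_key) if cands else None

if __name__ == "__main__":
    for p in sorted(parse_policy(SAMPLE_POLICY), key=precedence_key):
        print(p["index"], p["action"], "strength", strength(p), p["patterns"])
```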
Security Considerations With IPsec
The security of IPsec can be compromised if intruders have access to the configuration file. Follow these guidelines to use IPsec securely:
• Do not transport the file in plain text over the network.
• Do not mount the file on an NFS file system.
• Ensure that the policies are in force before starting any communication.
• Do not change policies in the middle of a communication.
• Names are not trustworthy if your naming system is compromised and the host source address is known. Use the IP address instead.
• Use AH and ESP together to provide the highest level of security.
• If any host using IPsec is compromised, all IPsec configurations must be regenerated.
• Impractical for large numbers of hosts: 10 hosts require 110 keys for ESP alone.
Using the SunScreenSKIP Utility
Besides IPsec, the Solaris OE offers another utility that you can use effectively to protect network protocols: SKIP. SKIP is bundled with SunScreen Secure Net 3.0 and SunScreen Lite; it can also be obtained as a separate standalone product.
The SKIP utility builds an encrypted channel between two hosts, and authenticates every network packet using an authentication algorithm. It is especially useful between local hosts that are not located behind a firewall. Administrators like using SunScreen SKIP because it is easy to add and remove systems, and to turn encryption and authentication off and on without major network alterations.
SKIP runs a kernel process on each host that can be visualized as residing between the network interface of the host system and the IP software layer. SKIP intercepts data packets and performs encryption and authentication in the transmission and reception processes, making the packet unreadable to someone monitoring the devices.
Configuring the SKIP Utility
Install the SKIP cluster on each workstation that will use it. This cluster consists of the following packages:
• SUNWbdc SKIP Bulk Data Crypt 1.5 Software
• SUNWbdcx SKIP Bulk Data Crypt (64-bit) 1.5 Software
• SUNWrc2 SKIP RC2 Crypto Module 1.5 Software
• SUNWrc4 SKIP RC4 Crypto Module 1.5 Software
• SUNWrc4x SKIP RC4 Crypto Module (64-bit) 1.5 Software
• SUNWes SKIP End System 1.5-FCS Software
• SUNWesx SKIP End System 1.5-FCS (64-bit) Software
• SUNWkeymg SKIP Key Manager Tools 1.5 Software
• SUNWkisup SKIP I-Support Module 1.5 Software
• SUNWsman SKIP I-Man page Module 1.5 Software
Before the network interface device can be modified for SKIP, you must generate a unique key pair (two independent codes) for every host that will run SKIP on the network. This is done using the skiplocal command with the keygen argument. This command prompts you to enter 50 or more random characters as input to the program to ensure that the algorithm generates a unique key pair.
Prior to using the SKIP Local ID database, you must initialize it under the /etc/skip directory using:
# skiplocal -i
Code 11-8 shows an example SKIP key generation.
Code 11-8 Example SKIP Key Generation
# skiplocal -k
generating local secret with 512 modulus size
It would help the quality of the random numbers if you would
type 50-100 random keys on the keyboard. Hit return when
you are done. < 50 or more random keystrokes are entered here>
52 <
Format: Hashed Public Key (MD5)
Name/Hash: 5b 50 28 e7 7c ea 9b 13 06 dd 01 d3 59 89 7f 0d
Not valid Before: Mon Jun 22 18:00:00 1998
Not valid After: Sun Jun 22 18:00:00 2003
g: 2
p:
f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fabd00a509b0
2463083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f
public key:
795195d7b0e80a357945f1d1c9c60bae8fb50ec64b84cb26554a81f149e7bbd672bd272a5
e6f4a1d9591f704f1b022ce873e790da5135c7cd02ed4c93a7322b
Added local identity slot 0
This example creates a unique key pair for this host. Repeat this process
on every host that will be running SKIP.
To list the existing key pairs, use the skiplocal command with the list
argument. The following text indicates that a single key pair was
generated. There would be an additional listing if there were more than
one device with a SKIP key pair.
# skiplocal -l
Local ID Slot Name: 0 Type: Software Slot
NSID: 8 MKID (name): 5b5028e77cea9b1306dd01d359897f0d
Not Valid Before: Mon Jun 22 18:00:00 1998
Not Valid After: Sun Jun 22 18:00:00 2003
Modulus size: 512 bits
When you have a key pair defined and can list it using the skiplocal list command, you must update the system with the skipif -a command and boot the system. This must be done on all systems running SKIP.
# skipif -a
# init 6
Before rebooting, you should save the current ACL, otherwise its setting is not preserved across reboots. Use the skipif command with the -s flag to save the SKIP status.
# skipif -s
Working With SKIP
After the system has been rebooted, you build the encrypted channel. This requires the exchange of keys between the two hosts so that the channel is built between them. The skiplocal export command outputs the key in a format that is perfect for either cutting and pasting to the command line, or for sending to another user using email. One of the easiest ways to do this on a single terminal is to log in remotely from one host to another, and cut and paste the key from one window to another. Code 11-9 shows how to list a SKIP key.
Code 11-9 Listing a SKIP Key
# skiplocal -x
skiphost -a grommit -R 0x9864c2c14ed58510173da60b52739b59 -r 8 -s 8 -k des-cbc -t rc2-40 -m md5
The output from the skiplocal -x command can be cut and pasted into a shell window on the remote host, as shown in Code 11-10.
Code 11-10 Setting a SKIP Key (From Another Host)
# skiphost -a grommit -R 0x9864c2c14ed58510173da60b52739b59 -r 8 -s 8 -k des-cbc -t rc2-40 -m md5
Adding metz: SKIP params:
IP mode: tunneling
Tunnel address: grommit
Kij alg: DES-CBC
Crypt alg: RC2-40
MAC alg: MD5
Receiver NSID: MD5 (DH Pub.Value)
Receiver key id: 0x9864c2c14ed58510173da60b52739b59
Sender NSID: MD5 (DH Pub.Value)
...done.
When the keys have been exchanged, both hosts must enable SKIP to communicate. To enable SKIP for encrypted transmission, use the skiphost command with the -o option, followed by the on flag, as shown in Code 11-11.
Code 11-11 Enabling SKIP for Encrypted Transmissions
# skiphost -o on
hme0: access control enabled, only authorized SKIP hosts can connect
grommit: SKIP params:
IP mode: tunneling
Tunnel address: grommit
Kij alg: DES-CBC
Crypt alg: RC2-40
MAC alg: MD5
Receiver NSID: MD5 (DH Pub.Value)
Receiver key id: 0x8a4d51e02683c8952c1c5693d9b32596
Sender NSID: MD5 (DH Pub.Value)
Sender key id: 0x9864c2c14ed58510173da60b52739b59
To disable SKIP use:
# skiphost -o off
Using Clear Text
You might not want to always use encrypted communications with every system, for example, DNS and mail servers. The clear text entry enables all hosts to communicate in clear text unless otherwise specified.
# skiphost -a default
Exercise: Configuring and Using IPsec
In this exercise, you complete the following tasks:
• Configure IPsec for TCP communications between two hosts
• Restrict access to authenticated hosts
Preparation
You must install the Solaris OE security enhancements for cryptography before using IPsec. This is described in the first task of these exercises.
Tasks
For the purposes of this exercise you will work in pairs to configure encryption between your workstation and your partner's workstation. Next, you will configure IPsec to authenticate connections from your partner's workstation.
Ensure that you know the IP address of your workstation and your partner's workstation. For convenience, the tasks refer to hosts A and B: make sure that you agree as to whose workstation is hostA and whose is hostB before you start the tasks.
You are not required to finish all of the tasks in the time allocated. Complete the final task and flush the IPsec configurations and keys from the system, or reboot the system. Your instructor will give you time to do this.
Caution: Remove the IPsec configuration as described in the last task when you have finished. If you do not disable IPsec, it will prevent you from completing the other tasks in this course.
Task Configuring IPsec
Before using IPsec, you must install some of the Sun Security enhancements packages. These can be downloaded from the Sun Web site shown in Additional Resources on page 11-3. For your convenience, a copy of the security enhancements has been placed in the /usr/local/pkg/Sol8_encryption_sparc.tar archive.
To configure IPsec, install the Sun Cryptography packages and create an empty IPsec configuration file in the /etc/inet directory:
1. Extract the contents of this archive to the temporary directory and then install the following packages from the /tmp/sparc/Packages subdirectory:
• SUNWcry
• SUNWcry64
• SUNWcryr
• SUNWcryrx
2. Create an empty file called /etc/inet/ipsecinit.conf, which enables the IPsec configuration:
# touch /etc/inet/ipsecinit.conf
3. Reboot the system to enable IPsec:
# init 6
Task Configuring IPsec Encryption
In this task, you configure IPsec encryption on two workstations and use it to communicate using the telnet command. Working with a colleague, you share encryption keys and work together to implement the steps in the correct order on the two systems. If you have any confusion, discuss this with your instructor:
1. Run ipsecconf with no command line options. You should see no output. If you see an error message, you have not enabled IPsec as described in Task Configuring IPsec. If you see any output, type the following commands to remove any IPsec configurations on your system.
# ipseckey flush
# ipsecconf -f
2. With your partner, agree on two SPI numbers: one for each direction of communication between your two workstations. Your SPI numbers must not have already been used in your IPsec key configuration and must be different from each other. Write your numbers down here:
spi1 hostA to hostB: _______________________
spi2 hostB to hostA: _______________________
3. Choose two 16-digit numbers to use as keys for the DES encryption. Any value can be used. Write the encryption keys down here:
DES key1 hostA: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
DES key2 hostB: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
4. Edit a new file called /etc/inet/esp.keys and add the following lines. Both workstations use identical key files:
add esp spi spi1 src hostA dst hostB \
encralg des encrkey key1
add esp spi spi2 src hostB dst hostA \
encralg des encrkey key2
5. Add the IPsec keys on your machine with:
# ipseckey -f /etc/inet/esp.keys
6. Create a new configuration file called /etc/inet/esp.conf containing the following lines. Each workstation needs a different configuration file. Replace the values thisHost and otherHost with the appropriate IP addresses of your workstations.
{saddr thisHost daddr otherHost ulp tcp} apply {encr_algs DES sa shared}
{saddr otherHost daddr thisHost ulp tcp} permit {encr_algs DES}
7. Add these configuration rules with:
# ipsecconf -a /etc/inet/esp.conf
8. Start the snoop utility in a separate window to monitor traffic between your two hosts, and use the -v option so that you can see the snoop utility detect the encrypted datagrams:
# snoop -v hostA and hostB
9. Use the telnet command to verify that you can still communicate between your hosts with the IPsec policy installed and that the data packets are now encrypted.
10. Verify that you can use the telnet command to log in to another workstation (such as the instructor's) and that this communication is unencrypted.
Task Configuring IPsec Authentication
In this task, you configure IPsec authentication on your system and use it to communicate with a colleague using the telnet command:
1. With your partner, agree on two SPI numbers: one for each direction of communication between your two workstations. Your SPI numbers must not have already been used in your IPsec key configuration and must be different from each other. Write your numbers down here:
spi3 hostA to hostB: _______________________
spi4 hostB to hostA: _______________________
2. Choose two 32-digit numbers to use as keys for the MD5 authentication. Any value can be used. Write the authentication keys down here:
MD5 key3 hostA: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
MD5 key4 hostB: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
3. Edit a new file called /etc/inet/ah.keys and add the following lines. Both workstations use identical key files:
add ah spi spi3 src hostA dst hostB \
authalg md5 authkey key3
add ah spi spi4 src hostB dst hostA \
authalg md5 authkey key4
4. Add the IPsec keys on your machine with:
# ipseckey -f /etc/inet/ah.keys
5. Create a new configuration file called /etc/inet/ah.conf containing the following lines. Each workstation needs a different configuration file. Replace the values thisHost and otherHost with the appropriate IP addresses of your workstations.
{saddr thisHost daddr otherHost} apply {auth_algs any sa shared}
{saddr otherHost daddr thisHost} permit {auth_algs any}
6. Add these configuration rules with:
# ipsecconf -a /etc/inet/ah.conf
7. If the snoop utility is not running from the previous task, start the snoop utility in a separate window to monitor traffic between your two hosts, and use the -v option so that you can see the snoop utility detect the authenticated datagrams:
# snoop -v net hostA and net hostB
8. Use the telnet command to verify that you can still communicate between your hosts with the IPsec authentication policy installed. You should see that the packets are authenticated in the snoop output window.
9. Verify that you can use the telnet command to log in to another workstation (such as the instructor's) and that this communication is unauthenticated.
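The ESP and AH key-file steps above share the same ipseckey statement shape, so one added check serves both tasks. This is example code, not part of the course materials: it parses the "add esp|ah spi N src A dst B ..." statements (including backslash-continued lines) and reports the mistakes the steps and the earlier security considerations warn about: a reused SPI, a key of the wrong length for its algorithm, host names instead of IP addresses, and a missing reverse-direction SA. The sample files, addresses, SPIs and keys are constructed; the key-length table is this example's own (algorithm key size in bits divided by 4).

```python
"""Lint for the ipseckey 'add esp|ah ...' key files used in the exercise.

Added example, not part of the course.  Reports a reused SPI, a key of the
wrong length for its algorithm, host names instead of IP addresses, and a
missing reverse-direction SA.  Sample files, addresses, SPIs and keys are
constructed.
"""
import ipaddress

# Key length per algorithm in hex digits (key size in bits / 4): this example's table.
KEY_HEX_LEN = {"des": 16, "3des": 48, "md5": 32, "sha1": 40}
HEX = set("0123456789abcdefABCDEF")

# Constructed: the shape of the exercise's esp.keys and ah.keys merged into one file.
GOOD_KEYS = """\
add esp spi 20 src 192.168.0.1 dst 192.168.0.2 \\
    encralg des encrkey 1234567890123456
add esp spi 21 src 192.168.0.2 dst 192.168.0.1 \\
    encralg des encrkey 6543210987654321
add ah spi 22 src 192.168.0.1 dst 192.168.0.2 \\
    authalg md5 authkey 12345678901234567892123456789312
add ah spi 23 src 192.168.0.2 dst 192.168.0.1 \\
    authalg md5 authkey 21398765432129876543210987654321
"""

# Constructed: host names, a reused SPI, a short key and a one-way AH SA.
BAD_KEYS = """\
add esp spi 20 src hostA dst hostB encralg des encrkey 1234567890123456
add esp spi 20 src hostB dst hostA encralg des encrkey 12345
add ah spi 30 src 192.168.0.1 dst 192.168.0.2 authalg md5 authkey 0123456789abcdef0123456789abcdef
"""

def _statements(text):
    """Strip comments and join backslash-continued lines into whole statements."""
    out, buf = [], ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out

def parse_key_file(text):
    """Parse 'add esp|ah spi N src A dst B <alg> <key>' statements into dicts."""
    entries = []
    for stmt in _statements(text):
        toks = stmt.split()
        if len(toks) < 2 or toks[0] != "add" or len(toks) % 2:
            raise ValueError("unrecognised statement: %r" % stmt)
        entry = {"proto": toks[1].lower()}
        for i in range(2, len(toks), 2):
            entry[toks[i].lower()] = toks[i + 1]
        entries.append(entry)
    return entries

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_key_file(text):
    """Return (statement number, message) findings; an empty list means clean."""
    findings, seen_spi, pairs = [], {}, set()
    for n, e in enumerate(parse_key_file(text), 1):
        proto = e["proto"]
        alg_f, key_f = ("encralg", "encrkey") if proto == "esp" else ("authalg", "authkey")
        missing = [f for f in ("spi", "src", "dst", alg_f, key_f) if f not in e]
        if missing:
            findings.append((n, "missing %s" % ", ".join(missing)))
            continue
        # SPIs must be unique within a protocol and differ per direction
        if (proto, e["spi"]) in seen_spi:
            findings.append((n, "spi %s already used by statement %d"
                             % (e["spi"], seen_spi[(proto, e["spi"])])))
        seen_spi.setdefault((proto, e["spi"]), n)
        # names are only as trustworthy as the naming service: require IP literals
        for f in ("src", "dst"):
            if not _is_ip(e[f]):
                findings.append((n, "%s %r is a name, not an IP address" % (f, e[f])))
        alg, key = e[alg_f].lower(), e[key_f]
        want = KEY_HEX_LEN.get(alg)
        if want is None:
            findings.append((n, "unknown %s %r" % (alg_f, alg)))
        elif len(key) != want or not set(key) <= HEX:
            findings.append((n, "%s for %s must be %d hex digits" % (key_f, alg, want)))
        pairs.add((proto, e["src"], e["dst"]))
    # each direction is keyed separately: a one-way SA leaves the replies unprotected
    for proto, src, dst in sorted(pairs):
        if (proto, dst, src) not in pairs:
            findings.append((0, "%s has no reverse SA for %s -> %s" % (proto, dst, src)))
    return findings
```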
Task Authenticating All Hosts With IPsec
Configure IPsec to allow only specific hosts to communicate with your workstation:
1. Examine the IPsec authentication configuration you have set up. How would you change the authentication rules to only allow authenticated hosts to communicate with your host (for example, bar all non-authenticated hosts)?
2. Create a new configuration file and test your ideas. You must remove the existing configuration with:
# ipsecconf -f
Task Using IPsec AH and ESP With All Hosts
If you completed the previous task, consider how you would extend your solution to encrypt as well as authorize all host communication. You must remove the existing configuration with:
# ipsecconf -f
Task Removing IPsec
Remove the IPsec configuration so that it does not interfere with the exercises in future modules of this course, as follows:
1. When you have finished these tasks, make sure that you remove all IPsec keys and configuration rules using:
# ipseckey flush
# ipsecconf -f
2. Optionally, you can remove the IPsec initialization le and reboot
your workstation:
# rm /etc/inet/ipsecinit.conf
# init 6
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
• Experiences
• Interpretations
• Conclusions
• Applications
Exercise Solutions
The following are the solutions for the tasks defined in the preceding section.
Because most of the task steps are actually instructions, solutions are only given below where an explicit question has been asked. If you have questions about any of the other steps, consult the instructor.
Configuring IPsec
Before using IPsec, you must install some of the Sun Security enhancements packages. These can be downloaded from the Sun Web site shown in Additional Resources on page 11-3. For your convenience, a copy of the security enhancements has been placed in the /usr/local/pkg/Sol8_encryption_sparc.tar archive.
1. Extract the contents of this archive to the temporary directory and then install the following packages from the /tmp/sparc/Packages subdirectory:
• SUNWcry
• SUNWcry64
• SUNWcryr
• SUNWcryrx
# cd /tmp
# tar xvf /usr/local/pkg/Sol8_encryption_sparc.tar
# cd sparc/Packages
# pkgadd -d SUNWcry
# pkgadd -d SUNWcry64
# pkgadd -d SUNWcryr
# pkgadd -d SUNWcryrx
2. Create an empty file called /etc/inet/ipsecinit.conf, which enables the IPsec configuration.
# touch /etc/inet/ipsecinit.conf
3. Reboot the system to enable IPsec:
# init 6
Configuring IPsec Encryption
1. Your configuration files should look something like the following (assuming the host IP addresses are 192.168.0.1 and 192.168.0.2).
# cat /etc/inet/esp.keys
add esp spi 20 src 192.168.0.1 dst 192.168.0.2 \
encralg des encrkey 1234567890123456
add esp spi 21 src 192.168.0.2 dst 192.168.0.1 \
encralg des encrkey 6543210987654321
#
# cat /etc/inet/esp.conf
{saddr 192.168.0.1 daddr 192.168.0.2} apply {encr_algs any sa shared}
{saddr 192.168.0.2 daddr 192.168.0.1} permit {encr_algs any}
Configuring IPsec Authentication
Your configuration files should look something like the following (assuming the host IP addresses are 192.168.0.1 and 192.168.0.2).
# cat /etc/inet/ah.keys
add ah spi 22 src 192.168.0.1 dst 192.168.0.2 \
authalg md5 authkey 12345678901234567892123456789312
add ah spi 23 src 192.168.0.2 dst 192.168.0.1 \
authalg md5 authkey 21398765432129876543210987654321
#
# cat /etc/inet/ah.conf
{saddr 192.168.0.1 daddr 192.168.0.2} apply {auth_algs any sa shared}
{saddr 192.168.0.2 daddr 192.168.0.1} permit {auth_algs any}
Authenticating All Hosts With IPsec
1. Examine the IPsec authentication configuration you have set up. How would you change the authentication rules to only allow authenticated hosts to communicate with your host (for example, bar all non-authenticated hosts)?
2. Create a new configuration file and test your ideas.
3. Edit the AH configuration rules to remove the references to the other workstation: remove the daddr option from the apply line and the saddr option from the permit line. All incoming and outgoing communication will be authenticated. No access to unauthenticated hosts is allowed. You can test this by trying to use the telnet command to log in to another workstation such as the instructor's machine. The Telnet session will not connect and will eventually time out.
Your IPsec configuration file will look like:
# cat /etc/inet/all.conf
{saddr 192.168.0.1} apply {auth_algs any sa shared}
{daddr 192.168.0.1} permit {auth_algs any}
Using IPsec AH and ESP With All Hosts
1. If you completed the previous task, consider how you would extend your solution to encrypt as well as authorize all host communication.
2. Add an encryption rule to your configuration file so that it looks something like:
# cat /etc/inet/all.conf
{saddr 192.168.0.1} apply {auth_algs any encr_algs any sa shared}
{daddr 192.168.0.1} permit {auth_algs any encr_algs any}
Removing IPsec
There are no solutions for this task.
Module 12
Analyzing Network Services
Objectives
Upon completion of this module, you should be able to:
• Apply Security Administrator's Integrated Network Tool (SAINT) to improve network security
• Install SAINT and launch probes using the SAINT graphical user interface
• Configure SAINT using the configuration file
• Interpret SAINT reports
• Use the Courtney scanning tool to detect SAINT-type attacks
Relevance
Discussion: System administration of network services is a complex task. It is easy to inadvertently leave security holes when changing network configurations. Network service probes such as SAINT can identify security holes.
• Given that SAINT was originally a hacker tool, how safe is it to use it on a production network?
• Is it better to use a prewritten tool like SAINT or to write an analytical suite of tools tailored to your own network?
Additional Resources
The following references provide additional information on the topics described in this module:
• Solaris OE manual pages.
• Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O'Reilly & Associates, Inc., 1996.
• Comparison article of the capabilities of various scanners, Network Computing online at http://www.networkcomputing.com/1201/1201f1b1.html
• SAINT online documentation, available at http://www.wwdsi.com/saint/saint_documentation_2.html
Tool Downloads
• SAINT: http://www.wwdsi.com/saint/
• Courtney: http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney
• openssl for Solaris OE, required by tcpdump: http://www.sunfreeware.com
• libpcap for Solaris OE, required by tcpdump: http://www.sunfreeware.com
• tcpdump for Solaris OE, required by SAINT: http://www.sunfreeware.com
Applying SAINT to Improve Network Security
Tools are available to probe system network services and to determine whether these services are configured in a secure way. You can use various tools to analyze different aspects of the network. The most complete tool is called the Security Administrator's Integrated Network Tool (SAINT).
SAINT is the second generation version of the System Administrator's Tool for Analyzing Networks (SATAN) network probe and has been widely used by intruders to detect weaknesses in network configurations. SAINT can be a very effective tool for the administrator.
SAINT consists of a suite of Perl modules that provide an interface into a Web browser. The tool has the low-level capabilities of Perl combined with an easy-to-use, thin client interface. In fact, SAINT is so easy to use that it can be a real menace in the hands of external parties wanting to probe a network for weaknesses.
Caution: Virtually all Internet Service Providers (ISPs), and many public networks, absolutely prohibit the use of any network probes or other analytical utilities without prior written permission. Punishment for infringement is stringent (usually a permanent removal of access privileges). Before using SAINT, ensure that you have documented permission to analyze the targeted network.
Assessing the Capabilities of SAINT
SAINT operates by running standard Solaris OE utilities (called probes) in certain, predefined ways. The information SAINT obtains is then logged to a datastore and displayed in the form of SAINT reports. All of this could be done manually, but SAINT's advantage is that it is automatic and predefined. Because SAINT is a next generation tool, it offers significant advantages over SATAN's user interface, but still shares the primary aim, which is to detect potential security flaws (usually incorrectly set up or configured services). Because SAINT discovers security flaws in the target systems, it can also find systems attached to the target. These systems can also be probed and an entire network analyzed.
Certain security problems are well-known and documented. That means that these security problems can be specifically looked for in the target system. These reports from SAINT are especially useful.
SAINT's strength is that the information gathered can be reported in HTML format. In addition, a number of add-in tools can obtain additional value from SAINT output. Some of these tools are freeware, while others are commercial products. SAINT can then use these tools to report on this data or use a simple rule-based system to investigate any potential security problems.
While SAINT is primarily designed for analyzing the security implications of the results, you can also obtain lots of general network information when using the tool, including network topology, network services, and types of hardware and software being used on the network.
Comparing SAINT and SATAN
SATAN is an earlier generation tool. Like SAINT, SATAN can examine network services such as finger, Network File Service (NFS), Network Information Service (NIS+), ftp, tftp, and rexecd.
SATAN was written by Dan Farmer and Wietse Venema. It gained a reputation as a hacking tool, partly because of the offensive name. Later, SATAN became respectable. To mitigate some of the uproar surrounding its name, a repent script was created that would rename the tool to SANTA (Security Analysis Network Tool for Administrators), while retaining the functionality.
SAINT is more advanced and has much better reporting than SATAN.
Installing and Using SAINT
SAINT requires you to install the tcpdump utility on the system using
SAINT. The tcpdump utility can be downloaded from the Sun Freeware
site at http://www.sunfreeware.com.
You can obtain SAINT by downloading the source or binaries at World
Wide Digital Security Inc.:
http://www.wwdsi.com/saint/.
Follow these steps to install SAINT:
1. Download the latest version of SAINT (normally a zipped TAR archive).
2. Unzip the file and extract the archive (the archive contains a subdirectory named after the version of SAINT).
3. Read the instructions in the README file in the SAINT subdirectory. With version 3.2 of SAINT, you must run the following commands from the SAINT directory:
# ./configure
# make
# make install
This builds the SAINT executable in the current directory.
Note – SAINT supports two different procedures for configuring and compiling the software. The newer procedure uses the configure script. The older method uses the makefile utility. However, the makefile utility is less convenient and is not presented here.
Understanding How SAINT Works
SAINT runs standard components which probe a system to see if it is vulnerable to certain types of attack. A configuration file can preconfigure SAINT. You can change the options at run-time using the Web interface, as presented in Installing and Using SAINT on page 12-8, but the application settings are managed by a Perl configuration file.
SAINT defines what it detects as attacks. However, these should more properly be called analyses because they do not actually attack anything. You can configure the way in which the analysis is made, the scope (how wide an analysis is made), and the attack level.
Warning – Certain SAINT options are dangerous and can cause major network problems. Do not change any configurations unless you are sure of what you are changing.
Using the SAINT Graphical User Interface
SAINT has an easy-to-use graphical user interface (GUI). The SAINT engine reads the configuration file (described in Configuring SAINT on page 12-21) to provide default values, but these can be changed at run-time through the SAINT Control Panel. The SAINT Control Panel leads you through a sequence of steps to ensure that SAINT has the required information before it begins probing. Default information is based on the saint.cf file.
On startup, SAINT presents a menu form in your default browser as
shown in Figure 12-1.
Figure 12-1 SAINT Startup Screen
Use the images on the left side of the form to congure various aspects of
SAINT. The options are:
SAINT home: Selects the startup screen
Data Management: Selects the SAINT database for storing data
Target Selection: Selects the hosts which will be analyzed
Data Analysis: Displays the results of running the SAINT analysis
Configuration Management: Selects the attack level and other parameters
Documentation: Provides HTML documentation for configuring and using SAINT
Troubleshooting: Provides help with common SAINT problems
Defining SAINT Data Management
SAINT obtains considerable amounts of data from the network it is probing. The SAINT database stores this data so that it can be analyzed. You can define which file is used as shown in Figure 12-2.
Figure 12-2 Defining Where the Data Obtained by SAINT Is Stored
Setting SAINT Target Selection
Host names can be entered directly or, in the case of multiple hosts, from a prewritten configuration file, as shown in Figure 12-3.
Figure 12-3 Entering the Names of Hosts to Probe
Defining the Level of Attack
The level of attack governs how many and what type of probes are used against a host. Configuring SAINT on page 12-21 describes attack levels in detail. You can set the attack level in the GUI as shown in Figure 12-4.
Microsoft Windows NT machines have certain special scans associated with them because Microsoft Windows NT makes shared ports available as part of its networking strategy. This strategy makes such machines especially vulnerable to attack.
Figure 12-4 Setting the Scanning Level
Allowing for Firewalls
SAINT must know if there is a firewall, because firewalls block certain packets. If SAINT does not know about the firewall, then any machines hidden behind the firewall are invisible. You can indicate whether the host you are scanning is behind a firewall, as shown in Figure 12-5.
Figure 12-5 Allowing for Firewalls
When you have reached the screen shown in Figure 12-5, you can begin a
scan.
Running a SAINT Scan
To run a scan, click Start the Scan on the Target Selection screen. See
Figure 12-5 on page 12-17 for a detailed view. This button initiates the
scan, which takes less than a minute for a light scan of a single host. A
heavy scan of a host takes several minutes, and more intensive scans
involving several hosts take much longer.
The first time SAINT runs, a warning screen appears as shown in Figure 12-6 on page 12-18.
Figure 12-6 SAINT Warning Message
Click on the browser Reload Page icon to start the vulnerability scan.
A status screen tracks the scan as it progresses. When the scan is
complete, the screen displays options for viewing the results of the scan as
shown in Figure 12-7.
Figure 12-7 SAINT Scan Complete
The SAINT data results page summarizes the results of the scan as shown
in Figure 12-8.
Figure 12-8 SAINT Data Analysis Results
Configuring SAINT
The central configuration of SAINT is based on the saint.cf file. The file is a Perl module which is loaded and interpreted when the SAINT system initializes. The file is divided into a number of sections, each controlling an aspect of the attacks to make.
The following rules help you to understand the file:
1. Lines starting with # are comments and are ignored.
2. Important lines have comments by them. Always read the comment. Remember that versions of software and meanings can change.
3. A value of 0 (zero) or null ("") usually means FALSE.
4. A value of 1 usually means TRUE.
The rest of this section discusses some of the more important features of the configuration file.
Setting the Attack Level
The attack level defines the extent to which SAINT attempts to infiltrate the target system (in other words, the exact level of the analysis to be carried out). The default is set to light (attack level 1). Light attacks are simple, quick, and largely non-intrusive. Because they are non-intrusive, they can be difficult to detect. They also provide less information than other attacks. Heavy attacks (level 2) are slow but gather more information. They are also fairly easy to detect after the attack has been made. Most intruders using SAINT start a probe using a light attack, then move to a higher level if they believe that the initial attack was undetected.
Any attack level greater than 2 can be dangerous. Attack levels greater than 2 can be so detailed, with such long time-outs, that the targeted system can crash.
Level 4 is a special attack level. This is not heavier than level 3, but
instead it deliberately analyzes a system to detect vulnerabilities on the
System Administration, Networking, and Security (SANS) list of the 10
most critical internet security threats (see
http://www.sans.org/topten.htm). Level 4 is potentially the most
useful analysis because it can be run repeatedly against a system to detect
if changes have been made that render the system open to a casual attack.
The attack level is determined by the setting of the $attack_level
variable, as follows:
# Default attack level (0=light, 1=normal, 2=heavy,
# 3=heavy+, 4=top10, 5=custom)
$attack_level = 0;
Configuring Probes by Attack Level
Each attack uses certain probes. Probes are the modules which run each attack. While the $attack_level variable determines which probes are run against a target to build the attack, you can change the probes which are run within that level. This means that the attacks are not fixed but can be reconfigured. However, you cannot configure all probes to run. If a probe has a question mark (?) appended to its name, it runs conditionally. This means that if the service for which the probe is designed is not running, then the probe does not run (for example, if the target machine is not running the NFS service, then the NFS probe does not run).
The probes are listed in the Probes by attack level section of the configuration file, as shown in Code 12-1.
Code 12-1 Probes by Attack Level
13 # Probes by attack level.
14 #
15 # ? Means conditional, controlled by rules.todo.
16 # * Matches anything.
17 @light = (
18 'dns.saint',
19 'ostype.saint',
20 'rpc.saint',
21 'showmount.saint?',
22 );
23
24 @normal = (
25 @light,
26 'finger.saint',
27 'tcpscan.saint 70,80,ftp,telnet,smtp,nntp,uucp,6000',
28 'udpscan.saint 53,177',
29 'rusers.saint?',
30 'boot.saint?',
31 'yp-chk.saint?',
32 );
33
34 @heavy= (
35 @light,
36 'finger.saint',
37 'rusers.saint?',
38 'boot.saint?',
39 'yp-chk.saint?',
40 $heavy_tcp_scan = 'tcpscan.saint 16660,27665, 65000,1-1525,1527-9999',
41 $heavy_udp_scan = 'udpscan.saint 27444,31335, 1-1760,1763-2050,32767-33500',
42 '*?',
43 );
In the @heavy scan section beginning on Line 34 there is an entry (on
Line 42) marked *?. That entry means that all probes not explicitly loaded
by the script are conditionally loaded.
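To make the two conventions concrete, the following is an added Python example, not SAINT's own code (which is Perl). It holds the probe lists of Code 12-1 as data and works out which probes would actually run at each level against a target that exposes a given set of services: a probe ending in ? runs only when its service is present, and the *? entry in @heavy conditionally adds every remaining probe. The set of available probe scripts and the probe-to-service mapping are constructed stand-ins for SAINT's probe directory and its rules.todo file.

```python
"""Resolve which SAINT probes run at a given attack level.

Added example, not SAINT's own code. The probe lists mirror Code 12-1; the
available-probe set and the probe-to-service mapping are constructed
assumptions standing in for SAINT's probe directory and rules.todo.
"""

LIGHT = ["dns.saint", "ostype.saint", "rpc.saint", "showmount.saint?"]
NORMAL = LIGHT + [
    "finger.saint",
    "tcpscan.saint 70,80,ftp,telnet,smtp,nntp,uucp,6000",
    "udpscan.saint 53,177",
    "rusers.saint?", "boot.saint?", "yp-chk.saint?",
]
HEAVY = LIGHT + [
    "finger.saint", "rusers.saint?", "boot.saint?", "yp-chk.saint?",
    "tcpscan.saint 16660,27665,65000,1-1525,1527-9999",
    "udpscan.saint 27444,31335,1-1760,1763-2050,32767-33500",
    "*?",   # every remaining probe, conditionally
]
LEVELS = {"light": LIGHT, "normal": NORMAL, "heavy": HEAVY}

# Constructed: probe scripts assumed to exist in the SAINT directory.
AVAILABLE_PROBES = {
    "dns.saint", "ostype.saint", "rpc.saint", "showmount.saint",
    "finger.saint", "tcpscan.saint", "udpscan.saint", "rusers.saint",
    "boot.saint", "yp-chk.saint", "nfs-chk.saint", "sendmail.saint",
}

# Constructed stand-in for rules.todo: the service a conditional probe
# must see on the target before it is run.
REQUIRED_SERVICE = {
    "showmount.saint": "nfs", "nfs-chk.saint": "nfs",
    "rusers.saint": "rusers", "boot.saint": "bootparam",
    "yp-chk.saint": "nis", "sendmail.saint": "smtp",
}


def parse_entry(entry):
    """Split an entry such as 'udpscan.saint 53,177?' into
    (script, arguments, conditional)."""
    conditional = entry.endswith("?")
    body = entry[:-1] if conditional else entry
    script, _, args = body.partition(" ")
    return script, args, conditional


def resolve_probes(level, running_services):
    """Return the probe command lines run at `level` against a target
    that exposes `running_services`.

    A conditional probe is skipped unless its required service is present
    (a conditional probe with no rule is skipped too). The '*?' entry
    conditionally adds every available probe not yet selected."""
    selected, seen = [], set()

    def consider(script, args, conditional):
        if script in seen:
            return
        if conditional and REQUIRED_SERVICE.get(script) not in running_services:
            return
        seen.add(script)
        selected.append(script + (" " + args if args else ""))

    for entry in LEVELS[level]:
        script, args, conditional = parse_entry(entry)
        if script == "*":
            for extra in sorted(AVAILABLE_PROBES - seen):
                consider(extra, "", True)
        else:
            consider(script, args, conditional)
    return selected


if __name__ == "__main__":
    for lvl in LEVELS:
        print(lvl, "->", resolve_probes(lvl, {"nfs", "smtp"}))
```

Running it shows that a heavy scan of a host offering only NFS and SMTP picks up nfs-chk.saint and sendmail.saint through the *? entry but never runs the rusers, boot or yp-chk probes, which is the behaviour the question mark is meant to give.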
Setting the Level of Password Guessing
SAINT can test the suitability of various passwords on the system. That is, it can detect the following unsuitable entries:
• A null password
• A password which is the same as a login name
• The word password
• The login name spelled backwards
• The login name followed by the digit 1
The password guessing section of the configuration file is shown in Code 12-2 on page 12-26.
Code 12-2 Password Guessing
# Number of passwords to guess for each account
# identified by rusers or finger. Greater than 2
# will lock out accounts on some systems.
# 0 disables password guessing.
$password_guesses = 2;
Caution – Some systems lock out accounts if the number of password guesses exceeds a preset number (usually 3). If this is the case with your system, set $password_guesses lower than the lockout value or SAINT causes user lockouts.
Setting Time-Outs
You might need to specify a time-out for certain probes. Time-outs prevent probes from unnecessarily locking up system resources or crashing the system when the probe fails to obtain a response from the target system. Time-outs are managed by a section in the configuration file. To specify time-outs:
1. Specify the general (implicit) time-out to be used this way:
# which timeout to use (0=short, 1=med, 2=long)
$timeout = 1;
2. Specify an explicit time-out by using lines designated to specic
services:
$nfs_chk_timeout = $long_timeout;
$snmp_timeout = 120;
Determining Values for Proximity Variables
Proximity variables refer to how far the current target is from the original SAINT probe target.
Note – Proximity variables are the most important configuration variables in the SAINT system. Setting a state to more than 3 can cause multiple problems in terms of limiting the extent of the attack, network traffic generated, and log information generated.
When you determine the required proximity level, use the value of 0 to indicate the initial target host. Machines adjacent to the target host have a value of 1. Machines adjacent to those hosts have a value of 2, and so on. Therefore, if the maximum proximity level is set to 1, then the target host and any hosts adjacent to the target host are probed. The number of hosts that SAINT scans can grow exponentially if you increase $max_proximity_level without carefully thinking about the attack plan. Code 12-3 shows the proximity variable section of the configuration file.
Code 12-3 Setting the Proximity Variable
# Proximity variables; how far out do we attack,
# does severity go down, etc.
#
# how far out from the original target do we attack?
$max_proximity_level = 0;
You should reduce the strength of the attack as the attack propagates farther from the initial target system. This practice reduces the chance of bringing an entire network to a standstill by inadvertent probing. To reduce the strength of the attack, change the proximity descent variable in this section of the configuration file as shown in Code 12-4.
Code 12-4 Reducing the Strength of the Attack
# Attack level drops by this much each
# proximity level change
$proximity_descent = 1;
Using a setting like that shown in Code 12-4 reduces the attack level variable by 1 for each successive layer of hosts beyond the initial target host. However, this does not apply when the attack level is set to 4 (SANS top 10). When the attack level is set to 4, the level always stays the same.
Note – For more detailed information on configuration file settings, see the SAINT documentation on the saint.cf file (online at http://www.wwdsi.com/cgi-bin/doc.pl?document=saint.cf).
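Before starting a scan it is worth working out how far it will reach. The following is an added Python example, not code from SAINT or from this course, that models the three saint.cf variables just described ($attack_level, $max_proximity_level and $proximity_descent) and prints, ring by ring, the attack level that would apply and an estimate of how many hosts the ring holds. The level numbering follows the comment in the saint.cf excerpt (0=light, 1=normal, 2=heavy, 3=heavy+, 4=top10, 5=custom); the neighbour fan-out is a constructed assumption used only for the host estimate.

```python
"""Scope of a SAINT scan as a function of its proximity settings.

Added example, not code from SAINT or from the course. It models the
saint.cf variables $attack_level, $max_proximity_level and
$proximity_descent as Python values so the reach of a scan can be
checked before it is started. The neighbour fan-out is a constructed
assumption used only to estimate how many hosts each ring may contain.
"""

# Level names from the saint.cf comment shown in the text.
LEVEL_NAMES = {0: "light", 1: "normal", 2: "heavy",
               3: "heavy+", 4: "top10", 5: "custom"}
SANS_TOP10_LEVEL = 4


def level_at_proximity(attack_level, proximity, proximity_descent):
    """Attack level applied to hosts `proximity` hops out from the target.

    The level drops by proximity_descent per ring and never goes below 0,
    except that level 4 (SANS top 10) is never reduced.
    """
    if attack_level == SANS_TOP10_LEVEL:
        return attack_level
    return max(0, attack_level - proximity * proximity_descent)


def scan_plan(attack_level, max_proximity_level, proximity_descent, fan_out):
    """Return one (proximity, level, estimated_hosts) tuple per ring probed.

    fan_out is the assumed number of new hosts each probed host reveals,
    so ring n holds fan_out ** n hosts: the growth the text warns about
    when $max_proximity_level is raised without thought.
    """
    return [
        (prox,
         level_at_proximity(attack_level, prox, proximity_descent),
         fan_out ** prox)
        for prox in range(max_proximity_level + 1)
    ]


def total_hosts(plan):
    """Number of hosts the whole plan would touch."""
    return sum(hosts for _, _, hosts in plan)


if __name__ == "__main__":
    # Heavy scan, two rings out, dropping one level per ring, fan-out of 5.
    plan = scan_plan(2, 2, 1, 5)
    for prox, level, hosts in plan:
        print(f"proximity {prox}: level {level} ({LEVEL_NAMES[level]}), "
              f"about {hosts} hosts")
    print("total hosts:", total_hosts(plan))
```

With the sample settings the second ring is already probed at level 0 and holds 25 of the 31 estimated hosts; with $attack_level set to 4 every ring keeps level 4, which is why a top-10 scan with a large proximity level generates far more traffic than the descent variable suggests.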
Interpreting SAINT Reports
SAINT can produce many different types of reports which you can view
using a Web browser. This section shows two examples, but during the
practical exercise you should examine as many reports as you can.
Reporting Vulnerabilities by Type
Listing vulnerabilities by type is the most basic report type. In this report,
details are summarized and you are given a list of all the vulnerabilities
SAINT detected for the given attack, as shown in Figure 12-9.
Figure 12-9 Report of Vulnerabilities by Type
Reporting Potential Problems
The potential problems report, shown in Figure 12-10, shows the type of
vulnerability for each system detected.
Figure 12-10 Listing Potential Problems
Note – The comment in Figure 12-10 about Back Orifice backdoor found is particularly noteworthy. This is a Microsoft Windows NT Trojan horse which can seriously impair network security for all hosts. Solaris OE administrators must be aware of the specific problems associated with Microsoft Windows NT machines on a hybrid network.
Detecting Network Analyzer Attacks
Many tools can detect SAINT and similar tools. You can obtain a good
review of these at:
http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html. Some of the
tools discussed are:
• Gabriel – A tool from Los Altos Technologies which is written in the C programming language for Solaris OE versions 1 and 2.
• Netman – A package from Curtin University. Netman is not a probe detector but is a full network monitoring package.
• NOCOL – This is also a tool from Curtin University. It detects and monitors all network activity (not only SAINT or SATAN).
• Courtney – A tool written by Computer Incident Advisory Capability (CIAC) specifically designed to monitor and detect SAINT or SATAN attacks.
Detecting Attacks Using Courtney
The Courtney utility warns administrators of a SAINT or SATAN attack. Courtney receives its input from the tcpdump utility. Courtney counts the number of new services a machine originates within a certain time frame. A machine is identified as a potential SAINT host if it connects to numerous services within a specified time frame. Like SAINT, Courtney is a Perl utility.
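The counting rule described above is easy to see on a small log. The following is an added Python example, not Courtney's own code (which is a Perl script fed by tcpdump): it keeps, for each source host, only the connections seen in the last window of time, counts the distinct target services among them, and raises a NORMAL_ATTACK or HEAVY_ATTACK label once per source when a threshold is crossed. The window length, the two thresholds and the connection records are constructed for this example and are not Courtney's defaults.

```python
"""Courtney-style scan detection over a constructed connection log.

Added example, not Courtney's own code (a Perl script fed by tcpdump).
It keeps Courtney's central idea: count the distinct services a single
source host contacts within a time window and raise an alert when that
count crosses a threshold. The window length, the thresholds and the
records below are constructed for this example, not Courtney's defaults.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
NORMAL_THRESHOLD = 5    # distinct services in one window -> NORMAL_ATTACK
HEAVY_THRESHOLD = 10    # distinct services in one window -> HEAVY_ATTACK

# Constructed records: (seconds since start, source host, target host, port)
SAMPLE_CONNECTIONS = (
    # wallace touches twelve services on grommit within twelve seconds
    [(t, "wallace", "grommit", port) for t, port in
     enumerate([21, 23, 25, 79, 111, 513, 514, 515, 6000, 2049, 161, 512])]
    # shaun uses two services: ordinary traffic
    + [(3, "shaun", "grommit", 22), (30, "shaun", "grommit", 80)]
    # preston probes six services but spaces them 70 s apart, outside the window
    + [(70 * i, "preston", "grommit", port) for i, port in
       enumerate([21, 23, 25, 79, 111, 513])]
)


def classify(distinct_services):
    """Map a distinct-service count to an alert label, or None."""
    if distinct_services >= HEAVY_THRESHOLD:
        return "HEAVY_ATTACK"
    if distinct_services >= NORMAL_THRESHOLD:
        return "NORMAL_ATTACK"
    return None


def detect(records, window=WINDOW_SECONDS):
    """Return alerts as (time, source, target, label), one per source and label.

    A sliding window per source keeps only connections from the last
    `window` seconds, so a slow probe that spreads its connections out
    is not counted; that is the known blind spot of this kind of detector.
    """
    recent = defaultdict(deque)   # source -> deque of (time, (target, port))
    reported = defaultdict(set)   # source -> labels already raised
    alerts = []
    for t, src, dst, port in sorted(records):
        q = recent[src]
        q.append((t, (dst, port)))
        while q and t - q[0][0] > window:
            q.popleft()
        label = classify(len({svc for _, svc in q}))
        if label and label not in reported[src]:
            reported[src].add(label)
            alerts.append((t, src, dst, label))
    return alerts


def format_alert(alert):
    """Render an alert in the style of the Code 12-5 output lines."""
    t, src, dst, label = alert
    return f"{t:02d}s: {label} from {src} - target {dst}"


if __name__ == "__main__":
    for a in detect(SAMPLE_CONNECTIONS):
        print(format_alert(a))
```

On the sample log only wallace is reported, first as NORMAL_ATTACK at the fifth service and then as HEAVY_ATTACK at the tenth; preston, who touches the same number of services as a light scan but one per 70 seconds, is never flagged with a 60-second window, which is exactly the gap a longer window (or a second, slower counter) would need to close.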
To run Courtney, you need Perl 5 and you must run the tcpdump utility.
Perl is part of the standard Solaris OE build, but you must download and
install the tcpdump utility from the site listed in Additional Resources
on page 12-3.
Obtaining and Installing Courtney
You can obtain the Courtney utility from a number of FTP sites. This example of Courtney, called courtney.tar.gz, was retrieved from ftp://ciac.llnl.gov/pub/ciac/sectools/unix/courtney/. To install Courtney:
1. Uncompress and unarchive the courtney-1.3.tar.gz file.
2. The Courtney Perl script uses a hard-coded search path variable. Unfortunately, this variable does not include the /usr/local/sbin directory where the tcpdump utility resides. The easiest solution is to link the tcpdump utility into the /usr/local/bin directory by entering:
# ln /usr/local/sbin/tcpdump /usr/local/bin
3. Alternatively, update the Courtney script to set the correct search path. Edit the courtney.pl script and search for the line starting with $ENV{'PATH'}. Update the associated search path to include the path to the tcpdump utility (/usr/local/sbin):
$ENV{'PATH'}='/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/sbin:/usr/etc:/usr/local/bin:/usr/local/sbin';
Using Courtney
Start Courtney, as shown in Code 12-5, with the output directed to
standard output. It reports any SAINT attacks (or similar attacks).
Code 12-5 Using Courtney
# ./courtney.pl -s
tcpdump: listening on hme0
00:18:10: NORMAL_ATTACK from wallace- target grommit
00:18:11: HEAVY_ATTACK from wallace - target grommit
By default, attacks are logged using the Syslog utility at the alert priority
level. This logging can be disabled by using the -l option.
Use the -h option to the Courtney command for a full list of command
line options.
Exercise: Using SAINT and Courtney
In this exercise, you will complete the following tasks:
• Install SAINT and perform different levels of attack
• Install and use Courtney to detect attacks
Preparation
Ensure that you have installed the GNU C++ compiler and the make utility. For the purposes of this exercise you will work in pairs to configure SAINT scanning between your workstation and your partner's workstation. You will subsequently configure Courtney to detect scanning attacks on your workstation.
Warning – Due to the nature of the TCP/IP stack implementation on Solaris OE, Courtney can only detect scan attacks initiated by another workstation and does not detect scans originating from the current workstation.
Ensure you know the host names of your workstation and your partner's workstation.
Task – Installing SAINT
The SAINT download site is listed in Additional Resources on page 12-3. A copy of the download file (saint-3.2.tar) is also in the /usr/local/pkg directory.
SAINT uses the tcpdump utility, which is not supplied with the Solaris 8 OE. This package also requires the openssl and libpcap packages. These are available from the sites listed in Additional Resources on page 12-3, and are included in the /usr/local/pkg directory. These software packages might already have been installed from a previous exercise of this course.
To install SAINT:
1. Extract the SAINT archive into the /usr/local directory to create a
subdirectory called saint-3.2.
2. Follow the instructions in the README file in the saint directory to install SAINT.
Task – Running a SAINT Attack
To run a SAINT attack:
1. Start up SAINT and then run a light SAINT attack on your partner's workstation and analyze the results.
2. Use the SAINT Target Selection page to select your current host name and scanning level, and then click Start the Scan.
3. Run a heavy attack to gain even more information.
Task – Running SAINT From the Command Line
To run SAINT from the command line:
1. Run a medium-level attack on your partner's workstation, but initiate it from the command line.
2. You can use the -h option to obtain command line help from SAINT:
# ./saint -h
Task – Installing Courtney
The Courtney download site is listed in Additional Resources on page 12-3. A copy of the download file (courtney-1_3.tar) is also in the /usr/local/pkg directory.
Courtney uses the tcpdump utility, which is not supplied with the Solaris 8 OE. This package also requires the openssl and libpcap packages. These are available from the sites listed in Additional Resources on page 12-3 and are included in the /usr/local/pkg directory. They will have been installed in the first exercise for this module.
To install Courtney:
1. Extract the Courtney archive and read the README file.
2. Include the tcpdump utility in Courtney's search path by linking it to the /usr/local/bin directory.
Task – Using Courtney to Detect Attacks
You must coordinate your work with another person in the class. One of
you will be the attacker and the other the target.
To use Courtney to detect attacks:
1. Initially, the target workstation must run Courtney from a command
window displaying the output to the screen.
2. The attacker must now run SAINT attacks to verify that Courtney
detects the attack. Start with a light SAINT attack and increase the
level until Courtney recognizes the attack.
Exercise Summary
Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
• Experiences
• Interpretations
• Conclusions
• Applications
Exercise Solutions
This section provides the solutions for this module's exercises.
Installing SAINT
1. Extract the archive into the /usr/local directory to create a subdirectory called saint-3.2.
2. Follow the instructions in the README file in the SAINT directory to install SAINT.
# cd /usr/local
# cd pkg
# pkgadd -d libpcap-0_6_1-sol8-sparc-local
# pkgadd -d openssl-0_9_6-sol8-sparc-local
# pkgadd -d tcpdump-3_6_1-sol8-sparc-local
# cd ..
# tar xvf pkg/saint-3.2.tar
# cd saint-3.2
# more README
# ./configure
# make
# make install
Running a SAINT Attack
1. Start SAINT and then run a light SAINT attack on your partner's workstation and analyze the results.
# ./saint
2. Use the SAINT Target Selection page to select your current hostname
and scanning level and then click Start the Scan.
3. Run a heavy attack to gain even more information by returning to
the Target Selection page and selecting a heavy attack.
Running SAINT From the Command Line
1. With the permission of someone else in the class run a medium level
attack on their machine but initiate it from the command line.
# cd /usr/local/saint-3.2
# ./saint -i -a 1 wallace
wallace:
Critical Problems:
Exports /export/home to everyone
Areas of Concern:
Information from ruserid could help hacker
Services:
FTP
XDM (X login)
Telnet
uucp
X Windows
NFS
Installing Courtney
1. Extract the Courtney archive and read the README file.
# cd /usr/local
# tar xvf pkg/courtney-1_3.tar
# cd courtney-1.3
# more README
2. Include the tcpdump utility in Courtney's search path by linking it to the /usr/local/bin directory.
# ln /usr/local/sbin/tcpdump /usr/local/bin
Using Courtney to Detect Attacks
1. Initially, the target workstation must run Courtney from a command
window displaying the output to the screen.
# ./courtney.pl -s
2. The attacker must now run SAINT attacks to verify that Courtney
detects the attack. Start with a light SAINT attack and increase the
level until Courtney recognizes the attack.
Module 13
Security Network Services
Objectives
Upon completion of this module, you should be able to:
• Configure network services such as telnet and FTP
• Configure remote access using rlogin and rsh commands
• Explain the role of the chroot command for enhanced security
• Configure Anonymous FTP
• Describe the role of authentication tools
• Configure and use Pluggable Authentication Module (PAM)
• Disable the use of rhosts files
• Describe the Sun Enterprise Authentication Mechanism (SEAM) and the Kerberos 5 protocol
Relevance
Discussion – The following questions are relevant to understanding the role of network services:
• Can you run your servers without providing network services?
• Can you list the network services you are running on the hosts you administer?
• Which network services must you have and which are just convenient?
• Which of the network services require user authentication and which are open to all users?
Additional Resources
Additional resources – The following references provide additional information on the topics described in this module:
• Online manual pages for chroot(1M), exec(3), hosts.equiv(4), inetd(1M), inetd.conf(4), in.ftpd(1M), login(1), netgroup(4), pam(3PAM), pam.conf(4), pam_unix(5), rlogin(1), and rsh(1)
• Solaris OE AnswerBook 2
• Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O'Reilly & Associates, Inc., 1996.
• Kerberos Home Page online [http://web.mit.edu/kerberos/www/]
Restricting Network Services
The standard Solaris OE installation enables, by default, a number of network services in the /etc/inetd.conf file. Many of these services are there for historical reasons and are unnecessary. Some services (such as finger and rusers) provide information about the host server and user login names which intruders can use to infiltrate those systems.
Consider disabling some or all of the standard network facilities as described in Table 13-1 on page 13-5. Edit the /etc/inetd.conf file by commenting out entries instead of erasing them. This method is helpful when you try to restore a disabled network service.
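The comment-out-rather-than-delete advice can be scripted so that the change is repeatable and reversible. The following is an added Python example, not part of the course material: it takes the text of an inetd.conf file, lists the services inetd would start, prefixes selected entries with # and can restore them again by removing that character. The file content is constructed for the example and covers only a few of the entries in Table 13-1.

```python
"""Disable inetd services by commenting them out rather than deleting them.

Added example, not part of the course material. It rewrites the text of
an inetd.conf file so that selected services are prefixed with '#' and
can be restored later by removing that character again. The file content
is constructed and covers only a few of the entries in Table 13-1.
"""

SAMPLE_INETD_CONF = (
    "# Constructed excerpt of /etc/inetd.conf for this example\n"
    "ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/in.ftpd\tin.ftpd\n"
    "telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/in.telnetd\tin.telnetd\n"
    "#shell\tstream\ttcp\tnowait\troot\t/usr/sbin/in.rshd\tin.rshd\n"
    "finger\tstream\ttcp\tnowait\tnobody\t/usr/sbin/in.fingerd\tin.fingerd\n"
    "rusersd/2-3\ttli\trpc/datagram_v,circuit_v\twait\troot"
    "\t/usr/lib/netsvc/rusers/rpc.rusersd\trpc.rusersd\n"
)


def service_name(line):
    """Service field of an active inetd.conf line, or None for blank and
    commented lines. An RPC version suffix such as 'rusersd/2-3' is dropped."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split()[0].split("/")[0]


def enabled_services(text):
    """Names of the services inetd would start from this configuration."""
    return [name for name in map(service_name, text.splitlines()) if name]


def disable_services(text, names):
    """Comment out the entries for `names`; every other line is left as is."""
    out = []
    for line in text.splitlines():
        out.append("#" + line if service_name(line) in names else line)
    return "\n".join(out) + "\n"


def enable_services(text, names):
    """Remove one leading '#' from commented entries whose service is in `names`."""
    out = []
    for line in text.splitlines():
        if line.startswith("#") and service_name(line[1:]) in names:
            out.append(line[1:])
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hardened = disable_services(SAMPLE_INETD_CONF, {"finger", "rusersd"})
    print(hardened)
    print("still enabled:", enabled_services(hardened))
```

After writing the edited text back to /etc/inetd.conf on a real system, inetd must re-read its configuration; on Solaris 8 that is done by sending the daemon a hangup signal (pkill -HUP inetd).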
The following services are enabled by default, as shown in Table 13-1.
Table 13-1 Network Services Enabled by Default
Service: ftp - /usr/sbin/in.ftpd
Usage: Transfers files to and from a server. The FTP server has had a number of security weaknesses over time, including variations of the buffer overflow attack. FTP also uses unencrypted passwords. Disable this entry if FTP is not required. This service also supports Anonymous FTP.
Service: telnet - /usr/sbin/in.telnetd
Usage: Allows remote login access to a server. The telnet service uses unencrypted passwords. Disable if the telnet service is not required. Using the Secure Shell (SSH) can eliminate the need for a telnet service.
Service: shell - /usr/sbin/in.rshd
Usage: Supports the rsh command for running commands on the host. If the user authentication mechanism is used, no passwords are required; otherwise unencrypted passwords are used. Use SSH in preference to the rsh command.
Service: login - /usr/sbin/in.rlogind
Usage: Supports the rlogin command for remote login to the host. If the user authentication mechanism is used, no passwords are required; otherwise unencrypted passwords are used. Use SSH in preference to the rlogin command.
Service: exec - /usr/sbin/in.rexecd
Usage: Supports remote execution of commands using the socket exec(3) system call. Might be used by networking software to support client functionality. Uses unencrypted passwords. Disable it and see whether anything important stops working.
Service: comsat - /usr/sbin/in.comsat
Usage: Supports remote mail notification using the biff program. Not needed on most systems. The biff mail notification program informs you when mail arrives in your mailbox.
Service: talk - /usr/sbin/in.talkd
Usage: Supports the talk service. Not needed on most systems.
Restricting Network Services
13-6 Administering Security on the Solaris8 Operating Environment
Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C
Several other services are required to support Solaris OE remote
management. These are described in the inetd.conf le. Enable only
those services that are being used at your site.
uucp - /usr/sbin/in.uucp Supports UNIX to UNIX Copy (UUCP) le
copy (used by older UNIX mail programs).
Not required on modern UNIX systems.
finger -
/usr/sbin/in.fingerd
Provides summary information on the
operating system and current users logged
into the system. The finger service can also
provide more detailed information about a
named user regardless of whether they are
logged in. Disable this service because it
provides intruders with information (such
as valid user account names) that can attack
the system.
rusersd -
/usr/lib/netsvc/rusers/
rpc.userd
Provides information similar to the who
command about users logged into the
system. Disable this service because it
provides intruders with information (such as
valid user account names) that can attack
the system.
sprayd -
/usr/lib/netsvc/spray/
rpc.sprayd
Analyzes RPC network trafc. Disable this
service because there are better ways to
monitor the network. The sprayd service
can be the target of a denial of service attack.
walld -
/usr/lib/netsvc/rwall/
rcp.rwalld
Writes a message to all logged in users.
Intended as a site-wide broadcast
mechanism. The walld service is not useful
in most sites and can be used as a network
attack target. If an intruder can write a
arbitrary message to a users terminal, they
can use terminal (or terminal emulator)
features to execute programs on behalf of the
logged in user. These attacks are known as
answerback or send message attacks.
Disable this service.
Table 13-1 Network Services Enabled by Default (Continued)
Service Usage
FTP Users
FTP has an additional security measure that allows you to deny some user
accounts access to FTP.
The /etc/ftpusers file contains a list of all user names denied access to
FTP (the file name is misleading). By default, this file contains the system
accounts such as root, bin, adm, and so on. Add further user names to
this file to prevent those accounts from using FTP.
Defending Network Services
It is difficult to defend the network services on your host. If you provide a
service over the network you must accept the possibility of a break-in. You
must trust that the network service itself is secure, but in reality many
services have security weaknesses that can be attacked. Make sure that
you use the latest versions of all network service software and keep up to
date with the security alerts and operating system patches for your
software.
Two techniques can help defend your network services against basic
attacks:
• Non-standard port numbers
• Dummy services
Non-Standard Port Numbers
Consider putting services on non-standard port numbers. For example,
move the telnet service to port 4321 and tell your users to use the
command:
# telnet host 4321
This method does not make the service any more secure, but it can deter a
casual intruder from attacking the system because the intruder cannot
find a telnet server on port 23 and has to look for other weaknesses.
This will not put off an experienced intruder who can use port scanning
tools to detect the telnet service, regardless of port number.
Dummy Services
Running dummy services can improve your early warning system for
network attacks. A dummy service is a server which sits on a well-known
port (such as 23 for telnet) and logs the IP address of any client which
connects to that port. Although it also catches genuine user mistakes, this
technique definitely detects intruders trying to attack your system.
A simple logging service like this can be written by a C, C++, Java
technology, or Perl programmer.
More sophisticated dummy servers require more programmer
development, but it is still relatively easy to write a server which looks and
behaves like a standard service but provides no functionality except to log
the connections.
One example is a telnet server which prompts for a user name and
password in exactly the same manner as a real telnet server. But the
dummy service always denies access to the system even if the user name
and password are correct. Such a server can sidetrack intruders
attempting to break into a system using a mechanism which cannot be
broken. Imagine putting a dummy front door on your house or apartment
which is nailed shut: even if it could be opened, it simply opens to a solid
wall.
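A minimal dummy telnet-style service of the kind just described, added here as an example (it is not code from the Sun course). It prompts for a login name and a password, always answers "Login incorrect", and keeps one record per connection holding the client address and the name that was tried; the password itself is deliberately not stored. It speaks plain text on the socket and does not perform telnet option negotiation. simulate_attempt drives the handler over a socketpair so the behaviour can be checked without binding a port; the 192.0.2.10 client address it passes is a constructed documentation value.

```python
"""Dummy telnet-style service: looks like a login prompt, never lets anyone
in, records who connected. Added example, not part of the Sun course."""
import socket
import threading
import time

BANNER = b"\r\nlogin: "
MAX_LINE = 256              # cap on what a client may send per prompt


def read_line(rfile):
    """Read one line (at most MAX_LINE bytes) and strip the CR/LF."""
    return rfile.readline(MAX_LINE).rstrip(b"\r\n").decode("ascii", "replace")


def handle_connection(conn, peer, log):
    """Serve one client: prompt, record the attempt, deny.

    `peer` is the (address, port) pair from accept(); `log` is a list that
    receives one dict per connection (a production version would send the
    same fields to syslog). Only the fact that a password was offered is
    kept, never its value: a logged password is a new secret to protect.
    """
    record = {"time": time.strftime("%Y-%m-%dT%H:%M:%S"), "peer": peer[0],
              "login": "", "password_given": False}
    rfile = None
    try:
        conn.settimeout(30)                 # idle clients must not pin a thread
        rfile = conn.makefile("rb")
        conn.sendall(BANNER)
        record["login"] = read_line(rfile)
        conn.sendall(b"Password: ")
        record["password_given"] = read_line(rfile) != ""
        conn.sendall(b"\r\nLogin incorrect\r\n")
    except (OSError, ValueError):
        pass                                # disconnect or timeout: keep the record
    finally:
        log.append(record)
        if rfile is not None:
            rfile.close()                   # release the fd so close() takes effect
        conn.close()
    return record


def serve(port=23, host="0.0.0.0", log=None, max_connections=None):
    """Listen on the well-known port and hand each client to a thread."""
    log = [] if log is None else log
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    served = 0
    while max_connections is None or served < max_connections:
        conn, peer = srv.accept()
        threading.Thread(target=handle_connection, args=(conn, peer, log),
                         daemon=True).start()
        served += 1
    srv.close()
    return log


def simulate_attempt(login, password, peer=("192.0.2.10", 40000)):
    """Drive handle_connection over a socketpair, no listening port needed.
    `peer` is a constructed address. Returns (log record, client transcript)."""
    server_end, client_end = socket.socketpair()
    log = []
    worker = threading.Thread(target=handle_connection,
                              args=(server_end, peer, log))
    worker.start()
    client_end.sendall(f"{login}\r\n{password}\r\n".encode())
    seen = b""
    while True:                             # read until the server closes
        chunk = client_end.recv(4096)
        if not chunk:
            break
        seen += chunk
    worker.join()
    client_end.close()
    return log[0], seen.decode("ascii", "replace")


if __name__ == "__main__":
    # Port 23 itself needs root; a high port is enough to try it out.
    for rec in serve(port=2323, max_connections=1):
        print(rec)
```

Each record is the "early warning" the section refers to: a connection to port 23 on a host that has no real telnet service is itself the event worth alerting on, and the login name tried shows which accounts the client was probing.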
Berkeley r Commands
A number of network security concerns involve the Berkeley r
commands: rlogin, rsh, and rcp. The r commands use privileged ports,
ranging from 512 to 1023.
All three commands in the Berkeley r command set require that the user
have an account set up on the remote system:
• The rlogin (remote login) command: Allows a login session on a
remote system. To log into host wallace use:
# rlogin wallace
• The rsh (remote shell) command: Also called remsh, executes a
program on a remote system. To run a ps command on host grommit
use:
# rsh grommit ps -ef
• The rcp (remote copy) command: Allows a user to copy files
between remote systems. To copy the sulog file from host wallace
to the temporary directory on grommit use:
# rcp wallace:/var/adm/sulog grommit:/tmp/sulog.wallace
Note: On some older UNIX versions the rsh command was known as
remsh because the /usr/bin/rsh command was the restricted Bourne
shell. More recent UNIX systems have moved the restricted shell to the
/usr/lib/rsh command and standardized the /usr/bin/rsh command
as the remote shell; however, the /usr/bin/remsh command is linked to
the /usr/bin/rsh command to maintain backward compatibility.
The rsh and rcp commands are further restricted in that the remote host
must have configured the host running the command as a trusted host
(see "Trusted Hosts" on page 13-12).
You can use the rlogin command if you have an account on the remote
system, even if the remote system is not trusted. The rlogin command
prompts for a password unless the system running the command is a
trusted host.
The rlogin and rsh commands use the -l option to specify a login user
name to use on the remote host. For user bob to run the ps command as
the root user on grommit, Bob would type:
# rsh -l root grommit ps -ef
The rcp command can also specify user names, but because there might
be different users on each machine, the file name is prefixed with the user
name much like an email address. For example:
# rcp alice@wallace:/var/adm/sulog bob@grommit:/tmp/sulog.wallace
This command reads the /var/adm/sulog file from wallace as user
alice and writes the file to grommit as user bob.
Trusted Hosts
Trusted hosts are configured using two types of configuration files on the
host which is the target of the remote command (not the system running
the command):
• A global configuration file used for all users except root
• Individual user configuration files
Running the following command from the host wallace requires grommit to
configure wallace as a trusted host:
# rsh grommit ps -ef
The trusted host configuration files all have the same format, where each
line represents a trusted host or a trusted host and a named user. The user
defaults to the current user if no user name is supplied on the trusted host
line. User names and hosts can be specified using Netgroups as defined in
the /etc/netgroups file (read the online manual pages and Solaris
AnswerBook for a description of Netgroups).
A simple trusted host file is:
wallace
grommit
Both hosts wallace and grommit are trusted.
Note: A host does not trust itself unless its host name is included in the
trusted hosts file.
A more complex trusted host file is:
wallace bob
grommit alice
In this example, only user bob on host wallace and user alice on host
grommit are trusted.
Note: The host's official name must be used. Aliases are not recognized,
nor are IP addresses.
In a trusted host configuration file, a line containing a single plus sign (+)
means trust all known hosts, but this is extremely insecure and you should
never use it. Systems can be barred from access by preceding the host
name with a minus sign (-), but because this only makes sense when using
the plus sign it also should not be used. If a host is not listed in the
configuration file, it is denied access.
Note: The trusted host files are one-way only. A given host specifies
which other hosts are trusted. This does not imply that this host is also
trusted by the ones it trusts. The other hosts have their own list of trusted
hosts.
Determining Trusted Access
When the target server determines whether a user wanting to run a remote
command is trusted, the target server first checks the password file to
ensure that the remote user has an entry on this system. If not, the
command is rejected.
If the user has a valid account, the target system checks the
/etc/hosts.equiv file for all users except the root user. The
/etc/hosts.equiv file identifies the trusted hosts for all the non-root
users on the system.
Note: Some older versions of SunOS and the Solaris OE have a default
/etc/hosts.equiv file with the single entry +. Delete this file because it
is extremely insecure.
If the user is in the passwd file and the host is a trusted host, the user can
use the rlogin or rsh commands without a password.
Note: Do not use user names in the hosts.equiv trusted file. You might
expect that adding a user name to a line in the /etc/hosts.equiv file
would restrict the use of the r commands to that named user only.
However, in practice, specifying a user name usually allows the named
user to run commands as any user on this server.
If the user and host are not trusted in the /etc/hosts.equiv file
(remember that root does not use hosts.equiv), then the system checks
for a file called $HOME/.rhosts (where $HOME is the user's home
directory). The $HOME/.rhosts file only defines trusted hosts for the user
account actually running the command, which is the same as the user
running the command unless a user name is supplied on the command
line.
Note: When the user attempting a remote command is logged in as the
root user, only the /.rhosts file is checked, not the /etc/hosts.equiv
file.
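The decision procedure laid out across "Trusted Hosts" and "Determining Trusted Access", as an added Python model (not Sun's code and not the real ruserok library routine): password file first, then /etc/hosts.equiv for everyone but root, then the target account's ~/.rhosts. The account list and file contents are constructed samples for a target host named grommit; the root /.rhosts lines are the ones shown on page 13-17. Host names are compared literally because the real lookup uses the official host name only, and within a file the first matching entry is taken to decide (an assumption, stated in the code), so a "-host" line would have to precede a "+" line to have any effect. audit_trusted_file flags the three things the text warns against: "+", "-host", and user names in hosts.equiv.

```python
"""Model of the trusted-host check made by the target of rsh/rlogin.
Added example, not Sun's code; all data below is constructed."""

# Constructed configuration for a target host "grommit".
PASSWD_USERS = {"root", "alice", "bob", "eve"}   # accounts in /etc/passwd
HOSTS_EQUIV = "wallace\n"                          # /etc/hosts.equiv
RHOSTS_BY_USER = {                                 # $HOME/.rhosts per account
    "root": "wallace alice\nwallace bob\n",        # /.rhosts as on page 13-17
    "eve": "grommit\n",                            # eve trusts herself on grommit
}


def parse_trusted_file(text):
    """Return (host, user, negated) per entry; blank and '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((host.lstrip("-"), user, host.startswith("-")))
    return entries


def _file_grants(entries, remote_host, remote_user, same_name):
    """First matching entry decides (assumption): True grants access, False is
    a '-host' denial, None means the file says nothing about this client."""
    for host, user, negated in entries:
        if host != "+" and host != remote_host:    # official name, no aliases
            continue
        if user is None:
            if not same_name:   # "host" alone trusts the same login name only
                continue
        elif user != "+" and user != remote_user:
            continue
        return not negated
    return None


def is_trusted(remote_host, remote_user, local_user, passwd_users=PASSWD_USERS,
               hosts_equiv=HOSTS_EQUIV, rhosts_by_user=RHOSTS_BY_USER):
    """May remote_user@remote_host act as local_user without a password?"""
    if local_user not in passwd_users:
        return False                               # no password-file entry
    same_name = remote_user == local_user
    if local_user != "root":                       # root never consults hosts.equiv
        # A "host user" line here admits that remote user as ANY non-root
        # account, which is why the course says not to name users in it.
        if _file_grants(parse_trusted_file(hosts_equiv),
                        remote_host, remote_user, same_name):
            return True
    rhosts = rhosts_by_user.get(local_user, "")   # root's file is /.rhosts
    return bool(_file_grants(parse_trusted_file(rhosts),
                             remote_host, remote_user, same_name))


def audit_trusted_file(text, is_hosts_equiv):
    """Flag the entries the course warns against; returns a list of findings."""
    findings = []
    for host, user, negated in parse_trusted_file(text):
        if host == "+":
            findings.append("'+' trusts every known host; never use it")
        elif negated:
            findings.append(f"'-{host}' only makes sense alongside '+'; remove it")
        if user is not None and is_hosts_equiv:
            findings.append(f"user {user} named in hosts.equiv can act as any "
                            "non-root account")
    return findings


if __name__ == "__main__":
    print(is_trusted("wallace", "bob", "root"))    # True: /.rhosts lists bob
    print(is_trusted("wallace", "root", "root"))   # False: no "wallace root" line
    print(is_trusted("grommit", "root", "root"))   # False: a host must list itself
    print(audit_trusted_file("+\n-badhost\nwallace bob\n", True))
```

The call `is_trusted("wallace", "bob", "alice", hosts_equiv="wallace bob\n")` returns True, which is the effect the Note above describes: naming bob in hosts.equiv does not restrict him, it lets him in as alice as well.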
Trusted Hosts: Good or Bad?
Many administrators frown on the use of the trusted host mechanism and
the r commands. An intruder who breaks in to a login account with this
feature activated can access a large number of systems on the network.
This type of access can propagate many viruses and worms. The trusted
host mechanism effectively lowers the overall security of the network to
that of the weakest host.
The opposing argument is that by setting up trusted hosts correctly and
only where necessary, you can avoid using the telnet command to access
a host and you can avoid sending unencrypted passwords across a
potentially insecure network.
A useful technique with the root user's trusted hosts file (/.rhosts) is to
include entries for all of your administrators, which allows them to run
remote commands on this host. On wallace, for example:
# cat /.rhosts
wallace alice
wallace bob
This entry allows the user alice and the user bob to run commands on
the host wallace (the current system). This might not make sense until
you consider that this is the root user's trusted hosts file. For example, this
entry allows the user bob to run the following command:
$ rsh -l root wallace passwd eve
This command allows the user bob to change the password for the user
eve. The advantage of this configuration is that the user bob does not use
the su command or enter the root user password. This configuration is
more secure than having the user bob (who might be using the telnet
command from a PC to access the server) use the su command and send
unencrypted passwords over the network where they can be sniffed.
However, if the account of either user alice or user bob is
compromised, then the root account is also compromised.
There is no right or wrong answer, just personal preferences. If you are
using tools and techniques like SSL, IPS, or SSH, it is usually a good idea
to disable the trusted hosts mechanism. See "Disabling Remote Access
Using PAM" on page 13-38.
Securing Services With the chroot Command
The chroot command changes the root directory for the duration of a
program's execution lifetime. The effect is to run the program in a
sandbox: the only files and directories that the program can access are
those underneath the new root directory. With the chroot command:
• All absolute path names are redirected to the changed root directory
(both on the command line and with any files opened) while the
program executes.
• A reference to the parent directory of the changed root directory is
redirected to the root directory itself (which prevents the user from
using the cd .. command to move up and out of the new root
directory).
The chroot command is not an easy command to use and requires
considerable work and expertise to set up. However, most of the work can
be easily scripted.
Intelligent use of chroot can dramatically tighten the security of a system.
When to Use the chroot Command
Use the chroot command to run network services in a sandbox.
Anonymous FTP and Trivial File Transfer Protocol (TFTP) are the usual
services which are run using the chroot command.
A security-conscious administrator uses the chroot command for all
possible services. Candidates are:
• FTP (in addition to Anonymous FTP)
• HTTP servers (Web servers should run in a sandbox)
• The telnet program
The telnet program can be considered for chroot security. If the
telnet program is configured to use the chroot command, remote
administration of the host must be done from the console (or a
directly attached terminal) or done using a network Common
Desktop Environment (CDE) session which uses X Display Manager
Control Protocol (XDMCP) for login.
• Any network service which does not require access to the full
operating system
If you use the chroot command, some of the known weaknesses in
network services can be minimized by presenting a very restricted view of
the system.
How to Use the chroot Command
To use the chroot command, you must configure a complete environment
for the executing program including:
• Executable command files
• Shared libraries
• Device files
A basic example of the chroot command that extracts a tar file into the
/tmp directory is shown in Code 13-1. You can use the chroot command
to extract a tar archive which has stored absolute instead of relative path
names. Without the chroot command, extracting the tar archive would
overwrite the existing files on disk.
Code 13-1 Using the chroot Command
# cp tools.tar /tmp
# chroot /tmp /usr/sbin/static/tar xvf /tools.tar
There are a few points to note about Code 13-1:
• The real path name for the tar archive is /tmp/tools.tar.
However, the command line must use its relocated name of
/tools.tar because all path names are relative to the /tmp directory
(the first parameter to the chroot command). The same relocation
applies to the program being run: the chroot command looks for it
under the new root, so a copy of the tar binary must exist there.
• The /usr/sbin/static/tar command is a statically linked
program (it includes all required libraries in the one executable
binary). The usual tar command in /usr/bin is dynamically linked
and must have the required libraries copied to the changed root
directory.
• When the tar archive is extracted, all files are under the /tmp
directory (all absolute path names in the archive are relocated to the
new root directory of /tmp).
Anonymous FTP
A more complex example of using the chroot command is one for
running Anonymous FTP. The in.ftpd daemon uses the chroot
mechanism when a user logs in as the anonymous user. A password must
be supplied. It is conventional to use your email address as the password,
but most servers accept any password.
Anonymous FTP is insecure because anyone can access the service.
Anonymous FTP is usually configured so that files can only be downloaded
and not uploaded onto the host.
The in.ftpd daemon needs all of its support libraries and configuration
files to be in the changed root directory to run correctly. These include:
• /usr/bin: Required executable files to support FTP. The in.ftpd
daemon needs at least the /usr/bin/ls file.
• /etc: Configuration files used by FTP or other programs (like ls).
The in.ftpd daemon needs at least the following:
  • /etc/passwd for ls listings
  • /etc/default/ftpd for configuration
  • /etc/default/init for the time zone
Note: The /etc/passwd file used by FTP does not need to be the same as
/etc/passwd on the real system. You can use a series of dummy account
names which might sidetrack potential intruders who are unaware of the
chroot functionality. FTP does not need the /etc/shadow file, so it
should not be copied into the changed root directory.
• /usr/lib: Required dynamic link libraries. The ldd command lists
all required libraries for a given list of commands. The dynamic link
libraries required for FTP can be obtained using:
# ldd /usr/bin/ftp /usr/bin/ls
• /usr/lib/security: Contains the security database required by
most commands.
• /usr/share/lib/zoneinfo: Contains time zone configuration
files.
• Include these device files that are required to support network
services:
  • /dev/zero
  • /dev/tcp
  • /dev/udp
  • /dev/ticotsord
  • /dev/ticlts
  • /dev/null (optional, but most administrators also copy this file)
Note: Devices opened from the command line before FTP is started
(such as stdin, stdout, and stderr) do not need device files.
• A directory for the public FTP files (this is usually a directory called
/pub). The public directory should be read-only to all users.
• A writable subdirectory (if you need users to upload files). To ensure
that no DoS attacks can be attempted (for example by filling the FTP
area with user-uploaded files), place the entire area on a separate
disk partition or slice.
The in.ftpd daemon also requires a user called ftp whose home
directory is the same as the root directory for Anonymous FTP access.
The online manual page for the in.ftpd daemon includes a shell script
which automates the entire process. This script could be easily adapted
for other network services.
Note: If the in.ftpd daemon is configured to log FTP logins,
Anonymous FTP logins are also logged. Because the inetd daemon
communicates directly with the syslog daemon, no path names are
required. Running the in.ftpd daemon under the chroot command does
not require any special configuration.
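The "Shared libraries" step of "How to Use the chroot Command" and the ldd item of the Anonymous FTP list above, as an added example (it is not the script from the in.ftpd manual page): parse what ldd reports for a program and copy the program plus each library under the new root, preserving the path. The parser accepts the Solaris form ("libc.so.1 =>  /usr/lib/libc.so.1") and the similar Linux form with a trailing "(0x...)" load address; the ldd output and file names in demo_staging are constructed, and source_root lets the demo read from a throwaway tree instead of the live system. Device files and the hand-edited /etc copies are outside what this script does.

```python
"""Stage a dynamically linked program and the libraries ldd lists for it
into a changed-root directory. Added example, not Sun's in.ftpd script."""
import os
import shutil
import subprocess
import tempfile

# Constructed ldd output in the Linux style, used only to exercise the parser.
SAMPLE_LDD_LINUX = (
    "\tlinux-vdso.so.1 (0x00007ffd3a1f0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2c1e600000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f2c1e9a0000)\n"
)


def parse_ldd_output(text):
    """Return the absolute library paths named in ldd output. Pseudo-entries
    (linux-vdso) and '(file not found)' lines carry no path and are skipped."""
    libs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        target = line.split("=>", 1)[1] if "=>" in line else line
        path = target.split("(", 1)[0].strip()      # drop "(0x...)" if present
        if path.startswith("/") and path not in libs:
            libs.append(path)
    return libs


def run_ldd(binary):
    """Ask the real ldd. Kept separate so a canned result can be substituted."""
    return subprocess.run(["ldd", binary], capture_output=True, text=True,
                          check=True).stdout


def stage_file(newroot, path, source_root="/"):
    """Copy source_root/path to newroot/path, creating the directory chain.
    Mode and timestamps are preserved; ownership is left to the caller."""
    src = os.path.join(source_root, path.lstrip("/"))
    dest = os.path.join(newroot, path.lstrip("/"))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(src, dest)
    return dest


def populate_chroot(newroot, binaries, ldd=run_ldd, source_root="/"):
    """Copy each program and every library ldd lists for it. Returns the
    sorted absolute paths (as seen inside the new root) that were staged.
    Device files (/dev/tcp, /dev/udp, /dev/zero, ...) need mknod with the
    right major/minor numbers and are not handled here."""
    staged = set()
    for binary in binaries:
        stage_file(newroot, binary, source_root)
        staged.add(binary)
        for lib in parse_ldd_output(ldd(binary)):
            if lib not in staged:
                stage_file(newroot, lib, source_root)
                staged.add(lib)
    return sorted(staged)


def demo_staging():
    """Offline demonstration on a constructed source tree with canned
    Solaris-style ldd output; no real binaries are read.
    Returns (staged_paths, every_staged_file_present)."""
    work = tempfile.mkdtemp(prefix="chroot-demo-")
    fake_root = os.path.join(work, "live")      # stands in for the real /
    newroot = os.path.join(work, "ftproot")     # the changed root directory
    for f in ("/usr/bin/ls", "/usr/lib/libc.so.1", "/usr/lib/libdl.so.1"):
        p = os.path.join(fake_root, f.lstrip("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("placeholder for " + f + "\n")

    def canned_ldd(binary):                     # constructed ldd output
        return ("\tlibc.so.1 =>\t /usr/lib/libc.so.1\n"
                "\tlibdl.so.1 =>\t /usr/lib/libdl.so.1\n"
                "\tlibfoo.so.1 =>\t (file not found)\n")

    staged = populate_chroot(newroot, ["/usr/bin/ls"], ldd=canned_ldd,
                             source_root=fake_root)
    present = all(os.path.isfile(os.path.join(newroot, s.lstrip("/")))
                  for s in staged)
    shutil.rmtree(work)
    return staged, present


if __name__ == "__main__":
    print(demo_staging())
```

Against a live system the call is `populate_chroot("/export/ftp", ["/usr/bin/ls"])`, after which the /etc copies, the zoneinfo directory and the device nodes from the list above still have to be added by hand.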
Pluggable Authentication Module (PAM)
The Pluggable Authentication Module (PAM) framework allows new
authentication technologies to be plugged in without changing system
services such as login, ftp, telnet, and so on. PAM can also integrate
the UNIX login service with other security mechanisms such as the
Distributed Computing Environment (DCE), Generic Security Services
(GSS), or the Kerberos authentication system, Sun Enterprise
Authentication Mechanism (SEAM). You can also use this framework to
plug in mechanisms for account, session, and password management.
The PAM application program interface (API) and Kerberos complement
each other: the PAM API supports user authentication by the system
entry servers while Kerberos supports network-based client-server
authentication. Therefore, when users on client systems are authenticated
through PAM, they can communicate securely with other Kerberos
network services.
PAM is integrated into the Solaris 8 OE. PAM is also available on other
versions of UNIX.
PAM Runtime Modules
PAM uses runtime pluggable modules to provide authentication for local
and remote system entry services. These modules are organized into four
different function types:
• Authentication modules: Provide authentication for users and allow
credentials to be set, refreshed, or destroyed. Authentication
modules are useful as an administration tool.
• Account modules: Check for password aging, account expiration,
and access time restrictions. After the user is identified through the
authentication modules, the account modules determine if the user is
allowed access.
• Session modules: Manage the opening and closing of an
authentication session. Session modules can log activity or clean up
after the session is over.
• Password modules: Provide the mechanism for changing a
password.
The module services can be stacked, which provides:
• User authentication through the use of multiple services. The PAM
framework provides a method for authenticating users with multiple
services using stacking. Depending on the configuration, the user
can be prompted for passwords for each authentication method. The
order in which the authentication services are used is determined
through the PAM configuration file.
• A password-mapping feature. The stacking method can require users
to remember several passwords. With the password-mapping feature
enabled, the primary password decrypts the other passwords, so that
the user does not have to enter multiple passwords. Another option
is to synchronize the passwords across each authentication
mechanism.
Note: Synchronized passwords could increase the security risk, because
the security of each mechanism is limited by the least secure password
method used in the stack.
The pam_unix Module
The pam_unix module, /usr/lib/security/pam_unix.so.1, provides
support for all four types of runtime modules. This module uses UNIX
passwords for authentication. The /etc/nsswitch.conf file defines the
following name services which control password records:
• dial_auth: You can only use the
/usr/lib/security/pam_dial_auth.so.1 module for
authentication. (See the pam_dial_auth man page.) The dial_auth
module uses data stored in the /etc/dialups and /etc/d_passwd files
for authentication. The dial_auth service is mainly used by the login
command.
• rhosts_auth: You can also use the
/usr/lib/security/pam_rhosts_auth.so.1 module for
authentication. (See the pam_rhosts_auth man page.) The
rhosts_auth module uses data stored in the ~/.rhosts and
/etc/hosts.equiv files and the rlogin and rsh commands.
Note: For security reasons, these module files must be owned by the
root user and must not be writable through group or other permissions.
If the file is not owned by the root user, PAM does not load the module.
Figure 13-1 shows how the PAM modules relate to each other and
the network services using them.
Figure 13-1 PAM Module Structure
The ftp, telnet, and login applications use the PAM library to access
the appropriate module. The /etc/pam.conf configuration file defines:
• Which PAM modules to use
• In what order to use modules with each application
Responses from the modules are passed back through the library to the
application.
PAM Library
The PAM library, /usr/lib/libpam, provides the framework to load the
appropriate modules and manage the stacking process. It also provides a
generic plug-in structure for the modules.
PAM Configuration File
The /etc/pam.conf file controls the PAM configuration, determines
which authentication services to use, and in which order the
authentication services are used. You can edit this file to select
authentication mechanisms for each system-entry application.
Configuration File Syntax
The /etc/pam.conf PAM configuration file consists of lines of
tab-separated entries with the following syntax:
service_name module_type control_flag module_path module_options
Code 13-2 shows a portion of a PAM configuration file.
Code 13-2 PAM Configuration File Syntax
login  auth  required   /usr/lib/security/pam_unix.so.1
su     auth  requisite  /usr/lib/security/pam_inhouse.so.1
su     auth  required   /usr/lib/security/pam_unix.so.1  debug
Code 13-2 consists of:
• service_name: Name of the service: ftp, login, or telnet.
• module_type: Module type for the service: auth, account,
session, or password.
• control_flag: Continuation or failure semantics for the module:
requisite, required, sufficient, or optional. These flags are
described in "PAM Control Flags" on page 13-31.
• module_path: Path to the library object that controls the service's
function.
• module_options: Module-specific options that are passed to the
service modules. The values for this field can be found in the manual
pages for each module. For example, the pam_unix module has the
use_first_pass and try_first_pass options which allow users to
reuse the same password for authentication without retyping it.
An entry in the PAM configuration file is incorrect if:
• The line has fewer than four fields
• An invalid value is given for module_type or control_flag
• The named module is not found
PAM Control Flags
Control flags indicate how to handle a successful or a failed attempt
through each module. The control flags also determine the continuation or
failure behavior of a module during the authentication process.
You must use one of the four control flags (requisite, required,
optional, or sufficient) for each entry. These flags apply to all module
types. The control flags, when used for authentication modules, cause the
following behaviors:
• requisite: The module must return success for additional
authentication to occur. If a failure occurs for a module flagged as
requisite, an error is returned to the application and no additional
authentication is done. If the stack does not include prior failed
modules labeled as required, then the error from the current
module is returned. If an earlier module labeled as required has
failed, the error message from the earlier module is returned.
• required: The module must return success for the overall result to
be successful. If all of the modules are labeled required, then
authentication through all modules must succeed for the user to be
authenticated. If some of the modules fail, then an error value from
the first failed module is reported. If a failure occurs for a module
flagged as required, all modules in the stack are still tried but
failure is returned. If none of the modules are flagged as required,
then only one of the entries for that service must succeed for the user
to be authenticated.
• optional: If this module fails, the overall result can be successful if
another module in this stack returns success. Use the optional flag
when one success in the stack is enough for a user to be
authenticated. Use this flag only if it is not important for this
particular mechanism to succeed. If your users need to have
permissions associated with a specific mechanism, do not label the
module optional.
• sufficient: If this module is successful, skip the remaining
modules in the stack, even if they are labeled required. The
sufficient flag indicates that one successful authentication is
enough to grant the user access.
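The configuration-file rules from "Configuration File Syntax" and the four control flags described above, as an added Python model (not Sun's libpam): parse_pam_conf applies the three "incorrect entry" checks that can be made on the text alone, and evaluate_stack walks one service's stack with each module's outcome supplied by the caller, so the stacking behaviour can be studied offline. The sample entries are the login, rlogin and other auth lines of Code 13-3 later in this section; $ISA is expanded to "" (the 32-bit library directory) by assumption. One detail the text leaves implicit is modelled the way Solaris libpam behaves: a sufficient module's success ends the stack with success only if no earlier required module has already failed.

```python
"""Parse /etc/pam.conf entries and walk a module stack under the requisite,
required, sufficient and optional control flags. Added example, not Sun's
libpam; module outcomes come from the caller."""
from collections import namedtuple

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"requisite", "required", "sufficient", "optional"}

PamEntry = namedtuple("PamEntry",
                      "service module_type control_flag module_path options")

# Excerpt of Code 13-3 (tab separated, as in the real file).
SAMPLE_PAM_CONF = (
    "# Authentication management\n"
    "login\tauth\trequired\t/usr/lib/security/$ISA/pam_unix.so.1\n"
    "login\tauth\trequired\t/usr/lib/security/$ISA/pam_dial_auth.so.1\n"
    "rlogin\tauth\tsufficient\t/usr/lib/security/$ISA/pam_rhosts_auth.so.1\n"
    "rlogin\tauth\trequired\t/usr/lib/security/$ISA/pam_unix.so.1\n"
    "other\tauth\trequired\t/usr/lib/security/$ISA/pam_unix.so.1\n"
)


def parse_pam_conf(text, isa=""):
    """Return (ent
ries, errors). An entry is incorrect when it has fewer than
    four fields or an invalid module_type or control_flag; whether the
    module file exists is the third check and needs the real file system."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            errors.append(f"line {lineno}: fewer than four fields")
            continue
        service, mtype, flag, path = fields[:4]
        if mtype not in MODULE_TYPES:
            errors.append(f"line {lineno}: invalid module_type {mtype!r}")
            continue
        if flag not in CONTROL_FLAGS:
            errors.append(f"line {lineno}: invalid control_flag {flag!r}")
            continue
        path = path.replace("$ISA", isa).replace("//", "/")   # assumption: 32-bit
        entries.append(PamEntry(service, mtype, flag, path, fields[4:]))
    return entries, errors


def stack_for(entries, service, module_type):
    """A service's entries in file order; a service with no entry of that
    type falls back to the 'other' entries, as libpam does."""
    own = [e for e in entries
           if e.service == service and e.module_type == module_type]
    return own or [e for e in entries
                   if e.service == "other" and e.module_type == module_type]


def evaluate_stack(stack, results):
    """Walk the stack; `results` maps module file name -> True/False (a module
    with no recorded outcome counts as failed).
    Returns (success, explanation, modules consulted in order)."""
    consulted, first_required_failure = [], None
    saw_required = any_success = False
    for entry in stack:
        name = entry.module_path.rsplit("/", 1)[-1]
        ok = results.get(name, False)
        consulted.append(name)
        any_success = any_success or ok
        if entry.control_flag == "requisite":
            if not ok:          # stop now; an earlier required failure is what gets reported
                failed = first_required_failure or name
                return False, f"{failed} failed (stack stopped at requisite {name})", consulted
            saw_required = True
        elif entry.control_flag == "required":
            saw_required = True
            if not ok and first_required_failure is None:
                first_required_failure = name   # keep going, but the result is failure
        elif entry.control_flag == "sufficient":
            if ok and first_required_failure is None:
                return True, f"sufficient {name} succeeded; remaining modules skipped", consulted
        # optional: its outcome only matters through any_success when nothing else decides
    if first_required_failure is not None:
        return False, f"required {first_required_failure} failed", consulted
    if saw_required:
        return True, "every required module succeeded", consulted
    if any_success:
        return True, "no required modules; one entry succeeded", consulted
    return False, "no module succeeded", consulted


if __name__ == "__main__":
    entries, errors = parse_pam_conf(SAMPLE_PAM_CONF)
    rlogin = stack_for(entries, "rlogin", "auth")
    print(evaluate_stack(rlogin, {"pam_rhosts_auth.so.1": True, "pam_unix.so.1": False}))
    print(evaluate_stack(rlogin, {"pam_rhosts_auth.so.1": False, "pam_unix.so.1": True}))
```

Run against the rlogin stack, the model shows the two paths the text describes: a trusted-host success ends the stack without ever consulting pam_unix, while a trusted-host failure falls through to the UNIX password, whose required result then decides.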
Example PAMConguration
Code 13-3 shows an example PAM conguration le.
Code 13-3 PAM Conguration File
1 # cat /etc/pam.conf
2 #ident "@(#)pam.conf 1.15 00/02/14 SMI"
3 #
4 # Copyright (c) 1996-1999 by Sun Microsystems, Inc.
5 # All rights reserved.
6 #
7 # PAM configuration
8 #
9 # Authentication management
10 #
11 login auth required /usr/lib/security/$ISA/pam_unix.so.1
12 login auth required
/usr/lib/security/$ISA/pam_dial_auth.so.1
13 #
14 rlogin auth sufficient
/usr/lib/security/$ISA/pam_rhosts_auth.so.1
15 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
16 #
17 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
18 #
19 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
20 other auth required /usr/lib/security/$ISA/pam_unix.so.1
21 #
22 # Account management
23 #
24 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
25 login account required /usr/lib/security/$ISA/pam_projects.so.1
26 login account required /usr/lib/security/$ISA/pam_unix.so.1
27 #
28 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
29 dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
30 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
31 #
32 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
33 other account required /usr/lib/security/$ISA/pam_projects.so.1
34 other account required /usr/lib/security/$ISA/pam_unix.so.1
35 #
36 # Session management
37 #
38 other session required /usr/lib/security/$ISA/pam_unix.so.1
39 #
40 # Password management
41 #
42 other password required /usr/lib/security/$ISA/pam_unix.so.1
43 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
44 #
In Code 13-3 on page 13-32, the $ISA variable expands to the architecture of the current system, which allows one configuration file for multiple architectures.
In Code 13-3 on page 13-32, the example file defines that:
• For login, authentication is required for both the pam_unix and the pam_dial_auth modules (Lines 11-12).
• For rlogin, if authentication through pam_rhosts_auth fails, authentication through the pam_unix module must succeed. The sufficient control flag indicates that if authentication through the pam_rhosts_auth module succeeds, the pam_unix authentication is skipped (Lines 14-15).
• Authentication for rsh must succeed through the pam_rhosts_auth module (Line 19).
• The other service name allows you to set a default for any other commands requiring authentication. The other option makes it easier to administer the file, because many commands using the same module can be covered with one other entry. In addition, the other service name ensures that each access is covered by one module. By convention, the other entry is included at the bottom of the section for each module type (Line 20 is the first example of an other entry).
• The remaining entries in the file configure the account, session, and password management.
The /usr/lib/security/$ISA/ path is placed in front of the file name if an absolute path is not used. Therefore, use a full path name for modules located in other directories.
If login specifies authentication through both the pam_local and pam_unix modules, then the user must enter a password for each module. If both passwords are the same, the use_first_pass module option prompts the user for only one password and uses that password to authenticate the user for both modules. If the passwords are different, the authentication fails. Use this option with an optional control flag, as shown in Code 13-4, to ensure that the user can log in.
Code 13-4 The use_first_pass Authentication Option
# Authentication management
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth optional /usr/lib/security/$ISA/pam_local.so.1 use_first_pass
Deploying PAM
Before you decide how to employ PAM in an environment, you should address these issues first:
• Determine which modules to use
• Identify the services that need special attention; use the other service where appropriate so that every application does not have to be included
• Decide on the order in which the modules should be run
• Select the control flag for that module
• Choose any options necessary for the module
Note – Consider the security implications when using the sufficient and optional control flags.
Adding a PAM Module
To add a PAM module, follow these steps:
1. Become superuser.
2. Determine which control flags and other options to use.
3. Copy the new module to the /usr/lib/security directory.
4. Change the owner of the module to the root user with permissions 555.
5. Edit the /etc/pam.conf PAM configuration file and add this module to the appropriate services.
Caution – The superuser might not be able to log in if the PAM configuration file is misconfigured or becomes corrupted. The superuser might have to boot the machine into single-user mode to fix the problem.
6. Review the /etc/pam.conf file after making any changes effective.
7. Test the services to ensure that the configuration file has not been misconfigured. Use the rlogin, su, and telnet services.
Note – If the service being tested is a daemon that is launched when the system is booted, you might need to reboot the system to verify that the module has been added.
8. Reboot the system and test all affected services again.
Disabling Remote Access Using PAM
You can use PAM access control to disable the trusted host mechanism (/etc/hosts.equiv and .rhosts files) on a server.
To disable trusted hosts for the rlogin command, remove this entry from the PAM configuration file (/etc/pam.conf):
rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
Deleting the previous line prevents the /etc/hosts.equiv and $HOME/.rhosts files from being accessed during an rlogin session and prevents unauthenticated access to the local system from remote systems. All rlogin accesses require a password, regardless of the presence or contents of any $HOME/.rhosts or /etc/hosts.equiv files.
To disable the rsh service, delete the line:
rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
Deleting this line stops unauthenticated access to the $HOME/.rhosts file.
In practice, you should stop the remote services from running by commenting out the following lines in the /etc/inetd.conf file:
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
Users can use the telnet command as an alternative to the rlogin command.
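Because a misconfigured pam.conf can lock the superuser out (see the caution under Adding a PAM Module), it is worth checking an edited copy before it goes live. The script below is an added example, not Sun's code: it parses the five-field layout of Code 13-3, verifies the module type and control flag, resolves the $ISA path against a directory you name, applies the root-owner and mode 555 rule from Adding a PAM Module, flags any pam_rhosts_auth entry so that trusted-host access is a deliberate choice, and confirms that every module type has an other entry. The fixture at the end is constructed for the demonstration; pam_lint_fixture, pam_lint and the sample file names are this example's own.

```shell
#!/bin/sh
# pam_lint: sanity-check a pam.conf before it is made live (added example,
# not Sun's code). Assumes the five-field layout shown in Code 13-3:
#   service  module-type  control-flag  module-path  [options]
# $1 = the pam.conf to check (work on a copy; the live file stays untouched)
# $2 = a directory standing in for /usr/lib/security/$ISA on the target
# $3 = expected module owner (default root, as in "Adding a PAM Module")
# Findings go to stdout; the return status is the number of findings.
pam_lint() {
    conf=$1; moddir=$2; owner_exp=${3:-root}
    isa='/usr/lib/security/$ISA/'   # literal text, as it appears in pam.conf
    problems=0; covered=''
    while read -r service type flag module options; do
        case $service in ''|'#'*) continue ;; esac
        case $type in
            auth|account|session|password) ;;
            *) echo "$service: unknown module type '$type'"
               problems=$((problems + 1)) ;;
        esac
        case $flag in
            required|requisite|optional|sufficient) ;;
            *) echo "$service $type: unknown control flag '$flag'"
               problems=$((problems + 1)) ;;
        esac
        # 'other' entries are the catch-all; record which types they cover
        [ "$service" = other ] && covered="$covered $type"
        # pam_rhosts_auth enables hosts.equiv/.rhosts trust for the service;
        # list it so that its presence is a deliberate decision
        case $module in *pam_rhosts_auth*)
            echo "$service $type: trusted-host module in use ($flag)"
            problems=$((problems + 1)) ;;
        esac
        # $ISA paths and bare module names both resolve under $moddir
        case $module in
            "$isa"*) path=$moddir/${module#"$isa"} ;;
            /*)      path=$module ;;
            *)       path=$moddir/$module ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$service $type: module not found: $module"
            problems=$((problems + 1)); continue
        fi
        # steps 3-4 of "Adding a PAM Module": root-owned, mode 555, so the
        # module must never be group- or world-writable
        set -- $(ls -ld "$path"); mode=$1; owner=$3
        if [ "$owner" != "$owner_exp" ]; then
            echo "$service $type: $module owned by $owner, expected $owner_exp"
            problems=$((problems + 1))
        fi
        case $(printf '%s' "$mode" | cut -c1-10) in
            ?????w????|????????w?)
                echo "$service $type: $module is group/world writable ($mode)"
                problems=$((problems + 1)) ;;
        esac
    done < "$conf"
    # each module type should fall through to an 'other' entry
    for t in auth account session password; do
        case " $covered " in *" $t "*) ;;
            *) echo "no 'other' entry for module type $t"
               problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}

# Constructed fixture for the demo and the test: fake module files plus a
# pam.conf modelled on Code 13-3, seeded with four defects.
pam_lint_fixture() {
    dir=$(mktemp -d)
    for m in pam_unix pam_dial_auth pam_roles pam_projects pam_rhosts_auth; do
        : > "$dir/$m.so.1"; chmod 555 "$dir/$m.so.1"
    done
    chmod 775 "$dir/pam_projects.so.1"        # defect: group-writable module
    cat > "$dir/pam.conf" <<'EOF'
# constructed sample pam.conf
login   auth     required   /usr/lib/security/$ISA/pam_unix.so.1
login   auth     required   /usr/lib/security/$ISA/pam_dial_auth.so.1
rlogin  auth     sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth     required   /usr/lib/security/$ISA/pam_unix.so.1
other   auth     required   /usr/lib/security/$ISA/pam_unix.so.1
login   account  requisite  /usr/lib/security/$ISA/pam_roles.so.1
other   account  required   /usr/lib/security/$ISA/pam_projects.so.1
other   session  requird    /usr/lib/security/$ISA/pam_unix.so.1
other   password required   /usr/lib/security/$ISA/pam_krb5.so.1
EOF
    echo "$dir"
}

demo=$(pam_lint_fixture)
pam_lint "$demo/pam.conf" "$demo" "$(id -un)" || echo "$? finding(s)"
rm -rf "$demo"
```

On a Solaris host the same function runs against a copy of /etc/pam.conf with the real module directory as the second argument and root as the owner.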
Initiating PAM Error Reporting
You can configure the PAM error reporting mechanism to:
• Display alert messages on the console
• Mail critical messages to the root user
• Append informational and debug messages to the /var/log/pamlog file
• Report errors using the Syslog utility
• Report messages under the auth facility label
To configure PAM error reporting, follow these steps:
1. Add the following PAM error reporting entries to the /etc/syslog.conf file:
a. auth.alert /dev/console
b. auth.crit "root"
c. auth.info;auth.debug /var/log/pamlog
2. Create the log file.
# touch /var/log/pamlog; chmod 600 /var/log/pamlog
3. Restart the syslog daemon or send the daemon a SIGHUP signal to activate the PAM error reporting.
# /etc/init.d/syslog stop
Stopping the syslog service.
# /etc/init.d/syslog start
syslog service starting.
Each line in the pamlog file contains a time stamp, the name of the system that generated the message, and the message itself.
Note – The pamlog file can become very large as large amounts of information are logged.
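The three syslog.conf entries and the log file above are easy to get subtly wrong, so here is an added check (not Sun's code) that confirms all of them on a copy of the file. It assumes the Solaris syslog.conf rule that the selector and action are separated by tabs, not spaces, and that the auth.crit action is the user name root written without quotation marks; a space-separated entry is therefore reported as a finding. syslog_pam_check, syslog_fixture and the sample file contents are this example's own.

```shell
#!/bin/sh
# syslog_pam_check: verify the three PAM error-reporting entries and the
# pamlog file described above (added example, not Sun's code).
# $1 = syslog.conf to inspect (a copy is fine), $2 = path of the pamlog file.
# Prints one line per finding; silence means the setup is complete.
# Assumption: Solaris syslogd wants tabs, not spaces, between selector and
# action, so an entry written with spaces is reported as well.
syslog_pam_check() {
    conf=$1; log=$2; tab=$(printf '\t')
    set -- auth.alert /dev/console auth.crit root 'auth.info;auth.debug' "$log"
    while [ $# -gt 0 ]; do
        sel=$1; act=$2; shift 2
        if grep -q "^$sel$tab$tab*$act" "$conf"; then
            :                                   # present and tab-separated
        elif grep -q "^$sel[[:space:]]* [[:space:]]*$act" "$conf"; then
            echo "entry '$sel $act' uses spaces; syslogd needs tabs between fields"
        else
            echo "missing entry: $sel<TAB>$act"
        fi
    done
    # step 2: the log exists and is readable by root only (mode 600)
    if [ -f "$log" ]; then
        set -- $(ls -ld "$log")
        case $1 in -rw-------*) ;; *) echo "$log should be mode 600, found $1" ;; esac
    else
        echo "$log does not exist (touch it and chmod 600)"
    fi
    return 0
}

# Constructed syslog.conf and pamlog for the demo and the test: one entry
# correct, one written with spaces (a common mistake), one missing, and the
# log file created with the wrong mode.
syslog_fixture() {
    dir=$(mktemp -d)
    {
        printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n'
        printf 'auth.alert\t/dev/console\n'
        printf 'auth.crit   root\n'
    } > "$dir/syslog.conf"
    : > "$dir/pamlog"; chmod 644 "$dir/pamlog"
    echo "$dir"
}

demo=$(syslog_fixture)
syslog_pam_check "$demo/syslog.conf" "$demo/pamlog"
rm -rf "$demo"
```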
Sun Enterprise Authentication Mechanism (SEAM)
SEAM is a client-server authentication mechanism based on Kerberos 5. SEAM is a single sign-on system which authenticates the user once and then grants access to authorized network resources automatically. SEAM does not transmit unencrypted passwords across the network.
Enhancing Security Using Kerberos v5
In 1983, the Massachusetts Institute of Technology (MIT), IBM, and Digital Equipment Corporation began work on the Athena Project to develop an integrated network environment for the university campus. The Athena Project developed a solution called Kerberos to solve the security problems of working with insecure computers (PCs running MS-DOS) and an open network susceptible to sniffing attacks.
Kerberos is an authentication system which uses Data Encryption Standard (DES) cryptography to protect sensitive information such as passwords on an open network. When a user logs on to a system running Kerberos, the user is issued a ticket supplied by the Kerberos Authentication server. The ticket can only be decrypted with the user's password and contains information necessary to obtain additional tickets. From that point, whenever the user wants to access a network service, a valid ticket must be presented. These tickets are obtained from the Kerberos server. All of the information in a Kerberos ticket is encrypted before it is transmitted over the network.
The Kerberos server stores the user name and password information locally. Passwords are never transmitted over the network. Unlike UNIX, Kerberos uses a reversible encryption algorithm (DES), so passwords can be decrypted when they are required. Allowing the passwords to be decrypted is a weakness in the system because the Kerberos server must be secure and invulnerable to attack. An intruder that breaks in to the Kerberos server has access to all of the passwords on the network.
Kerberos was developed before public key encryption such as RSA (Rivest, Shamir, and Adleman, the professors who developed the RSA algorithm) and Diffie-Hellman algorithms were publicly available.
Logging in Using Kerberos v5
Users logging in to a Kerberos protected system enter their user names and passwords as usual. The system contacts the Kerberos Authentication server, sending a data packet with the user name and the current system time encrypted with the user's password. If the Kerberos server can decrypt the time in the user's data packet, it returns a ticket-granting ticket, encrypted with the user's password. The user's system can now contact the Kerberos ticket granting server to obtain tickets for access to network services.
Kerberos Features
Kerberos contains the following features:
• Passwords are only stored on the Kerberos server.
• The user's password is never transmitted across the network.
• The Kerberos Authentication server can validate the user's identity because it stores the user's password. Part of the Kerberos system setup requires that the user's password be stored on the Kerberos server.
• The user can validate the Kerberos server's identity because it knows the user's password.
• Network sniffing can only pick up encrypted Kerberos data packets or tickets.
Note – Encrypted Kerberos packets have a well-known data format and are more susceptible to decrypting than a packet whose plain text is entirely unknown. Kerberos tickets have a limited lifetime. Kerberos tickets expire and new versions must be issued. The lifetime of a Kerberos ticket is less than the time it currently requires to break the encryption using brute force techniques.
Understanding Kerberos Limitations
Kerberos is a good solution to a difficult problem but it has the following limitations:
• Using Kerberos is not transparent. Every network service (for example login) requires modifications to use the mechanism.
• Kerberos does not work well with multi-user systems. Kerberos was designed for single-user workstations and stores tickets in the /tmp directory. These tickets can be stolen and used for fraudulent access to the network services.
• The Kerberos Authentication server is a weak point. Special care must be taken to ensure the security and integrity of this system.
• The Kerberos Authentication server must be continuously available. Therefore, it is a single point of failure.
• Kerberos stores all DES encrypted passwords using a single key which is stored on the hard disk of the Authentication server. If the Authentication server is ever compromised, all network passwords must be changed.
Configuring SEAM Clients
To configure a SEAM client, you must modify the PAM configuration files. You must enhance the standard /etc/pam.conf configuration to include the Kerberos authentication module /usr/lib/security/pam_krb5.so.1 for every service that requires SEAM.
The standard PAM configuration file contains the required lines for this configuration, therefore you only need to uncomment the appropriate lines. The Solaris AnswerBook includes step-by-step instructions for configuring SEAM.
Uncomment the lines shown in Code 13-5 in the standard /etc/pam.conf file to use the SEAM Kerberos authentication modules.
Code 13-5 Using SEAM Kerberos Authentication Modules
rlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
login auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other auth optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#
dtlogin account optional /usr/lib/security/$ISA/pam_krb5.so.1
other account optional /usr/lib/security/$ISA/pam_krb5.so.1
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
To use SEAM across your network, you must install a SEAM (Kerberos)
server. The SEAM server is available under license from Sun
Microsystems (see http://www.sun.com/solaris/ds/ds-seam.html).
Exercise: Securing Network Services
In this exercise, you complete the following tasks:
• Disable some network services
• Configure trusted hosts
• Disable trusted host configuration files using PAM
• Set up Anonymous FTP
Preparation
Ensure that you know the host name of your workstation and identify a nearby colleague who you will work with to test and secure each other's network services.
Tasks
Although these tasks are written for people working in pairs, you can work through the questions alone by configuring and testing your own workstation.
You are not required to finish all of the tasks in the time allocated by the instructor.
Task – Disabling Network Services
To disable Network Services:
1. Verify that you can run the finger command to find out who is logged in to your colleague's system. For example:
# finger @otherhost
2. Run finger for one of the users to get further details about that user on the other workstation. Use the command format below; otherwise you run the local finger command, which reports users on your own workstation, rather than the network version.
# finger user@otherhost
You can always prime the data by using the telnet command to log into the system as the user alice, bob, or eve.
3. Ensure that your colleague can run the same commands on your system.
4. Both of you should now disable the finger service in /etc/inetd.conf and verify that you can no longer run the finger command to obtain data from your colleague's workstation.
Task – Understanding Trusted Hosts
1. Look at the three example trusted hosts files shown in Code 13-6.
Code 13-6 Trusted Hosts Files
# hostname
wallace
# more /etc/hosts.equiv
grommit
# more /.rhosts
penguin
# /export/home/alice/.rhosts
penguin
sean awonder
2. Answer the following questions:
a. Can the root user on grommit copy files to and from wallace?
b. Can user alice on grommit run commands on wallace?
c. Can user alice on penguin run commands on wallace?
d. Can the root user on wallace copy files to and from penguin?
e. Can user awonder on sean run commands on wallace?
f. Can the root user on grommit log in to wallace?
Task – Configuring Trusted Hosts
Working with your partner, set up your systems so that the root user and the user alice (but no other user) can run remote commands and copy files remotely.
Task – Disabling Trusted Hosts
Working with your partner, configure PAM so that the rsh and rcp commands cannot be used and configure the rlogin command so that it always requires a password from the remote user.
Task – Configuring Anonymous FTP
Read the manual page for the in.ftpd daemon and follow the instructions to configure Anonymous FTP (the manual page includes a shell script which automates the entire process).
Extract the shell script from the manual page by redirecting the output from the man command to a text file and editing out the non-shell script information.
For example:
# man in.ftpd >ftp.sh
Exercise Summary
Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
• Experiences
• Interpretations
• Conclusions
• Applications
Exercise Solutions
The following paragraphs describe the Solaris OE commands necessary to solve the problems posed in the exercises for this module.
Disabling Network Services
Edit the /etc/inetd.conf file and comment out the following line:
#finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
Send the hang-up signal to the inetd process (get the process ID from the ps listing):
# ps -ef | grep inetd
# kill -HUP pid
The finger command should now fail with a connection refused error message.
Understanding Trusted Hosts
Answers to the questions:
a. Can the root user on grommit copy files to and from wallace?
No. hosts.equiv grants access to all users on grommit except the root user, and the file /.rhosts does not list grommit as a trusted host.
b. Can user alice on grommit run commands on wallace?
Yes. hosts.equiv grants access to all users on grommit except root.
c. Can user alice on penguin run commands on wallace?
Yes. While hosts.equiv does not grant access to users on penguin, the .rhosts file of user alice does list penguin.
d. Can the root user on wallace copy files to and from penguin?
Unknown. The trusted hosts files on penguin control access to penguin, and these have not been shown.
e. Can user awonder on sean run commands on wallace?
Yes, as long as the -l option is used. The .rhosts file of user alice does list the host sean and the user awonder, but the command must be run as user alice. For example:
# rsh -l alice wallace ls -l
f. Can the root user on grommit log in to wallace?
Yes, but a password is required. The trusted host files do not allow the rcp or rsh commands to run but will not stop the rlogin command. A valid password must be supplied.
Configuring Trusted Hosts
Identify the host name of your colleague's system. For the purposes of this solution this is otherhost. To grant root access to otherhost add a line to your /.rhosts file:
# cat >>/.rhosts
otherhost
^D
To grant access to user alice, do the same thing to alice's .rhosts file (make sure alice owns the .rhosts file).
# su - alice
$ cat >>~/.rhosts
otherhost
^D
$ exit
Your colleague must do the same but must specify your host name instead of otherhost.
The rsh and rcp commands now work as required.
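The answers above follow a small set of rules, and the same rules can be applied mechanically when auditing which remote identities a host trusts. The function below is an added example, not part of the course: given the local user, the remote host and user, and the two files that apply, it reports whether rsh and rcp would be accepted without a password, using exactly the rules the answers rely on (hosts.equiv covers same-named users except root, /.rhosts covers root, a user's .rhosts holds "host" or "host user" lines). It also handles the "+" wildcard, which the page mentions only under the COPS checks. The fixture reproduces Code 13-6 as seen on wallace; rhosts_trust, rhosts_fixture and the file names root.rhosts and alice.rhosts are this example's own.

```shell
#!/bin/sh
# rhosts_trust: decide whether the trusted-host files let REMOTE_USER on
# REMOTE_HOST act as LOCAL_USER on this host without a password (added example,
# not part of the course). Rules, as used in the exercise answers:
# /etc/hosts.equiv covers same-named users except root, /.rhosts covers root,
# and a user's ~/.rhosts holds "host" or "host user" lines; a bare "+" in
# either file matches any host (and "+" in the user column any user).
# usage: rhosts_trust LOCAL_USER REMOTE_HOST REMOTE_USER HOSTS_EQUIV RHOSTS
# returns 0 = trusted (rsh/rcp work), 1 = a password is required
rhosts_trust() {
    local_user=$1 rhost=$2 ruser=$3 hosts_equiv=$4 rhosts=$5
    # /etc/hosts.equiv: same user name on a listed host, root never included
    if [ "$local_user" != root ] && [ "$ruser" = "$local_user" ] && [ -f "$hosts_equiv" ]; then
        while read -r h rest; do
            [ "$h" = "$rhost" ] || [ "$h" = + ] && return 0
        done < "$hosts_equiv"
    fi
    # the local user's own .rhosts (/.rhosts for root)
    [ -f "$rhosts" ] || return 1
    while read -r h u; do
        case $h in ''|'#'*) continue ;; esac
        [ "$h" = "$rhost" ] || [ "$h" = + ] || continue
        if [ -z "$u" ]; then
            [ "$ruser" = "$local_user" ] && return 0       # "host": same user name
        else
            [ "$u" = "$ruser" ] || [ "$u" = + ] && return 0 # "host user"
        fi
    done < "$rhosts"
    return 1
}

# Constructed copy of the three files in Code 13-6 (as seen on wallace)
rhosts_fixture() {
    dir=$(mktemp -d)
    printf 'grommit\n' > "$dir/hosts.equiv"                 # /etc/hosts.equiv
    printf 'penguin\n' > "$dir/root.rhosts"                 # /.rhosts
    printf 'penguin\nsean awonder\n' > "$dir/alice.rhosts"  # /export/home/alice/.rhosts
    echo "$dir"
}

# Walk questions (a), (b), (c) and (e) plus one extra case (root from penguin).
# Each entry: LOCAL_USER REMOTE_HOST REMOTE_USER RHOSTS-FILE-OWNER
d=$(rhosts_fixture)
for q in 'root grommit root root' 'alice grommit alice alice' \
         'alice penguin alice alice' 'alice sean awonder alice' 'root penguin root root'; do
    set -- $q
    if rhosts_trust "$1" "$2" "$3" "$d/hosts.equiv" "$d/$4.rhosts"; then
        echo "$3@$2 as $1 on wallace: trusted, no password"
    else
        echo "$3@$2 as $1 on wallace: password required"
    fi
done
rm -rf "$d"
```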
Disabling Trusted Hosts
Edit the /etc/pam.conf file and comment out the rlogin and rsh lines which refer to the pam_rhosts_auth.so.1 authentication module. Make sure that rlogin still has the pam_unix.so.1 module defined or rlogin does not prompt for a password. For example:
# rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
# rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
The rsh and rcp commands no longer work and rlogin always prompts for a password.
Note – On a live system you would disable the rsh and rlogin network service by editing /etc/inetd.conf rather than removing the authentication modules. However, if your users want to use the rlogin service rather than the telnet service, then disabling the trusted hosts files for the rlogin service is a sensible precaution.
Configuring Anonymous FTP
1. Create a user called ftp whose home directory is the Anonymous ftp area. This user should be in a separate group from all other users and should not have a valid login shell. Use the commands:
# groupadd -g 30000 ftp
# useradd -u 30000 -g 30000 -c "Anonymous FTP" -s /usr/bin/false \
-d /export/anon ftp
2. The ftp user should not have a valid password. The default password is *LK*, which has locked the account from login. You might want to edit the /etc/shadow file and set the password to NP to show that this account is never used.
3. Extract the make Anonymous FTP script from the in.ftpd manual pages as shown in Task – Configuring Anonymous FTP on page 13-53. If you want, run the following sed command which extracts the script automatically (be sure to enter the script exactly as shown):
# man in.ftpd | sed -n '{
> s/^[ ]*//
> /^$/d
> /^SunOS/d
> /^Maintenance/d
> /^#!/,/^#chmod 1755 ${ftphome}\/pub/p
> }' >mkftp
4. Make the script executable using:
# chmod +x mkftp
5. Execute this script:
# ./mkftp
This script obtains the Anonymous FTP directory from the ftp user entry in the /etc/passwd file and copies in all the required programs, libraries, and device files.
6. Test your Anonymous FTP account by running FTP to connect to your workstation and log in as anonymous (use any password):
# ftp localhost
Connected to 192.168.1.2.
220 wallace FTP server (SunOS 5.8) ready.
User (192.168.0.250:(none)): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.1,1057) (0 bytes).
bin
dev
etc
local.cshrc
local.login
local.profile
pub
usr
226 ASCII Transfer complete.
ftp: 66 bytes received in 0.22Seconds 0.30Kbytes/sec.
ftp>
Module 14
Hardening the System
Objectives
Upon completion of this module, you should be able to:
• List at least two reasons for hardening a system
• Describe the role of Titan in a secure system
• Install and configure Titan
• Write a Titan module
• Configure and use the Automated Security Enhancement Tool (ASET)
Relevance
Discussion – The following questions are relevant to understanding the role of system hardening:
• Do your default file system permissions provide a secure installation?
• Are all your user accounts configured in a secure manner?
• Have you secured all of your system's network services?
• Do you need to apply the same changes to multiple systems?
• Can you automate any of these standard security measures?
Additional Resources
Additional resources – The following references provide additional information on the topics described in this module:
• Online manual pages for aset(1).
• Solaris OE AnswerBook 2.
• Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O'Reilly & Associates, Inc., 1996.
• Frisch, Aeleen. System Administration. 2nd Ed. O'Reilly & Associates, Inc., 1995.
• Solaris OE Security Toolkit; [http://www.sun.com/security/jass]
• Solaris Operating Environment Whitepapers on Security;
[http://www.sun.com/blueprints/1299/minimization.pdf]
[http://www.sun.com/blueprints/1299/network.pdf]
[http://www.sun.com/blueprints/0100/security.pdf]
[http://www.sun.com/blueprints/tools]
• COPS online resources; [ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/cops]
• Tiger online resources; [ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/tiger]
• Titan online resources; [http://www.fish.com/titan/]
System Hardening
The goal of system hardening is to install the Solaris OE so that it provides good host security from the outset without you spending hours making security modifications. You can harden the system by using shell scripts or Perl scripts which are run immediately after installation of a new workstation or server, or are included as part of a JumpStart configuration.
Hardening involves one or more of the following steps:
• Checking file permissions, ownerships, and digests
• Checking for user, group, and password insecurities
• Checking network services for secure configurations
• Performing any other checks the tool provider considers useful
Some tools only report on potential problems, while others actually secure the host system.
Commonly Available Hardening Tools
Several freeware tools are available to help with system hardening.
The following sections discuss these tools.
COPS
Computer, Oracle, and Password System (COPS) is a set of programs that attempts to automate security checks often performed manually (or perhaps with self-written short shell scripts or programs) by a system administrator.
COPS does not correct problems, but instead issues a report for the administrator. COPS runs on most major UNIX platforms and is not specific to the Solaris OE.
COPS checks and reports on the following:
• File, directory, and device permissions and modes.
• Poor passwords.
• Content, format, and security of password and group files.
• The programs and files run in /etc/rc* and crontab files.
• The existence of root-SUID (set user ID) files, their writability, and whether they are shell scripts.
• A cyclic-redundancy-check (CRC) against important binaries or key files to report any changes therein.
• Writability of users' home directories and startup files (.profile, .cshrc, and so on).
• Anonymous FTP setup.
• Insecure network configuration, including:
  • Unrestricted TFTP
  • Decode alias in the sendmail program
  • SUID uudecode problems
  • Hidden shells inside inetd.conf
  • The rexd daemon running in inetd.conf
• Miscellaneous root checks, such as:
  • Current directory in the search path
  • A + in the /etc/hosts.equiv file
• Unrestricted NFS mounts.
• Ensuring that the root user is in the /etc/ftpusers file.
• Dates of Computer Emergency Response Team (CERT) advisories in comparison with key files. This checks the dates that various bugs and security holes were reported by CERT against the actual date on the file in question.
• The Kuang expert system. This takes a set of rules and tries to determine if your system can be compromised.
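Four of the checks in the list above are simple enough to write as shell functions, which also shows what a hardening tool of this kind actually inspects. The block below is an added example, not COPS itself: it looks for a "+" entry in hosts.equiv, the current directory in a search path, a missing root entry in ftpusers, and setuid files that are group- or world-writable or are shell scripts. The fixture directory, the function names (check_hosts_equiv, check_path, check_ftpusers, check_suid, harden_audit, harden_fixture) and the sample files are this example's own constructions.

```shell
#!/bin/sh
# Four of the COPS checks listed above, written as shell functions so they can
# be run (or scheduled) on a host. Added example, not COPS itself. Each
# function prints one line per finding and nothing when the check passes.

# A bare "+" in hosts.equiv trusts every host on the network
check_hosts_equiv() {
    [ -f "$1" ] && grep -q '^[[:space:]]*+[[:space:]]*$' "$1" &&
        echo "$1: wildcard '+' entry trusts all hosts"
    return 0
}

# The current directory ("." or an empty element) in a search path
check_path() {
    case ":$1:" in
        *:.:*|*::*) echo "PATH contains the current directory: $1" ;;
    esac
    return 0
}

# root should be listed in /etc/ftpusers so that it cannot log in over FTP
check_ftpusers() {
    { [ -f "$1" ] && grep -qx root "$1"; } ||
        echo "$1: root is not listed (FTP login as root allowed)"
    return 0
}

# Setuid files under $1: report any that are group/world writable or that
# are shell scripts (the two conditions COPS applies to root-SUID files)
check_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        set -- $(ls -ld "$f")
        case $(printf '%s' "$1" | cut -c1-10) in
            ?????w????|????????w?) echo "setuid file $f is group/world writable ($1)" ;;
        esac
        case $(dd if="$f" bs=2 count=1 2>/dev/null) in
            '#!') echo "setuid file $f is a shell script" ;;
        esac
    done
    return 0
}

# Run all four. $1 = directory holding hosts.equiv, ftpusers and a bin/ tree
# (on a live host pass /etc/hosts.equiv, /etc/ftpusers, "$PATH" and /usr/bin
# to the individual functions instead); $2 = the PATH string to inspect
harden_audit() {
    check_hosts_equiv "$1/hosts.equiv"
    check_ftpusers "$1/ftpusers"
    check_path "$2"
    check_suid "$1/bin"
}

# Constructed fixture for the demo and the test: every check has one hit
harden_fixture() {
    dir=$(mktemp -d); mkdir "$dir/bin"
    printf 'grommit\n+\n' > "$dir/hosts.equiv"
    printf 'ftp\nbin\n' > "$dir/ftpusers"
    printf '#!/bin/sh\nid\n' > "$dir/bin/suidscript"; chmod 4755 "$dir/bin/suidscript"
    printf 'ELF\n' > "$dir/bin/suidbin"; chmod 4775 "$dir/bin/suidbin"
    printf 'ELF\n' > "$dir/bin/okbin"; chmod 4755 "$dir/bin/okbin"
    echo "$dir"
}

d=$(harden_fixture)
harden_audit "$d" '/usr/sbin:.:/usr/bin'
rm -rf "$d"
```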
Tiger
Tiger is a set of scripts that scan a UNIX system looking for security problems in the same way as COPS. Tiger was originally developed to check UNIX systems on the Texas A&M University campus that needed to be accessed from off campus.
The primary purpose of many of the Tiger checks is to protect the superuser account, and the philosophy behind Tiger is that any other account or any group can be attacked and breached. Tiger's goal is to protect the root user from all accounts, even system accounts.
Solaris Security Toolkit
Sun's Enterprise Engineering and Professional Services organizations developed the Solaris Security Toolkit (formerly JumpStart Architecture and Security Scripts [JASS] Toolkit) to harden, minimize, and secure Solaris OE systems. The Toolkit simplifies and automates the process of securing Solaris OE systems. The Toolkit can be used through the JumpStart program or in a standalone mode.
The Toolkit is a set of scripts and files that automatically harden Solaris OE systems. The security enhancements contained in the Toolkit are based on recommendations made in Sun BluePrint Online articles:
• Solaris Operating Environment Minimization for Security
http://www.sun.com/blueprints/1299/minimization.pdf
• Solaris Operating Environment Network Settings for Security
http://www.sun.com/blueprints/1299/network.pdf
• Solaris Operating Environment Security
http://www.sun.com/blueprints/0100/security.pdf
Use the JASS Toolkit to execute these scripts from a JumpStart server at
the time of installation. You can also use the Toolkit directly from the
command line to secure existing systems. The Toolkit can be run multiple
times on the same client and performs the same tasks with no adverse
effects, which allows you to schedule the scripts on a regular basis using
the cron utility or to run them after applying operating system patches.
Titan
Titan is discussed in detail in "Using Titan" on page 14-11. It is a free,
host-based security tool that can improve or audit the security of a UNIX
system. It can fix or detect potential security problems.
ASET
The Automated Security Enhancement Tool (ASET) is a standard Solaris OE
utility that reports and, optionally, corrects a number of security
problems. ASET is discussed in detail in "Enhancing System Security
Using ASET" on page 14-26.
Using Titan
Titan is a collection of programs that fixes or tightens security problems
in the setup or configuration of a UNIX system. Titan was created by Brad
Powell of Sun Microsystems. Titan is written in Bourne shell, and its
modular design allows anyone who can write a shell script or program to
add to it.
Titan automates the process of tightening up the operating system security
(its name is a pun on the word "tighten"). Titan is not a replacement for
other tools, but it helps simplify some security measures.
Titan does not duplicate much of the functionality of COPS and Tiger, so
use it in conjunction with these tools to provide a strong toolset for
hardening file systems.
Although Titan was developed primarily for the Solaris OE, it is also
available for the SuSE and Red Hat versions of Linux.
Titan Design Goals
Titan is a system hardening and intruder detection tool. Its design goals
are:
• After running Titan, the system should be more secure than before.
• Titan's actions produce a consistent and understandably secure
system.
• Titan allows the administrator to control which Titan modules to run.
Because Titan is flexible and you have the full source code, you can
remove unwanted security fixes.
• Titan is easily extended. You can place shell scripts or other
programs into Titan's framework, and they run alongside all the
other programs.
Titan does not attempt to fix all security issues. For example, it does not:
• Fix software or script bugs
• Check for poor passwords
• Install patches
• Check for COPS, Tiger, or SAINT-like problems
Titan is not meant to be run once and forgotten, but should be used as
part of a regular process of sweeping the system for traces of successful
break-ins.
System administrators concerned about security should have considered,
if not resolved or fixed, many of the problems that Titan covers. Titan
helps you because it is systematic. You do not need to wonder if you
finished applying all your changes. Run Titan in verify mode and it
reports on all the things that Titan thinks need hardening.
Using Titan Modules
Titan is built around a large number of modules (more than sixty), each of
which focuses on reporting and fixing a particular security problem. Titan
modules have a defined structure to make it easy for you to write your
own modules.
You can use Titan to run some or all of the modules by editing a
configuration script. Sample configuration scripts for workstations and
servers are included in the Titan package. Not all of the Titan modules
should run on all systems.
Table 14-1 describes some of the modules that can be run on a system (a
full list of the modules is included in the Titan documentation).
Table 14-1 Some Titan Modules

Module                Usage
add-umask.sh          Adds a systemwide umask for the rc?.d files, which
                      causes the system daemons to create more secure
                      files.
bsm.sh                Verifies that the Basic Security Module (BSM) is
                      enabled. It configures auditing events by modifying
                      the /etc/security/audit_control file.
create-issue.sh       Creates the /etc/issue banner displayed at login
                      time.
cronset.sh            Checks or fixes CRONLOG=YES in the
                      /etc/default/cron file, rotates the cron log files
                      at 2 Mbytes, and changes the cron permissions.
decode.sh             Looks for any | characters in the /etc/aliases
                      file and fixes them.
defloginparams.sh     Resets the /etc/default/login file parameters to
                      a stricter mode.
defpwparams.sh        Resets the /etc/default/passwd file parameters to
                      a stricter mode.
disable-accounts.sh   Disables system accounts like bin and daemon and
                      creates a /usr/sbin/noshell script.
disable-ping-echo.sh  Disables the ip_respond_to_echo_broadcast
                      service so that specific ping crashes (from Smurf
                      attacks) do not work. It also hides the system
                      from some network probe agents that use a
                      broadcast ping command to discover host names.
file-own.sh           Changes system files (mainly in the /usr
                      directory) to be owned by the root user.
fix-cronpath.sh       Changes the permission and ownership of items
                      that run out of the root user's cron utility. This
                      prevents a new Trojan horse or SUID root files
                      from being created when the cron utility is run.
fix-modes.sh          Fixes all the mode 775 directories and binaries,
                      and changes the ownership to the root user where
                      needed.
ftp-2.6_secure.sh     Works with the Solaris 2.6 Operating Environment
                      and newer versions of the in.ftpd daemon. It adds
                      UMASK=077 to the /etc/default/ftpd file, and
                      creates a short FTP login warning message by
                      creating the /etc/ftp-banner file.
hosts.equiv.sh        Checks for a /etc/hosts.equiv file.
inetd.sh              Changes the /etc/inetd.conf file and turns off
                      most of the services.
loginlog.sh           Fixes the syntax so that log entries are created
                      for failed login attempts.
lpsched.sh            Disables the lp command. This module is for
                      firewalls and non-print servers.
nddconfig.sh          Creates the /etc/rc2.d/S70nddconfig file and sets
                      all the kernel network modules that are concerned
                      with security.
nuke-sendmail.sh      Disables the sendmail program. You should use
                      this module on firewalls that are not sendmail
                      servers, servers that are not sendmail servers,
                      and all desktops that have their mail delivered
                      to a server.
pam-rhosts-2.6.sh     Modifies the /etc/pam.conf file by removing the
                      following line so that the PAM system does not
                      allow rhosts commands:
                      rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
passwd.sh             Checks that all accounts have passwords and adds
                      a * to blank password fields (if run in fix mode).

Caution: If you do not have a root password set, then the previous
Titan module disables root logins, too.

psfix.sh              Creates the /etc/rc3.d/S79tmpfix file so that
                      upon boot the /tmp directory always has the sticky
                      bit set (mode 1777).
rootchk.sh            Checks root's path and makes sure that the root
                      user owns the directories and binaries in the root
                      user's path. Removes the . from the path.
syslog.sh             Modifies the /etc/syslog.conf file so that
                      console messages are saved to system log files.
telnet-banner.sh      Sets BANNER="" in the /etc/default/telnetd file
                      so that the Solaris OE version is not displayed
                      before the login prompt.
userumask.sh          Adds a umask of 022 for users in the /etc/skel
                      and /etc files.
utmp.sh               Checks the utmp and utmpx files to ensure that
                      they are not world writable.
Note: Rerun the fix-modes.sh script whenever you add packages or
patches. You should run this module on a regular basis using the cron
utility or at least after adding any vendor patches.
Configuring Titan
After installing Titan and configuring it for your host environment (by
running the Titan-Config script), Titan is ready to use.
By default, Titan uses all of the installed modules. This is not appropriate
for most systems, so you should create a configuration file that includes
only the modules that you require.
Sample configuration files for a workstation (sample.Desktop), a server
(sample.Server), and a firewall (sample.Firewall) are provided in
Titan's installation directory. Use these as a starting point to develop your
own configuration files.
You specify the configuration file on the Titan command line by using the
-c option. To use the desktop configuration file to verify your
workstation's security level, use:
# ./Titan -c sample.Desktop
Running Titan
When you have installed and configured Titan, you can run it in several
modes:
• Introductory mode: Run Titan with the -i option to get an
information summary about each installed module, as follows:
# ./Titan -i
• Verify mode: Run Titan with the -v option to get a security report
from each installed module, as follows:
# ./Titan -v
• Fix mode: Run Titan with the -f option to fix security weaknesses
for each installed module, as follows:
# ./Titan -f
Creating a Titan Configuration
Running Titan in default mode using all modules is not suitable for most
systems. Create your own configuration to use the Titan modules that are
applicable to the hosts that you administer. You can create different
configurations for different types of hosts, such as:
• Database servers
• Web servers
• File servers
• User workstations
• Firewalls
• Proxy servers
When you create your own Titan configuration, you must specify which
mode you want each module to use. The following example configuration
file verifies your host's umask and BSM settings:
# more verify.config
add-umask.sh -v
bsm.sh -v
You can run Titan with this configuration file using:
# ./Titan -c verify.config
You need a separate configuration file to fix security problems:
# more fix.config
add-umask.sh -f
bsm.sh -f
You can run Titan with this configuration file by entering:
# ./Titan -c fix.config
When running Titan configuration scripts, the module output is saved to a
log file in the log subdirectory of the Titan installation directory.
Note: You can run modules with the -v option and the -f option from
the same configuration file, but this is not the standard practice.
Running a Single Module
You can run a single Titan module from the command line by specifying
the path name of the module (all modules are in the bin/modules
directory in the Titan installation directory) and the run mode. For
example, to verify the settings for the sendmail program use:
# bin/modules/nuke-sendmail.sh -v
Writing Your Own Titan Modules
Titan provides a template which you can copy and edit to create your own
modules. To create your own modules, you must be familiar with writing
shell scripts.
Begin with the template for your system architecture, which is in Titan's
installation directory in a subdirectory of the arch directory. For the
Solaris 8 OE:
arch/sol8sun4/src/stubs/skeleton
Copy this file to a working directory to make your changes, and add your
script to the configuration files that you use.
The template file is fully described in the Frequently Asked Questions
(FAQ) provided with Titan (docs/txt/FAQ.txt in the Titan installation
directory).
Module Structure
The module template contains all the administration code for checking the
Titan configuration and the user's command line. You only complete the three
functions, one of which is called in each of the possible run modes. These
functions are:
• Introduction section, Intro(): Any text that you place between
the EOF_INTRO keywords is echoed to the screen when the user
starts the script with the -i option, as shown in Code 14-1.
Code 14-1 Titan Introduction Section
Intro() {
    cat << EOF_INTRO
Add in the information on what the script does here
EOF_INTRO
}
• Verify section, Check(): Use this function when a Titan script is
run in the -v verify mode. Look through the existing Titan scripts to
see some of the ways that the Check() function checks the system.
Every Check() function must write a PASSES CHECK or a FAILS
CHECK message so that users can determine whether a Titan fix is needed
or has already been applied to the system. Code 14-2 shows an
example.
Code 14-2 Titan Verify Section
Check() {
    # The dmi daemon is started at boot if its init script is present
    if [ -f /etc/init.d/init.dmi ]; then
        echo " dmi daemon is enabled: FAILS CHECK"
        exit 1
    else
        echo " dmi doesn't start at boot time: PASSES CHECK"
    fi
}
• Fix section, Fix(): This function changes or modifies system files.
The Fix() function is only invoked when the user specifically runs a
Titan script with the -f flag. The Fix() function hardens the system
and can be quite complex. Code 14-3 is an example Fix() function
that moves and renames the dmi start-up files so that the system no
longer runs the dmi daemon on boot.
Code 14-3 Titan Fix Section
Fix() {
    if [ -f /etc/init.d/init.dmi ]; then
        echo " Saving /etc/init.d/init.dmi to /etc/init.d-init.dmi.ORIG.$$"
        # The saved copies are moved out of the init.d and rc?.d directories
        # so that their names no longer match the S*/K* patterns that the rc
        # scripts run at boot. The && chain stops at the first failure, so
        # the status test below covers every step rather than only the last.
        /bin/mv /etc/init.d/init.dmi /etc/init.d-init.dmi.ORIG.$$ &&
        /bin/mv /etc/rc2.d/K77dmi /etc/rc2.d-K77dmi.ORIG.$$ &&
        /bin/mv /etc/rc3.d/S77dmi /etc/rc3.d-S77dmi.ORIG.$$ &&
        chmod 0100 /etc/init.d-init.dmi.ORIG.$$ &&
        chmod 0100 /etc/rc2.d-K77dmi.ORIG.$$ &&
        chmod 0100 /etc/rc3.d-S77dmi.ORIG.$$
        if [ $? -ne 0 ]; then
            echo " ERROR: Could not rename the dmi start-up files; exiting"
            exit 1
        else
            echo "Done ... "
        fi
    fi
}
These functions are the essential elements of a Titan script. After you
write your script, copy or move it to the Titan modules directory
(bin/modules) and make it executable. When Titan is run with the -i,
-v, or -f option, it runs all commands in the bin/modules directory that
are:
• Plain files
• Executable
Running Titan therefore runs your script. If you use configuration files, you must
include your script name in the configuration file.
Note: Another way to configure Titan is to move all the unnecessary
modules out of the bin/modules directory or to remove the executable
permissions from the modules that you do not want to use.
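A complete module in the three-function shape described above, added here as an example; it is not the skeleton shipped with Titan, whose exact contents are in the arch directory of your installation. It does the job Table 14-1 assigns to utmp.sh: verify that the login accounting file is not world writable, and clear the other-write bit in fix mode. The TITAN_TARGET variable, the helper names and the way the mode is read from ls -l output are this example's own assumptions, not part of Titan.

```shell
#!/bin/sh
# Added example of a complete Titan-style module, written for this page;
# it is not the skeleton shipped with Titan. It checks that the login
# accounting file is not world writable (the job of utmp.sh in Table 14-1).
# TITAN_TARGET is this example's own hook so the module can be pointed
# at a scratch file; a real module would hard-code /var/adm/utmpx.
TARGET="${TITAN_TARGET:-/var/adm/utmpx}"

# -i: describe what the module does.
Intro() {
    cat << EOF_INTRO
Checks that $TARGET is not world writable. A world-writable login
accounting file lets any local user forge or erase login records. In
fix mode the other-write bit is removed and nothing else is changed.
EOF_INTRO
}

# Print the 10-character mode string of a file, for example -rw-rw-rw-.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if the file is world writable (the ninth mode character is w).
is_world_writable() {
    case "$(mode_string "$1")" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# -v: every Titan Check() must print PASSES CHECK or FAILS CHECK.
# It also returns 1 on FAILS CHECK so that callers can test the result.
Check() {
    if [ ! -f "$TARGET" ]; then
        echo " $TARGET does not exist: PASSES CHECK"
        return 0
    fi
    if is_world_writable "$TARGET"; then
        echo " $TARGET is world writable: FAILS CHECK"
        return 1
    fi
    echo " $TARGET is not world writable: PASSES CHECK"
    return 0
}

# -f: clear only the other-write bit; every other mode bit is left alone.
Fix() {
    if [ -f "$TARGET" ] && is_world_writable "$TARGET"; then
        echo " Removing world write permission from $TARGET"
        chmod o-w "$TARGET" || { echo " ERROR: chmod $TARGET failed; exiting"; return 1; }
    fi
    echo "Done ... "
    return 0
}

# Command-line dispatch for the three Titan run modes. It runs only when
# a mode is given, so the file can also be sourced to reuse the functions.
if [ $# -gt 0 ]; then
    case "$1" in
        -i) Intro ;;
        -v) Check ;;
        -f) Fix ;;
        *)  echo "usage: $0 -i | -v | -f" >&2; exit 2 ;;
    esac
fi
```

Install it the way the text describes for any other module: copy it into bin/modules, make it executable, and list it in a configuration file with -v or -f. The Check() function returns a status as well as printing the PASSES CHECK / FAILS CHECK line, so the same script is usable from a cron job that only looks at exit codes.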
Enhancing System Security Using ASET
The Solaris OE includes a software security guard for Sun systems called
ASET. ASET is a set of tasks that detect potential security vulnerabilities
and alter file access to improve system security.
Like the security measures of a building, ASET can provide levels of
computer system security that depend on what the system is used for and
how valuable or sensitive the data or programs that reside on the system
are.
Note: ASET is an excellent tool when used as a periodic checklist of
items to be examined and implemented, but it is only part of an overall
plan to achieve system protection.
Using ASET Security Levels
ASET has three levels of security:
• Low: This level performs a number of checks and produces reports
that outline potential security weaknesses. This level resets ownership
and permissions of important system files to the default settings
used when the system was first installed.
• Medium: This level modifies some system files to restrict system
access if security risks are found. These modifications should not
affect any system services.
• High: This level provides a more secure system by setting system
parameters to minimal access permissions. Most system applications
and commands should work normally, but security protections take
precedence over any other system behavior.
By default, ASET runs at the lowest level of security.
The ASET utility performs seven tasks that make specific checks and,
depending on the selected level of security, adjustments to system files
and permissions to improve system security. Every ASET task includes
the creation of a report noting possible weaknesses found and changes
made. A description of each of the tasks is listed in Table 14-2.
Table 14-2 ASET Tasks

Task                                                         Report Name
Check whether the system can be safely used as a firewall    firewall.rpt
in a network
Check initialization files (.profile, .login, .cshrc) for    env.rpt
umask and PATH variable settings
Check the contents of system configuration files such as     sysconf.rpt
the /etc/default/login file
Check the consistency and integrity of /etc/passwd and       usrgrp.rpt
/etc/group entries
Verify appropriate system file permissions based on          tune.rpt
configurations in the tune.* files
Examine owner, permissions, links, and size of important     cklist.rpt
system files
Verify appropriate EEPROM security parameters                eeprom.rpt
Running ASET Manually
To use the aset command, you must install the ASET (SUNWast) package,
which is a default package for the Solaris 8 OE. The necessary scripts and
directories usually reside in the /usr/aset directory, but you can install
them elsewhere. The /usr/aset directory is not in the standard search
path for the root user. The main script doing the work is
/usr/aset/aset.
By default, the aset utility does not run automatically; it must be started
by the superuser. The aset utility is usually run on a periodic basis
interactively or as a cron process.
To run the aset utility interactively at its lowest security level, type:
# /usr/aset/aset
To adjust the level of security described previously in this module, use the
-l option, and specify the level as a keyword:
• low: Low-level security (the same as running the command with no option)
• med: Medium-level security
• high: High-level security
To run aset interactively with the highest level of security, type:
# /usr/aset/aset -l high
/usr/aset/aset -l high
======= ASET Execution Log =======
ASET running at security level high
Machine = wallace; Current time = 0601_23:30
aset: Using /usr/aset as working directory
Executing task list ...
firewall
env
sysconf
usrgrp
...
To redirect the reports somewhere other than /usr/aset, use the -d
option to specify the new directory, as follows:
# /usr/aset/aset -d ./aset_reports
The tasks that ASET performs are controlled by several scripts in the
/usr/aset/tasks directory. There is one script for each task with the
same name as the tasks shown in Table 14-2 on page 14-28. You can
modify the scripts to customize the actions of the task.
ASET behavior is controlled by the /usr/aset/asetenv script. You can
modify this script to customize which ASET tasks should be run (if they
are not all required). The firewall setup task, for example, disables the
forwarding of IP packets and hides routing information from the external
network. If you want to run ASET at high security but do not need
firewall protection, comment out that task from the /usr/aset/asetenv
file.
Restoring the System
Within the aset directory there is a restore script called:
# /usr/aset/aset.restore
Running this script restores the system back to the state it was in before
the aset command was run. Each task script has a corresponding
.restore script which undoes the actions of the task script.
Monitoring Task Status
Depending on the size and speed of a system and your chosen level of
security, it might take some time for ASET to complete its tasks and issue
the reports. The aset program is usually run late at night when the host
system is idle.
When running ASET interactively, monitor the progress of the checks to
make sure that they have completed before attempting to interpret the
data from the reports. To monitor the checks, use the taskstat command.
In Code 14-4, the output from the taskstat command indicates that the
ASET checks are not complete.
Code 14-4 The taskstat Command
# /usr/aset/util/taskstat
Checking ASET tasks status ...
Task firewall is done.
Task env is done.
Task sysconf is done
Task usrgrp is done.
The following tasks are done:
firewall
env
sysconf
usrgrp
The following tasks are not done:
tune
cklist
eeprom
The taskstat information is stored in the taskstatus file in the
directory where the reports are stored.
Running ASET Periodically
Although you can run ASET interactively, it is usually more effective to
run ASET periodically from the cron utility. If you schedule ASET this
way, it can report on possible security problems introduced during a
normal work day.
To add an ASET entry to the root crontab file, use the -p option in
addition to the required security level. By default, ASET runs every night
at midnight.
The command shown in Code 14-5 runs ASET on a periodic basis using
the highest level of security.
Code 14-5 Running ASET Periodically
# /usr/aset/aset -p -l high
/usr/aset/aset -p -l high
======= ASET Execution Log =======
ASET running at security level high
Machine = wallace; Current time = 0601_23:30
aset: Using /usr/aset as working directory
ASET execution scheduled through cron.
Change the PERIODIC_SCHEDULE environment variable in the
/usr/aset/asetenv file to control how often ASET runs. The
format of this variable mirrors the format of the scheduling information in
crontab. The default entry in the asetenv file is:
# grep PERIODIC /usr/aset/asetenv
PERIODIC_SCHEDULE="0 0 * * *"
To change how often ASET is run, edit this line in the
asetenv file to a new value and run the aset program with the -p option
again. This updates the crontab file. Alternatively, you can edit the root
crontab file using:
# crontab -e
Interpreting ASET Reports
Each of the seven tasks that the aset command performs creates a report
file specific to that task. Each file ends with .rpt. When you run ASET, a
new directory is created under the /usr/aset/reports directory. The
directory name is a timestamp of when ASET was run. Each report
subdirectory name has the following format:
MMdd_hh:mm
where MM, dd, hh, and mm are all two-digit numbers representing the report
month, day, hour, and minute. For example:
1024_02:00
For convenience, a link directory called latest points to the last directory
established by ASET.
You can view each of the seven task report files individually for details.
Code 14-6 shows the contents of one of these report files.
Code 14-6 Example ASET Report
# more /usr/aset/reports/latest/usrgrp.rpt
*** Begin User And Group Checking ***
Checking /etc/passwd ...
Checking /etc/shadow ...
Warning! Shadow file, line 1, no password:
alice::6445::::::
... end user check.
Checking /etc/group ...
... end group check.
*** End User And Group Checking ***
The security level you select and the health of the system determine the
size and content of the report files. You should review each of them and
decide whether adjustments should be made.
Confirming Security Improvements Using the aset Command
If you decide that adjustments to the system are required, make them and
then run the aset command again to ensure that the reports change.
For example, even at the low level of security, you should not use a umask
setting of 022 in the /etc/profile file. When you install ASET, the env
task reports that this default setting in /etc/profile should be
changed. When you change the umask from 022 to 027 in /etc/profile,
you tighten security. When the env task is run again, the env.rpt file no
longer reports the problem.
Interpreting and Configuring the tune.* Files
The tune task, which checks file ownership and permissions and writes
tune.rpt, is configured from the files in the /usr/aset/masters directory. For each
level of security, there is a corresponding tune file: tune.low, tune.med,
and tune.high.
If you do not like the default settings of the tune files, you can make
adjustments to the appropriate tune files and run the tune task again to
gain extra control of file permissions. Code 14-7 shows various entries
from the tune.low file.
Code 14-7 The tune.low File
# more /usr/aset/masters/tune.low
# Tune list for level low
# Format:
# pathname mode owner group type
/ 02755 root root directory
/bin 00777 root bin symlink
/sbin 02775 root sys directory
/usr/sbin 02775 root bin directory
/etc 02755 root sys directory
/etc/chroot 00777 bin bin symlink
/etc/clri 00777 bin bin symlink
/etc/crash 00777 root sys symlink
/etc/cron 00777 root sys symlink
/etc/fsck 00777 bin bin symlink
/etc/fuser 00777 bin bin symlink
/etc/halt 00777 bin bin symlink
/etc/link 00777 root bin symlink
/etc/mknod 00777 bin bin symlink
/etc/mount 00777 bin bin symlink
/etc/mnttab 00644 root root file
/etc/vfstab 00664 root sys file
/etc/passwd 00644 root sys file
/etc/shadow 00400 root sys file
/etc/nsswitch.conf 00644 root sys file
/etc/resolve.conf 00644 root sys file
The five fields on each line in the tune files are:
• The absolute path name of the file, directory, or symbolic link. You
can use the regular shell wildcard characters in the path name to
refer to multiple files.
• The octal representation of the file mode as 5 digits: the file type
digit (always 0), one digit for the SUID, SGID, and sticky bits, and
rwx digits for user, group, and others. If the current setting is already more
restrictive than the specified value, ASET does not loosen the
permission settings. For example, if the mode is 00777, the permissions
never change, because 00777 is never more restrictive than the current
setting.
• The user associated with the file. This must be a name rather than
the numeric UID.
• The group associated with the file. This must be a name rather than
the numeric GID.
• The file type. This value can be symlink for a symbolic link,
directory for a directory, and file for all other file types.
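The tune-file semantics just described (five fields, wildcards in the path, owner and group by name, and the rule that an entry never loosens a mode that is already tighter), carried through as an added shell example. This is not ASET's own tune task; it is written for this page and only reports, it never changes anything. The function names, the parse of ls -l output and the constructed sample list in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not ASET's own tune task): check a tune.* style list
# against the live file system, applying ASET's rule that an entry
# never loosens a mode that is already more restrictive. Report only.

# Convert the 10-character mode string printed by ls -l (for example
# -rwsr-xr-x) into the 5-digit octal form used in tune files: the type
# digit (always 0), one digit for SUID/SGID/sticky, then user, group, other.
mode_to_octal() {
    ms=$1; msp=0; mu=0; mg=0; mo=0
    case $ms in ?r*) mu=$((mu + 4)) ;; esac
    case $ms in ??w*) mu=$((mu + 2)) ;; esac
    case $ms in ???[xs]*) mu=$((mu + 1)) ;; esac
    case $ms in ???[sS]*) msp=$((msp + 4)) ;; esac
    case $ms in ????r*) mg=$((mg + 4)) ;; esac
    case $ms in ?????w*) mg=$((mg + 2)) ;; esac
    case $ms in ??????[xs]*) mg=$((mg + 1)) ;; esac
    case $ms in ??????[sS]*) msp=$((msp + 2)) ;; esac
    case $ms in ???????r*) mo=$((mo + 4)) ;; esac
    case $ms in ????????w*) mo=$((mo + 2)) ;; esac
    case $ms in ?????????[xt]*) mo=$((mo + 1)) ;; esac
    case $ms in ?????????[tT]*) msp=$((msp + 1)) ;; esac
    echo "0$msp$mu$mg$mo"
}

# Check one tune entry: pathname mode owner group type.
# Prints one report line and returns 0 if nothing needs changing.
check_entry() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4; want_type=$5
    if [ ! -e "$path" ] && [ ! -L "$path" ]; then
        echo "$path: missing"; return 1
    fi
    set -- $(ls -ld "$path")
    cur_mode=$(mode_to_octal "$1"); cur_owner=$3; cur_group=$4
    if [ -L "$path" ]; then cur_type=symlink
    elif [ -d "$path" ]; then cur_type=directory
    else cur_type=file; fi
    problems=""
    [ "$cur_type" = "$want_type" ] || problems="$problems type=$cur_type(want $want_type)"
    [ "$cur_owner" = "$want_owner" ] || problems="$problems owner=$cur_owner(want $want_owner)"
    [ "$cur_group" = "$want_group" ] || problems="$problems group=$cur_group(want $want_group)"
    # Never-loosen rule: only permission bits that are set now but absent
    # from the tune entry count. The leading zeros make the shell treat
    # both values as octal.
    if [ $(( $cur_mode & ~$want_mode )) -ne 0 ]; then
        problems="$problems mode=$cur_mode(tighten to $want_mode)"
    fi
    if [ -z "$problems" ]; then
        echo "$path: ok"; return 0
    fi
    echo "$path:$problems"; return 1
}

# Read a tune list from the file named in $1 (blank lines and # comments
# are skipped; shell wildcards in the pathname field are expanded) and
# check every entry. Returns the number of entries that need a change.
check_tune_file() {
    bad=0
    while read -r tpath tmode towner tgroup ttype; do
        case $tpath in ''|'#'*) continue ;; esac
        for f in $tpath; do                  # unquoted on purpose: wildcards
            check_entry "$f" "$tmode" "$towner" "$tgroup" "$ttype" || bad=$((bad + 1))
        done
    done < "$1"
    return $bad
}

# Stand-alone demonstration on a constructed scratch directory: of four
# entries, one is exactly right, one is tighter than its tune entry (left
# alone by the never-loosen rule), one is too loose and one is missing.
# Returns 2.
demo() {
    d=$(mktemp -d)
    me=$(id -un); grp=$(id -gn)
    touch "$d/exact" "$d/loose" "$d/tight"
    chmod 0644 "$d/exact" "$d/loose" "$d/tight"
    cat > "$d/tune.demo" << EOF
# constructed tune list for the demo
$d/exact 00644 $me $grp file
$d/loose 00600 $me $grp file
$d/tight 00777 $me $grp file
$d/nothere 00644 $me $grp file
EOF
    rc=0
    check_tune_file "$d/tune.demo" || rc=$?
    rm -rf "$d"
    return $rc
}

rc=0; demo || rc=$?
echo "entries needing a change: $rc"
```

Pointed at /usr/aset/masters/tune.low on a real host (check_tune_file /usr/aset/masters/tune.low), the script lists every entry the tune task would tighten without touching anything, which is a useful dry run before letting ASET apply a level for the first time.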
Exercise: Hardening the System
In this module you complete the following tasks:
• Install and configure Titan
• Use Titan to report the security weaknesses on your system
• Create a custom Titan configuration
• Use ASET to run interactively in the low-security mode
• Configure ASET to run periodically
Preparation
Using a text editor such as vi, edit the /etc/shadow file and set the
password for user alice to be blank.
Tasks
In the first of these exercises, you install and configure Titan, and then use
Titan to report on security weaknesses on your system. Next you create a
custom Titan configuration to check and update your system. Finally, you
configure and use ASET to harden your system.
You are not required to finish all of the tasks in the time allocated by the
instructor.
Task: Installing and Configuring Titan
To set up Titan:
1. Obtain the latest version of Titan from the download site listed in the
"Additional Resources" on page 14-3. To speed up the practical
exercise, a copy of the download file (Titan,v4_0ALPHA-9.tar) is
included in the /usr/local/pkg directory.
Extract the contents of this archive into the /usr/local directory.
It creates a subdirectory called Titan,v4.0ALPHA-9.
2. Read the documentation for Titan but do not follow the instructions
yet. The documentation is in the docs/txt subdirectory. There are
also HTML documents for reading with a browser such as Netscape
in the docs/html subdirectory. Begin with the Tutorial-short le:
# cd /usr/local/Titan,v4.0ALPHA-9
# cd docs/txt
# more Tutorial-short
3. Configure Titan for your operating system by entering the following
commands:
# cd /usr/local/Titan,v4.0ALPHA-9
# ./Titan-Config
4. Enter y (yes) when asked to make backups of the files Titan
modifies, as shown below:
Titan can backup all of the files it modifies; This is recommended
NOTE: in the process of backing up files /etc/shadow as well as other
important files will be backed up. It is IMPORTANT that you keep this
backup SAFE, or delete it after you are sure Titan didn't do something
unwanted
proceed? y/n: y
The installation is now complete. Titan installs a file called Titan in
the titan directory which is configured for the version of Solaris OE
that you are running.
Task: Using Titan to Report on Security Problems
Run Titan to get a security report for your system.
Task: Creating and Running a Titan Configuration
To create and run a Titan configuration:
1. Study the sample configuration file sample.Desktop in the Titan
configuration directory.
2. Follow the format of the sample file and create a configuration file
which verifies the following (you can refer to the notes for the Titan
modules you need to use):
a. Ensure that the root user owns all files in directories in the root
search path.
b. Stop the sendmail program from running.
c. Create a standard /etc/issue message file.
d. Stop the telnet command from displaying the workstation
information.
3. Run Titan with this configuration to verify whether the faults exist or
not.
4. Create a similar configuration to fix the faults identified in step 2.
5. Run Titan to apply this configuration to your system. You must
reboot your workstation to apply the sendmail change.
6. Verify that the changes have been made.
Task: Running ASET Interactively
To set up ASET:
1. Run the aset command using the low security option. The aset
command should take only a minute or two to run.
2. Wait until the tasks are complete by monitoring ASET with the
taskstat command.
3. View the ASET reports and rectify the problems identied in the
reports to make your system more secure. Verify that the changes are
correct by re-running ASET.
4. Restore the system to its original state prior to running ASET.
Task: Configuring ASET Periodically
In this exercise you configure the system to run the ASET utility
periodically. But before doing so, you must customize one of the task
scripts. This requires some basic programming skills.
Normally, the aset command should be run late at night when the system
load is light. For this exercise you configure aset to run a few minutes
after the time you begin this exercise.
1. Note the time of day by running the desktop clock tool or running
the date command on the command line.
2. Update the PERIODIC_SCHEDULE variable definition in the
/usr/aset/asetenv file to run ASET five minutes from now.
Schedule ASET to run periodically.
3. Check the reports produced by ASET.
4. Restore the system to its original state prior to running ASET.
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
• Experiences
• Interpretations
• Conclusions
• Applications
Exercise Solutions
The following paragraphs describe the Solaris OE commands necessary to
solve the problems posed in the exercises for this module.
Installing and Configuring Titan
There are no solutions to this task.
Using Titan to Report on Security Problems
Run Titan to get a security report for your system.
Run Titan in verify mode and save the output to a file. For example:
# cd /usr/local/Titan,v4.0ALPHA-9
# ./Titan -v >/tmp/titan.log
# more /tmp/titan.log
Creating and Running a Titan Configuration
1. Study the sample configuration file sample.Desktop in the titan
configuration directory.
# cd /usr/local/Titan,v4.0ALPHA-9
# more sample.Desktop
2. Follow the format of the sample file and create a configuration file
which fixes the following (you can refer to the notes for the Titan
modules you need to use):
a. Ensure that the root user owns all files in directories in the
root search path. Stop the sendmail program from running.
b. Create a standard /etc/issue message file.
c. Stop the telnet program from displaying the workstation
information.
# vi verify.conf
rootchk.sh -v
nuke-sendmail.sh -v
create-issue.sh -v
telnet-banner.sh -v
3. Run Titan with this configuration to verify whether the faults exist.
# ./Titan -c verify.conf
Run Titan with this configuration, and observe the FAILS CHECK
messages that indicate that the Titan changes have not been applied.
4. Create a similar configuration to fix the faults identified in Step 2.
# vi fix.conf
rootchk.sh -f
nuke-sendmail.sh -f
create-issue.sh -f
telnet-banner.sh -f
5. Run Titan to apply this conguration to your system. You must
reboot your workstation to apply the sendmail change.
# ./Titan -c fix.conf
# init 6
6. Verify that the changes have been made.
a. Check the file permissions of directories such as /usr/bin and
/usr/sbin.
# ls -al /usr/bin /usr/sbin | more
b. Try to use the telnet command to connect to port 25, and
verify that the connection is refused.
# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
c. Use the telnet command to connect to your system, and verify
that the output does not identify the host system and includes
the standard message in the /etc/issue le.
# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
########################################################################
# This system is for the use of authorized users only.                 #
# Individuals using this computer system without authority, or in      #
# excess of their authority, are subject to having all of their        #
# activities on this system monitored and recorded by system           #
# personnel.                                                           #
#                                                                      #
# In the course of monitoring individuals improperly using this        #
# system, or in the course of system maintenance, the activities       #
# of authorized users may also be monitored.                           #
#                                                                      #
# Anyone using this system expressly consents to such monitoring       #
# and is advised that if such monitoring reveals possible              #
# evidence of criminal activity, system personnel may provide the      #
# evidence of such monitoring to law enforcement officials.            #
########################################################################
login:
d. Run Titan again with the verify configuration, and observe the
PASSES CHECK messages that indicate that the Titan changes
have been applied.
# ./Titan -c verify.conf
Running ASET Interactively
1. Run the aset command using the low security option. The aset
command should take only a minute or two to run.
# /usr/aset/aset -l low
======= ASET Execution Log =======
ASET running at security level low
Machine = wallace; Current time = 0602_15:06
aset: Using /usr/aset as working directory
Executing task list ...
firewall
env
sysconf
usrgrp
tune
cklist
eeprom
All tasks executed. Some background tasks may still be running.
2. Wait until the tasks are complete by monitoring ASET with the
taskstat command:
# /usr/aset/util/taskstat
Checking ASET tasks status ...
Task firewall is done.
Task env is done.
Task sysconf is done.
Task usrgrp is done.
Task tune is done.
Task cklist is done.
Task eeprom is done.
The following tasks are done:
firewall
env
sysconf
usrgrp
tune
cklist
eeprom
All tasks have completed.
3. View the ASET reports, and rectify the problems identified in the
reports to make your system more secure.
# cd /usr/aset/reports/latest
# cat env.rpt
*** Begin Environment Check ***
Warning! umask set to umask 022 in /etc/profile -not
recommended.
*** End Environment Check ***
# cat usrgrp.rpt
*** Begin User And Group Checking ***
Checking /etc/passwd ...
Checking /etc/shadow ...
Warning! Shadow file, line 12, no password:
fred::10379::::::
... end user check.
Checking /etc/group ...
... end group check.
*** End User And Group Checking ***
The files indicate that /etc/profile must have the umask command
changed, and that there is no password for user fred in the
/etc/shadow file. Make the changes to the files that were noted in
the previous step.
Verify that the changes are correct by running ASET again:
# /usr/aset/aset -l low
# cat env.rpt
...
# cat usrgrp.rpt
4. Restore the system to its original state prior to running ASET:
# /usr/aset/aset.restore
aset.restore: beginning restoration ...
Executing /usr/aset/tasks/firewall.restore
.....................
Resetting security level from low to null.
aset.restore: restoration completed.
Configuring ASET Periodically
1. Note the time of day by running the desktop clock tool or running
the date command on the command line:
# date
Tue May 6 10:12:32 MDT 2001
2. Update the PERIODIC_SCHEDULE variable definition in the
/usr/aset/asetenv file to run ASET five minutes from now:
# vi /usr/aset/asetenv
PERIODIC_SCHEDULE="17 10 * * *"
Schedule ASET to run periodically:
# /usr/aset/aset -p -l low
======= ASET Execution Log =======
ASET running at security level low
Machine = wallace; Current time = 1102_10:13
aset: Using /usr/aset as working directory
ASET execution scheduled through cron.
3. Check the reports produced by ASET:
# /usr/aset/util/taskstat
Note: If you run the taskstat command too soon, you get the report for
the last run of ASET. You must wait for the cron utility to schedule the
new ASET report.
# /usr/aset/util/taskstat
Checking ASET tasks status ...
Task firewall is done.
Task env is done.
Task sysconf is done.
Task usrgrp is done.
Task tune is done.
Task cklist is done.
Task eeprom is done.
The following tasks are done:
firewall
env
sysconf
usrgrp
tune
cklist
eeprom
All tasks have completed.
# cd /usr/aset/reports/latest
# more *.rpt
4. Restore the system to its original state prior to running ASET:
# /usr/aset/aset.restore
aset.restore: beginning restoration ...

Executing /usr/aset/tasks/firewall.restore

..................
usrgrp.restore completed.

Descheduling ASET from crontab file...
The following is the ASET schedule entry to be
deleted:
17 10 * * * /usr/aset/aset -l med -d /usr/aset
Proceed to deschedule: (y/n) y

Resetting security level from med to null.

aset.restore: restoration completed.
Module 15
Authenticating Network Services
Objectives
Upon completion of this module, you should be able to:
• Explain how to authenticate network clients
• Install and configure Transmission Control Protocol (TCP) Wrappers
• Monitor the use of telnet, file transfer protocol (FTP), and other
utilities with TCP Wrappers
• Use TCP Wrappers to control network access to the system
Relevance
Discussion: The following questions are relevant to understanding
authentication of network connections:
• Can you restrict access to your network to authorized clients only?
• Can you log all network accesses?
• Can you send immediate warnings (using pagers or other
mechanisms) when an invalid client attempts to access a network
service?
Additional Resources
Additional resources: The following references can provide additional
details on the topics discussed in this module:
• Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet
Security. O'Reilly & Associates, Inc. 1996.
• Online manual pages for hosts_access(5), inetd.conf(4), and
syslog.conf(4)
• Solaris OE Answerbook 2.
• TCP Wrappers ported to Solaris OE 2.x;
[http://www.sunfreeware.com]
Understanding Network Authentication
TCP/IP is controlled on the Solaris OE by a complex system of daemons.
These daemons have developed over many years and provide a robust
and powerful way to configure network services. The services are
powerful and it is easy to make a mistake in configuration, or to forget to
configure a service.
Most network services have minimal or no authentication. The telnet
and FTP services only require a valid user name and password, whereas
Anonymous FTP and the Finger daemon allow access to any client.
Logging is practically non-existent for most network services.
When considering security, these authentication and logging weaknesses
are a major problem with the default UNIX network services. You need
logging to establish a good audit trail when tracking break-ins and
attempted break-ins. You also need some form of client authentication and
access control. Many sites would like to run an Anonymous FTP service
for their own users (remote and local) but deny access to all other clients.
Consider how useful it would be to only allow Anonymous FTP for clients
in your own domain (sun.com for example).
From an administrative point of view, if auditing and host access control
could be applied in a logical and consistent manner, then network security
could be greatly improved.
The solution is to install TCP Wrappers.
Using TCP Wrappers
TCP Wrappers (tcpd) are small daemon programs that wrap around the
standard network daemons. You can install them without changing
existing network software programs. The Wrappers report the name of the
client host and the requested service using the Syslog program.
TCP Wrappers do not exchange information with the client or server
applications. A small initialization overhead is required to authenticate the
host and log the connection, but Wrappers impose no overhead on the
communications between the client and server applications.
TCP Wrappers functionality includes transparent logging for TCP-based
network daemons including tftp, exec, ftp, telnet, rlogin, rsh, and
finger. TCP Wrappers provide a level of security above those of the basic
operating environment.
Note: TCP Wrappers do not provide full security against unwelcome
visitors. A further level of security is provided by IP filtering and
firewalls.
TCP Wrappers surround the service daemon with another program called
tcpd which logs the incoming request and optionally provides access
control, allowing or denying the connection depending on where the
request originates from.
The /etc/inetd.conf conguration le is changed so that the inetd
program starts the wrapped version of each network daemon. For
example, to service an incoming FTP connection, /usr/sbin/tcpd is
started instead of /usr/sbin/in.ftpd. If tcpd allows the incoming
request, it starts the in.ftpd program; if it denies the incoming request, it
logs the attempt, but otherwise ignores the request.
Note: The TCP Wrappers package was written by Wietse Venema and
was formerly called log_tcp. Some sites still list it by that name.
Obtaining and Installing TCP Wrappers
TCP Wrappers can be obtained in two forms:
• As an SVR4 package from http://www.sunfreeware.com.
• As a standard tar package which can be compiled for most UNIX
platforms including Linux.
TCP Wrappers can be downloaded from most archive sites on the Web
including ftp://playground.sun.com/pub/casper.
The SVR4 package installs TCP Wrappers in the /usr/local directory,
putting the tcpd program in the /usr/local/sbin directory and the
manual pages in the /usr/local/man/man* directory. Additional
documentation is installed in the /usr/local/docs/tcp_wrappers
directory.
Configuring TCP Wrappers
TCP Wrappers can be configured in one of two ways:
• Hidden: This involves replacing the network service daemons. This
method might sound appealing, but it places an extra load on the
administrator when you update the operating system. TCP Wrappers
must be reconfigured after performing an upgrade or applying
patches.
• Visible: This involves changing the /etc/inetd.conf file. This
approach is less secure than the hidden method because the
/etc/inetd.conf file can be viewed by any user. However, this
method is often preferred because you only need to change one file.
Note: The general recommendation is to leave the daemons where they
are and change the /etc/inetd.conf file. It is easier to maintain one file
during patch installation or software upgrades than to locate and move
several programs.
Installing Hidden TCP Wrappers
Configure hidden TCP Wrappers by moving the standard network
programs to a predetermined directory and replacing them with the tcpd
program.
To configure FTP to use TCP Wrappers, do the following:
# mkdir /usr/save
# mv /usr/sbin/in.ftpd /usr/save
# cp tcpd /usr/sbin/in.ftpd
The directory that stores the real network programs is compiled into the
TCP Wrappers programs and is set to the /usr/sbin directory for the
SVR4 package. However, this means that the hidden configuration
cannot be used with this package, because the saved programs and the
tcpd program would then have to reside in the same directory.
To use the hidden configuration, obtain the TCP Wrappers source files
and build TCP Wrappers specifying an alternate directory (for example
/usr/save). Full instructions are included in the online tcpd(1M) manual
page and the Makefile shipped with TCP Wrappers.
Installing Visible TCP Wrappers
Configure visible TCP Wrappers by updating the service entry in
/etc/inetd.conf to use the tcpd program. The name of the real
program is specified as the first command line parameter. The actual
network server program must be in the search path used by tcpd. The
Solaris OE default search path includes the /usr/sbin directory, where
all the network server programs are installed.
To configure FTP to use visible TCP Wrappers replace this inetd.conf
line:
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
with:
ftp stream tcp nowait root /usr/local/sbin/tcpd in.ftpd
Besides changing the executable program, the configuration also removes
support for TCP/IP version 6. At the present time, TCP Wrappers are not
compatible with the Solaris OE support for TCP/IP v6.
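The rewrite described above, as an added shell example that is not part of the course material: it converts the listed services in a constructed inetd.conf to start tcpd (tcp6 becomes tcp, the server program becomes tcpd, the argument vector is kept) and then reports which TCP services are still started directly. The tcpd path is the page's; the sample inetd.conf is constructed.

```shell
#!/bin/sh
# Added example (not from the course material): rewrite inetd.conf entries
# for the "visible" TCP Wrappers configuration and report any TCP services
# still started directly. The sample inetd.conf is constructed.

TCPD=/usr/local/sbin/tcpd

# Constructed sample of inetd.conf lines (fields: service, socket type,
# protocol, wait/nowait, user, server program, argv...).
SAMPLE_INETD_CONF='# constructed sample, not a real /etc/inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
echo    stream  tcp     nowait  root    internal'

# wrap_inetd_conf SERVICES
# Reads inetd.conf text on stdin and prints it with every service named in
# the comma-separated SERVICES list rewritten to start tcpd:
#   - field 6 (the server program) becomes $TCPD
#   - tcp6 becomes tcp, since the page notes tcpd does not support IPv6
#   - the argument vector (field 7 onward) is kept, so tcpd learns the real
#     server name (in.ftpd, in.telnetd, ...) from its first argument
# Comments, blank lines, internal services and unlisted services pass through.
wrap_inetd_conf() {
    awk -v svcs="$1" -v tcpd="$TCPD" '
    BEGIN { n = split(svcs, a, ","); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^[[:space:]]*#/ || NF < 7 { print; next }
    !($1 in want)              { print; next }
    {
        if ($3 == "tcp6") $3 = "tcp"
        $6 = tcpd
        print
    }'
}

# unwrapped_services
# Reads inetd.conf text on stdin and prints the names of stream/TCP services
# that still start their real server directly, one per line. An empty result
# means every TCP service goes through tcpd (tcpdchk -av remains the
# authoritative check once the files are in place).
unwrapped_services() {
    awk -v tcpd="$TCPD" '
    /^[[:space:]]*#/ || NF < 7 { next }
    $2 == "stream" && ($3 == "tcp" || $3 == "tcp6") && $6 != tcpd { print $1 }'
}

# Demonstration: wrap ftp and telnet, then show what is still unwrapped.
printf '%s\n' "$SAMPLE_INETD_CONF" | wrap_inetd_conf ftp,telnet
echo "--- still unwrapped:"
printf '%s\n' "$SAMPLE_INETD_CONF" | wrap_inetd_conf ftp,telnet | unwrapped_services
```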
Checking TCP Wrappers Configuration
TCP Wrappers include a check program called tcpdchk which validates
the TCP Wrapper installation.
The tcpdchk program examines the access control files (see "Configuring
Host Access Control" on page 15-16) and validates the entries in these files
against entries in the network configuration files. The tcpdchk program
reports problems, such as non-existent path names, services not controlled
by tcpd that appear in access control files, services that should not be
wrapped, non-existent host names, or non-Internet address forms.
To get a comprehensive report, run the program with the following
options:
# tcpdchk -av
To check an individual host for access to a specific service use the
tcpdmatch command (host access control is described in "Configuring
Host Access Control" on page 15-16).
# tcpdmatch in.ftpd grommit
warning: in.ftpd: service possibly not wrapped
client: hostname grommit
client: address 192.168.0.1
server: process in.ftpd
access: granted
Configuring Client Access Logging
TCP Wrappers log all network services to the Syslog program. Logging
uses the mail facility and generates the following message levels:
• info: Messages for successful network connections
• warning: Messages for denied network access
• error: Messages for incorrect configuration files
Configure the syslogd.conf file to log TCP Wrapper messages, as shown
in Code 15-1.
Code 15-1 Configuring the syslogd.conf file
# grep mail /etc/syslogd.conf
*.err;kern.notice;auth.notice;mail.warning /dev/sysmsg
mail.info;mail.warning /var/adm/network.log
The following example is the log of a successful client connection:
May 25 11:10:08 wallace in.telnetd[931]: [ID 927837 mail.info] connect from grommit
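An added example, not from the course material, that summarises the messages the Code 15-1 entry routes to /var/adm/network.log: granted and refused counts per wrapped daemon, and the clients refused repeatedly. The log lines are constructed in the format of the page's two examples (one mail.info connection, one mail.warning refusal).

```shell
#!/bin/sh
# Added example (not from the course material): summarise TCP Wrappers
# messages written to /var/adm/network.log. The lines below are constructed
# in the message format the page shows, not captured from a real system.

SAMPLE_NETWORK_LOG='May 25 11:09:45 wallace in.telnetd[915]: [ID 947420 mail.warning] refused connect from 192.168.99.1
May 25 11:09:52 wallace in.telnetd[917]: [ID 947420 mail.warning] refused connect from 192.168.99.1
May 25 11:10:08 wallace in.telnetd[931]: [ID 927837 mail.info] connect from grommit
May 25 11:10:31 wallace in.ftpd[940]: [ID 927837 mail.info] connect from 192.168.1.7
May 25 11:11:02 wallace in.telnetd[944]: [ID 947420 mail.warning] refused connect from 192.168.99.1
May 25 11:11:40 wallace in.ftpd[951]: [ID 947420 mail.warning] refused connect from penguin'

# connection_summary
# Reads network.log lines on stdin and prints one line per wrapped daemon:
#   <daemon> <granted connections> <refused connections>
# The daemon is field 5 with its "[pid]:" suffix stripped; the client that
# tcpd logged (name or address) is always the last field of the message.
connection_summary() {
    awk '
    { d = $5; sub(/\[.*$/, "", d); seen[d] = 1 }
    / refused connect from / { refused[d]++; next }
    / connect from /         { granted[d]++ }
    END { for (d in seen) print d, granted[d] + 0, refused[d] + 0 }' | sort
}

# refused_over THRESHOLD
# Prints, sorted, the clients that were refused at least THRESHOLD times.
# A run of refusals from one client is the mail.warning signal the page
# describes; feed the result to whatever alerting is already in place.
refused_over() {
    awk -v t="$1" '
    / refused connect from / { n[$NF]++ }
    END { for (c in n) if (n[c] >= t) print c }' | sort
}

printf '%s\n' "$SAMPLE_NETWORK_LOG" | connection_summary
echo "--- clients refused 3 or more times:"
printf '%s\n' "$SAMPLE_NETWORK_LOG" | refused_over 3
```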
Configuring Host Access Control
Solaris OE provides a standard mechanism for host access control. It uses
the /etc/hosts.allow and /etc/hosts.deny files to set access control
rules. Host access does not read entire files; when a matching entry is
found, the rule is applied and no additional rules are taken into account.
TCP Wrappers review the files in the following order:
1. /etc/hosts.allow: An entry here grants client access.
2. /etc/hosts.deny: An entry here denies client access.
3. If the files are empty or do not exist, access is allowed.
The default access control allows all hosts to have access to all services.
Note: Any host not explicitly mentioned, or covered by an implicit rule,
is allowed.
TCP Wrappers use the Solaris OE host access control mechanism to
authorize remote host access to network services.
Access File Format
Each access file consists of one or more lines with the following
colon-separated fields:
service : client : options
where:
• service: The name of the service to allow or block, or the value
ALL for all services. Specify multiple services in a comma-separated
list.
• client: The host name, IP address, network address or domain
name of the clients to allow or block. Specify multiple clients in a
comma-separated list or use the keyword ALL for all clients.
  • A client name beginning with a dot (.) is assumed to be a
partial domain name (for example .sun.com) and refers to all
hosts in that domain or subdomain.
  • A client name ending with a dot is assumed to be a network
address (for example 192.168.0.) and refers to all hosts on that
subnet.
  • As a safeguard against client address spoofing, TCP Wrappers
validate host names and addresses using a DNS server and
reject clients if a discrepancy is found.
• options: Allow the definition of banners (see "Using Banners With
TCP Wrappers" on page 15-19) and the spawning of commands (see
"Using TCP Wrappers to Spawn Commands" on page 15-25).
Code 15-2 sets a default to explicitly deny all hosts access to all services.
Code 15-2 Example hosts.deny File Entry
# more /etc/hosts.deny
ALL: ALL
Your hosts.deny file should always contain the entry in Code 15-2 as the
very last line.
Code 15-3 shows an allow le example.
Code 15-3 Example hosts.allow File Entry
# more /etc/hosts.allow
in.ftpd: 192.168.1., 192.168.2.
in.telnetd, in.rlogind: wallace, grommit, sean
Code 15-3 allows all hosts on subnets 192.168.1 and 192.168.2 to use FTP
and hosts wallace, grommit, and sean to use the telnet and rlogin
commands.
The following is a sample log file entry where a client system was
denied access:
May 25 11:09:45 wallace in.telnetd[915]: [ID 947420 mail.warning] refused connect from 192.168.99.1
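The evaluation order and client patterns described in this section, as an added example that is not taken from the course material: a small model of what tcpdmatch reports for a given daemon and client, covering only the pattern forms the page lists (ALL, exact host names and addresses, leading-dot domains, trailing-dot networks). The hosts.allow and hosts.deny contents are constructed from Code 15-2 and Code 15-3; the real tcpd also verifies names against DNS and supports syntax (EXCEPT, netmasks, options) not modelled here.

```shell
#!/bin/sh
# Added example (not from the course material): a model of the
# hosts.allow / hosts.deny evaluation order and client patterns, in the
# spirit of tcpdmatch. Real tcpd does more (DNS checks, EXCEPT, netmask
# forms, options); none of that is modelled here.

# Constructed file contents, modelled on Code 15-2 and Code 15-3.
HOSTS_ALLOW='# constructed hosts.allow
in.ftpd: 192.168.1., 192.168.2.
in.telnetd, in.rlogind: wallace, grommit, sean
in.fingerd: .sun.com'
HOSTS_DENY='# constructed hosts.deny: the catch-all entry is the last line
ALL: ALL: banners /etc/tcpd.deny'

# match_file DAEMON HOST ADDR
# Reads one access file on stdin; prints 1 if some line matches DAEMON and
# the client (HOST / ADDR), else 0. Only the first two colon-separated
# fields are examined; options after the second colon are ignored here.
match_file() {
    awk -v daemon="$1" -v host="$2" -v addr="$3" '
    function svc_ok(list,    n, i, p) {
        n = split(list, p, ",")
        for (i = 1; i <= n; i++) if (p[i] == "ALL" || p[i] == daemon) return 1
        return 0
    }
    function cli_ok(list,    n, i, p, pat) {
        n = split(list, p, ",")
        for (i = 1; i <= n; i++) {
            pat = p[i]
            if (pat == "ALL") return 1
            # ".domain": suffix match on the host name (sun.com itself does not match .sun.com)
            if (pat ~ /^\./ && substr(host, length(host) - length(pat) + 1) == pat) return 1
            # "net.": prefix match on the address; note 192.168.1. does not cover 192.168.10.x
            if (pat ~ /\.$/ && substr(addr, 1, length(pat)) == pat) return 1
            if (pat == host || pat == addr) return 1
        }
        return 0
    }
    /^[[:space:]]*(#|$)/ { next }
    {
        n = split($0, f, ":")
        if (n < 2) next
        gsub(/[[:space:]]/, "", f[1]); gsub(/[[:space:]]/, "", f[2])
        if (svc_ok(f[1]) && cli_ok(f[2])) { found = 1; exit }
    }
    END { print found + 0 }'
}

# hosts_access DAEMON HOST ADDR [ALLOW_TEXT [DENY_TEXT]]
# Applies the page's order: a hosts.allow match grants, otherwise a
# hosts.deny match denies, otherwise access is allowed (empty or missing
# files allow everything). Prints "granted" or "denied".
hosts_access() {
    allow=${4-$HOSTS_ALLOW}; deny=${5-$HOSTS_DENY}
    if [ "$(printf '%s\n' "$allow" | match_file "$1" "$2" "$3")" = 1 ]; then
        echo granted
    elif [ "$(printf '%s\n' "$deny" | match_file "$1" "$2" "$3")" = 1 ]; then
        echo denied
    else
        echo granted
    fi
}

# Demonstration, printed like the last line of tcpdmatch output.
for q in "in.ftpd penguin 192.168.2.9" "in.ftpd penguin 192.168.99.1" \
         "in.telnetd grommit 192.168.1.2" "in.fingerd ws1.eng.sun.com 192.102.1.4" \
         "in.fingerd sun.com 192.102.1.5"; do
    set -- $q
    printf '%-11s %-18s access: %s\n' "$1" "$2" "$(hosts_access "$1" "$2" "$3")"
done
```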
Using Banners With TCP Wrappers
Banners allow you to display notification messages to clients before they
log in to a system or when they are denied service. You can configure
banner messages as options for any entry in the hosts.allow and
hosts.deny files.
The banner option format is:
:banners message_directory
where the message_directory is a directory containing one file for each
type of service for which a banner is specified. Each file has the same
name as the service with which it is used. Code 15-4 shows an example
banner configuration.
Code 15-4 Banner Configuration
# more /etc/hosts.deny
ALL: ALL: banners /etc/tcpd.deny
# ls /etc/tcpd.deny
in.ftpd in.telnetd
# more /etc/tcpd.deny/in.ftpd
220 Sorry but you are not authorized to use this FTP service.
An unauthorized client trying to use FTP or telnet services receives the
banner message, while authorized clients receive the FTP or telnet
service. Clients denied access to other services do not see any output and
their connection is refused.
Building Banner Files
Some network services such as FTP require that the banner messages be
in a special format (FTP messages must start with 220). To simplify the
creation of banner messages, the TCP Wrappers package includes a
Banners.makefile which creates suitable service-specific banners from a
template message file called prototype.
The Banners.makefile command is included in the TCP Wrappers
installation directory. If the SVR4 package from the Sun Freeware site is
used, this file is installed in the /usr/local/doc/tcp_wrappers
directory. Copy the make file to the banners message directory, rename it
Makefile, create the prototype message file, and run the make command
as shown in Code 15-5.
Code 15-5 Building Banner Files
# mkdir /etc/tcpd.deny
# cd /etc/tcpd.deny
# cp /usr/local/doc/tcp_wrappers/Banners.Makefile makefile
# cat >prototype
Service unavailable
# make
Customizing a Banner Message
You can customize the text in the banner message files using the following
substitution codes:
• %a: Client's IP address (for example 192.168.1.1)
• %c: Client's canonical host name (for example wallace.sun.com)
• %d: Server's daemon (for example in.ftpd)
• %h: Client's host name (for example wallace)
• %n: Client's name (for example wallace)
• %p: Process ID (for example 2134)
• %s: Server daemon and host name (for example in.ftpd@grommit)
• %u: Client user (for example alice)
• %A: Server's IP address (for example 192.102.1.93)
• %H: Server's host name (for example grommit)
• %N: Server name (for example grommit)
• %%: A percent sign
Code 15-6 shows an example of the text file using substitution codes.
Code 15-6 Using Banner Substitution Codes
# cat /etc/tcpd.deny/in.telnetd
Warning! You have attempted to connect to a secure system
from %a, also known as %h (username %u). Your attempt has been logged.
The file in Code 15-6 expands to produce the output shown in Code 15-7.
Code 15-7 Banner File Output
# telnet wallace
Trying 192.168.1.1...
Connected to wallace.
Escape character is "^]".
Warning! You have attempted to connect to a secure system
from penguin, also known as penguin (username unknown). Your attempt has
been logged.
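The substitution codes listed above, as an added example that is not tcpd's own code: a template expander applied to the Code 15-6 banner with constructed connection values. The variable names (CLIENT_ADDR, CLIENT_HOST, and so on) are this example's assumptions; tcpd takes the values from the connection. Because the same codes are used by the spawn option, which hands the expanded text to /bin/sh, and a client's reverse-DNS name is under the client's control, the example also restricts every expanded value to a safe character set.

```shell
#!/bin/sh
# Added example (not from the course material): expand tcpd banner
# substitution codes. Variable names are this example's own assumptions;
# tcpd takes the values from the connection. Expanded values are reduced
# to a shell-safe character set because the spawn option passes the same
# expansions to /bin/sh.

# Constructed connection details for the demonstration.
CLIENT_ADDR=192.168.99.1; CLIENT_CANON=penguin.example.invalid
CLIENT_HOST=penguin; CLIENT_NAME=penguin; CLIENT_USER=unknown
DAEMON=in.telnetd; PID=2134
SERVER_ADDR=192.168.1.1; SERVER_HOST=wallace; SERVER_NAME=wallace

# Code 15-6's banner text, plus one line using %s, %p and %%, as template input.
BANNER_TEMPLATE='Warning! You have attempted to connect to a secure system
from %a, also known as %h (username %u). Your attempt has been logged.
Recorded by %s (pid %p); this applies to 100%% of connections.'

# expand_banner
# Reads template lines on stdin and prints them with %a %c %d %h %n %p %s %u
# %A %H %N replaced and %% reduced to a single %. A "%" followed by anything
# else is left untouched (this model's choice). Scanning one character at a
# time avoids the classic bug of sequential substitutions re-expanding text
# that an earlier value introduced.
expand_banner() {
    awk -v a="$CLIENT_ADDR" -v c="$CLIENT_CANON" -v d="$DAEMON" -v h="$CLIENT_HOST" \
        -v n="$CLIENT_NAME" -v p="$PID" -v u="$CLIENT_USER" \
        -v A="$SERVER_ADDR" -v H="$SERVER_HOST" -v N="$SERVER_NAME" '
    BEGIN {
        v["a"] = a; v["c"] = c; v["d"] = d; v["h"] = h; v["n"] = n; v["p"] = p
        v["s"] = d "@" H; v["u"] = u; v["A"] = A; v["H"] = H; v["N"] = N
        for (k in v) gsub(/[^A-Za-z0-9@._:-]/, "_", v[k])   # shell-safe values only
        v["%"] = "%"
    }
    {
        out = ""; i = 1
        while (i <= length($0)) {
            ch = substr($0, i, 1); nx = substr($0, i + 1, 1)
            if (ch == "%" && (nx in v)) { out = out v[nx]; i += 2 }
            else                        { out = out ch; i++ }
        }
        print out
    }'
}

printf '%s\n' "$BANNER_TEMPLATE" | expand_banner
```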
Using Banners Without TCP Wrappers
You do not have to use TCP Wrappers just for producing banners. Most
interactive network services allow a BANNER option in their default
configuration files, as follows:
• Banner for FTP:
# more /etc/default/ftpd
BANNER="This is a secure host!"
• Banner for telnet:
# more /etc/default/telnetd
BANNER="\nWARNING!\nUnauthorized access will be prosecuted!\n"
• Banner for telnet, rlogin, and other logins:
# more /etc/issue
This host is monitored at all times. Violations may result in
disciplinary action.
Using TCP Wrappers to Spawn Commands
You can run commands and scripts in the same way as banners. Use
commands to send a page or email a message when a client connects or
attempts to connect.
The spawn option format is:
:spawn command
where command is any UNIX command, including pipelines and I/O
redirection. The command line is executed with the Bourne shell (/bin/sh),
and you can use the same percent letter substitution as the banner option
(see "Customizing a Banner Message" on page 15-22).
Note: The default path for the tcpd daemon is
PATH=/usr/bin:/usr/sbin. Use absolute path names for commands not
in these directories.
If the system has a command called pager in the /usr/local/bin
directory which reads a message from standard input and sends the
message to the pager number on the command line, you could set up a
general intruder alert, as shown in Code 15-8.
Code 15-8 Setting Up an Intruder Alert
# cat /etc/hosts.deny
ALL :ALL :spawn echo "intruder %h(%a) detected at `date`" | /usr/local/bin/pager 123 876 5432
If you need both banner and spawn options, include them in any order on
the line in the hosts.* file. For example, if you want to track online
whether a particular client used the telnet command, add a line like the
following to the hosts.allow file:
in.telnetd: penguin: banners /etc/tcpd.allow: spawn echo "%h has connected" | write root
Checking Host Access Configuration
The tcpdmatch command performs configuration checks by reading the
access control files and reporting the decision they would produce for a
given service and client. Use this command to perform error checking
before you deploy the TCP Wrappers.
The syntax for the tcpdmatch command is:
tcpdmatch service host
where:
• service is the service name such as in.telnetd
• host is the client host name or IP address
Code 15-9 shows an example.
Code 15-9 Using the tcpdmatch Command
# tcpdmatch in.telnetd grommit
client: address 192.168.1.2
server: process in.telnetd
access: allowed
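The following shell script is an added example, not code from the course or from the TCP Wrappers distribution. It emulates offline the decision that tcpd makes and that tcpdmatch reports (the first matching line in hosts.allow grants access; otherwise the first matching line in hosts.deny denies it; a client matching neither file is allowed) together with the percent-letter expansion used by the banners and spawn options described earlier. It recognises only ALL, exact host names and exact addresses, so it is a study aid for rule files like the ones in this module and in the exercise that follows, not a replacement for tcpdmatch. The rule files, host names, addresses and the pager command it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Sun course or the TCP Wrappers source.
# Emulates the tcpd access decision: first match in hosts.allow grants,
# else first match in hosts.deny denies, else access is allowed.
# Only ALL, exact host names and exact addresses are recognised.

# Expand the percent letters used by banners and spawn: %h client host,
# %a client address, %d daemon name. Values are assumed free of sed
# metacharacters such as / and &.
tcpd_expand() {
    printf '%s\n' "$1" | sed -e "s/%h/$2/g" -e "s/%a/$3/g" -e "s/%d/$4/g"
}

# Return 0 when the comma or space separated list $1 contains ALL or an
# entry equal to $2 or $3, otherwise return 1.
list_matches() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL)       return 0 ;;
            "$2"|"$3") return 0 ;;
        esac
    done
    return 1
}

# Scan rule file $1 for the first line whose daemon list matches service
# $2 and whose client list matches host $3 or address $4. Print that
# line's option field (empty if none) and return 0; return 1 on no match.
first_match() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        case "$rest" in
            *:*) clients=${rest%%:*}; options=${rest#*:} ;;
            *)   clients=$rest;       options= ;;
        esac
        if list_matches "$daemons" "$2" "" && list_matches "$clients" "$3" "$4"; then
            printf '%s\n' "$options" | sed 's/^[[:blank:]]*//'
            return 0
        fi
    done < "$1"
    return 1
}

# Emulate tcpdmatch for service $1, client host $2 and address $3, with
# allow file $4 and deny file $5. Prints "allowed" or "denied", followed
# by the options of the deciding line when it has any.
tcpd_match() {
    if opts=$(first_match "$4" "$1" "$2" "$3"); then
        printf 'allowed%s\n' "${opts:+ $opts}"
    elif opts=$(first_match "$5" "$1" "$2" "$3"); then
        printf 'denied%s\n' "${opts:+ $opts}"
    else
        printf 'allowed\n'
    fi
}

# Constructed rule files in directory $1, mirroring the exercise: wallace
# and grommit may telnet, everyone else is refused with a banner, and any
# other wrapped service pages an operator (pager path is hypothetical).
write_sample_rules() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample hosts.allow
in.telnetd: wallace, grommit
EOF
    cat > "$1/hosts.deny" <<'EOF'
# constructed sample hosts.deny
in.telnetd: ALL: banners /etc/tcpd.deny
ALL: ALL: spawn echo "intruder %h(%a) detected" | /usr/local/bin/pager 123 876 5432
EOF
}

demo=$(mktemp -d)
write_sample_rules "$demo"
tcpd_match in.telnetd grommit 192.168.1.2 "$demo/hosts.allow" "$demo/hosts.deny"
tcpd_match in.telnetd outsider 10.0.0.9 "$demo/hosts.allow" "$demo/hosts.deny"
tcpd_match in.ftpd outsider 10.0.0.9 "$demo/hosts.allow" "$demo/hosts.deny"
tcpd_expand 'intruder %h(%a) detected by %d' outsider 10.0.0.9 in.ftpd
rm -rf "$demo"
```

Running the script prints the allowed decision for grommit, the denied decision with its banners option for an unlisted telnet client, the spawn line that would fire for an unlisted client of any other wrapped service, and the expanded alert text. A missing hosts.deny file means a client that is not listed in hosts.allow is still allowed, which is why the final task of the exercise keeps an in.telnetd: ALL line in hosts.deny alongside the hosts.allow list.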
Exercise: Authenticating Network Services
In this exercise, you complete the following tasks:
• Install TCP Wrappers
• Enable logging for telnet connections
• Configure TCP Wrappers to deny telnet access to specific hosts
• Configure TCP Wrappers to warn of denied telnet access
• Configure TCP Wrappers to deny access to all hosts except those
specified
Preparation
There is no specific preparation needed for these exercises.
Tasks
You are not required to finish all of the tasks in the time allocated by the
instructor. However, ensure that you remove all host access control files as
described in "Removing Host Access Control" on page 15-36 to ensure
that host access control does not affect future module exercises.
Task: Installing TCP Wrappers
In this task, you install the TCP Wrappers executable tcpd program:
1. Download the TCP Wrappers package from the Sun Freeware Web
site. A copy has already been downloaded and saved in the
/usr/local/pkg directory.
2. Install this SVR4 package using the pkgadd command.
Task: Enabling Logging for telnet Connections
In this task, you configure TCP Wrappers to log network connections for
telnet:
1. Configure your telnet service to use visible TCP Wrappers (modify
the /etc/inetd.conf file). TCP Wrappers do not support
TCP/IPv6, so you must change the service type from tcp6 to tcp.
2. Enable logging for this service to the Syslog utility.
Task: Denying Access to Specific Hosts
In this task, you configure the host access control feature of Solaris OE so
that TCP Wrappers can deny telnet access to specific hosts:
1. Modify your TCP Wrappers configuration so that your workstation
is denied access to its own telnet service.
2. Send a banner to the telnet client indicating that access is denied.
3. Check your configuration using the tcpdmatch command.
Task: Configuring TCP Wrappers to Warn of Denied telnet Access
Enhance your TCP Wrappers configuration to use the write command to
send a message to the root user whenever an attempt to use the telnet
command is denied (include the client IP address and host name in the
message).
Task: Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified
In this task, you create a secure host access control configuration which
denies access to all hosts except those explicitly specified in the
configuration files:
1. Configure your system so that all systems other than your
workstation and the instructor's workstation are denied access to the
telnet service.
2. Remove all access controls for network services on your system.
Task: Removing Host Access Control
In this task, remove your host access files to prevent host access control
from interfering with future module exercises.
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
• Experiences
• Interpretations
• Conclusions
• Applications
Exercise Solutions
The following paragraphs describe the Solaris OE commands necessary to
solve the problems posed in the exercises for this module.
Installing TCP Wrappers
1. Download the TCP Wrappers package from the Sun Freeware Web
site. A copy has already been downloaded and saved in the
/usr/local/pkg directory.
2. Install this SVR4 package using the pkgadd command.
# cd /usr/local/pkg
# pkgadd -d tcp_wrappers-7.6-sol8-sparc-local
Enabling Logging for telnet Connections
1. Configure your telnet service to use visible TCP Wrappers (modify
the /etc/inetd.conf file). TCP Wrappers do not support TCP/IPv6,
so you must change the service type from tcp6 to tcp:
a. Edit the /etc/inetd.conf file and comment out the telnet
line:
#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
b. Type a new telnet entry which uses the tcpd program in the
/usr/local/sbin directory and does not include support for
TCP/IPv6:
telnet stream tcp nowait root /usr/local/sbin/tcpd in.telnetd
c. Identify the PID of the inetd process and send it the hang-up
signal so that it reads the configuration file again (kill takes a
process ID, not a process name):
# ps -ef | grep inetd
...
# kill -HUP <inetd PID>
2. Enable logging for this service to the Syslog utility:
a. Update the /etc/syslog.conf file so that it logs all mail
messages to the sc300log file (tcpd logs through the Syslog mail
facility unless it was built with a different one; the selector and
the action must be separated by a tab character, not spaces).
# vi /etc/syslog.conf
mail.info	/var/adm/sc300log
b. Send the hang-up signal to the syslogd process so that it reads
the new configuration:
# ps -ef | grep syslogd
...
# kill -HUP <syslogd PID>
c. Test your changes by running the telnet command from a
shell window to connect back to your system:
# telnet localhost
Denying Access to Specific Hosts
1. Modify your TCP Wrappers configuration so that your workstation
is denied access to its own telnet service:
a. Identify your host name using:
# hostname
b. Create the /etc/hosts.deny file and add the following line to
this file to block your own workstation (replace hostname with
the name reported by the hostname command):
in.telnetd: hostname
c. Check the configuration with:
# tcpdmatch in.telnetd wallace
client: hostname wallace
client: address 192.168.1.1
server: process in.telnetd
access: denied
d. Test your changes by running the telnet command from a
shell window to connect back to your system. You should
receive your banner message rather than a telnet session:
# telnet localhost
2. Send a banner to the telnet client indicating that access is denied:
a. Edit the /etc/hosts.deny file and change the entry for your
workstation to:
in.telnetd: hostname: banners /etc/tcpd.deny
b. Create a new directory called /etc/tcpd.deny:
# mkdir /etc/tcpd.deny
c. Create a banner file for the telnet service and enter a suitable
"service denied" message:
# cat >/etc/tcpd.deny/in.telnetd
Go away %h you are not allowed access to this service
^D
d. Test your changes by running the telnet command from a
shell window to connect back to your system. You should
receive your banner message rather than a telnet session:
# telnet localhost
Go away wallace you are not allowed access to this service
3. Check your configuration with the tcpdmatch command:
# tcpdmatch in.telnetd localhost
client: address 192.168.0.1
server: process in.telnetd
access: denied
Configuring TCP Wrappers to Warn of Denied telnet Access
Enhance your TCP Wrappers configuration to use the write command to
send a message to the root user whenever an attempt to use the telnet
command is denied (include the client's IP address and host name in the
message).
Update the entry for your workstation in the /etc/hosts.deny file:
in.telnetd: hostname: banners /etc/tcpd.deny: spawn echo "telnet intruder %c(%h)" | write root
Test your changes by running telnet from a shell window to connect
back to your system. You should receive your banner message back as
before, and all your shell windows should show a write message:
# telnet localhost
...
Message from root on wallace (pts/6) [ Fri May 25 12:57:28 ] ...
telnet intruder wallace(192.168.0.250)
<EOT>
Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified
1. Configure your system so that all systems other than your workstation
and the instructor's workstation are denied access to the telnet
service:
a. Create a file called /etc/hosts.allow with the following
entries (assuming the instructor's system is called grommit and
your system is wallace):
in.telnetd: wallace, grommit
b. Update the single line in the /etc/hosts.deny file to deny all
hosts (remove the spawn option to avoid unwanted write
commands being issued):
in.telnetd: ALL: banners /etc/tcpd.deny
2. Remove all access controls for network services on your system by
either:
Removing the /etc/hosts.deny and /etc/hosts.allow files:
# rm /etc/hosts.deny /etc/hosts.allow
Or restoring the original telnet entry in the /etc/inetd.conf file:
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
Removing Host Access Control
Remove your host access files to prevent host access control from
interfering with future module exercises:
# rm /etc/hosts.allow /etc/hosts.deny
Module 16
Securing Remote Access
Objectives
Upon completion of this module, you should be able to:
• Identify the benefits of the secure shell
• Install and configure the secure shell
• Use the secure shell
Relevance
Discussion: The following questions are relevant to securing remote
access:
• Do you regularly use the Berkeley r commands (such as rsh,
rlogin, and rcp) or telnet for remote access?
• How can you make these commands easier or more convenient to
use?
• What are the security implications of these strategies?
• What methods are available to make such tools secure?
Additional Resources
The following references provide additional information on the topics
described in this module:
• OpenSSH, [http://www.openssh.com/]
• Online man pages for the OpenSSH utilities ssh(1), ssh-add(1),
ssh-agent(1), ssh-keygen(1), scp(1), and sshd(8)
• Solaris OE Freeware, [http://www.sunfreeware.com/]
• Gregory, Pete H., Solaris Security. Prentice Hall, 2000.
• Barrett, Daniel J. and Silverman, Richard E., SSH: The Secure Shell,
The Definitive Guide (the Snail Book), O'Reilly and Associates, 2000.
• Barrett, Daniel J. and Silverman, Richard E., Web site for the Snail Book,
[http://www.snailbook.com]
Identifying the Benefits of the Secure Shell
The secure shell (ssh) is one utility in the OpenSSH suite of tools. This
suite of tools replaces remote access programs such as telnet and the
Berkeley r commands (rlogin, rsh, rcp). The OpenSSH tools provide
improved security and functionality compared with the other suites of
tools, and require little learning for users familiar with the old commands.
The latest version of OpenSSH also contains a secure replacement for FTP.
The OpenSSH design philosophy is:
• Never trust the network (even a component of it, such as a DNS
server).
• Place a minimum of trust in the remote server.
To obtain a high level of security, OpenSSH uses encryption and
authentication algorithms, and in particular uses public key
cryptography. These functions have resulted in a very secure set of tools.
The SSH protocol is almost Internet standard (it does not have an RFC
number allocated yet), and many SSH clients are available for a wide
range of operating systems. A user without root access can install SSH
(with reduced functionality). You can set SSH to revert to the Berkeley r
commands if SSH is not available on the remote server.
SSH is often supported as a secure transport mechanism. For example,
utilities such as CVS and rsync can use SSH for the secure transfer of files.
The original SSH program was written by Tatu Ylonen of Finland in 1995
and released as freeware, although it is now being marketed
commercially. OpenSSH is a derivative of an early version of SSH.
OpenSSH is being developed independently and is available for free on
the Web.
OpenSSH Tools
The OpenSSH suite of tools consists of the following programs:
• ssh(1): The client program used to log into another machine or to
execute commands on the other machine. (slogin is often used as an
alias for ssh.)
• scp(1): Securely copies files from one machine to another. scp(1)
can copy recursively, and it can copy files between two remote
machines.
• ssh-keygen(1): Creates authentication keys for server and client
authentication.
• ssh-agent(1): An authentication agent that holds keys on behalf
of the user. ssh-agent(1) eliminates the need to constantly enter
passphrases to unlock keys.
• ssh-add(1): Registers new keys with the authentication agent.
• ssh-keyscan(1): Obtains public keys from servers.
• sftp(1): A secure version of FTP.
• sshd(8): The server program that runs on the server machine. It
listens for connections from clients (ssh or scp). When it receives a
connection, sshd(8) performs authentication and begins serving the
client.
• sftp-server(8): The server program that processes requests from
sftp.
Using Encryption and Compression
OpenSSH is more secure than the Berkeley r commands because the tools
are immune to network monitoring. All authentication information and
session data is encrypted. Session data can be just as valuable as the
authentication information, because it might contain passphrases, credit
card or bank details, and other sensitive information.
To encrypt the communication session, the client and server generate and
exchange a session key using the RSA (Rivest, Shamir, Adleman, the
professors who created the algorithm) public key algorithm. After the
session key is exchanged, all traffic between the client and server is
encrypted and safe from anyone monitoring the network.
OpenSSH also performs compression. Compression can improve
performance, for example in situations when you are copying large files
over slow connections.
Security Benefits of Server Authentication
OpenSSH prevents spoofing or man-in-the-middle attacks. This class of
attacks involves fooling a client into accessing another server instead of
the one the client wants. Spoofing can be done with a compromised router
or a DNS server.
When the client connects to the untrusted server, it reveals the
authentication information, and the untrusted server uses this
information to connect to the true server as the client. The untrusted
server passes information between the client and the true server and thus
obtains authentication information and session data.
To prevent this class of attack, OpenSSH uses the RSA public key
algorithm for authenticating servers. The server generates a public and
private RSA key pair (RSA keys always come in pairs). The public key is
distributed to clients and authenticates the server (because only the server
has the private key that creates the authentication certificates).
The first time an OpenSSH program connects to a server, it records the
server's public key in a file. If the client connects to the same server later
and the public key has changed, the client knows a spoofing attack might
be happening. The client is warned and is asked whether it wants to
proceed (the server might have been upgraded and generated a new key).
The current server authentication scheme means there can be a spoofing
attack on the very first connection to a server. One solution to this
problem might be to use certificates in the same way as the Secure Sockets
Layer (SSL) security protocol.
Certificates make the software and administration procedure more
complicated because certificates must be certified by a certification
authority and checked against revocation lists. Certificates are better used
as a digital identity, where you do not know the second party.
With remote access, however, you usually know the other party, so you
can avoid the use of certificates and check the key fingerprint on the first
connection. Another option is to manually record the correct server key in
the known_hosts file. The ssh-keyscan program can create known_hosts
files.
Client Authentication
OpenSSH uses RSA encryption keys for authentication. Like server
authentication keys, RSA encryption keys consist of public and private
components. Authentication uses a challenge-response algorithm, where
the server generates a challenge and the client must provide the correct
response. The client uses the key's private component to generate the
correct response, and the server verifies it using the key's public
component. You must register the public component of the client key with
the server for your client to be granted remote access. Because the server
never accesses the client's private key, an intruder on a compromised
server cannot obtain the client's keys.
On a standard, passphrase-based system an intruder could collect
passphrases from clients as they connected. This is why you should not
use the same passphrase for multiple servers. However, with OpenSSH
client keys, you do not have a security problem using a single key for all
accounts.
The client's public and private key pair are stored in the user's home
directory. To prevent the theft of a user's key (perhaps when a machine is
left unattended), the private key is usually encrypted with a passphrase.
When you use the OpenSSH tools with RSA authentication, the
passphrases are only used to encrypt the private key, and the passphrases
are not directly used for authentication.
Forwarding TCP/IP Ports Using OpenSSH
Port forwarding is an OpenSSH process where the ssh program:
• Connects to a remote server
• Listens on various ports on this server
• Forwards all traffic to and from ports on the client machine
For instance, X clients (such as xterm) typically communicate with the X
server using port 6000. By configuring the ssh program to listen on port
6000 when logged into the remote machine and forwarding traffic to and
from port 6000 on the local machine (where the X server is running), it
appears that there is an X server running locally on the remote machine
that X clients can use. Figure 16-1 demonstrates X11 port forwarding.
Figure 16-1 X11 Port Forwarding
Without port forwarding, the X11 session must be transmitted
unencrypted, as shown in Figure 16-2.
Figure 16-2 X11 Session Without Port Forwarding
Using the ssh port forwarding feature means that X clients can use the
SSH-encrypted communication channel instead of making a direct (and
potentially insecure) connection to the client machine.
X11 is not the only application that makes use of port forwarding, but it is
the most common one. Because X11 is so common, the ssh program
forwards the appropriate X11 ports by default, and sets the DISPLAY
environment variable for use by the X11 programs on the server.
Copying Files and Executing Commands
The ssh program does not just provide a login shell on a remote machine.
You can use the ssh program to execute commands remotely (similarly to
rsh, except that with the ssh program you have the security benefits
described previously in "Identifying the Benefits of the Secure Shell" on
page 16-4). Executing commands remotely is useful when you build
scripts, especially when you use the ssh program's automatic
authentication features.
The scp program is the OpenSSH replacement for rcp. The security
benefits described previously in "Identifying the Benefits of the Secure
Shell" on page 16-4 apply. As with the ssh program, the automatic
authentication features can make scp particularly valuable when you
write scripts.
In addition to the scp program, the OpenSSH tools include a secure
version of FTP. The secure FTP allows you to transfer files in a secure and
interactive manner.
Benefits of the Password Agent
OpenSSH includes the ssh-agent program. This is the password agent
that reduces the need to constantly enter passphrases required for
authentication keys. Run the ssh-agent program once at the beginning of
a session, and the OpenSSH utilities obtain passphrases from the
passphrase agent instead of interactively prompting the user. Use the
ssh-add program to register the keys with the ssh-agent program, and
from then on the OpenSSH utilities automatically obtain the keys from the
agent.
An environment variable holds the process identifier of the ssh-agent
program. The OpenSSH client uses this environment variable to
determine which ssh-agent program to communicate with. You can use
this information to create long lasting ssh-agent programs, and to use
ssh-agent programs with scripts.
Configuring the OpenSSH Server
The server configuration is stored in the /etc/sshd_config file. The
default version of the sshd_config file is shown in Code 16-1.
Code 16-1 Default sshd_config File
1 # This is ssh server systemwide configuration file.
2
3 Port 22
4 #Protocol 2,1
5 #ListenAddress 0.0.0.0
6 #ListenAddress ::
7 HostKey /etc/ssh_host_key
8 ServerKeyBits 768
9 LoginGraceTime 600
10 KeyRegenerationInterval 3600
11 PermitRootLogin yes
12 #
13 # Don't read ~/.rhosts and ~/.shosts files
14 IgnoreRhosts yes
15 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
16 #IgnoreUserKnownHosts yes
17 StrictModes yes
18 X11Forwarding no
19 X11DisplayOffset 10
20 PrintMotd yes
21 KeepAlive yes
22
23 # Logging
24 SyslogFacility AUTH
25 LogLevel INFO
26 #obsoletes QuietMode and FascistLogging
27
28 RhostsAuthentication no
29 #
30 # This requires host keys in /etc/ssh_known_hosts
31 RhostsRSAAuthentication no
32 #
33 RSAAuthentication yes
34
35 # To disable tunneled clear text passphrases, change to no here!
36 PasswordAuthentication yes
37 PermitEmptyPasswords no
38 # Uncomment to disable s/key passwords
39 #SkeyAuthentication no
40
41 # To change Kerberos options
42 #KerberosAuthentication no
43 #KerberosOrLocalPasswd yes
44 #AFSTokenPassing no
45 #KerberosTicketCleanup no
46
47 # Kerberos TGT Passing does only work with the AFS kaserver
48 #KerberosTgtPassing yes
49
50 #CheckMail yes
51 #UseLogin no
52
53 #Subsystem sftp /usr/local/sbin/sftpd
54 #MaxStartups 10:30:60
You might want to modify the file to:
• Disable or enable certain forms of authentication (for example, you
might enable .rhosts authentication by modifying lines 14 and 28).
• Use a non-standard port (sshd listens on port 22, shown on line 3).
• Disable or enable X11 port forwarding (line 18).
• Set the Syslog parameters (lines 24 and 25).
• Change the file location where the host (server authentication) key
is stored (line 7).
• Accept or deny root logins (line 11). It is a good idea to deny root
logins and use the su command for administration instead.
The server configuration applies to this particular host. You cannot define
different settings based upon which users connect or where they connect
from. You can run two separate servers, each with its own configuration
file, on different ports.
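The following shell helpers are an added example, not code from the course or from OpenSSH. They read and change sshd_config keywords and apply the root-login advice above to a constructed copy of the relevant lines of Code 16-1. Two properties of the file format matter when you script such changes: keyword names are case-insensitive, and sshd uses the first active occurrence of a keyword, so a hardening line appended to the end of the file is silently ignored when an earlier line already sets that keyword. The sshd_set helper therefore rewrites existing lines rather than appending blindly.

```shell
#!/bin/sh
# Added example, not from the course or OpenSSH: helpers for reading and
# changing sshd_config keywords. Keyword names are case-insensitive and
# sshd uses the first uncommented occurrence of each keyword.

# Print the effective value of keyword $2 in config $1 (first active
# occurrence wins; commented lines such as "#Protocol 2,1" are ignored).
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Set keyword $2 to value $3 in config $1. Every active line for the
# keyword is rewritten, so no earlier duplicate can override the new
# value; if the keyword was only commented out or absent, append it.
sshd_set() {
    tmp="$1.tmp.$$"
    awk -v key="$2" -v val="$3" '
        tolower($1) == tolower(key) { print key, val; seen = 1; next }
        { print }
        END { if (!seen) print key, val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed subset of the default sshd_config shown in Code 16-1,
# written to path $1.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# This is ssh server systemwide configuration file.
Port 22
#Protocol 2,1
HostKey /etc/ssh_host_key
PermitRootLogin yes
X11Forwarding no
SyslogFacility AUTH
LogLevel INFO
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
}

demo=$(mktemp -d)
cfg="$demo/sshd_config"
write_sample_sshd_config "$cfg"
sshd_get "$cfg" PermitRootLogin        # yes (the default in Code 16-1)
sshd_set "$cfg" PermitRootLogin no     # deny root logins, as the text advises
sshd_set "$cfg" Protocol 2,1           # was only commented out: gets appended
sshd_get "$cfg" permitrootlogin        # no (lookup is case-insensitive)
sshd_get "$cfg" Protocol               # 2,1
rm -rf "$demo"
```

Run sshd_get on the live /etc/sshd_config before and after an edit to confirm that the value sshd will actually use is the one you intended; a second PermitRootLogin line further down the file would otherwise go unnoticed.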
Creating the Host Key
Before you can start the sshd server daemon, you must have the
/etc/sshd_config file and a host key for the server. To create the key,
use the ssh-keygen command.
Creating the host key is slightly different from creating the key for an
individual user. When you create the key required to start the sshd
daemon, you do not set a passphrase (the daemon must be able to read the
key without a person present to type one). The key is placed in the
/etc/ssh_host_key file (using the -f argument), as shown in Code 16-2.
Code 16-2 Creating the Host Key
# ssh-keygen -f /etc/ssh_host_key
Generating RSA keys: Key generation complete.
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Your identification has been saved in /etc/ssh_host_key.
Your public key has been saved in /etc/ssh_host_key.pub.
The key fingerprint is:
bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42 root@grommit
Note: If you install OpenSSH from a source distribution instead of a
binary distribution, the make install script generates and installs the
server keys automatically. Code 16-2 on page 16-19 is the manual method
of generating keys using the ssh-keygen command from a binary
installation.
Starting the Secure Shell Daemon
Start the sshd server daemon by executing the sshd command:
# /usr/local/bin/sshd
The sshd command is usually placed in the /etc/rc2.d startup scripts
and the server executes as a daemon in the background. You can execute
the sshd server from inetd, but this has performance implications
because the server needs to create session keys using the RSA algorithm.
Creating session keys can be time consuming and might cause server
delays. When the server runs as a daemon, the server calculates the
session keys beforehand, so incoming connections are processed instantly.
You can run the server in debug mode by using the -d flag, which is useful
for testing and debugging. When you run the server in debug mode:
• The server does not run in the background as a daemon
• All debugging and log information is displayed on the standard
output, not in the log files
• The server exits after processing one connection
Installing the Secure FTP Server
The secure FTP server (sftp-server) requires no special installation or
configuration. The sshd program starts sftp-server automatically
whenever secure FTP requests are made to the server.
Using OpenSSH Clients
You can use the ssh program to obtain a shell on a remote machine, as
with the rsh program, where the argument you provide is the remote
machine name, as shown in Code 16-3.
Code 16-3 Running the ssh Program to Obtain a Remote Shell
$ ssh grommit
alice@grommit's password: <enter password>
In Code 16-3, the user is prompted for a passphrase on the remote
machine. This is because the program uses standard passphrase-based
authentication. When you add other types of authentication, this method
changes.
In addition to starting a remote shell, you can run a command by
providing a command as the second argument, as shown in Code 16-4 on
page 16-24.
Code 16-4 Running a Command Using the ssh Program
$ ssh grommit w
alice@grommit's password: <enter password>
8:51PM up 38 days, 5:25, 4 users, load averages: 0.10, 0.17, 0.15
USER TTY FROM LOGIN@ IDLE WHAT
gary p0 pm00 6:16PM 2:00 -su (zsh)
gary p1 node1005b.a2000. 05May01 20:07 -su (zsh)
gary p2 pm00 6:51PM - sshd:
gary p3 pm00 8:06PM - ./ssh/ssh 195.6
Use the scp program to copy files between machines, as shown in
Code 16-5.
Code 16-5 Using the scp Program to Copy Files
$ scp grommit:/etc/motd /tmp/motd
alice@grommit's password: <enter password>
/etc/motd 100% |********************************************************************| 344 00:00
Note: Some later versions of the OpenSSH utilities display the remote
environment variables on the error output. This does not usually cause
problems, but if you want to keep the remote environment variables from
being displayed, add 2>/dev/null to the example commands.
Determining Known Hosts
The rst time you access a host with any of the OpenSSH clients, you see
a message like that shown in Code 16-6.
Code 16-6 Determining Known Hosts
The authenticity of host '192.168.0.1' can't be established.
RSA key fingerprint is bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known
hosts.
This warning informs you that the host is unknown to you (although
other users may have accessed this host), and asks whether the session
should continue. If you decide to continue, the host key of the server is
added to your file of known hosts ($HOME/.ssh/known_hosts), and
subsequent access to that host continues without prompting. If, however,
the host key changes, you get another warning, because a
man-in-the-middle attack might be occurring.
You can create a system-wide file of known hosts
(/etc/ssh_known_hosts) containing the public keys of remote servers,
so that the warning in Code 16-6 on page 16-25 is not displayed. The
OpenSSH client checks for a known host in both the system-wide
/etc/ssh_known_hosts file and the user's known_hosts file.
Generating Client Keys
To create a client key, use the ssh-keygen command. This is the same
command you use to generate a server key, except that now you should
enter a passphrase when prompted (with the server key you used a null
passphrase), as shown in Code 16-7.
Code 16-7 Generating Client Keys
$ ssh-keygen
Generating RSA keys: Key generation complete.
Enter file in which to save the key (/home/alice/.ssh/identity): <enter>
Enter passphrase (empty for no passphrase): <enter passphrase>
Enter same passphrase again: <enter passphrase>
Your identification has been saved in /home/alice/.ssh/identity.
Your public key has been saved in /home/alice/.ssh/identity.pub.
The key fingerprint is:
21:35:ae:ce:7e:26:cc:b8:4d:20:b6:d7:75:c1:ea:e5 alice@wallace
It is more important to protect user keys with a passphrase than the
server key, because user keys grant access to other systems. The server
key is used only for host authentication, and clients generate a warning
if it ever changes.
The generated keys reside in two files called identity and
identity.pub, in the subdirectory .ssh in the user's home directory. The
private key is stored in the identity file, in a binary format, while
identity.pub is text and looks like Code 16-8 (but all on one line).
Code 16-8 The identity.pub File
1024 35
1513654262912171898155246102814427367532890757465755146449159850815574939
2701684041728291715059541620863674232803606759935811785418186646278483739
5878212144805532410422736696434143284988351805292331858166145450914307704
5790282230525398782773290512186471891253206830274830645405338071526091544
70367552938409123 alice@wallace
Anything following the large number is only a comment and is ignored.
Granting Access to Other Users
With the Berkeley r commands, access to an account is usually granted
using the .rhosts files. While you can enable this method (it is disabled
by default), it is not recommended. Instead, grant access to an account
using the authorized_keys file. This file resides in the same directory as
the user's identity.pub file (usually $HOME/.ssh/).
Grant a user access to your account by appending the contents of their
identity.pub file to your authorized_keys file. A typical
authorized_keys file has several lines similar to the line in Code 16-8 on
page 16-28, with one line for every authentication key that is granted
access to the account. The name at the end of every line is only a
comment, and is ignored.
Ideally, you should transfer the key in a secure manner, perhaps on a
floppy disk or through some other secure channel such as encrypted
email. One alternative is to email or copy the file in an insecure manner,
and to verify the key fingerprint over the telephone.
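The known_hosts decision described under "Determining Known Hosts", the identity.pub layout of Code 16-8, and the authorized_keys grant, as one added example in Python (not code from the student guide or from OpenSSH). It works on protocol-1 key lines; the host names and key values below are constructed, and the fingerprint follows OpenSSH's RSA1 scheme (MD5 over the modulus bytes followed by the exponent bytes).

```python
import hashlib


def parse_ssh1_pubkey(line):
    """Parse one protocol-1 public key line: '<bits> <exponent> <modulus> [comment]'.

    This is the layout of identity.pub (Code 16-8), of each authorized_keys
    line, and of the key part of a known_hosts line. The comment is ignored.
    """
    fields = line.split(None, 3)
    if len(fields) < 3:
        raise ValueError("not an SSH1 public key line: %r" % line)
    bits, e, n = int(fields[0]), int(fields[1]), int(fields[2])
    if n.bit_length() != bits:
        raise ValueError("declared %d bits but modulus has %d" % (bits, n.bit_length()))
    comment = fields[3].strip() if len(fields) == 4 else ""
    return {"bits": bits, "e": e, "n": n, "comment": comment}


def fingerprint(key):
    """OpenSSH RSA1 fingerprint: MD5 of the big-endian modulus bytes followed
    by the big-endian exponent bytes, printed as colon-separated hex pairs."""
    n_bytes = key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")
    e_bytes = key["e"].to_bytes((key["e"].bit_length() + 7) // 8, "big")
    digest = hashlib.md5(n_bytes + e_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_key(a, b):
    # Only the key material counts; the trailing comments may differ.
    return (a["e"], a["n"]) == (b["e"], b["n"])


def check_known_host(known_hosts_text, host, presented_line):
    """Decide what the client does with the host key a server presents.

    'unknown': no entry for host, so the user is asked whether to continue;
    'ok':      the stored key matches, so the session proceeds silently;
    'changed': an entry exists but holds a different key (the case the
               guide flags as a possible man-in-the-middle attack)."""
    presented = parse_ssh1_pubkey(presented_line)
    for raw in known_hosts_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        names, key_part = raw.split(None, 1)   # 'host1,host2 bits e n'
        if host not in names.split(","):
            continue
        return "ok" if same_key(parse_ssh1_pubkey(key_part), presented) else "changed"
    return "unknown"


def grant_access(authorized_keys_text, pubkey_line):
    """Append another user's identity.pub line to an authorized_keys file.

    Returns (new_text, added). A key that is already present is not added
    twice, even when its comment differs."""
    new = parse_ssh1_pubkey(pubkey_line)
    lines = [l for l in authorized_keys_text.splitlines() if l.strip()]
    if any(same_key(parse_ssh1_pubkey(l), new) for l in lines):
        return authorized_keys_text, False
    lines.append(pubkey_line.strip())
    return "\n".join(lines) + "\n", True


# Constructed sample keys (64-bit moduli, not real RSA keys) so the block runs offline.
ALICE_PUB = "64 35 %d alice@wallace" % ((1 << 63) + 12345)
GROMMIT_HOSTKEY = "64 35 %d" % ((1 << 63) + 98765)
IMPOSTOR_HOSTKEY = "64 35 %d" % ((1 << 63) + 55555)
KNOWN_HOSTS = "grommit,192.168.0.1 " + GROMMIT_HOSTKEY + "\n"


if __name__ == "__main__":
    print("alice's fingerprint:", fingerprint(parse_ssh1_pubkey(ALICE_PUB)))
    print("grommit, stored key:", check_known_host(KNOWN_HOSTS, "grommit", GROMMIT_HOSTKEY))
    print("grommit, other key: ", check_known_host(KNOWN_HOSTS, "grommit", IMPOSTOR_HOSTKEY))
    print("wallace, no entry:  ", check_known_host(KNOWN_HOSTS, "wallace", GROMMIT_HOSTKEY))
    text, added = grant_access("", ALICE_PUB)
    print("granted:", added, "| granted again:", grant_access(text, ALICE_PUB)[1])
```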
Using OpenSSH With RSA Authentication
When another user has granted you access by adding your public key
(your identity.pub file) to their authorized_keys file, you can access
their account without using (or even knowing) their password. For
example, to use the ssh program to access user bob's account on machine
grommit, enter the following:
$ ssh -l bob grommit
Enter passphrase for RSA key 'alice@wallace': <enter passphrase>
You are not asked for the password of user bob, but you are asked for
the passphrase that unlocks your own OpenSSH key. This also applies to
the scp command.
Using the ssh-agent Program
When you perform remote commands (ssh) or remote file copies (scp), or
when you run these programs from a script, you might want to avoid
entering the passphrase for your key. To do this without removing the
passphrase, use the ssh-agent program.
Execute the ssh-agent program with a command as its parameter; the
agent runs that command in an environment that has access to the client
keys. Typically this command is a shell or an X session. There are no
client keys in the environment until you add them using the ssh-add
program. You can also use the ssh-add program to view the keys held by
the ssh-agent program. When keys have been added, you can use the
ssh and scp commands without being prompted for the passphrase.
Code 16-9 uses the ssh-agent program to start a subshell in which the
OpenSSH clients are executed.
Code 16-9 Using the ssh-agent Program to Start a Subshell
$ ssh-agent ksh
$ ssh-add -l
The agent has no identities.
$ ssh-add
Need passphrase for /export/home/alice/.ssh/identity
Enter passphrase for alice@wallace: <enter passphrase>
Identity added: /export/home/alice/.ssh/identity (alice@wallace)
$ ssh-add -l
1024 49:4b:13:bb:6f:8e:46:d1:cd:f2:33:5b:04:99:bb:bd alice@wallace
You do not need to enter the passphrase for the ssh command, because it
is now supplied by the ssh-agent program.
You can use the ssh-agent program without an argument. In this case,
the ssh-agent program runs in the background, answering requests from
OpenSSH clients. You must set the SSH_AGENT_PID environment variable
for the OpenSSH clients to locate the agent and communicate with it. The
easiest way to use OpenSSH in this mode is to evaluate the ssh-agent
command as shown in Code 16-10.
Code 16-10 Running the ssh-agent Program in the Background
$ eval `ssh-agent`
$ ssh-add -l
The agent has no identities.
$ ssh-add
Need passphrase for /export/home/alice/.ssh/identity
Enter passphrase for alice@wallace: <enter passphrase>
Identity added: /export/home/alice/.ssh/identity (alice@wallace)
$ ssh-add -l
1024 49:4b:13:bb:6f:8e:46:d1:cd:f2:33:5b:04:99:bb:bd alice@wallace
You can also use the ssh-agent program by providing a command as an
argument, in which case the environment variable is automatically set.
The ssh-agent exits when the command exits.
Using the Secure FTP Client
The sftp program is an interactive file transfer program, similar to the
ftp(1) command. The sftp program performs all operations over an
encrypted connection, in the same way as the other OpenSSH clients. The
sftp program uses many of the OpenSSH clients' features, such as public
key authentication and compression. The sftp program connects and logs
into the specified host, and then usually enters an interactive command
mode. Use the sftp program instead of the scp program when you want
to browse files and directories interactively.
To start the sftp program, use the remote server name as an argument:
% sftp grommit
You can also use the sftp program by providing the name of a file to be
retrieved as an argument (like scp):
% sftp grommit:/etc/motd
When you specify the file name, the file retrieval happens automatically
once interactive user authentication has taken place. If the
authentication method requires a passphrase, the user is prompted for
it, and the transfer then proceeds automatically.
Configuring the Client
The client configuration is stored in the /etc/ssh_config file. The
standard file contains only comments (as shown in Code 16-11), because
the defaults are usually adequate.
Code 16-11 The /etc/ssh_config File
# This is ssh client systemwide configuration file. This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent yes
# ForwardX11 yes
# RhostsAuthentication yes
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking no
# IdentityFile ~/.ssh/identity
# Port 22
# Protocol 2,1
# Cipher blowfish
# EscapeChar ~
You can modify the file to:
G Specify the type of authentication used.
G Use a non-standard port.
G Specify the encryption algorithm used (the client determines the
algorithm used, as long as the server supports it).
G Change the location of the files where the client keys are stored.
G Prevent access to servers whose authentication key is not known to
the client (as opposed to warning the user that the key is unknown
or changed). When this option is set, you must add new hosts to the
known_hosts file manually or by using the ssh-keyscan program.
G Use the Host directive to manage settings. You can make settings
globally or make server-specific entries. The Host directive takes a
machine name as an argument and restricts all settings (up until the
next Host directive, or the end of the file) to apply to that server only.
You can use the * and ? wildcards in the machine name, and you can
specify the default settings using Host *. For example, if the server at
pluto.sun.com runs on a non-standard port (the default is 22), you
can specify this value by adding the following to the ssh_config
file:
Host pluto.sun.com
Port 8022
Users can override these settings with command line options or their own
configuration file.
Note: Ensure that specific Host directives are placed later in the file than
the less specific ones. For example, always place the default directives
first, otherwise the default directives override the previous ones.
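The resolution rule stated in the comments of Code 16-11 (command line first, then the user's file, then the system-wide file, and the first value set for an option wins), as an added example in Python rather than material from the guide. The configuration files are constructed; `Host` negation with `!` is not handled.

```python
import fnmatch


def parse_ssh_config(text):
    """Return (host_patterns, option, value) triples in file order.

    Options that appear before any Host line apply to every host. Comments
    and blank lines are dropped; keywords are case-insensitive."""
    entries = []
    patterns = ["*"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            patterns = value.split()       # one Host line may list several patterns
        else:
            entries.append((patterns, keyword, value))
    return entries


def host_matches(patterns, host):
    # ssh_config allows the * and ? wildcards; fnmatchcase implements both.
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def resolve(host, cmdline=None, user_config="", system_config=""):
    """Effective options for host: command line first, then the user's file,
    then the system-wide file. Once an option has a value, every later
    occurrence (in the same file or a later source) is ignored."""
    effective = {k.lower(): v for k, v in (cmdline or {}).items()}
    for text in (user_config, system_config):
        for patterns, option, value in parse_ssh_config(text):
            if option not in effective and host_matches(patterns, host):
                effective[option] = value
    return effective


def port_for(host, **sources):
    return resolve(host, **sources).get("port", "22")   # 22 is ssh's built-in default


# Constructed system-wide files for pluto.sun.com, the host used in the guide's example.
# Host-specific block before the defaults, as the file's own comments recommend:
DEFAULTS_LAST = """
Host pluto.sun.com
    Port 8022
Host *
    Port 22
    StrictHostKeyChecking yes
"""

# Defaults first: Host * sets Port 22 before the pluto block is ever reached.
DEFAULTS_FIRST = """
Host *
    Port 22
    StrictHostKeyChecking yes
Host pluto.sun.com
    Port 8022
"""

# A constructed per-user file; it is read before the system-wide file.
USER_FILE = """
Host *.sun.com
    Port 2222
"""


if __name__ == "__main__":
    print("host-specific before defaults:", port_for("pluto.sun.com", system_config=DEFAULTS_LAST))
    print("defaults before host-specific:", port_for("pluto.sun.com", system_config=DEFAULTS_FIRST))
    print("user file shadows system file:",
          port_for("pluto.sun.com", user_config=USER_FILE, system_config=DEFAULTS_LAST))
    print("command line shadows both:    ",
          port_for("pluto.sun.com", cmdline={"Port": "9022"},
                   user_config=USER_FILE, system_config=DEFAULTS_LAST))
```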
Exercise: Using Secure Shell
In this exercise, you complete the following tasks:
G Install, configure, and use the secure shell
G Verify that transmissions sent by a user using the ssh program are
encrypted
G Configure client keys
G Use the ssh-agent program to manage passphrases
Preparation
Ensure that any host access control set up in the files /etc/hosts.allow
and /etc/hosts.deny is disabled (in other words, remove these two
files).
Task: Using Secure Shell
Work in pairs to install a minimal configuration of the secure shell on a
server and a client.
Task: Installing OpenSSH
You can download OpenSSH from the Sun Freeware Web site; see
Additional Resources on page 16-3. A copy has already been
downloaded and saved in the /usr/local/pkg directory. Install this
SVR4 package using the pkgadd command. You also must install the
OpenSSL library which is available from the same Web site in the
/usr/local/pkg directory.
Task: Using OpenSSH
In the next steps, you create the host key for the secure shell server.
Similar steps are taken for creating keys for individual users, except that
the file locations are different, and the server does not use a passphrase
with its key.
To create the host key:
1. As the root user on the server, use the ssh-keygen command to
generate the keys for the server. Use the default directory for the key
location for this exercise. Press the Enter key when prompted for a
passphrase.
2. When the host key has been generated, start the secure shell server
daemon. Start it in debug mode with the sshd -d command. Ignore
any error messages regarding DSA host keys.
3. On the server and client machines, identify two user accounts to use
with the secure shell. The account name and shell type do not matter,
although the following examples use the names alice and bob.
4. On the client machine, use the su command to change to user alice.
5. From the client machine, use the ssh command to connect to the
server as user bob.
6. If the command succeeded, the OpenSSH server is running correctly.
Restart the sshd program (on the server machine), this time without
the debug ag. Use the ps program to ensure that the server is
running.
Task: Checking Secure Shell Encryption
To check encryption:
1. On the client machine, log in as user alice. To test the encryption of
the secure shell, verify that you can view clear text on the network
by using the snoop command as the root user in another window.
Log user alice out of the rlogin session but leave the snoop
command running in the other window.
2. From the client machine, use the ssh command to connect to the
server. Watch the window running the snoop command to see if the
connection is encrypted. When you are prompted for an answer to a
yes or no question, type the full word. You must also enter the
correct passphrase for the new user on the remote system.
Task: Configuring Client Keys
To configure client keys:
1. From the client, use the ssh program to run a command on the
server. Run the command who to see the logged on users on the
server. Add 2>/dev/null to the command to remove the
environment variables from the output.
2. From the client, use the scp program to copy user alice's
identity.pub file to the /tmp directory on the server. Use
2>/dev/null to remove the environment variables from the output.
3. From the server, add the identity.pub file you just copied to the
/tmp directory to user bob's authorized_keys file.
4. From user alice on the client machine, log in to the server as user
bob. Do this without using bob's password. Use the access granted
from bob's authorized_keys file.
Task: Using the ssh-agent Program
To use the ssh-agent program:
1. Run the ssh-agent program to configure your shell so that it has
access to the keys:
# eval `ssh-agent`
2. List the identities now available to the ssh-agent program.
3. Add a new identity to the agent.
4. List the identities now available.
5. Connect to another machine as user bob. You do not need to enter
the passphrase for the required key, because it is supplied by the
ssh-agent program.
6. If you have time, configure the client as a server and repeat the
exercises in reverse order.
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or
discoveries you had during the lab exercise.
G Experiences
G Interpretations
G Conclusions
G Applications
Exercise Solutions
This section provides the solutions for the exercises in this module.
Installing OpenSSH
Install OpenSSH using pkgadd. You also must install the OpenSSL library.
# cd /usr/local/pkg
# pkgadd -d openssl-0_9_6-sol8-sparc-local
# pkgadd -d openssh-2_5_1p1-sol8-sparc-local
Using OpenSSH
1. As the root user on the server, use the ssh-keygen command to
generate the keys for the server. Use the default directory for the key
location for this exercise. Press the Enter key when prompted for a
passphrase.
# ssh-keygen -f /etc/ssh_host_key
Generating RSA keys: Key generation complete.
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Your identification has been saved in /etc/ssh_host_key.
Your public key has been saved in /etc/ssh_host_key.pub.
The key fingerprint is:
bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42 root@jeeves
2. When the host key has been generated, start the secure shell server
daemon. Start it in debug mode with the sshd -d command. Ignore
any error messages regarding DSA host keys.
# /usr/local/bin/sshd -d
debug: sshd version OpenSSH_2.2.0
error: Could not load DSA host key: /etc/ssh_host_dsa_key
Disabling protocol version 2
debug: Bind to port 22 on ::.
Server listening on :: port 22.
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
...
3. On the server and client machines, identify two user accounts to use
with the secure shell. The account name and shell type do not matter,
although the following examples use the names alice and bob.
4. On the client machine, use the su command to change to user alice:
# su - alice
Password: password
%
5. From the client machine, use the ssh command to connect to the
server as user bob:
% ssh -l bob grommit
bob@grommit's password: password
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
6. If the command succeeds, the OpenSSH server is running correctly.
Restart the sshd program (on the server machine), this time without
the debug flag. Use the ps program to ensure that it is running:
# /usr/local/bin/sshd
# ps -ef | grep sshd
root 1630 1 29 12:01:50 ? 0:08 /usr/local/bin/sshd
Checking Secure Shell Encryption
1. On the client machine, log in as user alice.
login: alice
Password:
Sun Microsystems Inc. SunOS 5.7 Generic August 1998
To test the encryption of the secure shell, verify that you can view
clear text on the network by using the snoop command as the root
user in another window. Log user alice out of the rlogin session
but leave the snoop command running in the other window:
# snoop
Using device /dev/hme
wallace -> grommit RLOGIN C port=1023
.............
Open another window, and use the rlogin command to log in to the
server:
login: alice
Password:
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ rlogin grommit
Password:
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ ls
local.cshrc local.login local.profile
$ exit
Connection closed.
$
You should see the clear text in the window running the snoop
command.
2. From the client machine, use the ssh command to connect to the
server. Watch the window running the snoop command to see if the
connection is encrypted. When you are prompted for an answer to a
yes or no question, type the full word. You must also enter the
correct passphrase for the new user on the remote system.
$ ssh grommit
The authenticity of host 'jeeves' can't be established.
RSA key fingerprint is bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'jeeves' (RSA) to the list of known hosts.
alice@jeeve's password: <enter password>
Last login: Sat May 12 20:49:42 2001 from wallace
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ ls
local.cshrc local.login local.profile
The window running the snoop command should not be displaying
cleartext any longer, proving that the connection is encrypted
between the client and server.
Configuring Client Keys
1. From the client, use the ssh program to run a command on the
server. Run the who command to see the logged on users on the
server. Add 2>/dev/null to the command to remove the
environment variables from the output.
$ ssh grommit who 2>/dev/null
alice@grommit's password: <enter password>
bob ttyp0 May 11 14:00 (195.64.77.11)
2. From the client, use the scp program to copy user alice's
identity.pub file to the /tmp directory on the server. Use
2>/dev/null to remove the environment variables from the output.
$ scp .ssh/identity.pub grommit:/tmp/ 2>/dev/null
alice@grommit's password: <enter password>
identity.pub 100%
|************************************************| 344 00:00
3. From the server, add the identity.pub file you just copied to the
/tmp directory to user bob's authorized_keys file.
% cp /tmp/identity.pub /home/bob/.ssh/authorized_keys
4. From user alice on the client machine, log in to the server as user
bob. Do this without using bob's password. Use the access granted
from bob's authorized_keys file.
$ ssh -l bob grommit
Enter passphrase for RSA key 'alice@wallace': <enter passphrase>
Last login: Sat May 12 21:05:46 2001 from wooster
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
% id
uid=1067(bob) gid=1067 groups=1067
Using the ssh-agent Program
1. Run the ssh-agent program with sh as the command to execute
(so that this shell has access to the keys):
% ssh-agent sh
2. List the identities now available to ssh-agent:
% ssh-add -l
The agent has no identities.
3. Add a new identity to the agent:
% ssh-add
Need passphrase for /export/home/alice/.ssh/identity
Enter passphrase for alice@wooster: <enter passphrase>
Identity added: /export/home/alice/.ssh/identity (alice@wallace)
4. List the identities now available to ssh-agent:
% ssh-add -l
1024 49:4b:13:bb:6f:8e:46:d1:cd:f2:33:5b:04:99:bb:bd alice@wallace
5. Connect to another machine as user bob. You do not need to enter
the passphrase for the required key, because it is supplied by the
ssh-agent program.
% ssh -l bob grommit
Last login: Tue May 15 16:18:22 2001 from wallace
% id
uid=1067(bob) gid=1067 groups=1067
%
Module 17
Securing Physical Access
Objectives
Upon completion of this module, you should be able to explain and use
measures to physically secure a system. Specifically, you should be able to:
G Justify the need for physical system security and define measures
that enhance the physical system security
G Explain the potential weak points in a physical network
G Disable the STOP-A key
G Explain the role of the EEPROM password and security modes
Relevance
Discussion: All IT equipment is a potential target for a physical attack,
both intentional and unintentional; fire, floods, and other emergencies
have no respect for controlled access to data centers.
G What harm can be done to a system or its data if an intruder can
physically access the machine?
G Is it only the computer that needs to be physically protected?
Additional Resources
The following references provide additional information on the topics
described in this module:
G Schneier, Bruce. Secrets & Lies. John Wiley & Sons, 2000.
G Scambray, McClure, Kurtz. Hacking Exposed. Osborne McGraw-Hill,
2001.
G Garfinkel, Simson and Gene Spafford. Practical UNIX & Internet
Security. O'Reilly & Associates, Inc. 1996.
G Online manual pages for boot(1M), eeprom(8), kernel(1M),
monitor(1M), and system(4).
G Solaris OE Answerbook 2.
Assessing the Risk From Physical Intrusion
Modern computer networks are complex environments that have a
number of vulnerabilities. Not all attacks are launched by distant
intruders. People with physical access to the systems and networks might
also attempt to access data or impair functionality, for a variety of reasons.
Although it might seem more of a problem for military systems, physical
security is also important for commercial systems because:
G The potential rewards from successful commercial espionage can run
into millions of dollars.
G Commercially sensitive data is held on machines both in the data
center and in any office connected to the network.
G Commercially sensitive data is carried along the wires of the network.
Physical Intrusion Solutions
Solutions to physical intrusion onto a network are similar to those applied
to the computers themselves:
G Be aware of the potential for physical intrusion into the network.
G Control physical access to all IT equipment.
G Encrypt data sent over the network, especially if it is at all sensitive.
Types of Physical Intrusion
The types of physical intrusion can be classified as follows:
G Console access: An intruder gains direct access to the system by
sitting at the console. This problem arises:
G When sessions are left logged in
G When post-it notes with passwords written on them are left around
the workstation
G On systems (such as Microsoft Windows 98) that do not require
passwords for access
G Damage to systems: An intruder with physical access can damage a
system and leave it inoperable.
G Data theft: Backup tapes or other removable media are stolen. An
intruder could even remove parts of a system containing data, such
as hard drives.
G Power outage: An intruder interferes with the supply of power to
systems and networks, causing a DoS attack. Suddenly switching off
servers, routers, or other components is potentially as damaging
as physically destroying the network.
G Network tapping: An intruder with physical access to the network
monitors internal network traffic without having to defeat a firewall.
As with any risk, you must strike a balance between the likelihood of
attack and the cost of preventative measures.
Securing IT Equipment
Physical access to all IT equipment should be restricted to as few people as
possible and only to authorized personnel. While this should be possible
for servers, it is difficult, if not impossible, to enforce for workstations
(including PCs and laptop PCs).
Place all servers in restricted-access machine rooms or rooms that can be
locked, and control who has access to those locations.
Where practical, put the workstation systems into locked cupboards and
only give users access to the screen, keyboard, and mouse. Use extension
cables for the peripheral equipment to facilitate this configuration.
Consider removing or disabling removable media devices, such as
diskettes, CD-ROMs, tape backup, DVDs, and even the parallel port on
PCs which can be used with portable disks and tape devices such as
Iomega Zip drives.
Note: It has been known for a site to use superglue to prevent diskette
drives from being used.
Use low-level EEPROM or BIOS security to enable administrator
passwords for all unsecured equipment, to ensure that only password
holders can reboot systems into a maintenance or administration mode.
Using passwords with SPARC equipment prevents an unauthorized user
from booting the Solaris OE into single-user mode, which gives the user
root access.
Remember that users might have access to installation media and
hardware diagnostic media which they can use to bypass some (or all) of
the security measures in place, unless you prevent physical access to the
system devices.
Implementing Physical Network Security
Network security is a vast and complex area due to the sheer scale of
modern networks. Some of the network areas that must be secured are:
G Local Area Network (LAN)
G Routers
G Firewalls
G Wide Area Network (WAN)
G Physical cabling inside your organization's buildings
G Physical cabling used by telecommunications companies
G Microwave transmissions as an alternative to physical cabling
G Satellite communications
Securing Network Infrastructure
This subject is too broad and specialized to be presented in this course. However, there are some techniques that you can use within your organization to remove some of the more obvious threats:
• Only allow authorized systems to connect to your network.
  Do not allow consultants or contractors to use their own equipment to access the network. Always provide them with a system to use that you have properly secured.
• Always use a star topology, connecting every system individually back to a hub or switch.
  Do not use thick or thin Ethernet coaxial cabling (10BASE5 or 10BASE2): it is a shared bus, and anyone with access to the cable can tap into it.
• Only connect the ports that are required when using structured wiring systems.
  Do not leave unused live ports in user-accessible areas, because unknown equipment can be plugged into these ports.
• Audit the physical cables into hubs, switches, and routers on a regular basis.
  All networks should have an approved network diagram, so that you can check what is present against what should be present.
• Use managed (monitored) hubs and switches that report the status of their ports, usually over a separate serial management link. While primarily intended as a means of network troubleshooting, port status reporting is also a valuable tool for security monitoring.
• Ask users to leave all computers switched on at all times and poll the computers on a regular basis to verify their identity. Use the low-level MAC address of the network card and maintain a database of port-to-MAC-address mappings to detect inconsistencies. Bear in mind that a MAC address can be changed in software, so a matching address only shows that nothing obvious has changed; it is the mismatches that you are looking for.
• Laptops are a problem area because you would not expect them to be left in the office overnight, but it is still possible to verify whether a MAC address is that of a known machine. Laptop users can also change network PC cards, which have different MAC addresses. It is better to have a few false alarms than an intruder attacking your network.
• Always lock communications rooms containing hubs, routers, patch panels, and other network infrastructure.
• Do not allow users to plug into hubs or change patch panel settings.
• Use fiber optic cables if possible.
  It is a lot harder to tap into a fiber cable than an electrical cable.
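A scripted version of the port-to-MAC-address inventory check described above, written for this edition of the page and not part of the Sun course. It assumes an invented inventory file format ("port mac owner") and that you can obtain a "port mac" list from your managed hub or switch, or from a scripted arp -a sweep after polling every host; the sample data below is constructed so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Sun course): compare the approved
# port-to-MAC-address inventory with what the network shows right now.
# Run with /usr/xpg4/bin/sh or ksh on Solaris 8; /bin/sh there is the
# old Bourne shell and lacks $(...).
#
# Invented file formats for this example:
#   inventory: "<port> <mac> <owner>"  one line per approved device
#   observed:  "<port> <mac>"          what the managed hub/switch port
#                                      table or an arp -a sweep reports

# audit_ports INVENTORY OBSERVED
# Prints one finding per line (UNKNOWN, MOVED or ABSENT). Exit status is
# 1 if anything was found, 0 if the network matches the inventory.
audit_ports() {
    awk '
    # Canonical form of a MAC so that 08:00:20:AB:CD:01 and 8:0:20:ab:cd:1
    # (the form Solaris arp -a prints) compare equal.
    function norm(m,    n, a, i, out) {
        n = split(tolower(m), a, ":"); out = ""
        for (i = 1; i <= n; i++) {
            sub(/^0+/, "", a[i]); if (a[i] == "") a[i] = "0"
            out = out (i > 1 ? ":" : "") a[i]
        }
        return out
    }
    NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
    FILENAME == ARGV[1] {                      # first file: the inventory
        mac = norm($2); approved[$1] = mac; port_of[mac] = $1; owner[mac] = $3
        next
    }
    {                                          # second file: observed now
        mac = norm($2); seen_port[$1] = 1; seen_mac[mac] = 1
        if (!(mac in port_of)) {
            print "UNKNOWN device " mac " on port " $1; bad++
        } else if (port_of[mac] != $1) {
            print "MOVED " owner[mac] " (" mac ") expected on " port_of[mac] ", seen on " $1; bad++
        }
    }
    END {
        # approved devices that neither answered on their port nor moved:
        # switched off, unplugged, or a laptop that went home
        for (p in approved)
            if (!(p in seen_port) && !(approved[p] in seen_mac)) {
                print "ABSENT " owner[approved[p]] " (" approved[p] ") not seen on port " p; bad++
            }
        if (bad > 0) exit 1
    }' "$1" "$2"
}

# Constructed sample data (not real hosts): writes PREFIX.inventory and
# PREFIX.observed. p01 is fine, p02 has a stranger on it, ws-finance-2
# has moved to p04, and the laptop on p03 is not there.
write_sample() {
    cat > "$1.inventory" <<'EOF'
# port  mac                owner
p01     08:00:20:ab:cd:01  ws-finance-1
p02     08:00:20:ab:cd:02  ws-finance-2
p03     08:00:20:ab:cd:03  laptop-sales-7
p04     08:00:20:ab:cd:04  printer-floor2
EOF
    cat > "$1.observed" <<'EOF'
p01 8:0:20:ab:cd:1
p02 0:10:a4:d3:0:9f
p04 8:0:20:ab:cd:2
EOF
}

tmp="${TMPDIR:-/tmp}/portaudit.$$"
write_sample "$tmp"
audit_ports "$tmp.inventory" "$tmp.observed"
echo "exit status: $?"
rm -f "$tmp.inventory" "$tmp.observed"
```

The MOVED and ABSENT cases are the ones worth looking at most closely: a device that has changed port may simply have been re-patched, but together with an UNKNOWN device on its old port it is exactly the pattern of someone unplugging a workstation to borrow its network socket.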
Appraising the Risk of Eavesdropping
One final consideration is the electrical equipment itself. All electrical cables leak a certain amount of electromagnetic radiation, which can be detected by specialized monitoring equipment (essentially a sophisticated radio receiver). This eavesdropping equipment is expensive but can work at a range of a few hundred meters.
Some products can pick up the radiation from a monitor and reconstruct the screen image in real time. Some detectors can track key presses and mouse movements remotely.
The central processing unit (CPU) in a server or workstation is also vulnerable. The electromagnetic signal a processor generates while performing the large-integer arithmetic used by public-key cryptography is highly characteristic. By analyzing that signal (or the closely related power-consumption signal), an attacker can recover information about the values being processed, including key material; such attacks have been demonstrated against smart cards and other small cryptographic devices, where the signal is easiest to isolate.
This might sound like science fiction, but these products exist and they are used. They might not be 100 percent accurate, cheap, or easy to use, but, given time and development, they will become cheaper and more reliable. The film Entrapment (Twentieth Century Fox, 1999) showed how physical monitoring can gather sensitive information as part of a plot to break into a multinational banking system. This is a fictional plot line, but do not assume that it cannot happen in the real world. Attacks of this nature have been made.
The defence against these forms of attack is to audit the location of the sensitive device (monitor, CPU, and so on), establish the level of risk and, if necessary, screen off the electromagnetic radiation with a Faraday cage, that is, an earthed enclosure of conductive material that keeps the emitted radiation from reaching the outside.
Note: The U.S. government's TEMPEST program defines standards and a certification system that rate computer equipment's susceptibility to radio eavesdropping, that is, how much usable signal it emits. It is now possible for rooms and even whole buildings to be TEMPEST certified.
How Secure Is Your Network?
With regard to your own offices, consider the following:
• How many of the computer screens and keyboards can be seen through windows from nearby buildings?
• Do any of your network cables run within 100 yards of a road, parking lot, park, shop, or anywhere else where the public can legitimately walk by or stop?
Using Encryption
The pessimistic way of looking at data security is to assume that all physical security is compromised and that data can be read by anyone. Encryption provides a fallback for ensuring that sensitive data is only accessible to authorized personnel.
It must be understood that, in practice, there is no such thing as unbreakable encryption. Any practical cryptosystem can be broken given enough time, if only by trying every key. It is the aim of the cryptographer to make that time span so long that the data no longer matters by the time it is recovered. With an adequate key length, brute force against a well-designed commercial cryptosystem would take decades or centuries even for a well-funded attacker; what usually breaks such a system in practice is a weak password, a poorly protected key, or a flaw in how the system is used.
The case for and against encryption can be summarized as follows:
• Benefits of encryption:
  • Data is secured from unauthorized access, even when made public.
  • Access to data is easily restricted on a need-to-know basis by controlling who holds the keys.
• Problems associated with encryption:
  • The additional encryption layer slows data access.
  • Keys must be managed and kept secure. Once a key becomes known, everything encrypted under it is exposed.
  • If the decryption key is lost, the related data is also lost.
Strengthening Help Desk Processes
One of the most common forms of security break-in is for an intruder to phone the help desk or an administrator and ask for the password on an account to be reset. As long as the intruder knows a valid account name, this attack succeeds more often than it fails.
As a result, many help desks implement safeguards to ensure that the user requesting the password change is the owner of the account; that is, they authenticate the user who is requesting the change.
User Authentication Techniques
The following is a list of some common user-authentication techniques, along with their disadvantages:
• Ask users to physically go to a help desk to be verified:
  • Help desk staff might not know every person by sight.
  • Even when this approach is backed up with the use of user ID badges, ID badges can be falsified or stolen.
  • Users and the help desk might not be located within close proximity of each other.
• Ask users to supply additional identification information, such as a personnel number or a passphrase created when the user's account was created:
  • This form of additional data can easily be discovered by listening to a valid user talking to the help desk, or by browsing company documentation.
  • Passphrases must be memorable to users (and therefore guessable by intruders), and they must be stored somewhere where they can be accessed by help desk staff, thereby compounding the security risk.
• Ask users to email requests from another system:
  • Not all users have accounts on more than one system, and networks based on NIS+, Microsoft Windows NT, Netware, or Kerberos effectively use a single network login mechanism to access all systems.
  • SMTP email can be easily spoofed.
• Ask users to submit a written request signed by their supervisor or manager:
  • Intruders can forge the written request, so help desk staff must contact the supervisor concerned and verify authorization of the password change. This is a slow process (supervisors might be in meetings) which penalizes legitimate users, who cannot continue working while the password is being reset.
• Confirm user identity by phoning the user back on their known extension (or mobile phone):
  • Intruders might be at the user's desk or have borrowed the user's phone.
  • Genuine users might not be able to get to their usual phone.
  • Not all users have individual phones, and often a supervisor must be contacted instead of the user.
  • Phones can use redirection and call forwarding to transparently route the call to any other phone.
• Use a trusted third party, such as a supervisor or manager, to make the request and receive the password:
  • The trusted third party still has to be authenticated.
  • This solution reduces the number of users who can ask for password changes, which can slow operations in a large organization.
Regrettably, there is no perfect solution to the problem of authenticating user identity over the phone. Nevertheless, any of the above precautions is better than having none in place at all, and combining two of them (for example, a call-back plus a supervisor's confirmation for privileged accounts) raises the bar further.
Applying Physical Security Measures
Any software security system that can be started on a machine can also be stopped by someone with physical access to that machine. This is the major weakness of software security. Securing physical access to a workstation or server is, therefore, every bit as important as taking software measures.
The Stop-A Key
On hardware based on SPARC technology, the OpenBoot firmware interacts with the hardware to control access to the system. From the point of view of security, the most serious risk of intrusion is the Stop-A key combination. If the Stop key and the A key are held down at the same time on the keyboard of the physical machine (not from a terminal session; a BREAK on a serial console has the same effect), all Solaris OE activity is suspended and the system drops to the command monitor (the OpenBoot ok prompt).
From the OpenBoot monitor a user can:
• Reboot the system from alternative media or into single-user mode, gaining access to the system as the root user.
• Examine memory contents, potentially picking up key information. Many files are cached in memory, and it is quite likely that the /etc/shadow information can be found.
• Load data from physical devices, allowing the user access to any file on the disk, bypassing all security checks.
No password is required for any of this unless EEPROM security (described later in this module) has been enabled.
Disabling the Stop-A Key
Disable the Stop-A key (and the serial console BREAK) by adding the following line to the /etc/system file:
set abort_enable = 0
Remove this line, or set it as follows, to enable the Stop-A key:
set abort_enable = 1
Alternatively, uncomment the following entry in the /etc/default/kbd file:
KEYBOARD_ABORT=disable
Reboot the system after changing /etc/system or /etc/default/kbd, because these files are only read when the system boots. The kbd(1) command (kbd -a disable) changes the setting on the running system immediately; use it together with the file change so that the setting also survives a reboot.
Be aware of what you give up. With the abort sequence disabled, a hung system can only be recovered by power-cycling it, and an attacker who can power-cycle the machine can still press Stop-A while the firmware is running, before the kernel has taken control. Disabling Stop-A therefore protects only a running system; protecting the boot path itself requires the EEPROM security described next.
Enabling EEPROM Security
Workstations are generally kept in reasonably secure areas, even if only in an office. However, there are circumstances in which it is advisable to protect further against physical access to a system. You could use some form of physical keyboard lock. You could also consider EEPROM password control.
If an intruder has access to the low-level firmware (the EEPROM monitor), they can alter low-level system functionality. They could bring the system to a low run level, then make alterations to the kernel or to programmable read-only memory (PROM) level functions. To do this, the intruder must be physically at the computer they are attempting to break in to. In addition to physical presence, this type of attack also requires significant knowledge of the system concerned. Nevertheless, this type of attack could be a security concern.
Note: Most manufacturers provide a means of changing EEPROM data. This can differ from one type of hardware to another, and great care must be taken not to corrupt a system accidentally. The following technique discusses the OpenBoot firmware and is applicable only to hardware based on SPARC technology. Check with your hardware vendor before using this technique.
Hardware based on SPARC technology provides a security lock at the EEPROM level. Set the security level from the OpenBoot prompt (EEPROM level) or by using the eeprom(1M) command from the running Solaris OE.
By using the eeprom command with the proper options, you can assign a password and security level to the machine. After issuing the commands, reset the system. From then on, a password is required to perform specific commands whenever the system has been brought to the OpenBoot (EEPROM) prompt.
OpenBoot runs in two modes:
• Full access, where all commands are available
• Restricted access, where only the c (continue), b (boot), and n (new command mode) commands are available; n is the command that returns to full access
There are three levels of EEPROM security:
• none: Full access to OpenBoot, where any command can be typed and no password is required. This is the factory default.
• command: Restricted access, where c and a plain b (boot from the default device with the default arguments) work without a password. A password is required to use n to return to full access, or to give b any argument (for example, to boot from the CD-ROM or into single-user mode). This is the usual choice for servers, because an unattended reboot still works.
• full: Restricted access, where all commands except c require a password, including a plain boot. A system in this mode cannot reboot unattended after a power failure.
Warning: Do not attempt to change the EEPROM settings during this course. If for any reason the password is forgotten or unavailable, the firmware can no longer be administered and, in full mode, the computer will not even boot. To remedy the situation, the NVRAM device holding the EEPROM settings must be physically removed from the system and replaced or reprogrammed.
EEPROM Passwords
To set the EEPROM security mode to command, use the following command (as root):
# eeprom security-mode=command
When the EEPROM security mode is set to a value other than none, set the security password with:
# eeprom security-password=
Changing PROM password:
New password: ******
Retype new password: ******
If you enter an incorrect password at the OpenBoot prompt, the system delays for approximately 10 seconds before displaying the prompt again, which slows down guessing.
The number of times that an incorrect password has been entered is stored in the security-#badlogins variable in non-volatile random access memory (NVRAM). Check the value of this parameter to see whether someone has attempted to use the EEPROM monitor without knowing the password.
Use the command below to check the number of failed attempts:
# eeprom security-#badlogins
security-#badlogins=0
After investigating a non-zero count, reset it with eeprom security-#badlogins=0 so that the next attempt is noticed.
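The following audit script, added for this edition of the page and not part of the Sun course, checks the settings covered in "Disabling the Stop-A Key" and "EEPROM Passwords": the abort setting in /etc/system and /etc/default/kbd, and the security-mode and security-#badlogins OpenBoot variables that eeprom(1M) reports. The file paths and the eeprom command are parameters, so it runs here against constructed sample files and a stand-in eeprom function; on a real host you would pass /etc/system, /etc/default/kbd and eeprom. The PASS/FAIL wording and the three-check structure are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sun course): audit a Solaris host's console
# protections against this module's recommendations. Run with ksh or
# /usr/xpg4/bin/sh on Solaris 8 (/bin/sh there lacks $(...)).
#
# audit_console SYSTEM_FILE KBD_FILE EEPROM_CMD
#   On a live host: audit_console /etc/system /etc/default/kbd eeprom
#   The arguments are parameters so the checks can be run against copies
#   of the files or, as below, constructed samples and a stand-in eeprom.

# Value of "set NAME = value" in an /etc/system-style file (last one wins).
system_setting() {   # FILE NAME
    awk -v name="$2" '
        $1 == "set" {
            line = $0; sub(/^[ \t]*set[ \t]+/, "", line)
            split(line, kv, "="); gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == name) val = kv[2]
        }
        END { print val }' "$1"
}

# Value of NAME=value in an /etc/default-style file. A line starting
# with # has "#NAME" as its key, so a commented-out
# KEYBOARD_ABORT=disable correctly does not count.
default_setting() {  # FILE NAME
    awk -F= -v name="$2" '$1 == name { val = $2 } END { print val }' "$1"
}

# Value of one OpenBoot variable from "eeprom NAME" output ("NAME=value").
# The # in security-#badlogins is not a shell comment mid-word, but the
# callers quote it anyway.
eeprom_setting() {   # EEPROM_CMD NAME
    "$1" "$2" 2>/dev/null | sed 's/^[^=]*=//'
}

# Prints PASS/FAIL per check; returns the number of failed checks.
audit_console() {
    fails=0
    abort=$(system_setting "$1" abort_enable)
    kbd=$(default_setting "$2" KEYBOARD_ABORT)
    if [ "$abort" = "0" ] || [ "$kbd" = "disable" ]; then
        echo "PASS Stop-A/BREAK disabled (abort_enable=${abort:-unset}, KEYBOARD_ABORT=${kbd:-unset})"
    else
        echo "FAIL Stop-A/BREAK enabled: set abort_enable = 0 in $1 or KEYBOARD_ABORT=disable in $2, then reboot"
        fails=$((fails + 1))
    fi
    mode=$(eeprom_setting "$3" security-mode)
    case "$mode" in
        command|full) echo "PASS OpenBoot security-mode=$mode" ;;
        *) echo "FAIL OpenBoot security-mode=${mode:-unreadable}: run eeprom security-mode=command and eeprom security-password="
           fails=$((fails + 1)) ;;
    esac
    bad=$(eeprom_setting "$3" 'security-#badlogins')
    if [ -z "$bad" ]; then
        echo "FAIL could not read security-#badlogins"; fails=$((fails + 1))
    elif [ "$bad" -eq 0 ] 2>/dev/null; then
        echo "PASS no failed PROM password attempts recorded"
    else
        echo "FAIL security-#badlogins=$bad: someone tried the PROM password; investigate, then eeprom security-#badlogins=0"
        fails=$((fails + 1))
    fi
    return $fails
}

# --- constructed sample: a host at factory defaults (not a real system) ---
write_sample() {   # PREFIX -> PREFIX.system, PREFIX.kbd
    cat > "$1.system" <<'EOF'
* /etc/system as shipped: no abort_enable line at all
set maxusers = 64
EOF
    cat > "$1.kbd" <<'EOF'
#KEYBOARD_ABORT=disable
EOF
}
# stand-in for eeprom(1M) on that host: open PROM, two failed attempts
eeprom_default() {
    case "$1" in
        security-mode)         echo "security-mode=none" ;;
        'security-#badlogins') echo "security-#badlogins=2" ;;
    esac
}

tmp="${TMPDIR:-/tmp}/console-audit.$$"
write_sample "$tmp"
audit_console "$tmp.system" "$tmp.kbd" eeprom_default
echo "failed checks: $?"
rm -f "$tmp.system" "$tmp.kbd"
```

Because the eeprom command is a parameter, the same function can be pointed at eeprom output saved from a batch of hosts, which is how you would sweep a data center for machines still at security-mode=none.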
Exercise: Working With Physical Security
In this exercise, you complete the following tasks:
• Disable the Stop-A key
• Consider the physical security of your own systems
Preparation
No preparation is required for this exercise.
Task: Disabling the Stop-A Key
Use the Stop-A key to access the OpenBoot firmware and browse the help information. Resume your system operation and disable the Stop-A key. Verify that you can no longer use the Stop-A key.
Re-enable the Stop-A key.
Task: Considering the Physical Security of Your Systems
This is a pen and paper exercise. List your thoughts under the following headings:
• How is physical access to your data centers controlled?
• How is physical access to your networking equipment controlled, especially hubs, switches, and routers not located in the data centers?
• Do your users have access to physical workstations (including PCs) rather than having access only to screens, keyboards, and mice?
• Do you allow contractors or consultants to plug their own equipment into your network?
Exercise Summary
Discussion: Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.
• Experiences
• Interpretations
• Conclusions
• Applications
Exercise Solutions
This section provides the solutions for the exercises in this module.
Disabling the Stop-A Key
Use the Stop-A key to access the OpenBoot firmware and browse the help information (type help at the ok prompt; go resumes the suspended system).
Resume your system operation and disable the Stop-A key by adding the following line to the /etc/system file:
set abort_enable = 0
Reboot the system for this change to take effect.
Verify that you can no longer use the Stop-A key.
Re-enable the Stop-A key by removing from the /etc/system file the line that you added earlier.
Reboot the system for this change to take effect.
Considering the Physical Security of Your Systems
Only you or someone in your organization can answer these questions.
Module 18
Connecting the Enterprise Network to the Outside World
Objectives
Upon completion of this module, you should be able to:
• Explain the importance and role of firewalls, proxy servers, and other enterprise network security components
• Describe ongoing security tasks
• Explain the role of security audits
• List common sources of security information
Relevance
Discussion: By now, you are aware of the potential dangers to networked hosts. However, it is not ideal to rely solely on host security to ensure enterprise security when connecting to external networks, such as the Internet.
• What types of technologies might be used to protect an enterprise network when connected to the Internet?
Additional Resources
The following references provide additional information on the topics described in this module:
• Zwicky, Elizabeth D., Simon Cooper, and D. Brent Chapman. Building Internet Firewalls. 2nd Edition. O'Reilly & Associates, 2000.
• Cheswick, Bill, and Steve Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison-Wesley, 1994.
• Comer, Douglas, and David Stevens. Internetworking with TCP/IP. Vols. I (1997), II (1998), and III (2000). Prentice Hall.
Designing the Network to Improve Security
The primary reason to network computers together is communication. Unfortunately, given the prevalence of virus and Trojan code, and with increasing numbers of potential intruders present on the Internet, a defensive strategy is vital. The corporate network, the data it holds, and the hosts that form part of it are all valuable assets that need protection from improper use.
You can use various tools and products to secure the boundary between the enterprise network and the outside world. This section looks at the common components and the ways in which they are applied.
Improving Security With a Firewall
The term firewall is used in different ways by different people. However, the primary objective of a firewall is to monitor all network traffic between two networks (usually a corporate network and the Internet), and to block and log inappropriate traffic. A firewall can be made up of multiple components, including (but not limited to):
• Packet filters that control access to the network based on the source or destination IP address of a packet (and usually on its protocol and port numbers as well)
• Proxies, which hide the real address of a host on the corporate network when the host connects to the outside world
• Protocol-aware software that uses knowledge of higher-level protocols, such as TCP or SMTP, to identify dubious network activity
The firewall functionality can be spread across multiple hosts and routers, or it can be encapsulated within a single host. When people talk about installing a firewall, they are frequently referring to the installation of a piece of software that includes some or all of these components.
Firewall software is based on rules. Some rules act to specifically allow particular types of network traffic between certain network addresses. Other rules explicitly block network traffic, by dropping the network packets. For each type of packet (or datagram), a separate rule can be established, either permitting or blocking the passage of the data. An implicit rule covers those packets not accounted for by any explicit rule; for a firewall, that implicit rule should be deny.
Ideally, the two networks that a firewall manages should be attached to different network adapters and be on different subnets. As always with security, it is prudent to assume that no firewall is subversion-proof. If the two networks (the outside network and the inside network) are physically separated and on different subnets, then if the firewall fails, the connection between the two networks also fails. (If instead the networks remained connected through some other path, a firewall failure would leave the inside network exposed.) In other words, the firewall should fail closed rather than fail open.
Firewalls do not prevent attacks by virus or Trojan writers, but they are highly effective at blocking direct intrusion over the network. Firewalls have another, perhaps more important, function. Companies frequently have extremely valuable data stored on their networks. It is quite easy for someone to inadvertently (or intentionally) publish such data on the company intranet. A firewall can prevent that data from being visible to the outside world unless it is loaded onto an audited portal.
One of the most important features of firewalls is logging. There are two logging options:
• Log on success: events resulting in passage through the firewall are logged.
• Log on deny: events resulting in refusal of passage through the firewall are logged (this is the more usual option).
Examination of the firewall log can be most informative. For example, attempts by a user to connect to an Internet file-storage service might indicate an attempt to pass company-confidential data outside the company; port scans from the outside (one source address being refused on many different ports in a short time) are an early indication that someone is preparing an attack on your systems.
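To make the rule model above concrete, here is a small first-match packet filter with an implicit deny, log-on-deny (and optional log-on-success), followed by the port-scan check over its deny log that the last paragraph describes. It is an added illustration for this edition of the page, not SunScreen or any other product's code; the rule-file layout, the packet list (constructed, using documentation address ranges) and the threshold of five distinct ports are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Sun course, and not SunScreen): a minimal
# first-match packet filter with an implicit deny and log-on-deny, plus
# the deny-log review for port scans. Run with ksh or /usr/xpg4/bin/sh
# on Solaris 8 (/bin/sh there lacks $(...)).
#
# Invented rule-file format, one rule per line, first match wins:
#   <allow|deny> <proto|any> <src cidr|any> <dst cidr|any> <dport|any>
# Packet list: "<src> <dst> <proto> <dport>", one per line.

# filter RULES PACKETS [all]
# Prints a log line per denied packet ("all" also logs allowed packets):
#   DENY|ALLOW <ruleN|implicit> src=... dst=... proto=... dport=...
filter() {
    logall=0; [ "$3" = "all" ] && logall=1
    awk -v logall="$logall" '
    function ip2n(s,    o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # Is address a inside cidr? Uses integer division by 2^(32-bits)
    # because POSIX awk has no bitwise operators.
    function in_cidr(a, cidr,    p, bits, div) {
        if (cidr == "any") return 1
        bits = (split(cidr, p, "/") == 2) ? p[2] + 0 : 32
        if (bits == 0) return 1
        div = 2 ^ (32 - bits)
        return int(ip2n(a) / div) == int(ip2n(p[1]) / div)
    }
    NF == 0 || $1 ~ /^#/ { next }
    FILENAME == ARGV[1] {                      # load the rule table
        n++; act[n] = toupper($1); proto[n] = $2; src[n] = $3; dst[n] = $4; port[n] = $5
        next
    }
    {                                          # evaluate one packet
        verdict = "DENY"; by = "implicit"      # the implicit rule
        for (i = 1; i <= n; i++)
            if ((proto[i] == "any" || proto[i] == $3) && (port[i] == "any" || port[i] == $4) &&
                in_cidr($1, src[i]) && in_cidr($2, dst[i])) {
                verdict = act[i]; by = "rule" i; break
            }
        if (verdict == "DENY" || logall)
            print verdict, by, "src=" $1, "dst=" $2, "proto=" $3, "dport=" $4
    }' "$1" "$2"
}

# scan_report LOG MIN
# One source being denied on MIN or more distinct destination ports is
# the classic sign of a port scan; list such sources with their counts.
scan_report() {
    awk -v min="$2" '
    $1 == "DENY" {
        split($3, s, "="); split($6, d, "=")
        if (!((s[2], d[2]) in seen)) { seen[s[2], d[2]] = 1; ports[s[2]]++ }
    }
    END { for (h in ports) if (ports[h] >= min) print h, ports[h], "distinct ports denied: possible port scan" }' "$1"
}

# Constructed sample (documentation address ranges, not real traffic):
# inside users may browse, anyone may deliver mail to the relay, telnet
# to the DMZ is explicitly refused, everything else is implicitly denied.
write_sample() {   # PREFIX -> PREFIX.rules, PREFIX.packets
    cat > "$1.rules" <<'EOF'
# action proto src          dst            dport
allow    tcp   10.1.0.0/16  any            80
allow    tcp   any          192.0.2.10/32  25
deny     tcp   any          192.0.2.0/24   23
EOF
    cat > "$1.packets" <<'EOF'
# src         dst           proto dport
10.1.4.7      198.51.100.3  tcp   80
10.1.4.7      198.51.100.3  tcp   21
203.0.113.5   192.0.2.10    tcp   25
203.0.113.5   192.0.2.10    tcp   23
203.0.113.5   192.0.2.10    tcp   21
203.0.113.5   192.0.2.10    tcp   22
203.0.113.5   192.0.2.10    tcp   110
203.0.113.5   192.0.2.10    tcp   143
203.0.113.5   192.0.2.10    tcp   443
EOF
}

tmp="${TMPDIR:-/tmp}/fwdemo.$$"
write_sample "$tmp"
filter "$tmp.rules" "$tmp.packets" all > "$tmp.log"
cat "$tmp.log"
scan_report "$tmp.log" 5
rm -f "$tmp.rules" "$tmp.packets" "$tmp.log"
```

Note that the explicit deny on port 23 adds nothing to what the implicit rule already does; its value is that you can attach a different log message or alert to it, which is the usual reason for writing explicit denies at all.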
Using Solaris SunScreen Firewall
SunScreen software is a firewall designed to operate with the Solaris OE. As with other firewalls, there is a server, called the screen, and an administration tool, designed to allow insertion and implementation of rules.
SunScreen comes in two versions:
• SunScreen Secure Net 3.1 is a full-featured firewall product designed to be deployed throughout an organization to implement a secure business network including extranets, secure intranets, and remote access.
• SunScreen 3.1 Lite is a firewall product designed to protect individual servers or very small workgroups.
SunScreen software can support up to 15 separate network interfaces, which makes SunScreen one of the more powerful firewalls. Another advantage of SunScreen software is that it incorporates a useful proxy-server capability.
High availability configuration enables SunScreen software to fail over quickly to a second screen without losing firewall or encryption sessions. If a firewall is successfully attacked and goes offline, the high-availability features enable a second firewall to take over the compromised firewall's sessions, including its encryption sessions.
SunScreen consists of a rules-based, dynamic packet-filtering engine for network access control, and an encryption and authentication engine that enables the creation of secure virtual private network (VPN) gateways by integrating public-key encryption technology.
SunScreen's stealth capabilities refer to the ability to configure the screen so that it has no IP address on the interfaces it filters and therefore cannot be addressed from the network. This provides two benefits for securing a network:
• Potential intruders cannot address the machine running SunScreen Secure Net, making it extremely difficult to compromise this system.
• Installation of SunScreen Secure Net is easier because it can be installed without changing the routing tables.
SunScreen uses the open-standard SKIP (Simple Key-management for Internet Protocols) technology for encryption, authentication, access control, and secure VPNs. SunScreen SKIP includes support for many strong, standards-based authentication, encryption, and integrity technologies, including a 4096-bit Diffie-Hellman modulus and the newer Diffie-Hellman primes.
Evaluating IPsec as a Firewall Replacement
You might think that IPsec does away with the need for a firewall. Some people would argue that adopting IPsec removes the problem of unknown hosts infiltrating the system. It is possible to configure IPsec in such a way that only fully authenticated, encrypted data passes onto a given network. The problem is that when you configure IPsec in this way, it is almost certain that you will lose all Internet connectivity, and a lot of other inter-networking as well, because the hosts you need to talk to are not your IPsec peers.
It is therefore better to regard the two technologies, a firewall and IPsec, as complementary. IPsec authenticates and encrypts the IP traffic exchanged with known peers, and the firewall provides a suitable choke point for restricting the types of packets transferred between networks.
Using Routing Security Features
Routers are devices (usually, but not always, dedicated hardware) that forward packets from one network (or subnetwork) to another network. It is not accidental that this description of a router resembles the description of a firewall. In many respects, firewall software performs the same tasks as a router. Many firewalls use one or more routers as part of the overall security solution, largely due to the ability of routers to filter packets as they pass them from one network to the other. The rules that govern this filtering are usually held in the router's non-volatile configuration memory.
There are many different types of routers available, and each is programmed in a slightly different manner. Some of the more common types are shown in Table 18-1.
Table 18-1 Common Types of Router

Type      Normal Usage
Simple    Connection between LANs
Gigabit   High bandwidth, ultra high-speed routing
DSL       Managed asynchronous connection
ISDN      Combination of an ISDN 2e terminal adapter with a limited-function router (usually limited to 10 static routes)
PSTN      Combination of a PSTN modem with a limited-function router (usually limited to 10 static routes)

Routers operate by means of routing tables. Typically, these include the following information:
• The name of the route (for convenience only).
• The active status of the route (active or inactive).
• Destination IP address. Routers work between IP addresses. The destination can be a single host or, more usually, a network reached through another gateway.
• IP subnet mask. Routers typically forward packets between networks. With a mask, a route can be defined for a subnet rather than a whole network, which is both possible and advisable.
• Gateway IP address. If packets are destined for a directly attached network, they are passed directly to the host. If they are destined for any other network, they are passed to the next gateway (router), as defined by this address.
• Private (true or false). Routes can be public or private. While the terminology might differ, this usually implies that special filtering or encryption is applied.
• Filters. Filters comprise a separate set of tables, each describing a recognized fragment of an IP packet (addresses, protocol, ports). As with firewall software, the packets identified by the filters can be allowed or disallowed.
You can control and restrict packets attempting to leave the system by applying the correct filters and suitable encryption.
Masking Hosts Using a Proxy Server
In its simplest form, a proxy server stands in for an IP client connecting to the outside world. The proxy has an IP address of its own, and it is the proxy's address, not the client's, that the outside world sees. (In a proxy's configuration the listening address is often given as 0.0.0.0, which means "listen on all of this host's addresses", not that the proxy has the address 0.0.0.0.) When a client makes a request for a connection, the proxy forwards the connection to the original target, but the request registers as having originated from the proxy, not the requester. At the same time, requests can be filtered through the proxy (for example, for restricted or unsuitable sites), and outgoing data can be blocked or allowed according to type and origin. Returned data can likewise be checked for type suitability. Unsuitable content (Java technology code or ActiveX controls) can be blocked, or even removed. Because all outside connections come from a single daemon, it is safe to block non-essential ports (to prevent port scan attacks), and the outside world cannot establish the IP address of the original requester, or analyze the connection, unless the proxy itself passes that information on (for example, in an HTTP header identifying the client).
Proxy software has advanced well beyond its original concept, and in
many cases has become conjoined with firewall technology to construct
what might be called a defensive perimeter, that is, a combination firewall
and proxy server. Most modern proxy offerings now include proxy DNS
support, SSL encryption, and FTP filtering. There is often a further
advantage. Because proxy servers must cache data returns so that the data
can be forwarded to the requester, it follows that the cache provides a
major speed increase for much-used network connections because the
data is held in RAM, not accessed from the Internet. Documents, and even
entire sites, can be preloaded into the cache, or scheduled to load.
A fairly good, Open Source implementation of a fully cached proxy server
is available at the following URL: http://www.squid-cache.org/.
Securing Routers, Proxy Servers, and Firewalls
Routers, firewalls, and proxy servers protect administrative functions by
using passwords. These passwords must be kept private, because anyone
with the appropriate password can change routing tables, and reconfigure
firewalls or proxy servers.
Certain firewall components, such as routers, tend to have preconfigured
passwords, to make it easy for the administrator to install and configure
them. However, some of these passwords are now common knowledge.
Therefore, you must change such passwords before the device or software
is deployed as part of a firewall system. Some example preset
administrative accounts and passwords for common routers are shown in
Table 18-2.
You must also remember that routers are usually accessed through a
remote terminal. For this reason, you should change passwords regularly
and limit knowledge of them to a very few individuals. If possible, you
should disable remote connection to firewall components, and enforce
administrative changes through the physical console.
Table 18-2 List of Preset Router Administrative Accounts

Manufacturer   Username   Password
Bay Networks   Manager    <null>
3com           admin      synnet
               debug      synnet
               manager    manager
Cisco          enable     cisco
               (telnet)   cisco
Shiva          root       <null>
Motorola       cablecom   router
Creating Demilitarized Zones (DMZ)
The term demilitarized zone (or DMZ) refers to a part of the LAN that is
between two firewalls. One firewall separates the DMZ from the internal
LAN, while the other separates the DMZ from the outside world. The
DMZ is an area that permits limited, free communication, but maintains a
secure profile for the bulk of the private LAN. It is common to site
publicly visible hosts, such as Web servers and FTP servers, on the DMZ.
The DMZ provides an expendable area. If the area becomes contaminated,
or security is compromised, then the entire zone can be rebuilt without
damaging the internal network or its data.
Providing Secure Access Using a Virtual Private Network
A Virtual Private Network (VPN) uses encryption to create a secure
channel between two hosts (or networks) as they communicate over an
insecure network, usually the Internet. Each host communicating over a
VPN is typically connected to a local network, but with access to the
Internet. Communication between the two networks is achieved by
tunneling, that is, encrypting all data that passes back and forth
between the hosts. VPNs can exist between an individual machine and a
private network (client-to-server), or a remote LAN and a private network
(server-to-server). A typical VPN architecture is shown in Figure 18-1.
Figure 18-1 Architecture of a Virtual Private Network
There are two basic types of VPN:
• Hardware VPNs are essentially encrypting routers. They have a very
high bandwidth and are easy to install. They do not, however, offer
the flexibility of a software solution.
• Software VPNs range from firewalls which support encryption, to
VPN clients, which run on individual workstations.
VPNs are available from a variety of vendors, but can also be constructed
using IPsec and firewalls. There is no definitive rule as to the type of
security that they offer, but strong encryption and authentication are
usually regarded as mandatory.
Constructing a VPN
The first stage in building a VPN is to decide on the level and type of
encryption. You would usually apply encryption by configuring IPsec
system-wide. A crucial factor is the packet filtering, that is, filtering
whether packets have the IPsec authentication header, rather than only
trusting the IP address. By this method, the interconnected machines
know which other machines they are talking to, just as they would if the
network were completely closed.
The VPN is now almost complete. For the simplest VPN, the only
remaining task is to apply the appropriate filter sets to the firewall, so that
packets between the IP addresses known to be on the VPN are allowed,
but others (on the same circuit) are dropped.
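The filter set described above, as an added example that is not part of the Sun course: a small Python model of a default-deny filter for the VPN circuit that passes a packet only when both addresses are known VPN peers and the packet carries the IPsec Authentication Header (IP protocol 51), so that a plain packet merely claiming a VPN source address is dropped. The peer addresses and packets are constructed (RFC 5737 documentation ranges); no real interface is touched.

```python
"""Model of the VPN filter set: allow IPsec-protected packets between known
VPN peers, drop everything else on the circuit.  Added example, not course
code; all addresses and packets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

AH = 51   # IPsec Authentication Header, IP protocol number
ESP = 50  # IPsec Encapsulating Security Payload (optional, see VpnFilter)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number carried by the packet


class VpnFilter:
    """Default-deny filter for the circuit that carries the VPN.

    `peers` lists the networks (or single hosts) known to be on the VPN.
    A packet passes only when BOTH ends are VPN peers AND the packet is
    IPsec-protected.  A plain packet that merely claims a VPN source
    address is dropped: the address alone is not trusted, only the
    authentication header is.  By default only AH counts as protected;
    pass protected=(AH, ESP) if ESP with authentication is also in use.
    """

    def __init__(self, peers, protected=(AH,)):
        self.peers = [ip_network(p) for p in peers]
        self.protected = set(protected)

    def _is_peer(self, addr):
        a = ip_address(addr)
        return any(a in net for net in self.peers)

    def decide(self, pkt):
        """Return "pass" or "drop" for one packet (first matching rule wins)."""
        if not (self._is_peer(pkt.src) and self._is_peer(pkt.dst)):
            return "drop"  # not VPN-to-VPN traffic
        if pkt.proto not in self.protected:
            return "drop"  # right addresses, but no AH: possibly spoofed
        return "pass"

    def apply(self, packets):
        return [(p, self.decide(p)) for p in packets]


# Constructed sample traffic seen on the shared circuit.
VPN_PEERS = ["192.0.2.0/24", "198.51.100.7"]
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.7", AH),   # genuine VPN traffic
    Packet("198.51.100.7", "192.0.2.10", AH),   # reply, also AH-protected
    Packet("192.0.2.10", "198.51.100.7", 6),    # plain TCP, no AH: dropped
    Packet("203.0.113.5", "198.51.100.7", AH),  # AH, but unknown source
    Packet("192.0.2.10", "203.0.113.5", 6),     # VPN host to outside host
]


def summarize(peers=VPN_PEERS, packets=SAMPLE):
    """Decisions, in the order the packets were seen."""
    return [verdict for _, verdict in VpnFilter(peers).apply(packets)]


if __name__ == "__main__":
    for pkt, verdict in VpnFilter(VPN_PEERS).apply(SAMPLE):
        print(f"{verdict:4s} proto={pkt.proto:<3d} {pkt.src} -> {pkt.dst}")
```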
Sample Architectures
This section describes two network architectures. The first shows an
architecture that is considered secure for most environments. It is
sufficient for organizations that do not allow uncontrolled access to the
network. In practice, this usually means that there is no Internet service.
The second example is required for all sites that provide an Internet
service or where security threats are particularly high.
Example 1: Normally Secure Network
The configuration shown in Figure 18-2 is the minimum security that
should be employed on any network connected to the outside world.
Figure 18-2 Filtered Router and Firewall Network
In this example, the outside world never sees the network because it is
connected through a filtered router and a firewall. Packets from the
outside world are subjected to a set of rules. Only certain packets are
allowed through the router to Netcard A, which is part of the firewall
machine. The router discards all other packets. Thus, the router does not
allow any direct access from the outside world to any Web servers, even
though the traffic is destined for TCP port 80, usually thought of as a safe
destination. All traffic must pass through the firewall, which makes
decisions about the types of connections allowed (FTP, HTTP, and so on).
Because Netcard A and Netcard B are not physically connected, packets
only pass if the firewall explicitly allows passage. Firewalls of this type
default to disallow packets, which means that nothing passes through
the firewall unless it is explicitly allowed to do so.
A minimally secure network would have this type of configuration.
Example 2: Highly Secured Network With Subnet
In this example, shown in Figure 18-3, there is a higher level of security,
provided by a switch or router between the internal network and the
firewall.
Figure 18-3 Network Incorporating DMZ
This is the minimum level of protection that should be used when
external connections are allowed to internal Web servers. Commonly,
this serves to form a DMZ between the internal router and the
firewall on which company Web servers reside. This means that the
company Web servers are afforded the protection of the firewall but,
if one of those Web servers is subverted, the intruder must still
defeat the internal router to access the internal network. Because all
failed attacks are (by default) logged, it is possible that the
administrator would notice an attack pattern on the router, and take
preventive action.
Running Enterprise Security Audits
The security audit is an ongoing task for any organization. This type of
audit usually includes the following points, although the list is not
complete:
• Has the file system been hardened?
  Use of Titan, ASET, or both.
• Are the file systems audited on a regular basis?
  Use of Solaris OE Fingerprint DB or TripWire.
• Are all non-shared data areas hidden?
• Have all unnecessary network services been disabled?
• Is the appropriate level of encryption applied to network traffic?
  Use of OpenSSH, SSL, or IPsec.
• Is authentication applied to network traffic? If not, is this
  appropriate?
  Use of TCP Wrappers and host access.
• Are defenses for network scanning in place?
  Use of Courtney, Gabriel, or PortSentry.
• Are the routers configured so that anything that is not explicitly a
  defined route is forbidden?
• Are the rules for the firewall documented?
  Confirm that the documented rules for the firewall are actually
  implemented by the firewall.
• Confirm that the rules for the proxy server (if any) are those actually
  in place.
  Challenge the proxy server from outside the network.
• Run SAINT (or a similar tool) to establish if any new, or existing,
  security holes are present.
• Document the results of the audit in a report.
Running Trial Attacks
This course covered the effectiveness of tools such as SAINT in the
analysis of network security (see Module 12, Analyzing Network
Services). These tools are valuable in that they can perform regular
attacks on internal networks to ensure the continued security of the hosts
on those networks. Such challenges to security represent a vital part of the
continuing process of security and you should perform them on a regular,
scheduled basis.
Using Third Parties to Run Trial Attacks
Many companies offer the services of both security professionals and
ethical hackers to challenge networks. This kind of service, when well
done, is a useful addition to the internal audit, but does not replace it.
Obviously, there are certain dangers. The greatest of these dangers is that
the auditing company is not what it seems to be. You should therefore
carry out certain checks, such as:
1. Are the security consultants each individually accredited to a
professional (chartered) organization (for example the IEEE, or
British Computer Society)?
2. In Europe, individuals must be chartered as experts before they can
legally represent themselves as experts. Are the security experts
chartered?
3. Has the company produced a full, and commented, plan for the
audit?
4. Do the consultants carry sufficient liability insurance?
In some countries, governmental organizations hire out their own staff to
perform security audits. Using such staff is highly recommended because
they have a high degree of competence, and have been tested by a
security service. Similarly, the consultancy arms of the vendors of security
hardware and software, for example, Sun Professional Services, have large
amounts of experience in performing security audits and are aware of the
latest threats and patches.
Applying Ongoing Network Security Measures
Implementing security must not be considered as a one-off task. Security
is an integrated, ongoing task that must take a high priority in the
scheduled tasks every day. An administrator must frequently monitor and
analyze all logs, otherwise attacks could go unnoticed. Also, new security
holes are being exposed by intruders on a weekly basis, so you must
ensure that the level of protection currently applied is adequate.
Similarly, the network administrator cannot enforce security measures
alone. Consider a scenario where the network administrator on a given
network has designated repositories for certain classes of document
within a company (for example, Secret, Confidential, Personal, and
Public). The network file system has been suitably configured to manage
security for these repositories, and access permissions have been
established. That system will fail if the network administrator has not
previously consulted with the general administrator to establish rules as
to which document falls within each class. Without such cooperation,
virtually all documents are likely to be held as Public, even when this
designation is inappropriate.
Identifying Ongoing Tasks
When deciding how to continue the monitoring of a network, there is no
correct answer, but rather a correct way of thinking. This section examines
some of the tasks that should be performed, and the frequency with
which they should be performed.
If setting up a new network or adding a new host, perform a security
audit on the affected host and network.
• Example annual tasks:
  • Run the internal security audit procedure.
  • Optionally, have the network challenged by external auditors.
  • Correct any problems found.
• Example monthly tasks:
  • Challenge the system using SAINT (or a similar tool) using the
    www.SANS.org top 10 Internet threats as a starting point.
    Correct any problems found.
  • Examine the routers. Audit for any unauthorized changes.
  • Examine the proxy server logs. Submit any anomalies to triage
    to establish if a new rule should be applied.
• Example daily tasks, and throughout the day:
  • Check that the backups are executed.
  • Examine the logs for the firewall and the proxy server for the
    last 24 hours. Is there anything to give cause for concern?
  • Examine system logs generated by tools such as Courtney.
  • Examine network activity at various times through the day.
    Is there anything unexpected?
  • Check the current connections for the proxy server. Gain an
    impression of the type of site being connected. Is there anything
    to give cause for concern?
Note: The precise list of tasks depends on the type of software deployed
at your site.
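For the monthly proxy log review and the daily check of proxy connections listed above, an added example (not from the course) in Python that triages lines in the native access.log format of Squid, the proxy this module points to: it counts denied requests per client, lists the most-used sites, and flags CONNECT tunnels to ports other than the usual SSL ones. The log lines and the list of expected tunnel ports are constructed for the example.

```python
"""First-pass triage of Squid access.log lines for the daily/monthly proxy
review.  Added example, not course code.  Native Squid log fields are:

  timestamp elapsed_ms client code/status bytes method URL ident hierarchy/peer type

SAMPLE_LOG below is constructed; the addresses are documentation ranges."""
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1001234567.101   345 10.1.2.3 TCP_MISS/200 5120 GET http://www.sun.com/security/ - DIRECT/192.0.2.1 text/html
1001234568.222    12 10.1.2.3 TCP_HIT/200 880 GET http://www.cert.org/advisories/ - NONE/- text/html
1001234570.410     3 10.1.2.9 TCP_DENIED/403 1100 GET http://unsuitable.example/ - NONE/- text/html
1001234571.050  6000 10.1.2.9 TCP_MISS/200 0 CONNECT 203.0.113.44:6667 - DIRECT/203.0.113.44 -
1001234572.300   150 10.1.2.4 TCP_MISS/200 2048 GET http://www.sun.com/trustedsolaris/ - DIRECT/192.0.2.1 text/html
1001234573.900    20 10.1.2.9 TCP_DENIED/403 1100 GET http://unsuitable.example/x - NONE/- text/html
1001234574.100   210 10.1.2.9 TCP_MISS/200 3001 CONNECT www.example.com:443 - DIRECT/203.0.113.80 -
"""

# Ports to which a CONNECT tunnel is normally expected (SSL/TLS web, news).
# Anything else is worth a second look: a tunnel can carry any protocol.
NORMAL_TUNNEL_PORTS = {443, 563}


def parse_line(line):
    """Split one native-format line into the fields the review needs."""
    f = line.split()
    if len(f) < 10:
        return None  # blank or truncated line
    code, status = f[3].split("/")
    return {"client": f[2], "code": code, "status": int(status),
            "method": f[5], "url": f[6]}


def destination(entry):
    """(host, port) the request went to.  CONNECT lines carry host:port;
    other methods carry a full URL."""
    if entry["method"] == "CONNECT":
        host, _, port = entry["url"].rpartition(":")
        return host, int(port)
    parts = urlsplit(entry["url"])
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def triage(log_text):
    """Summarize what the proxy saw: who was denied (and how often), which
    sites are most used, and which tunnels went to unexpected ports."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    denied = Counter(e["client"] for e in entries
                     if e["code"].startswith("TCP_DENIED"))
    sites = Counter(destination(e)[0] for e in entries)
    odd_tunnels = [(e["client"], e["url"]) for e in entries
                   if e["method"] == "CONNECT"
                   and destination(e)[1] not in NORMAL_TUNNEL_PORTS]
    return {"requests": len(entries),
            "denied_by_client": dict(denied),
            "top_sites": sites.most_common(3),
            "odd_tunnels": odd_tunnels}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['requests']} requests")
    print("denied per client:", report["denied_by_client"])
    print("top sites:", report["top_sites"])
    print("tunnels to unusual ports:", report["odd_tunnels"])
```

Repeated TCP_DENIED entries from one client and a tunnel to an unexpected port are the kinds of anomaly the monthly task says to submit to triage before deciding whether a new rule is needed.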
Keeping Current With Security Issues
New challenges occur all the time. Intruders are continually attempting to
disrupt and by-pass security, and as soon as one hole is plugged, another
is found. However, the greatest danger is complacency. To avoid
becoming complacent about security, consider consulting with the world-
wide security community regarding new challenges.
Identifying Information Sources
Many sites have been published with world-wide security consultation in
mind. Good sources of information can be obtained at the sites shown in
Table 18-3.
Table 18-3 Sites Offering Security Information

Site / Information Offered
http://www.sun.com/security/
    A Sun site, and a good starting point for Solaris OE systems.
http://www.sun.com/trustedsolaris/ts_tech_faq/
    Trusted Solaris OE information from Sun.
http://www.SANS.org
    Up-to-date information on current identified intruder techniques and
    attacks.
http://www.cert.org
    A central clearing house for known security holes and fixes.
    Particularly notable are the CERT advisories that alert administrators
    to the latest security breaches.
http://www.w3.org/Security/Faq/www-security-faq.html
    A general security FAQ site.
http://csrc.nist.gov/
    A security portal, and a good general starting point.
http://www.gocsi.com/
    A computer crime and security portal.
http://www.securityportal.com/
    An up-to-date list of current virus attacks and UNIX-centric
    challenges.
http://www.bigadmin.com
    Solaris OE administration site with vast amounts of information and
    tools.
ftp://ftp.cerias.purdue.edu/pub/tools/unix
    Comprehensive repository of Solaris OE tools, formerly known as COAST.

More information sources are supplied in Appendix A.
Appendix A
On-Line Security Resources
Advisory and Certification Bodies
CERT
http://www.cert.org
The CERT Coordination Center (CERT/CC) is a center of Internet security
expertise. It is located at the Software Engineering Institute
(http://www.sei.cmu.edu/), a federally funded research and
development center operated by Carnegie Mellon University.
At the CERT/CC, they study Internet security vulnerabilities, handle
computer security incidents, publish a variety of security alerts, perform
research for long-term changes in networked systems, and develop
information and training to help improve security at your site.
INFOSEC - Information Systems Security Organization
http://www.nsa.gov/isso/index.html
Part of the U.S. National Security Agency (NSA). INFOSEC provides the
solutions, products, and services, and conducts defensive information
operations, to achieve information assurance for information
infrastructures critical to U.S. National Security interests.
Computer Security Technology Center
http://ciac.llnl.gov/cstc/CSTCHome.html
The Computer Security Technology Center, located at the Lawrence
Livermore National Laboratory, provides solutions to U.S. government
agencies facing today's security challenges in information technology.
They maintain information protection and core-competencies through
high-tech, integrated INFOSEC incident response, product development,
and consulting services.
Security Standards
The following groups work with security standards.
Common Criteria
http://www.commoncriteria.org
This is currently the only globally accepted security standard. Orange
book and ITSEC standards are obsolete because of this.
National Security Agency (NSA)
http://www.nsa.gov
The NSA National Computer Security Center (NCSC) is responsible for
the security of the Department of Defense (DoD) and intelligence
community. The NSA is also the source of the NSA Rainbow Series of
Publications for Computer Software Security. The Rainbow Series deals with
evaluating trusted computer systems, each publication is a different color;
for example, the Orange book deals with physical security levels, which
control access to the system.
CSRC Computer Security Division
http://csrc.nist.gov/
This site contains information about a variety of computer security issues,
products, and research of concern to federal agencies, industries, and
users. This site is operated and maintained by National Institute of
Standards and Technology's (NIST) Computer Security Division as a
service to the computer security and IT community.
ITSEC (Europe)
http://www.itsec.gov.uk/
ITSEC is all about IT security, making sure that you can trust the
information technology infrastructure on which your organization relies.
Under the UK ITSEC scheme, the security features of IT systems and
products are tested independently of suppliers to identify logical
vulnerabilities. This type of testing is known as security evaluation and it
is carried out against standardized criteria to a formalized methodology.
Certificates are issued by the Scheme for products meeting the
requirements for a claimed level of assurance. United Kingdom
certificates are recognized in many countries of the world.
IEEE Computer Society
http://www.computer.org/
With over 100,000 members, the Institute of Electrical and Electronics
Engineers (IEEE) Computer Society is the world's leading organization of
computer professionals. Founded in 1946, it is the largest of the 36
societies of the IEEE.
The Computer Society's vision is to be the leading provider of technical
information and services to the world's computing professionals. It
develops electrical and communications standards. This includes Portable
Operating Systems Interface (POSIX) P1003.6, a security standard.
IETF
http://www.ietf.org/
The Internet Engineering Task Force (IETF) is a large open international
community of network designers, operators, vendors, and researchers
concerned with the evolution of the Internet architecture and the smooth
operation of the Internet.
The IETF working groups are grouped into areas, and managed by Area
Directors (ADs). The ADs are members of the Internet Engineering
Steering Group (http://www.ietf.org/iesg.html). Providing
architectural oversight is the Internet Architecture Board (IAB),
(http://www.isi.edu/iab/). The IAB also adjudicates appeals when
someone complains that the IESG has failed. The IAB and IESG are
chartered by the Internet Society (http://www.isoc.org/) for these
purposes. The General Area Director also serves as the chair of the IESG
and of the IETF, and is an ex-officio member of the IAB.
The Internet Assigned Numbers Authority (IANA)
(http://www.iana.org/) is the central coordinator for the assignment of
unique parameter values for Internet protocols. The IANA is chartered by
the Internet Society (ISOC) to act as the clearinghouse to assign and
coordinate the use of numerous Internet protocol parameters.
The Open Group
http://www.opengroup.org/
The Open Group is a vendor-neutral, international consortium of
members and is the result of the 1996 merge of the X/Open Company
Ltd. and the Open Software Foundation (OSF).
The Open Group is committed to delivering greater business efficiency by
bringing together buyers and suppliers of information technology to
lower the time, cost, and risks associated with integrating new technology
across the enterprise. The Open Group's mission is:
To offer all organizations concerned with open information infrastructures a
forum where we can share knowledge, integrate open initiatives, and certify
approved products and processes in a manner in which they continue to trust our
impartiality.
The key benefit to product suppliers is:
• Accelerated market up-take of products based on Open Systems
Standards
The key benefits to their customers are:
• Reduced cost of integration, leading to increased budget available
for procurement of products that deliver real value to end users
• Increased flexibility in the infrastructure and interoperability with
customers, business partners, and suppliers
Useful Web Sites
The following sites provide more general information on security risks.
Sun Security Coordination Team
http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
The Sun Security Coordination Team investigates reports of security
vulnerabilities, responds to customer inquiries about security problems
with Sun software, and publishes Sun Security Bulletins.
To receive security bulletins directly from the Sun Security Coordination
Team, send an email to security-alert@sun.com and include subscribe cws
[your email address] in the subject. For example: subscribe cws
alex.smith@sun.com
The Computer Incident Advisory Center
http://www.ciac.org/ciac/
The Computer Incident Advisory Center (CIAC) is a department of the
United States Department of Energy (US DOE) whose motto is: Keeping
DOE secure. The CIAC publishes security related bulletins on this Web
site.
Computer and Internet Security Resources
http://www.virtuallibrarian.com/legal/ccstatistics.html
This site provides links to security sites as well as other security resources.
Computer Security Institute
http://www.gocsi.com/
The Computer Security Institute (CSI) is a membership organization
specifically dedicated to serving and training the information, computer,
and network security professional. There is a fee to join. CSI membership
benefits include the ALERT newsletter, quarterly Journal, and Buyers
Guide. CSI also publishes surveys and reports on topics such as computer
crime and information security program assessment (IPAK).
For more information about CSI, email csi@cmp.com or telephone
+1 415-947-6320.
InfoWar.com
http://www.infowar.com
Provides articles and free Infowar.Com List that brings you up to the
minute news on info-security, hacking, infowar, attacks, related news,
reviews, and opinion.
InfoWorld.com
http://www.infoworld.com/researchtools/subject_index/
security.html
This site lists articles relating to security in date order.
Risks Digest
http://catless.ncl.ac.uk/Risks/
This site provides a forum on risks to the public in computers and related
systems. Information is provided in the form of online digests, published
at irregular intervals (but often more than once a week).
SecurityFocus.com
http://www.securityfocus.com/
Provides security articles and other services, as well as a useful list of
security tools.
Security Portal
http://securityportal.com/
Another site providing security articles and weekly digests. Also provides
a free security news service sent by email.
SecuritySearch.net
http://www.securitysearch.net/
Another site useful for finding security resources. Lists articles,
whitepapers, books, and the latest security bulletins.
SecurityStats.com
http://www.securitystats.com/
This site provides the latest security news and security statistics.
USENIX
www.usenix.org
USENIX is the Advanced Computing Systems Association. It provides
information on developments of all aspects of computing systems not just
security.
Appendix B
Solaris OE Security Tools Summary
The Trusted Solaris 8 OE
When separation of information and individuals is of prime importance,
consider using the Trusted Solaris 8 Operating Environment (OE),
an extension of the Solaris 8 OE. Trusted Solaris 8 software is
compatible with the Solaris 8 OE. That means administrators who have
used Solaris OE software will also be familiar with most Trusted Solaris
administration tools.
Security Extensions
Over the past few decades, computer systems have become corporate-
wide resources, essential for day-to-day operations. A wider range of
information on new products, employee compensation, health records,
marketing and sales plans, and other sensitive data is often stored on
these systems. Considerable cost, damage, and loss can be caused by
hostile or unauthorized access and use of this information. To control
external access, firewalls and other access control methods are often used
as gatekeepers. With the Trusted Solaris 8 OE, the software provides
extensive internal protection against intruders and misuse by enabling
administrators to:
• Limit access to system data and resources: You can set controls on
all potential interactions with programs, file access, and utilities on a
user-by-user basis.
• Eliminate superuser: You can divide superuser functions into
multiple roles to make penetration far more difficult.
• Independent evaluation authority: An independent third party
evaluates the operating system to validate that its security functions
are working correctly.
• Prevent eavesdropping in the window environment: In
conventional UNIX environments, an intruding program can capture
keystrokes typed in other windows. Trusted Solaris OE software
provides a trusted path that protects entered data. This is
particularly important for passwords, which can also be protected by
requiring password changes or generating random passwords.
• Augment security auditing: Actions that might affect security or
sensitive files can be monitored. To detect suspicious actions,
administrators can generate reports of usage by user, file, data, and
time.
• Prevent spoofing programs: Trojan horses, such as programs to
intercept passwords or other sensitive data, are prevented by a
graphical user interface and protocol. A trusted graphic displayed in
a reserved area provides continuous, visible feedback of session
integrity.
• Protect local devices against unauthorized users: Authorized users
can control access to local devices. In many cases, misuse by
authorized users is the main source of security violations. Trusted
Solaris software helps stop these violations by enabling
administrators to implement a security policy that controls the access
and handling of information, including system administration,
operation, and monitoring tools.
To find out more about Trusted Solaris 8 OE software, visit Sun's Web site
at www.sun.com/trusted-solaris.
The SunScreen Firewall Product
Firewalls control the data flow between two networks, according to
security policy rules. The Solaris 8 OE offers built-in firewall functionality,
with both the lite- and full-product versions.
SunScreen Secure Net 3.1 is a full-featured firewall product that can be
deployed throughout an organization to implement a secure business
network including extranets, secure intranets, and remote access. It offers
affordability, strong cryptography, centralized management, and high
availability for screening and encryption.
SunScreen 3.1 Lite is a firewall product that protects individual servers
or very small workgroups. It is built from the same code as the full
SunScreen Secure Net 3.1 product, provides high-speed, dynamic stateful
packet filtering, and includes a subset of the features offered with the full
version.
See:
http://www.sun.com/software/securenet/
http://www.sun.com/software/securenet/lite/
SKIP
SKIP secures the network at the IP packet level, so any networked
application gains the benefits of encryption without requiring
modification. SKIP is unique in that it offers on-the-fly encryption: an
Internet host can send an encrypted packet to another host without
requiring a prior message exchange to set up a secure channel.
Some of the advantages of SKIP include:
• No connection setup overhead.
• High availability; encryption gateways that fail can reboot and
resume decrypting packets instantly, without having to renegotiate
existing connections.
• Allows unidirectional IP (for example, IP broadcast using satellite or
cable).
• Scalable multicast key distribution.
• Gateways can be configured in parallel to perform instant failover.
See:
http://www.sun.com/software/skip/skip15/ds-skip/
IPsec
IPsec is a very strong, network-level protocol. It can protect against a
variety of threats, such as sniffing, spoofing, flooding, and hijacking.
However, it blocks hosts that do not support it or do not otherwise have a
security association with the initiating host. For Web traffic, where the
majority of traffic does not require security of any kind, IPsec might add
too much overhead. IPsec is well suited for VPNs and extranets.
A key feature of the Solaris 8 OE security is the IPsec architecture. IPsec is
an initiative to add security services to the IP protocol. It secures
communication channels and ensures that only authorized parties can
communicate on them.
Sun's implementation of IPsec in the Solaris 8 OE supports shared-secret
encryption. The 128-bit MD5 and SHA-1 algorithms are available for
datagram authentication and integrity; 56-bit DES and 168-bit Triple DES
algorithms are available for payload encryption. In addition, the Solaris
OE also supports manual keying.
See:
http://www.sun.com
Sun Enterprise Authentication Mechanism (SEAM)
Sun Enterprise Authentication Mechanism (SEAM) software provides a
distributed, enterprise-wide authentication mechanism for single sign-on
that reduces the number of times each user must go through a login
sequence.
SEAM software delivers an extra layer of security inside your firewall to
protect your enterprise from unauthorized access. Powerful
authentication and single sign-on capabilities enable SEAM to provide a
more secure login process, enabling you to protect your data privacy and
integrity.
See:
http://www.sun.com/software/solaris/ds/ds-seam/
Pluggable Authentication Modules (PAM)
Pluggable Authentication Modules (PAM) allows integration of various
authentication technologies such as UNIX, Kerberos, RSA, smart cards,
and DCE into system entry services such as login, passwd, rlogin,
telnet, ftp, and su without changing any of these services. PAM is
integrated into the Solaris 2.6 release.
See:
http://www.sun.com/software/solaris/pam/
Sun Enterprise Network Security Service (SENSS)
Sun Enterprise Network Security Service (SENSS) is a flexible Java
technology-based security solution that permits organizations to audit
and secure their systems and networks in a modern, heterogeneous,
corporate intranet. The software provides a network service daemon that
should be installed on each host in your network; these daemons can then
be linked together in a hierarchy of trust. This hierarchy can be used for
the distribution and execution of digitally-signed packets containing Java
technology code, script, or binary code, which can proactively check and
fix host security issues in a bulk, batch-oriented manner. Execution
requests are also digitally signed, replay attacks are prevented, and
network communications are secured by ACLs, PAMs, and security
modules.
See:
http://www.sun.com/communitysource/senss/
Solaris OE Fingerprint Database
This SunSolve service enables you to verify the integrity of files
distributed with the Solaris OE, such as the /bin/su executable file,
Solaris software patches, and unbundled products such as SPARC
compilers.
The Solaris OE Fingerprint Database ensures that you are using a true file
in an official binary distribution, and not an altered version that can
compromise system security. If you suspect someone has changed your
system without your authorization, you can use the Solaris OE
Fingerprint Database to check files for alteration or damage.
See:
http://sunsolve.sun.com/pubcgi/show.pl?target=content/content7
PATCHDIAG
PATCHDIAG and patchdiag.xref are intended to check and verify the
current patch level of Solaris OE systems.
See:
http://sunsolve.sun.com
ASET
The Solaris OE includes a software security guard for Sun systems
called Automated Security Enhancement Tool (ASET). Like the security
measures of a building, ASET has three levels of computer system
security (Low, Medium, High) that depend on what the system is used for
and how valuable or sensitive the data or programs that reside on the
system are.
Appendix C
Third-Party Security Tools
SAINT (SATAN/SARA)
SAINT is the Security Administrator's Integrated Network Tool. In its
simplest mode, it gathers as much information about remote hosts and
networks as possible by examining such network services as finger, NFS,
NIS, ftp, tftp, rexd, statd, and other services.
The information gathered includes the presence of various network
information services as well as potential security flaws, usually in the
form of incorrectly set up or configured network services, well-known
bugs in system or network utilities, or poor or ignorant policy decisions. It
can then either report on this data or use a simple rule-based system to
investigate any potential security problems.
Users can examine, query, and analyze the output with an HTML browser.
While the program is primarily geared towards analyzing the security
implications of the results, a great deal of general network information can
be gained when using the tool: network topology, network services
running, types of hardware and software being used on the network, and
so on.
However, the real power of SAINT comes into play when it is used in
exploratory mode. Based on the initial data collection and a user
configurable ruleset, SAINT examines the avenues of trust and
dependencies and iterates further data collection runs over secondary
hosts. This not only allows you to analyze your own network or hosts, but
also to examine the real implications inherent in network trust and
services, and helps you make reasonably educated decisions about the
security level of the systems involved.
SAINT has a target acquisition program that normally uses the fping
command to determine whether a host or set of hosts in a subnet are alive.
When a host is behind a firewall, however, the tcp_scan program is used
to probe common ports to test for an alive host. It then passes this target
list to an engine that drives the data collection and the main feedback
loop. Each host is examined to see if it has been seen before, and, if not, a
list of tests/probes is run against it (the set of tests depends on the
distance the host is from the initial target and what probe level has been
set). The tests emit a data record that has the hostname, the test run, and
any results found from the probe; this data is saved in files for analysis.
The user interface uses HTML to link the often vast amounts of data to
more coherent and palatable results that the user can digest and
understand.
See:
http://athena.fit.qut.edu.au/usr/src/saint-1.2.1/html/saint.html
ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/
http://www-arc.com/sara/
Courtney
Courtney detects and reports the presence of scanners, programs like
SATAN, that probe a number of ports on a system in a short time period.
The information gathered can identify security vulnerabilities.
Courtney, a Perl script, uses a utility called tcpdump to determine whether
a scanner has probed a system. Essentially, the tcpdump utility sets the
host's Ethernet interface so that the utility can analyze all the TCP/IP
packets transmitted on the wire. The tcpdump utility then filters the
information to highlight suspicious activity and hands this information to
Courtney for further analysis. Courtney searches for a specific fingerprint
in the data, but unfortunately this is not always successful, because the
tcpdump utility might sometimes relay inaccurate information.
Particularly on slow hosts or networks with very high traffic, the tcpdump
utility might miss some packets and, therefore, miss the distinctive
signature of a scanner. However, Courtney does provide a first line of
defense.
See:
ftp://ftp.csc.ncsu.edu/pub/security/anti-satan/
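As an added illustration, not part of the course and not code from Courtney, the script below applies Courtney's idea to tcpdump output: it reads capture lines on standard input and reports any source address that touches a threshold number of distinct destination ports within a time window. The sample capture, its addresses and the 5-ports-in-2-seconds threshold are constructed for the demonstration; the line layout assumed is the `<time> IP <src>.<port> > <dst>.<port>:` form printed by newer tcpdump releases, which differs from the output of the tcpdump that Courtney was written against.

```shell
#!/bin/sh
# Added example, not part of the Sun course or the Courtney tool: a Courtney-style
# check over tcpdump output. A source that touches many distinct destination
# ports in a short window is reported as a probable port scanner.

# Usage: detect_scans <distinct-port threshold> <window in seconds>
# Reads tcpdump lines on stdin and prints each flagged source address once.
detect_scans() {
    awk -v thr="$1" -v win="$2" '
    # "HH:MM:SS.frac" -> seconds since midnight
    function secs(ts,    a) { split(ts, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    # Only lines of the form: <time> IP <src>.<sport> > <dst>.<dport>: ...
    $2 == "IP" && $4 == ">" {
        t   = secs($1)
        src = $3; sub(/\.[0-9]+$/, "", src)            # strip the source port
        dst = $5; sub(/:$/, "", dst)                   # strip the trailing colon
        n = split(dst, p, "."); dport = p[n]           # last component is the port
        # Start a fresh counting window for this source when the old one expires.
        if (!(src in start) || t - start[src] > win) {
            start[src] = t; gen[src]++; cnt[src] = 0
        }
        key = src SUBSEP gen[src] SUBSEP dport
        if (!(key in seen)) { seen[key] = 1; cnt[src]++ }
        if (cnt[src] == thr) print src                 # report once per window
    }'
}

# Constructed sample capture: one host sweeps six ports within a millisecond,
# another host makes two ordinary connections, a third touches a single port.
demo_scan_detect() {
    detect_scans 5 2 <<'EOF'
10:15:01.000101 IP 192.0.2.77.41000 > 198.51.100.10.21: Flags [S], seq 1, win 1024
10:15:01.000202 IP 192.0.2.77.41001 > 198.51.100.10.22: Flags [S], seq 1, win 1024
10:15:01.000303 IP 192.0.2.77.41002 > 198.51.100.10.23: Flags [S], seq 1, win 1024
10:15:01.000404 IP 192.0.2.77.41003 > 198.51.100.10.25: Flags [S], seq 1, win 1024
10:15:01.000505 IP 192.0.2.77.41004 > 198.51.100.10.79: Flags [S], seq 1, win 1024
10:15:01.000606 IP 192.0.2.77.41005 > 198.51.100.10.80: Flags [S], seq 1, win 1024
10:15:02.100000 IP 198.51.100.20.51234 > 198.51.100.10.22: Flags [S], seq 9, win 65535
10:15:03.200000 IP 198.51.100.20.51235 > 198.51.100.10.80: Flags [S], seq 9, win 65535
10:20:00.000000 IP 203.0.113.9.33000 > 198.51.100.10.111: Flags [S], seq 4, win 512
EOF
}
```

On a live host the input would come from a line-buffered capture such as `tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0'` piped into detect_scans. The packet loss the text warns about cuts both ways: a lower threshold misses fewer sweeps but raises more false alarms, so the two numbers should be tuned against the host's normal traffic rather than copied from the sample.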
Gabriel
Gabriel is a SATAN detector, similar to Courtney. While it is only available
for Sun platforms, it is written entirely in the C programming language,
and comes prebuilt.
See:
ftp://ftp.csc.ncsu.edu/pub/security/
TripWire
TripWire for Servers software monitors file changes, verifies integrity, and
notifies you of any violations of data at rest on network servers. Tripwire
for Servers monitors all file changes regardless of whether they originated
inside or outside of your organization. TripWire for Servers also identifies
changes to system attributes including file size, access flags, write time,
and more. You can quickly assess the impact of changes using TripWire
for Servers' easy-to-read reports.
See:
http://www.tripwire.com/
ftp://ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire/
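The Solaris OE Fingerprint Database described in Appendix B and TripWire both rest on one mechanism: a digest of each file recorded while the system is known to be clean, compared later against a freshly computed digest. The script below is an added example that is not part of the course, of SunSolve or of Tripwire; it shows that mechanism end to end with MD5. It assumes md5sum or openssl is installed on the host (an assumption; on Solaris 8 the md5 program that SunSolve distributes with the Fingerprint Database would take that place) and builds a small constructed directory tree to tamper with.

```shell
#!/bin/sh
# Added example, not from the Sun course, the Fingerprint Database or Tripwire:
# a minimal file-digest baseline that records an MD5 digest for every regular
# file under a directory and later reports files that changed, vanished or
# appeared. It assumes md5sum or openssl is installed (not guaranteed on a
# Solaris 8 host, where the SunSolve md5 program would fill the same role).

# Print the hex MD5 digest of file $1.
digest_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        openssl dgst -md5 "$1" | awk '{ print $NF }'
    fi
}

# Usage: make_baseline <root dir> <baseline file>
# Writes one "<digest> <relative path>" line per regular file, sorted by path.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$(digest_file "$f")" "$f"
      done ) > "$2"
}

# Usage: verify_baseline <root dir> <baseline file>
# Prints CHANGED / MISSING / NEW lines, sorted; prints nothing when the tree
# still matches the baseline.
verify_baseline() {
    now=$(mktemp "${TMPDIR:-/tmp}/fpnow.XXXXXX")
    make_baseline "$1" "$now"
    awk 'NR == FNR { old[$2] = $1; next }               # first file: the baseline
         {
             if (!($2 in old))        print "NEW " $2
             else if (old[$2] != $1)  print "CHANGED " $2
             seen[$2] = 1
         }
         END { for (p in old) if (!(p in seen)) print "MISSING " p }' \
        "$2" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# Constructed demonstration: baseline a small tree, then tamper with it.
demo_baseline() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/fpdemo.XXXXXX")
    mkdir -p "$d/tree/bin" "$d/tree/lib"
    printf 'original su\n' > "$d/tree/bin/su"
    printf 'libc bytes\n'  > "$d/tree/lib/libc.so"
    make_baseline "$d/tree" "$d/baseline.txt"
    printf 'trojaned su\n' > "$d/tree/bin/su"      # modified in place
    rm "$d/tree/lib/libc.so"                        # removed
    printf 'unexpected\n'  > "$d/tree/bin/extra"    # added
    verify_baseline "$d/tree" "$d/baseline.txt"
    rm -rf "$d"
}
```

Keep the baseline file off the host it describes, on read-only media or a separate machine: a digest list an intruder can edit in place verifies nothing. The same caution applies to the digest program itself, which is why the Fingerprint Database compares against digests published by Sun rather than values computed and stored on the system being checked.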
Top
Monitors the top CPU, memory, and disk usage.
See:
http://www.sunfreeware.com
TCP Wrappers
With this package you can monitor and filter incoming requests for the
systat, finger, ftp, telnet, rlogin, rsh, exec, tftp, talk, and other
network services.
This package provides tiny daemon wrapper programs that can be
installed without any changes to existing software or to existing
configuration files. The wrappers report the name of the client host and of
the requested service; the wrappers do not exchange information with the
client or server applications, and impose no overhead on the actual
conversation between the client and server applications.
See:
ftp://playground.sun.com/pub/casper
http://www.sunfreeware.com
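The filtering the text mentions is driven by two files, hosts.allow and hosts.deny, and the order in which tcpd consults them decides what an entry actually does. The script below, an added example that is not part of the course or of the TCP Wrappers package, models that decision so a hosts.allow/hosts.deny pair can be checked before it is deployed. The daemon names, addresses and rules in the demonstration are constructed; only the ALL, exact-name, trailing-dot prefix and leading-dot suffix client patterns are modelled, and EXCEPT, LOCAL, netmasks and the option field are left out.

```shell
#!/bin/sh
# Added example, not part of the Sun course or of the TCP Wrappers package: a
# small model of how tcpd decides access. The order is tcpd's own: the first
# match in hosts.allow grants, otherwise the first match in hosts.deny denies,
# otherwise access is granted. Client patterns modelled: ALL, an exact host or
# address, a trailing-dot address prefix such as "10.1." and a leading-dot
# domain suffix such as ".example.com". EXCEPT, LOCAL, netmasks and the
# option field are deliberately left out.

# Return 0 when some pattern in the comma-separated list $1 matches name $2.
match_list() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;   # address prefix
            .*)  case "$2" in *"$pat") return 0 ;; esac ;;   # domain suffix
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# Usage: file_matches <rules file> <daemon> <client>
# Return 0 at the first rule whose daemon list and client list both match.
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}          # ignore any ": option" field
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# Usage: wrap_decision <daemon> <client> <hosts.allow> <hosts.deny>
wrap_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow                  # no rule matched: tcpd grants by default
    fi
}

# Constructed sample policy: ssh from one internal network, ftp from one
# mirror host, everything else denied.
demo_wrappers() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/tcpd.XXXXXX")
    printf 'sshd : 10.1.\nin.ftpd : ftp-mirror.example.com\n' > "$d/hosts.allow"
    printf 'ALL : ALL\n' > "$d/hosts.deny"
    : > "$d/hosts.deny.empty"        # what an unconfigured system looks like
    for q in "sshd 10.1.2.3" "sshd 192.0.2.9" "in.ftpd ftp-mirror.example.com" \
             "in.telnetd 10.1.2.3"; do
        set -- $q
        echo "$1 $2 $(wrap_decision "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
    done
    # The same telnet request with an empty hosts.deny is let through.
    echo "in.telnetd 192.0.2.9 $(wrap_decision in.telnetd 192.0.2.9 "$d/hosts.allow" "$d/hosts.deny.empty")"
    rm -rf "$d"
}
```

The last line of the demonstration is the point worth remembering: installing the wrappers without a final `ALL : ALL` in hosts.deny changes nothing about who gets in, because tcpd's default when no rule matches is to allow. The real tcpd also accepts the patterns left out here, so a rule set using EXCEPT or netmasks needs to be checked with tcpdchk from the package rather than with this model.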
Crack
Crack is a password guessing program that quickly locates insecurities in
UNIX (or other) password files by scanning the contents of a password
file, looking for users who have chosen a weak login password.
See:
ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/
John the Ripper
John the Ripper is a password cracker, currently available for UNIX, DOS,
Windows NT/95. It detects weak UNIX passwords. It has been tested
with Linux x86/Alpha/SPARC, FreeBSD x86, OpenBSD x86, Solaris 2.x
SPARC and x86, Digital UNIX, AIX, HP-UX, and IRIX.
See:
http://www.openwall.com/john/
AntiCrack
AntiCrack is a password checking program. It checks a raw (not encrypted)
UNIX password, so it is much faster than Crack.
AntiCrack uses rules and dictionaries in the same manner as Crack does.
If you already use Crack, the rules and the dictionaries for Crack can be
used for AntiCrack as they are.
See:
http://www.teu.ac.jp/nsit/~tominaga/anticrack/
The npasswd Command
The npasswd command replaces the system passwd command to ensure
that users use passwords undetectable by crack.
See:
ftp://ftp.cc.utexas.edu/pub/npasswd
Secure Shell (SSH)
Secure Shell (SSH) is a telnet and ftp replacement. Features of the SSH
Secure Shell include:
• Protects all passwords and data.
• Full replacement for the telnet, rlogin, rsh, rcp, and ftp commands.
• Fully integrated secure file transfer and file copying.
• Graphical user interface on Microsoft Windows.
• Automatic authentication of users, with no passwords sent in clear text,
to prevent the stealing of passwords.
• Multiple strong authentication methods that prevent such security
threats as identity spoofing.
• Authentication of both ends of the connection; the server and the client
are authenticated to prevent identity spoofing, Trojan horses, and so
on.
• Automatic authentication using agents enables strong authentication
for multiple systems with a single sign-on.
• Transparent and automatic tunneling of X11 sessions.
• Tunneling of arbitrary TCP/IP-based applications, such as email.
• Encryption and compression of data for security and speed.
• Multiple built-in authentication methods, including passwords,
public key, and host-based authentication.
• Multiple ciphers for encryption, including 3DES, Blowfish, and the
AES candidate Twofish.
See:
http://www.ssh.com/products/ssh/index.html
The nmap Utility
The nmap utility scans the ports of large networks, although it also works
for single hosts. The philosophy behind the nmap utility is TMTOWTDI
(There's More Than One Way To Do It). This is the Perl slogan, but it is
equally applicable to scanners. Sometimes you need speed, other times
you need stealth. In some cases, bypassing firewalls might be required.
You might want to scan different protocols (UDP, TCP, ICMP, and so on).
You just cannot do all this with one scanning mode, and you do not want
to have ten different scanners around, all with different interfaces and
capabilities. Therefore, almost every scanning technique is incorporated
into the nmap utility. Specifically, the nmap utility supports:
• Vanilla TCP connect() scanning
• TCP SYN (half open) scanning
• TCP FIN, Xmas, or NULL (stealth) scanning
• TCP FTP proxy (bounce attack) scanning
• SYN/FIN scanning using IP fragments (bypasses some packet filters)
• TCP ACK and Microsoft Window scanning
• UDP raw ICMP port unreachable scanning
• ICMP scanning (ping-sweep)
• TCP Ping scanning
• Direct (non-portmapper) RPC scanning
• Remote OS identification by TCP/IP fingerprinting
• Reverse-identity scanning
See:
http://www.insecure.org/nmap/
Titan
Titan is a collection of programs, each of which either fixes or tightens one
or more potential security problems with a particular aspect in the setup
or configuration of a UNIX system. Created by Brad Powell, it was
written in the Bourne shell, and its modular design makes it easy for
anyone who can write a UNIX shell script or program to add to it, as well
as to completely understand the internal workings of the system.
Titan does not replace other security tools, but when used in combination
with them, it can make the transformation of a new, out-of-the-box
system into a firewall or security-conscious system a significantly easier
task. In a nutshell, it attempts to improve the security of the system it runs
on.
See:
http://www.fish.com/titan/
COPS
COPS (Computer Oracle and Password System) is a set of programs that
attempt to automate security checks that are often performed manually
(or perhaps with self-written short shell scripts or programs) by a systems
administrator.
See:
ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/
Tiger
Tiger supplements COPS by providing additional information on whether
the system files have been tampered with. Tiger is one of the tools used
regularly on Texas A&M's UNIX computers to detect intrusions.
See:
ftp://ftp.vanderbilt.edu/pub/unix/
The dsniff Sniffer
The dsniff package contains tools that examine traffic on a network,
including the dsniff sniffer, webspy (a URL sniffer), and other tools.
Putting this program on your network might constitute a security
problem; it finds weaknesses in local area network communications.
See:
http://www.sunfreeware.com
The sudo Utility
The sudo utility permits superuser-like access controls without the need
to give users the superuser password.
See:
http://www.sunfreeware.com
Cerberus Internet Scanner (CIS)
The CIS is a free security scanner written and maintained by Cerberus
Information Security, Ltd. and is designed to help administrators locate
and x security holes in their computer systems.
See:
http://www.cerberus-infosec.co.uk/cis.shtml
Nessus
The Nessus Project provides to the Internet community a free, powerful,
up-to-date, and easy-to-use remote security scanner.
A security scanner is a software tool which remotely audits a given
network and determines whether hackers can break into it, or misuse it in
some way.
See:
http://www.nessus.org
Whisker
Whisker is a CGI scanner with these features:
• The CGI directory can be predefined from the default /cgi-bin to a
different directory, or to a set of well-known CGI paths.
• Before checking for vulnerabilities, Whisker verifies that the CGI
directory exists, and that the CGI itself exists, reducing the number
of false positives.
• The server type and version are checked prior to any testing, reducing
checks for unsupported CGIs (for example, Whisker tests the
details.idc file for vulnerability).
• Virtual hosting is fully supported, allowing Whisker to test
vulnerabilities against subdomains within the same server (a feature
not supported by all CGI scanners).
• Whisker can be taught to see through custom-made success pages,
which are usually a result of "not found" errors (this minimizes false
positives).
• Whisker was written in Perl for easy portability and manipulation.
• Interoperability between products and files such as comma-separated
files, nmap result files, IP subnets, and so on.
• URL encoding that hides scans from IDS programs: something like
'/cgi-bin/phf?' is requested by its MIME encoding equivalent,
'/%63%67%69%2d%62%69%6e/%66%69%6e%67%65%72', which
causes most IDS programs to not detect the scan.
• Support for a script language that enables people to easily add new
scanning scripts.
See:
http://ww.wiretrip.net/rfp/
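The encoding trick in the last-but-one feature above is worth seeing from the defender's side: an IDS signature or a log-review script that matches the raw request never sees the string `/cgi-bin/` in the encoded form, so the request has to be decoded before any matching. The script below is an added example, not from the course and not from Whisker; it decodes %XX escapes in plain awk (so it runs on a Solaris /bin/sh without bash-only printf escapes) and classifies each constructed request path after decoding. The encoded request quoted in the text decodes to /cgi-bin/finger, which the test below checks.

```shell
#!/bin/sh
# Added example, not from the Sun course or from Whisker: decode URL-encoded
# request paths before matching them, so an encoded probe for /cgi-bin/ is
# caught by the same check as a plain one.

# Decode %XX escapes (either hex case); anything else passes through unchanged.
url_decode() {
    printf '%s\n' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        while (length(s) > 0) {
            if (substr(s, 1, 1) == "%" && length(s) >= 3) {
                hi = index(hex, tolower(substr(s, 2, 1)))
                lo = index(hex, tolower(substr(s, 3, 1)))
                if (hi > 0 && lo > 0) {
                    out = out sprintf("%c", (hi - 1) * 16 + (lo - 1))
                    s = substr(s, 4)
                    continue
                }
            }
            # not a valid escape: keep the character as it is
            out = out substr(s, 1, 1)
            s = substr(s, 2)
        }
        print out
    }'
}

# Classify one request path: "cgi-probe" when the decoded path goes through
# /cgi-bin/, otherwise "other". Matching the raw path would miss encoded probes.
classify_request() {
    case "$(url_decode "$1")" in
        */cgi-bin/*) echo cgi-probe ;;
        *)           echo other ;;
    esac
}

# Constructed sample of request paths as an access log's request field would
# hold them: a normal page, a plain CGI request, and the encoded request from
# the text.
demo_classify() {
    for path in '/index.html' '/cgi-bin/phf' \
                '/%63%67%69%2d%62%69%6e/%66%69%6e%67%65%72'; do
        echo "$path $(classify_request "$path")"
    done
}
```

Decoding is only the first normalisation step an IDS needs; double encoding (`%2563`), `..` segments and a `%00` that some servers treat as a terminator all need their own handling, and this decoder makes no attempt at those.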
The tcpdump Tool
The tcpdump tool is a powerful tool for network monitoring and data
acquisition. This program allows you to dump the traffic on a network. It
can be used to print the headers of packets on a network interface that
match a given expression. You can use this tool to track down network
problems, to detect ping attacks, or to monitor network activity.
See:
http://www.tcpdump.org
SWATCH
Simple WATCHdog (SWATCH) is a tool that actively monitors UNIX log
les.
See:
ftp://ftp.stanford.edu/general/security-tools/swatch/
Pretty Good Privacy (PGP)
PGP or Pretty Good Privacy is a powerful cryptographic product family
that enables people to securely exchange messages, and to secure les,
disk volumes, and network connections with both privacy and strong
authentication.
See:
http://web.mit.edu/network/pgp.html
Kerberos
Kerberos is a network authentication protocol. It provides strong
authentication for client/server applications by using secret-key
cryptography. A free implementation of this protocol is available from the
Massachusetts Institute of Technology. Kerberos is available in many
commercial products as well.
See:
http://web.mit.edu/kerberos/www/
Virtual Private Networks
Virtual private networks (VPNs) provide an encrypted connection
between a user's distributed sites over a public network (for example, the
Internet). By contrast, a private network uses dedicated circuits and
possibly encryption.
See:
http://www.epm.ornl.gov/~dunigan/vpn.html
Anti-Sniffing Tools
Use these tools to detect if someone is sniffing packets on your network.
AntiSniff - Runs on Microsoft Windows only
See:
http://www.l0pht.com
Sentinel - Runs on UNIX
See:
http://www.packetfactory.net/Projects/Sentinel
Appendix D
Security Recommendations
This provides a summary of the security recommendations taken from the
text of the SC-300 Administering Security on the Solaris 8 Operating
Environment course. It is intended only as a guide, not as a prescriptive
to-do list, because there are always alternative methods to achieve the same
outcome. The important thing is that you are aware of the risks and take
actions appropriate for the sensitivity of the data or importance of the
application environment.
• Educate your user community to respect and accept the level of
security required.
• Have a security policy. Ensure that the pertinent aspects are
communicated to everyone.
• Turn on logging and monitor logs on a daily basis. Use the syslog and
swatch programs to simplify this task.
• Avoid giving out the root password. Disseminate superuser
privileges with RBAC or the sudo command.
• Check the patch releases and update software on a regular basis. Use
the patchdiag tool and patchdiag.xref file to check and verify the
current patch level of Solaris OE systems.
• Use the Solaris OE Fingerprint Database to verify the integrity of
files distributed with the Solaris OE.
• Use TripWire to fingerprint your configured system and compare it
with the stored fingerprints on a regular basis.
• Do not allow users to have weak, easily guessed, or reused
passwords. Consider the use of the npasswd command as a
replacement for the passwd command, or check passwords with the
AntiCrack tool. Use password aging.
• Run the crack program on your password file.
• Do not allow plain text passwords across the network. Avoid use of
rlogin, Telnet, and FTP and use Open Secure Shell (OpenSSH)
instead.
• Disable all unnecessary network services, such as sendmail (SMTP),
rpc, ftp, dns, snmp, and others.
• Remove programs such as finger, rusers, and rpcinfo that
provide attackers with operating system information, application
versions, user names, and other information.
• Remove all unnecessary SUID and SGID programs.
• Use the restricted shell (rsh) for guest accounts.
• Use expiration dates for temporary user accounts such as those
provided to contractors.
• Expire and then delete dormant accounts.
• Set disk quotas and limits to reduce the chance of denial of service
attacks.
• Use file digests to increase the chance of finding Trojan horses and
back doors.
• Run Titan to harden the network.
• Secure backups and removable media devices.
• Make a backup of the system in a known clean state. Destroy any
compromised backups after a suspected break-in.
• Restore data with care.
• Correctly configure Internet servers; in particular, be aware of security
risks with FTP servers and CGI scripts behind Web servers.
• Use correctly configured firewalls. Use SunScreen Secure Net 3.1 or
SunScreen 3.1 Lite, which provide strong cryptography, centralized
management, and packet filtering.
• Secure your VPNs and extranets with IPsec to protect against a
variety of threats, such as sniffing, spoofing, flooding, and hijacking.
• Use SAINT to check security over the network and to probe for
potential security weak spots.
• Run Courtney to monitor for SAINT- or SATAN-like attacks.
• Run an intrusion detection system (IDS).
• Mount dummy attacks to check procedures.
• Use TCP Wrappers to filter incoming requests for network services
and block untrusted hosts.
• Use the chroot command to restrict access with Anonymous FTP.
• Configure routers to prevent information leakage and unauthorized
access.
• Secure remote access points (such as modems). Use Virtual Private
Networks (VPNs) where possible.
• Avoid excessive use of trust relationships, such as .rhosts.
• Avoid excessive use of NFS exports.
• Check for sniffer programs capturing network data. Use the
AntiSniff or Sentinel programs.
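Several of the recommendations in this appendix (remove unnecessary SUID and SGID programs, avoid .rhosts trust, disable unneeded network services, allow no weak or empty passwords) can be checked without changing anything, and a regular read-only audit is how a practitioner notices when a system drifts from the policy. The script below is an added example, not part of the course: it inspects a directory tree given as its argument, so it can be pointed at / on a live system or at a copy of a file system mounted elsewhere, and it reports set-UID/set-GID files, trust files, shadow entries with an empty password field and services still enabled in /etc/inet/inetd.conf. The file names, accounts and service lines in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the Sun course: a read-only audit of a few of the
# Appendix D recommendations over a directory tree. It changes nothing.

# Usage: list_setid_files <root>  -> relative paths of set-UID/set-GID files
list_setid_files() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort )
}

# Usage: list_trust_files <root>  -> .rhosts files plus etc/hosts.equiv if present
list_trust_files() {
    ( cd "$1" && {
          find . -type f -name .rhosts 2>/dev/null
          [ -f ./etc/hosts.equiv ] && echo ./etc/hosts.equiv
          :
      } | LC_ALL=C sort )
}

# Usage: list_nopassword_accounts <shadow file>  -> users whose password field is empty
list_nopassword_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Usage: list_inetd_services <inetd.conf>  -> service names not commented out
list_inetd_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Usage: audit_tree <root>  -> one tagged line per finding
audit_tree() {
    list_setid_files "$1"                        | sed 's/^/SETID /'
    list_trust_files "$1"                        | sed 's/^/TRUST /'
    list_nopassword_accounts "$1/etc/shadow"     | sed 's/^/NOPASS /'
    list_inetd_services "$1/etc/inet/inetd.conf" | sed 's/^/INETD /'
}

# Constructed sample tree standing in for a freshly installed host: one
# expected set-UID binary, one set-GID binary, a user .rhosts, a hosts.equiv,
# an account with no password and two services still enabled in inetd.conf.
demo_audit() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXX")
    mkdir -p "$d/usr/bin" "$d/usr/sbin" "$d/etc/inet" "$d/home/alice"
    : > "$d/usr/bin/su";    chmod 4755 "$d/usr/bin/su"      # set-UID
    : > "$d/usr/bin/ls";    chmod 755  "$d/usr/bin/ls"
    : > "$d/usr/sbin/wall"; chmod 2755 "$d/usr/sbin/wall"   # set-GID
    : > "$d/home/alice/.rhosts"
    : > "$d/etc/hosts.equiv"
    printf 'root:xyz:11111::::::\nguest::11111::::::\nsvc:NP:11111::::::\n' > "$d/etc/shadow"
    printf '# constructed inetd.conf\n' > "$d/etc/inet/inetd.conf"
    printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' >> "$d/etc/inet/inetd.conf"
    printf '#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' >> "$d/etc/inet/inetd.conf"
    printf 'finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd\n' >> "$d/etc/inet/inetd.conf"
    audit_tree "$d"
    rm -rf "$d"
}
```

The value of such a script is in the comparison over time: run it after installation, keep the output with the system's documentation, and diff each later run against it, so that a new set-UID file or a re-enabled inetd service stands out as a one-line change rather than being lost in a long listing. The NP marker in the sample shadow file is the Solaris convention for an account that cannot log in, which is why svc is not reported while guest, with an empty field, is.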
A
access control 1-19
Access Control Lists 8-1, 8-29
Access File Format 15-17
account
expiration 5-11, 5-12, 5-16,
5-18
inactivity 5-11, 5-18
reactivation 5-16
account modules 13-26
accountability 6-10
Accounting Package 2-30, 2-37
ACK 10-36
ACL 8-1
action 2-11
ActiveX 18-12
Aliases 5-28
aliases 7-27
anlpasswd 6-29
Anonymous FTP 13-20, 13-22,
15-5
AntiCrack 6-29
ASET 4-23, 14-1, 14-10, 14-26,
18-21
Reports 14-35
Running Periodically 14-33
Security Levels 14-27
Athena Project 13-42
Attack Level 12-22
Attacker 1-30
Audit
Classes 3-9
Data 3-26
Events 3-8
Flags 3-14
flags 3-17
Records 3-10
Trail 3-14, 3-22
audit 18-23
audit.log 3-24
audit_warn 3-20
Auditing 3-4
Techniques 9-6
Authentication 1-17
authentication 13-34
Authentication modules 13-26
authorization 1-19, 7-6
authorized_keys 16-30
Automated Security
Enhancement Tool 4-23, 14-1,
14-10
Availability 1-12
B
Back Doors 4-12, 4-13, 4-15, 4-17
backup 1-42
Banner
Files 15-21
Message 15-22
Without TCP Wrappers 15-24
Basic Security Module 3-4, 7-5
Berkeley 13-10
r Commands 13-10
BIOS 17-9
Break-ins 1-8
BSM 3-1, 3-4, 3-11, 3-40, 7-5
Audit Trail 4-19
Components 3-6
Device Management 3-30, 3-31
bsmconv 3-12
bsmconv script 3-12
bsmunconv 3-13
Buffer Overflow Attack 10-30
C
C++ compiler 1-45
CA 11-7
Centralized Logging 2-13
CERT 14-7
certificate authority 11-7
certificates 16-10
CGI 1-35, 10-32
challenge-response 16-11
Checklists 4-19
Checksums 4-19, 9-9
Algorithms 9-10
chroot 13-19
Client Access Logging 15-14
Client Authentication 16-11
Client Keys 16-27
client-to-server 18-17
commands
ckpacct 2-30
dodisk 2-30
lastlogin 2-32
monacct 2-31
prdaily 2-32
runacct 2-30
Common Gateway Interface 1-35, 10-32
Compression 16-8
Computer Emergency Response
Team 14-7
Computer Vulnerability Emergency
Response Team 1-10
comsat 13-5
Confidential 18-24
confidentiality 1-12, 1-19
Configuration Templates 9-20
Console access 17-6
CONSOLE variable 5-21
control flags 13-31
COPS 14-6
Course Preface-i
Courtney 12-35, 18-27
COVERT 1-10
CPU 17-13
crack 1-47
crack Tool 6-28
crackers 6-6
Cracking Passwords 6-25
CRC 4-19, 14-7
Criminals 1-33
cron Entries 5-25
crypt 8-1, 8-39
cryptographer 17-15
Cryptographic One-Way Hash
Functions 9-11
Cuckoo's Egg 5-17
CVS 16-5
cyclic-redundancy-check 4-19, 14-7
D
Data Encryption Standard 11-7, 13-43
Data Harvesting 1-23
Data theft 17-6
databases 9-7
datagram 18-6
Datagrams 11-13
day-zero backups 8-45
DCE 13-25
Debugging Logging 2-14
Default Profiles 5-8
defensive perimeter 18-13
Demilitarized Zone 18-16
demilitarized zone 10-25
Denial of Service 1-11, 1-24, 8-8, 10-33
Denial of Service Attack 4-30
DES 11-7, 13-43
Desk Process 17-17
Device files 13-20
device files 4-15
Device-Clean Scripts 3-36
dial_auth module 13-27
Diffie Hellman algorithm 13-43
Digital Equipment Corporation 13-42
digital identity 16-10
Directory Permissions 8-12
disabling accounts 5-16
disk partition 13-24
disktacct file 2-33
Distributed Computing
Environment 13-25
DMZ 10-25, 18-16
DNS 1-35, 18-13
Domain Name Services 1-35
Dormant Accounts 5-17
DoS 1-11, 1-24, 4-1, 4-30, 10-31, 10-33, 17-7
dsniff 10-20
dsniff Utility 10-48
Dummy Services 13-9
duplicate account 5-5
Duplicate User ID 5-5
dynamic content 10-32
E
Eavesdropping 17-13
EEPROM 14-28, 17-1, 17-9, 18-10
Passwords 17-26
Security 17-23
eeprom 1-8
electrically erasable programmable
read-only memory 1-8
elm 1-8
encapsulating security payload 11-13
encrypted password 6-6, 6-7
Encrypting Data 8-38
Encryption 16-8
Enterprise Security Audits 18-21
Enterprise-Wide Attacks 1-34
ESMTP 10-45
ESP 11-13, 11-23
etherfind 10-12
exec 13-5
Executable command files 13-20
Extended Simple Mail Transfer
Protocol 10-45
F
fee file 2-33
file digest 4-19, 9-9
algorithms 9-9
file mode 9-6
File System Attacks 8-1
File Transfer Protocol 1-10, 1-35
Files Permissions 8-11
find Commands 4-21
finger 1-35, 13-6
fingerd daemon 4-31, 10-30
firewall 18-5
Firewalls 1-35, 10-25, 12-17, 17-10, 18-14
forgetting passwords 6-21
Fork Bombs 4-31, 4-32
Fraud 1-21
FTP 1-10, 1-35, 18-13
ftp 13-5, 13-28
Users 13-7
G
Generic Security Services 13-25
getfacl 8-31
GID 2-29, 5-7
GNU zip 1-44
grommit 13-11
group ID 5-7, 5-11, 6-5
group identifier 2-29
GSS 13-25
guest account 5-15, 5-16
GUI 12-12
gzip 1-44
H
Hidden 15-9
hidden files 4-17, 5-16
High-level security 14-30
Honey Pots 1-37
Host 1-8
Host Access Control 15-16
Host Key 16-19
hosts.equiv 13-15
how accounting works
location of files 2-32
programs that are run 2-30
types of files 2-33
HTTP 10-2, 10-32
Hubs 17-12
Hyper Text Transfer Protocol 10-32
I
ICMP 1-34, 10-38
identification 1-17
IDS 1-36, 1-37
IETF 11-12
Inadequate Logging 1-35
inbound traffic 11-13
Inconsistencies 9-24
Inode number 9-7
Integrity 1-12
Internet Control Message Protocol 1-34,
10-38
Internet Engineering Task Force 11-12
Internet Protocol 1-34
Security 10-10
Internet Relay Chat 10-40
Internet Worm 4-31
Intrusion Detection System 1-36
IP 1-34
Security Architecture 11-12
IPsec 10-10, 11-12, 18-8, 18-21
Configuration File 11-20
Configurations 11-24
ipseckey 11-14
Keys 11-14
Policies 11-17
Security Considerations 11-26
ipsecconf 11-18
IRC 10-40
J
JASS 14-9
Java
Java Server Pages 10-32
JSP 10-32
JumpStart 14-4
Architecture and Security Scripts 14-9
K
Kerberos 13-1, 13-25
Authentication server 13-43
Features 13-45
Limitations 13-47
v5 13-42
Kernel events 3-8
kill 2-24
Kuang expert system 14-7
L
LAN 17-10
Lax Permissions 8-17
LDAP 3-34, 11-8
Level of Attack 12-16
Lightweight Directory Access Protocol 6-6, 11-8
Linux 14-11
LKMs 4-28
loadable kernel modules 4-28
Local Area Network 17-10
log on
deny 18-6
success 18-6
logger Utility 2-15
loghost 2-14
login 5-5, 6-19, 13-5, 13-28, 13-34
Low-level security 14-30
M
MAC 17-12
major device number 4-15
mask bits 8-35
Massachusetts Institute of Technology 13-42
Maximum Transfer Unit 10-38
MD5 Digests 1-46
Medium-level security 14-30
Message Digest 1-46, 9-11, 11-7
Algorithms 9-11
minfree 3-20
minor device number 4-15
Misconfigured access control 1-34
MIT 13-42
mknod 4-15
mnemonic 6-13
mode bits 8-10
MTU 10-38
N
NetBIOS 1-34
Netgroups 13-12
Network Analyzer Attack 12-33
Network Attacks 4-32
Network Authentication 15-4
Network File Service 12-7
Network Information Service 6-6
network interface card 10-7
Network Service Attack 10-25
Network Sniffing 10-4
Network tapping 17-7
NFS 12-7
NIC 10-7
NIS 3-34, 6-6
NIS+ 3-34, 6-6
nmap Utility 10-43
no password 6-19
Non-Login Accounts 5-22
Non-Login Shell 5-24
Non-Standard Port Numbers 13-9
notification messages 2-9
npasswd 6-29
numeric password 6-24
O
OpenBoot 17-21
OpenSSH 16-4, 18-21
Clients 16-23
Server
Configuration 16-16
Tools 16-6
OpenSSL 11-5, 11-9
optional 13-32
Orange Book 1-14
outbound traffic 11-13
P
pacct file 2-33
Packet Replay Attack 10-26
PAM 13-1, 13-25, 13-28
API 13-25
Configuration File 13-29
Error Reporting 13-40
Library 13-28
Runtime Modules 13-26
pam_dial_auth 13-34
pam_rhost_auth 13-34
pam_unix 13-34
pam_unix Module 13-27
passwd 6-15, 13-16
passwd+ 6-29
password 1-34, 1-42
Agent 16-15
aging 1-42, 6-7
cracking 6-11, 6-12, 6-21
expiration 6-8
Guessing 12-25
length 6-12
mapping 13-27
modification 6-7
modules 13-26
restrictions 6-15, 6-19
secrecy 6-11, 6-14
Security 6-1
password modules 13-26
PATH variable 5-16, 5-21
Perl 12-4
Permission
bits 8-10
Categories 8-13
Personal 18-24
Physical
Access 17-1
Intrusion 17-4
Types 17-6
PIN number 6-24
Ping of death 4-32, 10-35, 10-38
Pluggable Authentication Module 13-25
POP3 10-2
Port forwarding 16-12
Port Scanning 10-43
PortSentry 10-46
Post Office Protocol 3 10-2
Power outage 17-7
praudit 3-27
Privacy Violation 1-22
Probes 12-23
probes 12-6
Process Accounting 2-29
Profiles 7-6
prototype 15-21
Proximity Variables 12-28
Proxy Server 18-12
proxy server 10-25, 18-1
Proxy Servers 18-14
ps 2-24, 5-16
Public 18-24
public key encryption 16-4
Public Keys 1-46
Publicity Attacks 1-23
R
RBAC 6-10, 7-1, 7-4
Commands 7-7
Evaluation 7-18
Profiles 7-8
Roles 7-11, 7-15
RC4 11-7
rcp 13-11, 16-4
reboot 10-34
Redhat 14-11
Reference Monitor 1-13
remembering passwords 6-12
Remote Access 1-34, 16-1
Remote Procedure Call 1-35
required 13-32
requisite 13-31
reset 10-37
Restoring 14-32
Restoring Data 8-47
restricted files 4-16
Restricted Shells 5-16, 5-27
rhosts_auth module 13-27
Rivest Shamir Adleman 13-43
rlogin 13-10, 13-16, 13-34, 13-38, 16-4
Role Based Access Control 6-10, 7-1, 7-4
Roles 7-6
root 1-8, 2-7
Partition 8-4
Root Access 7-1, 7-4
Root Login 5-14
Rootkits 4-24
Kernel 4-28
Routers 1-34, 17-10, 18-14
RPC 1-35, 13-6
rpcinfo 1-35
RSA 13-43
Authentication 16-30
public key 16-9
rsh 13-10, 13-16, 13-38, 16-4
RST 10-37
rusers 1-35
rusersd 13-6
S
SA 11-13
Sabotage 1-22
SAINT 1-38, 10-46, 12-1, 12-4, 18-21, 18-26
Configuration 12-21
Data Management 12-14
graphical user interface 12-1, 12-12
Installation 12-8
Reports 12-31
Scan 12-18
Target Selection 12-15
sandbox 13-20
SANTA 1-38
sar 2-24
SATAN 1-38, 12-4
Script 1-31
Script Kiddie 1-33
SEAM 13-25, 13-42
Clients 13-49
Secret 18-24
Secure Hash Algorithm 11-7
Secure Kernel 1-13
secure passwords 6-12, 6-13, 6-21
Secure Shell 10-10, 13-5, 16-4
Secure Socket Layer 16-10
Secure Sockets Layer 10-10, 11-1
Security 1-4
security associations 11-13
Security Attacks
Detection 9-8
security policy 1-39, 1-41, 5-16
selector 2-11
sendmail 10-28
Server Authentication 16-9
server-to-server 18-17
session modules 13-26
Set User ID 14-6
setfacl 8-33, 8-34
SETGID 7-18
SetUID 14-7
Shadow Files 6-4
Shared libraries 13-20
shell 13-5
Shell Daemon 16-21
shoulder surfing 6-13
shutdown 7-20
signatures 9-7
Simple Alias Definitions 7-27
Simple Mail Transfer Protocol 1-35
simple mail transfer protocol 10-28
Simple Network Management Protocol 1-35, 10-2
Site Policy 1-47
SKIP 11-27, 11-28, 11-30
skiphost 11-30
skipif 11-29
skiplocal 11-28, 11-30
SMTP 1-35, 10-28, 17-19
Smurf 4-32, 10-35, 10-39
Attack 10-39
Countermeasures 10-41
sniffing tools 1-47
SNMP 1-35, 10-2
snoop 5-16, 10-12, 10-14
Software 1-35
Solaris
Security Toolkit 14-9
Solaris OE 14-9
Accounting Package 2-27
Basic Security Module 3-1
Basic Security Module Auditing 3-4
Fingerprint Database 9-1, 9-13
Logging Files 2-4
Monitoring Tools 2-23
password files 6-4
Role Based Access Control 7-5
security packages 7-5
system administrator 2-4
utilities 12-6
SPARC 9-13
special character 6-13
sprayd 13-6
SSH 10-10, 13-5, 16-4
ssh-agent 16-31
sshd 16-19
ssh-keygen 16-19, 16-27
ssh-keyscan 16-10
SSL 10-10, 11-1, 11-6, 16-10, 18-13, 18-21
Handshake Protocol 11-6
Record Protocol 11-6
SSLeay library 11-5
starting and stopping accounting 2-37
stdtprocess 8-8
Sticky Bits 8-24
Sticky Directories 8-25
STOP-A key 17-1
Stop-A Key 17-21
stunnel Program 11-8
su command 3-5
subterfuge 1-9
sudo 6-10, 7-20
privileges 7-24
Utility 7-24
sudoers 7-25, 7-31
sufficient 13-32, 13-34
SUID 4-14, 5-16, 14-6
programs 5-16
sulog 2-7
SULOG variable 5-21
Sun Enterprise Authentication Mechanism 13-25, 13-42
SunScreen 18-7
SunSHIELD 3-4
SunSolve 9-13
SUNWast 14-29
SUPATH variable 5-21
Superuser Account 5-13
superuser password 6-4, 6-10, 6-16, 6-19
SuSE 14-11
swap 8-6
swatch Tool 2-16
symmetric key 8-39
SYN 4-32, 10-36
synchronize message 10-36
Syslog 2-8, 2-9
SYSLOG flag 5-21
syslogd 7-20
System Hardening 14-4
System Logging Facility 2-8
System Permissions 8-10
system-wide access 6-4
T
TAR 12-8
tar 13-21
Task Status 14-32
TCB 1-13
TCP 4-32
Wrappers 15-1, 15-8, 18-21
Banners 15-19
Configuration 15-12
Configuring 15-9
Hidden 15-10
Spawn Commands 15-25
Visible 15-11
TCP SYN Flood 10-35
TCP/IP
Ports
Forwarding 16-12
tcpdchk 15-12
telnet 1-35, 13-1, 13-5, 13-17, 13-28
temporary file system 8-6
Terminal Answerback 4-9
Terrorism 1-22
Terrorists 1-33
TFTP 13-20
Theft 1-21
Third-Party Security Tools 1-43
Tiger 14-8
Time stamps 9-7
Time-Out 12-27
Titan 14-1, 14-10, 18-21
Configuration 14-18, 14-20
Design Goals 14-12
Module Structure 14-23
Modules 14-13
Running a Single Module 14-21
TLS 11-5
tmpfs 8-6
Toll-Free Number Attack 4-32
top Tool 2-25
Transport Layer Security 11-5
Trial Attacks 18-22
TripWire 4-19, 9-1, 9-15, 9-23
Configuration File 9-17
Database 9-23, 9-27
Trivial File Transfer Protocol 13-20
Trojan Horses 4-1, 4-4
Troubleshooting 2-28
Trusted Access 13-15
trusted computing base 1-13
trusted hosts 13-15
Trusted Solaris Operating Environment B-1
trusted third party 11-7
tune.* Files 14-36
types of accounting
process accounting 2-29
U
UFS 8-5
UID 2-29, 5-4, 8-20
unauthorized access 1-4
Unauthorized Device Files 8-42
UNIX
Copy 13-6
UNIX file system 8-5
UNIX 1-5
User access 1-5
User Account 1-34
user ID 5-11, 5-21, 6-5
User identifier 2-29
User Security 5-21
User-level events 3-8
usermod 5-11, 5-12
Using Aliases 7-27
UUCP 13-6
V
vi 7-33
Virtual Private Network 1-34, 11-8
virtual private network 18-8
Visible 15-9
vmstat 2-24
VPN 1-34, 11-8, 18-8, 18-17
Vulnerability Scanners 1-38
W
wallace 13-12
walld 13-6
WAN 17-10
what is accounting used for 2-28
who 2-24
whodo 2-24
Wide Area Network 17-10
Windows
NT 12-16
World Wide Web 1-27
worms 4-31
wtmp file 2-33
WWW 1-27