
Linux All-in-One Desk Reference for Dummies, part 8 (pptx)




DOCUMENT INFORMATION

Basic information

Format
Pages: 75
Size: 1.63 MB

Contents

Book VI, Chapter 2: Securing a Linux Host

Protecting Files and Directories

A default umask of 022 is good for system security because it translates to files that have read and write permission for the owner and read permission for everyone else. The bottom line is that you don’t want a default umask that results in files that are writable by the whole wide world.

Checking for set user ID permission

Another permission setting can be a security hazard. This permission setting, called the set user ID (or setuid for short), applies to executable files. When the setuid permission is enabled, the file executes under the user ID of the file’s owner. In other words, if an executable program is owned by root and the setuid permission is set, no matter who executes that program, it runs as if root is executing it. This permission means that the program can do a lot more (for example, read all files, create new files, and delete files) than what a normal user program can do. Another risk is that if a setuid program file has some security hole, crackers can do a lot more damage through such programs than through other vulnerabilities.

You can find all setuid programs with a simple find command:

    find / -type f -perm +4000 -print

You see a list of files such as the following:

    /usr/bin/chage
    /usr/bin/gpasswd
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/bin/at
    /usr/bin/rcp
    /usr/bin/rlogin
    /usr/bin/rsh
    /usr/bin/sudo
    /usr/bin/crontab
    ... lines deleted ...

Many of the programs have the setuid permission because they need it, but check the complete list and make sure that there are no strange setuid programs (for example, setuid programs in a user’s home directory).

If you want to see how these permissions are listed by the ls command, type ls -l /usr/bin/passwd and you see the permission settings:

    -r-s--x--x    1 root     root        16128 Jun  5 23:03 /usr/bin/passwd

The s in the owner’s permission setting (r-s) tells you that the setuid permission is set.
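The two checks above (what a umask does to new files, and hunting for setuid executables in places where they do not belong) as an added example in Python; this is constructed demonstration code, not code from the book or from findutils. It builds a throwaway directory tree, so it runs without root and touches nothing on the real system. Note that newer GNU find no longer accepts the `-perm +4000` spelling the book uses; `-perm -4000` (or `-perm /4000`) is the equivalent today.

```python
import os
import shutil
import stat
import tempfile

# Constructed example, not code from the book or from findutils: it shows what the
# default umask does to a newly created file and scans a directory tree for setuid
# executables, flagging any that live under a home directory (the case the chapter
# says to look out for).

def mode_under_umask(mask):
    """Create a file in a fresh temporary directory with umask `mask` and
    return its permission bits (open() asks for 0666; the umask clears bits)."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "newfile")
            with open(path, "w") as f:
                f.write("x")
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # never leave the process with a changed umask

def find_setuid(root):
    """Sorted paths of regular files under `root` with the setuid bit set.
    Equivalent to `find root -type f -perm -4000 -print`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; keep scanning
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def suspicious_setuid(paths, home_prefixes):
    """Subset of `paths` that sit under any of the given home-directory prefixes."""
    return [p for p in paths if any(p.startswith(h) for h in home_prefixes)]

def demo():
    """Build a constructed tree, scan it, and return (all setuid files, suspicious ones)
    as paths relative to the tree root."""
    root = tempfile.mkdtemp()
    try:
        for rel, mode in (("usr/bin/passwd", 0o4511), ("usr/bin/ls", 0o755),
                          ("home/alice/helper", 0o4755)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")  # constructed stand-in for a binary
            os.chmod(path, mode)      # setting setuid on a file you own needs no root
        hits = find_setuid(root)
        bad = suspicious_setuid(hits, (os.path.join(root, "home") + os.sep,))
        to_rel = lambda ps: [os.path.relpath(p, root) for p in ps]
        return to_rel(hits), to_rel(bad)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print("umask 022 ->", oct(mode_under_umask(0o022)))
    print("setuid files, suspicious:", demo())
```

Run it as a script to see the umask result (0o644 for 022) and the scan report; on a real host you would call find_setuid("/") and compare the output against the distribution's expected list, treating anything under /home, /tmp or a web root as something to investigate.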
TEAM LinG - Live, Informative, Non-cost and Genuine !

Encrypting and Signing Files with GnuPG

Linux comes with the GNU Privacy Guard (GnuPG or, simply, GPG) encryption and authentication utility. With GPG, you can create your public- and private-key pair, encrypt files using your key, and also digitally sign a message to authenticate that it’s really from you. If you send a digitally signed message to someone who has your public key, the recipient can verify that it was you who signed the message.

Understanding public-key encryption

The basic idea behind public-key encryption is to use a pair of keys — one private and the other public — that are related but can’t be used to guess one from the other. Anything encrypted with the private key can be decrypted only with the corresponding public key, and vice versa. The public key is for distribution to other people while you keep the private key in a safe place.

You can use public-key encryption to communicate securely with others; Figure 2-1 illustrates the basic idea. Suppose Alice wants to send secure messages to Bob. Each of them generates public key and private key pairs, after which they exchange their public keys. Then, when Alice wants to send a message to Bob, she simply encrypts the message using Bob’s public key and sends the encrypted message to him. Now the message is secure from any eavesdropping because only Bob’s private key can decrypt the message — and only Bob has that key. When Bob receives the message, he uses his private key to decrypt the message and read it.

[Figure 2-1: Bob and Alice can communicate securely with public-key encryption. Alice encrypts the message using Bob’s public key; Bob decrypts the message using his private key.]
At this point, you need to stop and think and say, “Wait a minute! How does Bob know the message really came from Alice? What if someone else uses Bob’s public key and sends a message as if it came from Alice?” This situation is where digital signatures come in.

Understanding digital signatures

The purpose of digital or electronic signatures is the same as pen-and-ink signatures, but how you sign digitally is completely different. Unlike pen-and-ink signatures, your digital signature depends on the message you’re signing.

The first step in creating a digital signature is to apply a mathematical function on the message and reduce it to a fixed-size message digest (also called a hash or a fingerprint). No matter how big your message is, the message digest is always around 128 or 160 bits, depending on the hashing function.

The next step is to apply public-key encryption. Simply encrypt the message digest with your private key, and you get the digital signature for the message. Typically, the digital signature is appended to the end of the message, and voilà — you get an electronically signed message.

What good does the digital signature do? Well, anyone who wants to verify that the message is indeed signed by you takes your public key and decrypts the digital signature. What that person gets is the message digest (the hash that was encrypted to form the signature). Then he or she applies the same hash function to the message and compares the computed hash with the decrypted value. If the two match, then no one has tampered with the message. Because your public key was used to verify the signature, the message must have been signed with the private key known only to you. So the message must be from you!

In the theoretical scenario of Alice sending private messages to Bob, Alice can digitally sign her message to make sure that Bob can tell that the message is really from her.
Figure 2-2 illustrates the use of digital signatures along with normal public-key encryption. Here’s how Alice sends her private message to Bob with the assurance that Bob can really tell it’s from her:

1. Alice uses software to compute the message digest of the message and then encrypts the digest by using her private key. This is her digital signature for the message.
2. Alice encrypts the message (again, using some convenient software and Bob’s public key).
3. She sends both the encrypted message and the digital signature to Bob.
4. Bob decrypts the message using his private key.
5. Bob decrypts the digital signature using Alice’s public key. This gives him the message digest.
6. Bob computes the message digest of the message and compares it with what he got by decrypting the digital signature.
7. If the two message digests match, Bob can be sure that the message really came from Alice.

Using GPG

GPG includes the tools you need to use public key encryption and digital signatures. What you use is the gpg command. You can figure out how to use GPG gradually as you begin using encryption. I show you some of the typical tasks you may perform with GPG.

Generating the key pair

The steps for generating the key pairs go like this:

1. Type the gpg --gen-key command. If you’re using gpg for the first time, it creates a .gnupg directory in your home directory and a file named gpg.conf in that directory. Then GPG asks what kind of keys you want:

    Please select what kind of key you want:
       (1) DSA and ElGamal (default)
       (2) DSA (sign only)
       (4) RSA (sign only)
    Your selection?
[Figure 2-2: Alice can digitally sign her message so that Bob can tell it’s really from her. Alice encrypts the message using Bob’s public key and appends a digital signature encrypted with her private key; Bob decrypts the message using his private key, decrypts the signature using Alice’s public key, and then verifies the message digest.]

2. Press Enter for the default choice because it’s good enough. GPG then prompts you for the key size (the number of bits).
3. Press Enter again to accept the default value of 1,024 bits. GPG asks you when the keys expire. The default is to never expire.
4. If the default is what you want (and why not?), press Enter.
5. When GPG asks if you really want the keys to never expire, press the Y key to confirm. GPG prompts you for your name, your e-mail address, and finally a comment so that the key pair is associated with your name.
6. Type each piece of requested information and press Enter.
7. When GPG gives you a chance to change the information or confirm it as is, confirm by typing o and pressing Enter. GPG next prompts you for a passphrase that protects your private key.
8. Type a long phrase that includes lower- and uppercase letters, numbers, and punctuation marks — the longer the better — and then press Enter. Be careful to pick a passphrase that you can easily remember.

GPG generates the keys. It may ask you to perform some work on the PC so that the random number generator can generate enough random numbers for the key-generation process.

Exchanging keys

To communicate with others, you have to give them your public key.
You also have to get public keys from those who may send you a message (or someone who might sign a file and you want to verify the signature). GPG keeps the public keys in your key ring. (The key ring is simply the public keys stored in a file, but it sounds nice to call it a key ring because everybody has a key ring out in the real world and these are keys of a sort, right?) To list the keys in your key ring, type

    gpg --list-keys

To send your public key to someone or place it on a Web site, you have to export the key to a file. The best way is to put the key in what GPG documentation calls an ASCII-armored format with a command like this:

    gpg --armor --export naba@comcast.net > nabakey.asc

This command saves my public key in an ASCII-armored format (it basically looks like garbled text) in the file named nabakey.asc. Of course, you replace the e-mail address with your e-mail address (the one you used when you created the key) and the output filename with something different. After you export the public key to a file, you can mail that file to others or place it on a Web site for use by others.

When you import a key from someone else, you typically get it in an ASCII-armored format as well. For example, if I have a us-cert@us-cert.gov GPG public key in a file named uscertkey.asc, I import it into my key ring with the following command:

    gpg --import uscertkey.asc

Use the gpg --list-keys command to verify that the key is in your key ring. For example, here’s what I see when I type gpg --list-keys on my system:

    /home/naba/.gnupg/pubring.gpg
    pub   1024D/397F3C69 2004-09-21 Naba Barkakati (author) <naba@comcast.net>
    sub   1024g/AE72AD66 2004-09-21
    pub   2048R/F0E187D0 2004-09-08 US-CERT Operations Key <us-cert@us-cert.gov>

The next step is to check the fingerprint of the new key.
I type the following command to get the fingerprint of the US-CERT key:

    gpg --fingerprint us-cert@us-cert.gov

GPG prints the fingerprint:

    pub   2048R/F0E187D0 2004-09-08 US-CERT Operations Key <us-cert@us-cert.gov>
          Key fingerprint = 049F E3BA 240B 4CF1 3A76 06DC 1868 49EC F0E1 87D0

At this point, you need to verify the key fingerprint with someone at the US-CERT organization. For a large organization such as US-CERT, you can verify the fingerprint from the US-CERT Web page (www.us-cert.gov/pgp/encryptmail.html). I checked and the fingerprint matches what appears at the US-CERT Web site.

If you think the key fingerprint is good, you can sign the key and validate it. Here’s the command you use to sign the key:

    gpg --sign-key us-cert@us-cert.gov

GPG displays a message and prompts you on the level of key verification you have performed:

    gpg: checking the trustdb
    gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
    pub  2048R/F0E187D0  created: 2004-09-08  expires: 2005-10-01  trust: -/-
    (1). US-CERT Operations Key <us-cert@us-cert.gov>

    pub  2048R/F0E187D0  created: 2004-09-08  expires: 2005-10-01  trust: -/-
     Primary key fingerprint: 049F E3BA 240B 4CF1 3A76 06DC 1868 49EC F0E1 87D0

         US-CERT Operations Key <us-cert@us-cert.gov>

    This key is due to expire on 2005-10-01.
    Do you want your signature to expire at the same time? (Y/n)
    How carefully have you verified the key you are about to sign actually belongs
    to the person named above?  If you don’t know what to answer, enter “0”.

       (0) I will not answer. (default)
       (1) I have not checked at all.
       (2) I have done casual checking.
       (3) I have done very careful checking.

    Your selection? (enter ‘?’ for more information):

After you answer and press Enter, GPG asks for confirmation and then prompts you for your passphrase. After that, GPG signs the key.
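The hash-then-sign flow of Figure 2-2 (steps 1 and 5 to 7) and the fingerprint check that the key-exchange passage relies on, as an added Python example. This is constructed teaching code, not GnuPG's implementation and not code from the book: it uses textbook RSA over primes generated from a seeded random number generator so that the run is reproducible, and SHA-256 as the digest function rather than the 128- or 160-bit hashes the book mentions. Real GPG adds signature padding, key packet formats and a web of trust that this version leaves out; the function names (sign, verify, fingerprint, fingerprint_matches) are this example's own.

```python
import hashlib
import hmac
import random

# Constructed example, not GnuPG's code or the book's: the hash-then-sign flow the
# chapter describes, with textbook RSA over deterministically generated primes, plus
# the fingerprint comparison made before trusting an imported public key.

SMALL_PRIMES = [p for p in range(2, 200) if all(p % q for q in range(2, p))]

def is_probable_prime(n, rounds=16):
    """Trial division by small primes, then Miller-Rabin with fixed bases
    (adequate for our own random candidates, not for adversarial input)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512, seed=1):
    """Return (public, private) as (e, n) and (d, n). Seeded RNG: reproducible demo only."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def message_digest(message):
    """Step 1: reduce the message to a fixed-size digest."""
    return hashlib.sha256(message).digest()

def sign(message, private_key):
    """Step 1, second half: 'encrypt' the digest with the private key (digest^d mod n)."""
    d, n = private_key
    h = int.from_bytes(message_digest(message), "big")
    if h >= n:
        raise ValueError("digest does not fit under the modulus")
    return pow(h, d, n)

def verify(message, signature, public_key):
    """Steps 5-7: recover the digest with the public key, recompute it, compare."""
    e, n = public_key
    recovered = pow(signature, e, n).to_bytes(64, "big")
    expected = int.from_bytes(message_digest(message), "big").to_bytes(64, "big")
    return hmac.compare_digest(recovered, expected)

def fingerprint(public_key):
    """Hash of the public key material, shown GPG-style in groups of four hex digits."""
    e, n = public_key
    raw = hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")
                       + e.to_bytes(4, "big")).hexdigest().upper()
    return " ".join(raw[i:i + 4] for i in range(0, len(raw), 4))

def fingerprint_matches(public_key, out_of_band_value):
    """Compare an imported key's fingerprint with one obtained through another
    channel (a web page, a phone call), as the chapter does for the US-CERT key."""
    return hmac.compare_digest(fingerprint(public_key), out_of_band_value.upper())

def demo():
    alice_pub, alice_priv = generate_keypair(seed=1)
    msg = b"Backup tapes go to the offsite vault on Friday."   # constructed message
    sig = sign(msg, alice_priv)
    return {
        "genuine": verify(msg, sig, alice_pub),
        "tampered": verify(msg + b" Also send the spare keys.", sig, alice_pub),
        "wrong_key": verify(msg, sig, generate_keypair(seed=2)[0]),
        "fingerprint": fingerprint(alice_pub),
    }

if __name__ == "__main__":
    print(demo())
```

The three verify calls in demo() show what Bob's step 7 actually protects against: the untouched message verifies, a message altered after signing does not (its digest no longer matches the one recovered from the signature), and a signature checked against the wrong public key does not either, which is why the fingerprint of the key you import has to be confirmed out of band before you rely on it.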
Because the key verification and signing is a potential weak link in GPG, be careful about what keys you sign. By signing a key, you basically say that you trust the key to be from that person or organization.

Signing a file

You may find signing files useful if you send out a file to someone and want to assure the recipient that no one tampered with the file and that you did in fact send the file. GPG makes signing a file very easy. You can compress and sign a file named message with the following command:

    gpg -o message.sig -s message

To verify the signature, type

    gpg --verify message.sig

To get back the original document, simply type

    gpg -o message --decrypt message.sig

Sometimes you don’t care about keeping a message secret, but you simply want to sign it to indicate that the message is from you. In such a case, you can generate and append a clear-text signature with the following command:

    gpg -o message.asc --clearsign message

This command basically appends a clear-text signature to the text message. Here’s a typical clear-text signature block:

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFAfdhOH/butdGSkSMRAo5VAJsFGSlwA3z6PQJwXZVSDCVMjphZFACeIYfB
    YSZSM86EedATw/Hexeqa6TM=
    =vyUl
    -----END PGP SIGNATURE-----

When a message has a clear-text signature appended, you can use GPG to verify the signature with the following command:

    gpg --verify message.asc

The last line of the output says that it’s a good signature.

Encrypting and decrypting documents

To encrypt a message meant for a recipient, you can use the --encrypt (or -e) GPG command. Here’s how you might encrypt a message for US-CERT using its GPG key:

    gpg -o message.gpg -e -r us-cert@us-cert.gov message

The message is encrypted using the US-CERT public key (without any signature, but you can add the signature with an -s command).
When US-CERT receives the message.gpg file, the recipient has to decrypt it using US-CERT’s private key. Here’s the command someone at US-CERT can use:

    gpg -o message --decrypt message.gpg

GPG then prompts for the passphrase to unlock the US-CERT private key and then decrypts the message and saves the output in the file named message.

If you simply want to encrypt a file and no one else has to decrypt the file, you can use GPG to perform what is called symmetric encryption. In this case, you provide a passphrase to encrypt the file with the following GPG command:

    gpg -o secret.gpg -c somefile

GPG prompts you for the passphrase and asks you to repeat the passphrase (to make sure that you didn’t mistype anything). Then GPG encrypts the file using a key generated from the passphrase.

To decrypt a file encrypted with a symmetric key, type

    gpg -o myfile --decrypt secret.gpg

GPG prompts you for the passphrase. If you enter the correct passphrase, GPG decrypts the file and saves the output (in this example) in the file named myfile.

Monitoring System Security

Even if you secure your system, you have to monitor the log files periodically for signs of intrusion. You may want to install the Tripwire software, a great tool for detecting any changes made to the system files so that you can monitor the integrity of critical system files and directories. Your Linux system probably does not come with the Tripwire package. To use Tripwire, you have to download it from www.tripwire.org/downloads/index.php. You should know that you have to download the source tarball (a compressed archive of source files) and then build Tripwire. (Book V, Chapter 4 provides more information on how to build software packages from source files.)
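What a file-integrity checker such as Tripwire does at its core, as an added Python example; this is constructed demonstration code, not Tripwire's implementation and not code from the book. It records a content hash plus the metadata that matters for integrity (size, permission bits, owner) for every file in a tree, saves that baseline, and later compares a fresh scan against it. The demo builds a small throwaway tree and makes four kinds of change, including a permission change on a file whose content is untouched, which a hash alone would miss.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Constructed example, not Tripwire's code or the book's: the core of a file-integrity
# checker. Record a hash and the security-relevant metadata of every file in a tree,
# store that baseline, and later compare a fresh scan against it to report files
# that were added, removed or changed (content or permissions).

def file_record(path):
    """Hash the file contents and capture the metadata that matters for integrity."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(root):
    """Map each regular file (path relative to root) to its record; symlinks are skipped."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline

def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose record differs from the baseline."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "changed": sorted(p for p in old & new if baseline[p] != current[p])}

def demo():
    """Constructed scenario: baseline a small tree, make four kinds of change, report them."""
    root, store = tempfile.mkdtemp(), tempfile.mkdtemp()  # baseline kept outside the tree

    def write(rel, text, mode=0o644):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)

    try:
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("bin/ls", "#!/bin/sh\nexec /usr/bin/ls\n", 0o755)  # stand-in for a binary
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Later changes: content edit, mode change with identical content, deletion, addition
        write("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n"
                            "guest:x:1001:1001::/home/guest:/bin/sh\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)  # only the setuid bit differs
        os.remove(os.path.join(root, "etc/hosts"))
        write("bin/newtool", "#!/bin/sh\n", 0o755)

        return compare(load_baseline(baseline_file), build_baseline(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline is only as trustworthy as its storage: keep it (and the checker itself) on read-only media or on another host, since anyone who can alter the monitored files can otherwise rewrite the baseline to match.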
After you build and install Tripwire, you can configure it to monitor any changes to specified system files and directories on your system. In Debian, type apt-get install tripwire to download and install Tripwire.

Periodically examine the log files in the /var/log directory and its subdirectories. Many Linux applications, including some servers, write log information using the logging capabilities of syslogd. On Linux systems, the log files written by syslogd reside in the /var/log directory. Make sure that only the root user can read and write these files.

The syslogd configuration file is /etc/syslog.conf. The default configuration of syslogd generates the necessary log files; however, if you want to examine and understand the configuration file, type man syslog.conf for more information.

[Disconnected excerpts from Book VI, Chapter 3, Improving Network Security, follow; gaps in the text are marked with ...]

... you connect your Linux system to the Internet through a DSL or cable modem. You can essentially have a packet-filtering firewall inside your Linux system, sitting between the kernel and the applications. ...

Setting Up Simple Firewalls

Using the security level configuration tool

Some Linux distributions, such as Fedora Core and SUSE, include GUI tools ...

... system, place the following line in the /etc/hosts.allow file:

    ALL: 192.168.1.0/255.255.255.0 127.0.0.1

3. If you want to permit access to a specific Internet service to a specific remote host, you can do so by using the following syntax for a line in /etc/hosts.allow:

    server_program_name: hosts

Improving Network Security

Configuring TCP wrapper security ...
... grep inetd to see which Internet super server — inetd or xinetd — your system runs. The inetd server is configured through the /etc/inetd.conf file. You can disable a service by locating the appropriate line in that file and commenting it out by placing a hash mark (#) at the beginning of the line. After saving the configuration file, type /etc/init.d/inetd restart to restart the inetd server. ...

... good performance so that it doesn’t hinder the internal users’ access to specific Internet services (such as HTTP and FTP). A firewall can take many different forms. Here are three common forms of a firewall:

✦ Packet filter firewall: This simple firewall uses a router capable of filtering (blocking or allowing) packets according to a number of their characteristics, including the source and destination ...

Improving Network Security

In This Chapter
✦ Securing Internet services
✦ Using Secure Shell (SSH) for secure remote logins
✦ Setting up simple firewalls
✦ Enabling packet filtering on your Linux system

To secure your Linux system, you have to pay attention to both host security and network security. The distinction between the two types of security is somewhat arbitrary because securing the network involves ...

... chain, which is a sequence of rules. Each rule says what to do with a packet if the header contains certain information (such as the source or destination IP address). If a rule does not apply, iptables consults the next rule in the chain. By default, there are three chains:

✦ INPUT chain: The first set of rules against ...

... shortage of IP addresses. Hiding NAT technology is seldom used because port address translation offers additional features. Port address translation is often the most convenient and secure solution.

Enabling packet filtering on your Linux system

Your Linux system comes with built-in packet-filtering software in the form of something called netfilter that’s in the Linux kernel. All you have to do is use the ...

... involves fixing up things on the host that relate to what Internet services your system offers. In this chapter, I explain how you can secure the Internet services (mostly by not offering unnecessary services), how you can use a firewall to stop unwanted network packets from reaching your network, and how to use Secure Shell for secure remote logins.

Securing Internet Services

For an Internet-connected Linux ...

... network interface (by device name such as eth0, ppp0, and so on). In Step 2, you select services (such as HTTP and FTP) that your SUSE system should be allowed to provide. Step 3 is for configuring a few more features such as forwarding packets between network interfaces and for not allowing any services except those explicitly enabled in Step 2. Finally, in Step 4, you turn on different levels of logging. (For ...

... gateway firewall are superior to those found in packet filter or stateful inspection firewalls.

Using NATs

Network Address Translation (NAT) is an effective tool that enables you to “hide” the network addresses of an internal network behind a firewall. In essence, NAT allows an organization to use private network addresses behind a firewall while still maintaining the ability ...

... software is installed during Linux installation. Table 3-1 lists the main components of the OpenSSH software.

Table 3-1 Components of the OpenSSH Software
Component        Description
/usr/sbin/sshd   This ...

Posted: 23/07/2014, 23:20
