320 Chapter 10 • Dissecting Hacks the standard passwd program in Solaris.They provide for password strength checking before passwords are actually changed in the system files. If the user chooses a password that is considered too weak, the password will be rejected and the user will be asked to choose another one. ; Be sure to require the minimum password length to be eight characters. This can be controlled by changing the value of PASSMIN in /etc/ default/passwd from the default value of six to eight. ; Do not run NIS unless absolutely necessary. Use NIS+ instead, or consider other authentication methods such as Kerberos or LDAP. ; Occasionally run a password-cracking program such as John the Ripper on the password/shadow files to find weak user passwords. Notify the user that their password has been cracked and should be changed. Securing against Trojan Horse Hacks ; Stay current on patch levels to limit or deny an attacker’s ability to gain root privilege levels and install rootkits. ; Restrict access to the cron through the use of the /etc/cron.allow and /etc/cron.deny files. ; Run file-integrity-checking programs such as Tripwire, Fcheck, or AIDE to try to detect trojan programs. ; Set the default search paths in /etc/default/login for users and for root to /usr/bin and /usr/bin:/usr/sbin:/sbin, respectively. Securing against IP Spoofing ; Use SSH in place of the r-services (i.e., rsh, rlogin, rcp, etc.). ; If disabling the r-services is not possible, specify unique IP addresses rather than entire subnets in the /etc/hosts.equiv or .rhosts files.Also specify the username to be granted trusted host access. For example, if the system 192.168.100.1 trusts the host 192.168.100.54, the entry in the /etc/hosts.equiv file for user jdoe would be: +192.168.100.54 jdoe www.syngress.com 158_HPsun_10 10/5/01 10:09 AM Page 320 Dissecting Hacks • Chapter 10 321 ; Use tools such as arpwatch to try to detect possible MAC address spoofing attempts. ; Use SSH in place of the r-services (i.e., rsh, rlogin, rcp, etc.). Q: How does John the Ripper work? A: John the Ripper works in three modes.The first is the wordlist mode. In this simplest mode, John uses a wordlist, encrypts each word, and compares the encrypted hash to the one in the password file.The second mode, single- crack mode, uses the information in the login/GECOS field of the password entry as passwords.This mode is significantly faster than wordlist mode.The third mode is incremental mode.This mode is the most powerful one, as it will try all possible character combinations as passwords. John the Ripper does have one more mode, called the external mode, which is not commonly used. In external mode John uses functions that are coded by the user in a subset of the C language to generate the words it tries.The functions are compiled by John at startup. Q: An attacker hit one of my systems and deleted evidence of the attack from the log files. How can I ensure that such evidence is protected? A: In order to ensure that the logs from a system survive an attack, you will have to setup the syslog facility on your system to log to a syslog server. A syslog server can be any other system that has a syslog daemon running on it and is set up to receive remote syslog messages from other systems.The syslog server should be configured to be as secure as possible, because if an attacker infil- trates a system and discovers that system messages are being logged to a syslog server, that server will most likely become the next target for the attacker. www.syngress.com Frequently Asked Questions The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form. 158_HPsun_10 10/5/01 10:09 AM Page 321 322 Chapter 10 • Dissecting Hacks Q: How do I make TCP hijacking attacks more difficult? A:TCP hijacking attacks are made possible by a weakness in the TCP Initial Sequence Number (ISN).When a client opens a connection to a server using TCP, it sends a SYN packet with the Initial Sequence Number set to some value.The server responds with a SYN-ACK packet with its own ISN, along with an acknowledgement number that is equal to the client’s TCP ISN plus 1.The client then responds to the server with an ACK packet whose sequence number is set to the server’s TCP ISN plus 1. Once that is done, the connection is considered established.The following is an example of this three-way handshake: Sender(client) Destination(server) SYN > (Sequence #: X) < SYN-ACK (Sequence #: X+1, Sequence #: Y) ACK > (Sequence #: Y+1) The problem occurs in the generation of the TCP ISN. In the old days of UNIX, this value would increment by 64000 for every new connection.Today, many operating systems utilize pseudo-random number generators to generate a value for the TCP ISN for every new connection.The strength of Solaris’s TCP ISN generator is controlled by the value of the TCP_STRONG_ISS variable in the file /etc/default/inetinit.This value can be set to 0, 1, or 2. When set to 0, the TCP ISN generation is done using the old sequential method.This is extremely predictable and should never be used.When TCP_STRONG_ISS is set to 1 (which is the default), Solaris uses an improved sequential number generation with random variance in increment.To set Solaris’s TCP ISS generator to utilize strong pseudo-random number genera- tion, in which each TCP ISN is unique for each connection ID, the value of TCP_STRONG_ISS should be set to 2. Another way to increase the randomness of the TCP ISN number gener- ation is to echo a large set of random information to the kernel parameter tcp_1948_phrase.This parameter is write-only, and provides a seed for random number generation in accordance with RFC 1948.To seed the kernel random number generator using this feature, use the command: # ndd -set tcp_1948_phrase <some large set of random numbers> www.syngress.com 158_HPsun_10 10/5/01 10:09 AM Page 322 Dissecting Hacks • Chapter 10 323 Q: How can I keep a Solaris system from participating in denial of service attacks like SMURF? A:The SMURF attack involves sending a spoofed ICMP echo-request packet to a network’s broadcast address.All systems on the network will receive the ICMP echo-request and send an ICMP echo-reply to the source host in the spoofed packet.To keep a Solaris system from participating in a SMURF attack, the kernel parameter ip_respond_to_echo_ broadcast should be set to 0. To do this, use the command: # ndd -set ip_respond_to_echo_broadcast 0 Q: How can I tell if an attacker has installed trojan binaries on my system? A: Sun provides a tool on the SunSolve Web site called the Solaris Fingerprint Database.This is a large database of MD5 signatures for every binary in the Solaris operating system (including patched binaries). If you suspect that a program has been replaced with a trojan binary, go to the SunSolve Web site (http://sunsolve.sun.com) and download the MD5 signature program. Sun provides two versions of this program: one for Solaris SPARC and one for Solaris x86. Run the program with the name of the suspected binary as its argument.The output will be an MD5 hash signature for that binary. Copy that into the input field of the Solaris Fingerprint Database on SunSolve and click the submit button. If the MD5 signature for the suspect binary matches a signature in the database, a confirmation will be shown. Otherwise, the database will return a failure for the match. www.syngress.com 158_HPsun_10 10/5/01 10:09 AM Page 323 158_HPsun_10 10/5/01 10:09 AM Page 324 Detecting and Denying Hacks Solutions in this chapter: ■ Monitoring for Hacker Activity ■ Using Shell Scripts to Alert Systems Administrators ■ What to Do Once You’ve Detected a Hack ■ Monitoring Solaris Log Files ■ Creating Daily Reports ; Summary ; Solutions Fast Track ; Frequently Asked Questions Chapter 11 325 158_HPsun_11 10/4/01 5:37 PM Page 325 326 Chapter 11 • Detecting and Denying Hacks Introduction Someone once asked the Depression-era gangster John Dillinger why he robbed banks. He replied,“Because that’s where they keep the money.” If you have a Solaris system that contains important data or performs mission-critical duties, you certainly want to protect it. However, the more you lock down your system, the more enticing you make it to potential hackers.The first rule to remember when fortifying your defenses is that your efforts will most likely fail. If a deter- mined, skilled hacker wants in, chances are that he or she will get in. Much of this book focuses on configuring and utilizing existing tools to get the maximum intrusion detection and prevention benefits.This chapter focuses on creating your own unique blend of Solaris apps, third-party tools, and custom scripts to fortify your defenses. It also discusses ways to monitor for a breach in your security and methods to sound the alarm when such a breach happens. Monitoring for Hacker Activity Using the assumption that our well-planned defenses will someday fail, we need to put measures in place that will allow us to know when unauthorized access has occurred.The key is to know what to look for. In this section we cover sev- eral ways to monitor a Solaris system for unusual activity. Using Tripwire The term tripwire, when used in conjunction with hunting or warfare, relates to a thin wire stretched across a pathway.When broken by the approaching enemy, this wire sets off an alarm or trap of some kind.The security software called Tripwire, made by the company of the same name, operates much the same way. It was originally written by Gene Kim and Dr. Eugene Spafford of Purdue University.The goal was to take a “snapshot” of important system files, which would then be compared periodically to the current system files.Any changes from the original snapshot set off an alarm.The company very responsibly made the software available to others who had similar security needs, and today it is one of the most popular and effective security tools you can have in your toolbox. Sun Microsystems is a big supporter of Tripwire’s products and recently invested heavily in the company.You can read more about Sun’s relationship with Tripwire at www.sun.com/security. www.syngress.com 158_HPsun_11 10/4/01 5:37 PM Page 326 www.syngress.com The commercial versions of Tripwire’s products cover a wide variety of capa- bilities and services. In this section, we cover the open-source version of Tripwire, which can be compiled for a Solaris system, as well as the commercial versions. Tripwire offers products that will protect your Web services and even your routers, but here we concentrate on the Tripwire for Servers product. Tripwire for Servers offers a graphical user interface (GUI) for installation as well as the ability to be managed remotely with Tripwire’s Tripwire Manager.As you can see from Figure 11.1,Tripwire Manager can manage multiple systems that have the Tripwire agent software installed. Many people use the open-source ver- sion of Tripwire on Linux systems, but there’s no reason you can’t compile your own from the source to run on your Solaris system.The open-source and commer- cial versions of Tripwire use the same policy file, named tw.pol.Tripwire for Servers version 2.4.2 place the policy file in the /usr/local/tripwire/tfs/policy directory. By default,Tripwire does a very good job of protecting a Solaris system. However, if you need added security or want to make changes to the default set- tings, you can do so very easily. In the following sections, we look at several areas of the tw.pol file. Detecting and Denying Hacks • Chapter 11 327 Figure 11.1 Tripwire Manager 158_HPsun_11 10/4/01 5:37 PM Page 327 328 Chapter 11 • Detecting and Denying Hacks The Tripwire Global Settings First let’s look at the global settings in the default tw.pol file (Figure 11.2). Figure 11.2 Global Settings in the Default tw.pol File ########################################################## # ## ######################################################## # # # # # General Use Policy file for Solaris # # # V2.0.2 # # # August 25, 2001 # # # ## ########################################################## ########################################################## # ## ######################################################## # # # This policy file is designed to be generic to all known # solaris distributions. This file provides general # security, quiet reports and fast execution. However, it # is not intended to be a high-security solution for # every machine. # # Tripwire has provided a series of distribution-matched # policy files that provide a higher level of security # than this policy file. These matched files are located # on the Tripwire for Servers CDROM in the policies # folder. Please choose (and modify) the policy file that # is right for your application. # # Tripwire has also provided an on-line policy tool # designed to assist users in creating their own tailored # policy files. Please visit our policy tool site at www.syngress.com Continued 158_HPsun_11 10/4/01 5:37 PM Page 328 Detecting and Denying Hacks • Chapter 11 329 # http://policy.tripwire.com # # The example policy file is best run with Loose # DirectoryChecking enabled. # Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire # Configuration file. # ########################################################## ########################################################## # ## ######################################################## # # # Global Variable Definitions # # These are defined at install time by the installation # script. You may manually edit these if you are using # this file directly and not from the installation script # itself. # # TWROOT = the root folder of Tripwire for Servers # TWBIN = the folder where the Tripwire for Servers # binaries are installed # TWPOL = the folder where the Tripwire for Servers # policy files are kept # TWDB = the folder where the Tripwire for Servers # databases are kept # TWSKEY = the folder where the Tripwire for Servers site # key is kept # TWLKEY = the folder where the Tripwire for Servers # local key is kept # TWREPORT = the folder where the Tripwire for Servers # report files are kept www.syngress.com Figure 11.2 Continued Continued 158_HPsun_11 10/4/01 5:37 PM Page 329 [...]... Aug 19 17:17:17 chevron2 fdc: [ID 114370 kern.info] fd0 at fdc0 Aug 19 17:17:17 chevron2 genunix: [ID 93 67 69 kern.info] fd0 is www.syngress.com 158_HPsun_11 10/4/01 5:37 PM Page 3 49 Detecting and Denying Hacks • Chapter 11 /isa/fdc@1,3f0/fd@0,0 Aug 19 17:17: 19 chevron2 isa: [ID 20 293 7 kern.info] ISA-device: asy0 Aug 19 17:17: 19 chevron2 genunix: [ID 93 67 69 kern.info] asy0 is /isa/asy@1,3f8 Aug 19 17:17:22... 16 89 Good morning - Here's the news from chevron1 for Mon Aug 27 17:21:44 EDT 2001 ************ The last entries in the syslog are: Aug 19 17:17:17 chevron1 genunix: [ID 93 67 69 kern.info] fd0 is /isa/fdc@1,3f0/fd@0,0 Aug 19 17:17: 19 chevron1 isa: [ID 20 293 7 kern.info] ISA-device: asy0 Aug 19 17:17: 19 chevron1 genunix: [ID 93 67 69 kern.info] asy0 is /isa/asy@1,3f8 Continued www.syngress.com 158_HPsun_11... pseudo: [ID 1 296 42 kern.info] pseudo-device: xsvc0 Aug 19 17:17:22 chevron2 genunix: [ID 93 67 69 kern.info] xsvc0 is /pseudo/xsvc@0 Aug 19 17:17:24 chevron2 i8042: [ID 526150 kern.info] 8042 device: mouse@1, mouse8042 # 0 Aug 19 17:17:24 chevron2 genunix: [ID 93 67 69 kern.info] mouse80420 is /isa/i8042@1,60/mouse@1 Aug 19 17:17:25 chevron2 pseudo: [ID 1 296 42 kern.info] pseudo-device: pm0 Aug 19 17:17:25... Denying Hacks • Chapter 11 Figure 11.5 Continued Aug 19 17:17:22 chevron1 pseudo: [ID 1 296 42 kern.info] pseudo-device: xsvc0 Aug 19 17:17:22 chevron1 genunix: [ID 93 67 69 kern.info] xsvc0 is /pseudo/xsvc@0 Aug 19 17:17:24 chevron1 i8042: [ID 526150 kern.info] 8042 device: mouse@1, mouse8042 # 0 Aug 19 17:17:24 chevron1 genunix: [ID 93 67 69 kern.info] mouse80420 is /isa/i8042@1,60/mouse@1 Aug 19 17:17:25... # more /etc/syslog.conf #ident "@(#)syslog.conf 1.5 98 /12/14 SMI" /* SunOS 5.0 */ # # Copyright (c) 199 1- 199 8 by Sun Microsystems, Inc # All rights reserved # # syslog configuration file # # This file is processed by m4 so be careful to quote (`') names www.syngress.com 347 158_HPsun_11 348 10/4/01 5:37 PM Page 348 Chapter 11 • Detecting and Denying Hacks # that match m4 reserved words Also, within ifdef's,... pseudo: [ID 1 296 42 kern.info] pseudo-device: pm0 Aug 19 17:17:25 chevron1 genunix: [ID 93 67 69 kern.info] pm0 is /pseudo/pm@0 *********** The current CPU load over the last 1, 5 and 15 mins is: 0.00 , 0.03 , 0.04 The system was last rebooted: system boot Aug 19 17:16 ******* The users currently logged in are: root console joneill pts/4 scarter pts/5 Aug 19 17:20 (:0) Aug 30 17:16 (luna) Aug 19 17:20 (:0)... It lures the hackers away from our protected systems, it warns us of the hackers’ presence, and it attempts to restrict and record their activities How to Build a Honeypot on a Sun System First, we want to get the hackers’ attention.We do that by making two decisions: Where will the honeypot be located, and what will we call it? Since we’re building a system that we hope will attract hackers, many... important file is /etc/nsswitch.conf, www.syngress.com 3 49 158_HPsun_11 350 10/4/01 5:37 PM Page 350 Chapter 11 • Detecting and Denying Hacks which is used to configure how your system resolves names In addition, a popular directory for hackers to manipulate is /etc/rc.d Since these directories contain the start and stop scripts for each run level, a hacker often inserts code that will keep his or her... of a network of systems One Sun ULTRA 5 can be configured to www.syngress.com 158_HPsun_11 10/4/01 5:37 PM Page 345 Detecting and Denying Hacks • Chapter 11 look like a group of FTP,Web, and Sendmail servers Since you’re running the full Solaris operating system for each “cage,” you’ll require the necessary disk space and RAM for each, but ManTrap is a great tool for luring hackers in another direction... the proper execute permissions, and using the crontab command, we can set cron to run it every 15 minutes www.syngress.com 3 39 158_HPsun_11 340 10/4/01 5:37 PM Page 340 Chapter 11 • Detecting and Denying Hacks What to Do Once You’ve Detected a Hack Now that you’ve detected a hack, what do you do? Most experts will tell you to disconnect all network cables, making sure that there is no physical way . binary, go to the SunSolve Web site (http://sunsolve .sun. com) and download the MD5 signature program. Sun provides two versions of this program: one for Solaris SPARC and one for Solaris x86. Run. match. www.syngress.com 158_HPsun_10 10/5/01 10: 09 AM Page 323 158_HPsun_10 10/5/01 10: 09 AM Page 324 Detecting and Denying Hacks Solutions in this chapter: ■ Monitoring for Hacker Activity ■ Using. if the system 192 .168.100.1 trusts the host 192 .168.100.54, the entry in the /etc/hosts.equiv file for user jdoe would be: + 192 .168.100.54 jdoe www.syngress.com 158_HPsun_10 10/5/01 10: 09 AM Page