
Practical Unix and Internet Security


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 901
Size: 4.73 MB

Content

Practical Unix & Internet Security, 3rd Edition
By Simson Garfinkel, Alan Schwartz, Gene Spafford

Publisher: O'Reilly
Pub Date: February 2003
ISBN: 0-596-00323-4
Pages: 984

This new edition of Practical Unix & Internet Security provides detailed coverage of today's increasingly important security and networking issues. Focusing on the four most popular Unix variants today (Solaris, Mac OS X, Linux, and FreeBSD), this book contains new information on PAM (Pluggable Authentication Modules), LDAP, SMB/Samba, anti-theft technologies, embedded systems, wireless and laptop issues, forensics, intrusion detection, chroot jails, telephone scanners and firewalls, virtual and cryptographic filesystems, WebNFS, kernel security levels, outsourcing, legal issues, new Internet protocols and cryptographic algorithms, and much more.

Copyright
Preface
  Unix "Security"?
  Scope of This Book
  Which Unix System?
  Conventions Used in This Book
  Comments and Questions
  Acknowledgments
  A Note to Would-Be Attackers
Part I: Computer Security Basics
Chapter 1 Introduction: Some Fundamental Questions
  Section 1.1 What Is Computer Security?
  Section 1.2 What Is an Operating System?
  Section 1.3 What Is a Deployment Environment?
  Section 1.4 Summary
Chapter 2 Unix History and Lineage
  Section 2.1 History of Unix
  Section 2.2 Security and Unix
  Section 2.3 Role of This Book
  Section 2.4 Summary
Chapter 3 Policies and Guidelines
  Section 3.1 Planning Your Security Needs
  Section 3.2 Risk Assessment
  Section 3.3 Cost-Benefit Analysis and Best Practices
  Section 3.4 Policy
  Section 3.5 Compliance Audits
  Section 3.6 Outsourcing Options
  Section 3.7 The Problem with Security Through Obscurity
  Section 3.8 Summary
Part II: Security Building Blocks
Chapter 4 Users, Passwords, and Authentication
  Section 4.1 Logging in with Usernames and Passwords
  Section 4.2 The Care and Feeding of Passwords
  Section 4.3 How Unix Implements Passwords
  Section 4.4 Network Account and Authorization Systems
  Section 4.5 Pluggable Authentication Modules (PAM)
  Section 4.6 Summary
Chapter 5 Users, Groups, and the Superuser
  Section 5.1 Users and Groups
  Section 5.2 The Superuser (root)
  Section 5.3 The su Command: Changing Who You Claim to Be
  Section 5.4 Restrictions on the Superuser
  Section 5.5 Summary
Chapter 6 Filesystems and Security
  Section 6.1 Understanding Filesystems
  Section 6.2 File Attributes and Permissions
  Section 6.3 chmod: Changing a File's Permissions
  Section 6.4 The umask
  Section 6.5 SUID and SGID
  Section 6.6 Device Files
  Section 6.7 Changing a File's Owner or Group
  Section 6.8 Summary
Chapter 7 Cryptography Basics
  Section 7.1 Understanding Cryptography
  Section 7.2 Symmetric Key Algorithms
  Section 7.3 Public Key Algorithms
  Section 7.4 Message Digest Functions
  Section 7.5 Summary
Chapter 8 Physical Security for Servers
  Section 8.1 Planning for the Forgotten Threats
  Section 8.2 Protecting Computer Hardware
  Section 8.3 Preventing Theft
  Section 8.4 Protecting Your Data
  Section 8.5 Story: A Failed Site Inspection
  Section 8.6 Summary
Chapter 9 Personnel Security
  Section 9.1 Background Checks
  Section 9.2 On the Job
  Section 9.3 Departure
  Section 9.4 Other People
  Section 9.5 Summary
Part III: Network and Internet Security
Chapter 10 Modems and Dialup Security
  Section 10.1 Modems: Theory of Operation
  Section 10.2 Modems and Security
  Section 10.3 Modems and Unix
  Section 10.4 Additional Security for Modems
  Section 10.5 Summary
Chapter 11 TCP/IP Networks
  Section 11.1 Networking
  Section 11.2 IP: The Internet Protocol
  Section 11.3 IP Security
  Section 11.4 Summary
Chapter 12 Securing TCP and UDP Services
  Section 12.1 Understanding Unix Internet Servers and Services
  Section 12.2 Controlling Access to Servers
  Section 12.3 Primary Unix Network Services
  Section 12.4 Managing Services Securely
  Section 12.5 Putting It All Together: An Example
  Section 12.6 Summary
Chapter 13 Sun RPC
  Section 13.1 Remote Procedure Call (RPC)
  Section 13.2 Secure RPC (AUTH_DES)
  Section 13.3 Summary
Chapter 14 Network-Based Authentication Systems
  Section 14.1 Sun's Network Information Service (NIS)
  Section 14.2 Sun's NIS+
  Section 14.3 Kerberos
  Section 14.4 LDAP
  Section 14.5 Other Network Authentication Systems
  Section 14.6 Summary
Chapter 15 Network Filesystems
  Section 15.1 Understanding NFS
  Section 15.2 Server-Side NFS Security
  Section 15.3 Client-Side NFS Security
  Section 15.4 Improving NFS Security
  Section 15.5 Some Last Comments on NFS
  Section 15.6 Understanding SMB
  Section 15.7 Summary
Chapter 16 Secure Programming Techniques
  Section 16.1 One Bug Can Ruin Your Whole Day
  Section 16.2 Tips on Avoiding Security-Related Bugs
  Section 16.3 Tips on Writing Network Programs
  Section 16.4 Tips on Writing SUID/SGID Programs
  Section 16.5 Using chroot( )
  Section 16.6 Tips on Using Passwords
  Section 16.7 Tips on Generating Random Numbers
  Section 16.8 Summary
Part IV: Secure Operations
Chapter 17 Keeping Up to Date
  Section 17.1 Software Management Systems
  Section 17.2 Updating System Software
  Section 17.3 Summary
Chapter 18 Backups
  Section 18.1 Why Make Backups?
  Section 18.2 Backing Up System Files
  Section 18.3 Software for Backups
  Section 18.4 Summary
Chapter 19 Defending Accounts
  Section 19.1 Dangerous Accounts
  Section 19.2 Monitoring File Format
  Section 19.3 Restricting Logins
  Section 19.4 Managing Dormant Accounts
  Section 19.5 Protecting the root Account
  Section 19.6 One-Time Passwords
  Section 19.7 Administrative Techniques for Conventional Passwords
  Section 19.8 Intrusion Detection Systems
  Section 19.9 Summary
Chapter 20 Integrity Management
  Section 20.1 The Need for Integrity
  Section 20.2 Protecting Integrity
  Section 20.3 Detecting Changes After the Fact
  Section 20.4 Integrity-Checking Tools
  Section 20.5 Summary
Chapter 21 Auditing, Logging, and Forensics
  Section 21.1 Unix Log File Utilities
  Section 21.2 Process Accounting: The acct/pacct File
  Section 21.3 Program-Specific Log Files
  Section 21.4 Designing a Site-Wide Log Policy
  Section 21.5 Handwritten Logs
  Section 21.6 Managing Log Files
  Section 21.7 Unix Forensics
  Section 21.8 Summary
Part V: Handling Security Incidents
Chapter 22 Discovering a Break-in
  Section 22.1 Prelude
  Section 22.2 Discovering an Intruder
  Section 22.3 Cleaning Up After the Intruder
  Section 22.4 Case Studies
  Section 22.5 Summary
Chapter 23 Protecting Against Programmed Threats
  Section 23.1 Programmed Threats: Definitions
  Section 23.2 Damage
  Section 23.3 Authors
  Section 23.4 Entry
  Section 23.5 Protecting Yourself
  Section 23.6 Preventing Attacks
  Section 23.7 Summary
Chapter 24 Denial of Service Attacks and Solutions
  Section 24.1 Types of Attacks
  Section 24.2 Destructive Attacks
  Section 24.3 Overload Attacks
  Section 24.4 Network Denial of Service Attacks
  Section 24.5 Summary
Chapter 25 Computer Crime
  Section 25.1 Your Legal Options After a Break-in
  Section 25.2 Criminal Hazards
  Section 25.3 Criminal Subject Matter
  Section 25.4 Summary
Chapter 26 Who Do You Trust?
  Section 26.1 Can You Trust Your Computer?
  Section 26.2 Can You Trust Your Suppliers?
  Section 26.3 Can You Trust People?
  Section 26.4 Summary
Part VI: Appendixes
Appendix A Unix Security Checklist
  Section A.1 Preface
  Section A.2 Chapter 1: Introduction: Some Fundamental Questions
  Section A.3 Chapter 2: Unix History and Lineage
  Section A.4 Chapter 3: Policies and Guidelines
  Section A.5 Chapter 4: Users, Passwords, and Authentication
  Section A.6 Chapter 5: Users, Groups, and the Superuser
  Section A.7 Chapter 6: Filesystems and Security
  Section A.8 Chapter 7: Cryptography Basics
  Section A.9 Chapter 8: Physical Security for Servers
  Section A.10 Chapter 9: Personnel Security
  Section A.11 Chapter 10: Modems and Dialup Security
  Section A.12 Chapter 11: TCP/IP Networks
  Section A.13 Chapter 12: Securing TCP and UDP Services
  Section A.14 Chapter 13: Sun RPC
  Section A.15 Chapter 14: Network-Based Authentication Systems
  Section A.16 Chapter 15: Network Filesystems
  Section A.17 Chapter 16: Secure Programming Techniques
  Section A.18 Chapter 17: Keeping Up to Date
  Section A.19 Chapter 18: Backups
  Section A.20 Chapter 19: Defending Accounts
  Section A.21 Chapter 20: Integrity Management
  Section A.22 Chapter 21: Auditing, Logging, and Forensics
  Section A.23 Chapter 22: Discovering a Break-In
  Section A.24 Chapter 23: Protecting Against Programmed Threats
  Section A.25 Chapter 24: Denial of Service Attacks and Solutions
  Section A.26 Chapter 25: Computer Crime
  Section A.27 Chapter 26: Who Do You Trust?
  Section A.28 Appendix A: Unix Security Checklist
  Section A.29 Appendix B: Unix Processes
  Section A.30 Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations
Appendix B Unix Processes
  Section B.1 About Processes
  Section B.2 Signals
  Section B.3 Controlling and Examining Processes
  Section B.4 Starting Up Unix and Logging In
Appendix C Paper Sources
  Section C.1 Unix Security References
  Section C.2 Other Computer References
Appendix D Electronic Resources
  Section D.1 Mailing Lists
  Section D.2 Web Sites
  Section D.3 Usenet Groups
  Section D.4 Software Resources
Appendix E Organizations
  Section E.1 Professional Organizations
  Section E.2 U.S. Government Organizations
  Section E.3 Emergency Response Organizations
Colophon
Index

Copyright

Copyright © 2003, 1996, 1991 O'Reilly & Associates, Inc.

Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly & Associates, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. The association between the image of a safe and the topic of Unix and Internet security is a trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Preface

It's been 11 years since the publication of Practical Unix Security—and years since Practical Unix and Internet Security was published—and oh, what a difference that time has made! In 1991, the only thing that most Americans knew about Unix and the Internet was that they were some sort of massive computer network that had been besieged by a "computer virus" in 1988. By 1996, when our second edition was published, the Internet revolution was just beginning to take hold, with more than 10 million Americans using the Internet on a regular basis to send electronic mail, cruise the World Wide Web, and sometimes even shop.

Today it is increasingly difficult for people in much of the world to remember the pre-Internet era. Perhaps 500 million people around the world now use the Internet, with several billion more touched by it in some manner. In the United States more than half the population uses the Internet on a daily basis. We have watched an Internet revolution become a dot-com craze, which then became a bust. And nobody remembers that 1988 Internet worm anymore—these days, most Internet users are bombarded by network worms on a daily basis.

Despite our greater reliance on network computing, the Internet isn't a safer place today than it was in 1991 or in 1996. If anything, the Internet is considerably less secure. Security mishaps on the Internet continue to be front-page stories in newspapers throughout the world. Sadly, these flaws continue to be accommodated rather than corrected.[1] The results are increasingly disastrous. The second edition of this book, for example, noted a security incident in which 20,000 people had their credit card numbers stolen from an Internet service provider; a few months before this third edition went to print, attackers broke into a system operated for the State of California and downloaded personal information on 262,000 state employees. Included in the haul were names, addresses, Social Security numbers—everything needed for identity theft.[2]

[1] We note, however, that the vast majority of viruses, worms, security flaws, and incidents tend to occur in non-Unix systems.

[2] http://www.gocsi.com/press/20020407.html

Computer crime and the threat of cyberterrorism continue to be growing problems. Every year the Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad survey organizations to find their current level of computer crime and intrusions. The 2002 survey had 503 responses from security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities. Some of the results of the survey include:

  • Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months.[3]

    [3] This may mean the others had incidents too, but were unable to detect them or declined to report them.

  • Eighty percent acknowledged financial losses as a result of system security breaches.

  • The combined loss of the 223 respondents who gave dollar values for their annual loss was more than $456 million, of which $171 million was the theft of proprietary information, and $116 million was financial fraud.

  • Contrary to conventional wisdom that insiders are a bigger threat than outsiders, 74% of respondents cited their Internet connection as a frequent point of attack, versus 33% who cited their internal systems as a frequent point of attack. (Of course, insiders could be attacking through the Internet to make themselves look like outsiders.)
  • Slightly more than one-third (34%) reported the intrusions to law enforcement—up from 16% reporting in 1996.

  • Incidents reported included:
      - Computer viruses (85%)
      - Employees abusing their Internet connection, such as downloading pornography or pirated software, or sending inappropriate email (78%)
      - Penetration from outside the organization (40%)
      - Denial of service (DOS) attacks (40%)
      - Unauthorized access or misuse of the company's web sites (38%)

  • One quarter of the respondents who suffered attacks said that they had experienced between and incidents; 39% said that they had experienced 10 or more incidents.

  • The average reported financial loss per company per year was in excess of $2 million.

What do all of these numbers mean for Unix? To be sure, most of the systems in use today are based on Microsoft's Windows operating system. Unix and Unix variants are certainly more secure than Windows, for reasons that we'll discuss in this book. Nevertheless, experience tells us that a poorly administered Unix computer can be just as vulnerable as a typical Windows system: if you have a vulnerability that is known, an attacker can find it, exploit it, and take over your computer. It is our goal in this book to show you how to prevent yourself from ever experiencing this fate—and if you do, it is our goal to tell you what to do about it.

Date posted: 19/04/2019, 11:13
