UNIX Hints & Hacks		ContentsIndex
Chapter 3: Security		Previous ChapterNext Chapter
Sections in this Chapter:   3.1 Delegating root to Multiple Admins   3.5 Permissions Levels   3.8 File Encryption 3.2 The Full Path to Superuser   3.6 Protect root at All Costs   3.9 Clear and Lock 3.3 Monitoring root in the Password File   3.7 File Collecting   3.10 Power Tools 3.4 Vulnerabilities in UNIX		Previous SectionNext Section

3.4 Vulnerabilities in UNIX

3.4.1 Description

Watch out! Certain key areas in the UNIX environment that are targets by hackers often are left vulnerable and probably always will be.

Reason

Poor system administration practices   Treat every system as if an intruder is waiting at your doorstep. Don't be sloppy and leave holes open for intruders to take advantage of. Don't let yourself say, "I'll clean it up later." It usually doesn't take that much time. Here are some of the holes to which I am referring:

• Empty passwords left open and blank in the password file. The same holds true for using the word test and setting the users' passwords to their user IDs.

• Not cleaning up old users' accounts in the password file.
• A fully trusted disregard for root access from host to host.
• Exporting filesystems to the world with root access.
• Opening your console so anyone can display on it.
• Not utilizing shadow passwords when they're available on the system.
• Passing out the root password to those who want it.
• Walking away from an open terminal without locking the screen or logging off the system or walking away with root in an open shell.
• In haste, opening permissions (777) on directories to save time and not dealing with any permission problems.
• Ignoring users for so long that they attempt to do the job themselves.

Reusable/poor passwords   There is no excuse to use recycled passwords or be caught with bad passwords. A lot of users are still ignorant about good passwords. If you must, recommend some to them. A little 10,000 word dictionary can still often crack many passwords. Educate users, enforce the use of good passwords, and use password-cracking software on a regular basis.

CGI applications   One of the biggest holes in systems comes from CGIs. Most Web designers and programmers don't think that a system could be compromised through CGI when a Web site is designed. They are concerned about secure transactions for commerce on the Internet, but not how the computer system itself could be compromised. An insecure CGI can provide access to password files and any other system file if not locked down properly.

Email bombs and spamming   Sending or receiving large quantities of unsolicited email can degrade network and host performance, fill up a disk, or waste users' time. The older versions of sendmail, prior to version 8.9, do not protect against many of the following vulnerabilities:

• The sender does not need to specify a valid domain for any inbound mail to your mailserver.

• Mail can be relayed through your mailserver and create an unnecessary load on your mailserver.
• The sender can use a valid return (Reply To) address in the domain the mail is bouncing through and also create an unnecessary load on your mailserver.
• Inbound mail can not refuse mail if it is not fully qualified when the mailserver receives it.
• There are no access control databases that permit or deny mail from senders or their domains.

Anonymous FTP server   If an anonymous FTP server is not properly configured, users can gain unauthorized access to information or execute arbitrary commands on the server and compromise the system. Avoid using the vendor supplied FTP package that comes with the OS you installed. WU-FTP, from Washington University, is currently the most secure FTP out on the Internet, offering extended features that don't exist in the standard version of FTP. Some of these features include

• Various classification rules can be placed on users to allow or deny access into certain areas. Restricted guest accounts can also be configured.

• This version handles compression and archiving of files on-the-fly.
• A message can be placed on every directory that has the ability to be accessed throughout the system.
• Access control can be set up to allow or deny local domains within a company to have certain rights and privileges over domains coming to the site from the Internet.
• Extra logging features over the standard version of FTP include the logging of all file transfers and commands executed.

BIND and named   There are three distinct problems in recent versions of BIND 4.9 and BIND 8 releases. ( BIND stands for Berkeley Internet Name Domain .) The problems can enable an intruder to gain root-level access to a nameserver or disrupt normal operations to a nameserver in the following ways:

• An improper or maliciously formatted inverse query on a TCP stream can crash the server or enable an attacker to gain root privileges.

• An improperly or maliciously formatted DNS message can cause the server to read invalid memory locations. This yields garbage record data or crashes the server.
• If a self-referential resource record is in cache on a nameserver and this record is in the cache, issuing a zone transfer request using its name causes the server to abort. The hostname cannot match the CNAME. It doesn't even matter if the hostname or target CNAME are valid domains.

Real World Experiences

If you find that some of these problems exist in your environment, don't dive in and make hasty decisions in trying to correct these problems. Fixing one thing can break another. Evaluate each situation individually and take the appropriate steps to rectify the problem. Sometimes it isn't a configuration change but an entire upgrade to new software packages that's necessary.

In the early days of the UNIX Guru Universe (UGU), I knew every level of administrator would be using the Web site and there would be more than a few, like me, who would try to hack into it. UGU is driven by a single CGI. What better Web site to hack into? After 800,000 hits and 15,000 administrators, the site was never compromised. It wasn't until fatigue set in at 3:15 in the morning, when I put an upgraded version in place and forgot to add the security model into the CGI that trouble struck. It didn't take long, fewer than 500 impressions, before I got the email from another administrator informing me that he'd hacked UGU. It was really subtle, in the form of the password file. There was no malicious intent on his part; he wanted to see whether he could and let me know what needed patching. This reaffirms my belief that admins help admins, and don't destroy, punish, hurt, or abuse one another.

Other Resources

World Wide Web:

BIND (ISC)-- http://www.isc.org/new-bind.html

CERT Coordination Center-- http://www.cert.org

Sendmail Consortium-- http://www.sendmail.org

WU-FTP (Academ Consulting Services)-- http://www.academ.com/academ/wu-ftpd

UNIX Hints & Hacks		ContentsIndex
Chapter 3: Security		Previous ChapterNext Chapter
Sections in this Chapter:   3.1 Delegating root to Multiple Admins   3.5 Permissions Levels   3.8 File Encryption 3.2 The Full Path to Superuser   3.6 Protect root at All Costs   3.9 Clear and Lock 3.3 Monitoring root in the Password File   3.7 File Collecting   3.10 Power Tools 3.4 Vulnerabilities in UNIX		Previous SectionNext Section

© Copyright Macmillan USA. All rights reserved.