Table of Contents Previous Chapter Unix System Security.
Securing any computer system involves many steps, including:
The best place to start is by reading articles, such as:
- Knowing how the system may be attacked
- Knowing how to protect against these attacks
- Monitoring your system
- Teaching users how to be "safe" and getting them to work with you
- Knowing what to do when you detect you've been hit
Common methods of attack include:
Make sure you've applied all recommended security patches to your system.
- System crashes
- Repeat crashes usually hardware related
- Read log files/console for panic reasons
- Any patterns (e.g., time of day) should raise suspicion
- New accounts
- New files
- With setuid/setgid bits or root ownership
- Hidden directories (e.g., "..." or with control characters in the name, such as backspace)
- Modified file
- System programs (e.g., login, sh, csh, ps)
- Configuration files (e.g., /etc/rc, /etc/aliases, /etc/hosts.equiv)
- User files (e.g., .login, .cshrc, .history, .rhosts)
- Poor Performance
- May indicate password cracking or packet sniffing programs
- Programs to use: ps, iostat, vmstat, pstat, sar, netstat
- Denial of service
- Exhaustion of finite resources
- File space on partitions (e.g., filling /tmp)
- inode table
- process table
- open files
- virutal memory
- network services
- Destruction of data
- Deleting user files/system configuration files/system programs
Learn about, and use, tools and papers from sources such as these:
Only provide as much access as is necessary:
- Put access controls on IP services with tcp_wrapper
- Remove IP services you don't really need, such as fingerd, sendmail, and tftp
- At the very least, log access with something like tcp_wrapper - add to effectiveness by logging to another host (see "man syslogd")
- Read your log files, or use a tool like swatch
- Detect modified programs with tripwire
This Unix System Security Checklist can serve as a tool to help you with improving and auditing the security of your systems.
- Have security policies in place. COAST has example security policies, including examples from several Universities.
- There are some good guidelines in RFC1244 (chapters 5 and 6) on post-incident response, but it also provides much information on developing policies and procedures
- Send email to email@example.com to report the incident
- Gather and preserve evidence - it may be needed by law enforcement investigators
- Get a copy of Crack (a password cracker) from cert.sei.cmu.edu and run it against your /etc/passwd file. See how many passwords it can break.
- Get a copy of COPS (a system security checker) from cert.sei.cmu.edu and run it on your system to see what it finds. You may wish to set this up so it runs under cron to regularly check your system.
- Here are some interesting articles/papers on system security issues.
Table of Contents Next Chapter