Host Security: Basic Notions
Applied Security
Host security measures

• Host-centric: tailored to the architecture of the individual host.
• Comprehensive: takes into account not only the type of operating system but also its configuration, and protects the applications installed on it.
• Complex and costly, and protects a single host.
Secure host configuration: Unix-like systems
Common Unix Configuration Weaknesses

• Password management issues: weak passwords, default passwords, re-used passwords.
• Exploitable services: FTP/TFTP, Sendmail, other network services.
• Improper file and directory permissions.
• Improper use of setuid.
• Improper network file configuration.
• Unpatched known vulnerabilities.
Basic UNIX access control

In Unix, there are three levels of access control:

• Individual (user): each user has a unique id (uid) in the system.
• Group: by default all users belong to a common "users" group (some distributions), or each user gets a singleton group containing only that user. Users can belong to more than one group (most modern versions). Usually a group is defined per access control category, e.g.:
  root/wheel (general administration)
  www/web (web server administration)
  mail (mail server administration)
  Ad hoc groups can also be created to facilitate collaboration, such as directory and file sharing.
• World (or all, "others"): the universe of all users.
File permissions

• File ownership: each file and directory in UNIX (including programs) is "owned" by a specific user and a specific group. Permissions are then defined for three classes of principal: the owner, the owning group, and the world (everyone else).
• Each class has an associated set of permission values: read, write and execute. Each value is either true (permission granted) or false. Only the owner of a file (or the special user root) can change the file's permission settings.

Example (ls -l output):

drwxr-xr-x  11 brenodem  brenodem  374 30 Aug 13:39 .

This indicates that the file '.' (the current directory) is owned by user brenodem, who belongs to the singleton group brenodem; 11 is the link count and 374 the size in bytes. The directory was last modified on Aug. 30th at 13:39. The leading 'd' marks a directory; the first triple (rwx) grants the user brenodem read, write, and execute permission, and the two following triples (r-x, r-x) grant the group and the world read and execute (but not write) permission.
Meaning of file permissions

• The meaning of permissions for files is clear, but can be subtle for directories: read lets a principal list the directory's contents, write (together with execute) lets it create, rename or delete entries, and execute ("search") lets it traverse the directory, i.e. reach its entries by name.
• For instance, if a world-readable file is located deep within a directory structure, all the parent directories of the file must grant execute permission to the whole world.
• This is because, to resolve a path name, UNIX checks search (execute) permission on each directory component in turn, starting from the top (for instance '/home', then '/home/user', and so on). On the other hand, it is NOT necessary that those directories be world-readable.
• If a directory is not readable by a principal, its contents cannot be listed. However, it may well contain files that are readable by that principal, and these can be opened if their names are known.
Proper file and directory permissions

Any UNIX system contains several directories that are world executable (searchable), where most of the OS services reside:

• /bin (commands)
• /etc (system and service configuration files)
• /usr (utilities and applications)
• /usr/local or /local (extra utilities and applications)

These directories are not required to be world readable; only the files inside them that everyone needs (commands, shared libraries, public configuration) have to be world readable. If the directories themselves are not world readable (and are owned by root), only the system administrator has a global view of the system's configuration and capabilities; other users can still open the files whose names they know.

These directories must be writable only by root, to prevent the installation or replacement of programs and configuration without the administrator's knowledge. In particular they must be "owned" by root.
Changing ownership and permissions

• The root user can change ownership and permissions on any file at will.
• On most modern systems an ordinary user cannot give files away (changing the owner is a root privilege); on some older systems a user may change the ownership of their own files to another user.
• To change the group ownership of a file, you must own the file and you must belong to the new group the file will be assigned to:

chown username filename
chgrp groupname filename

• To change permissions, you must be the file's owner:

chmod [ugoa][+|-][rwx] filename

where u is the file owner (user), g the owning group, o others (the world) and a all three. Example: chmod ug+wx filename adds write and execute permission for both the file owner and the file's group. Note that o means "others", not "owner": chmod og+wx would instead grant write and execute to the group and to the whole world.
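The permission model of the last four slides (the ls -l mode string, the owner/group/world classes, search permission on every directory of a path, and symbolic chmod) as an added example in Python. This is not code from the lecture; the filesystem tree, the uids 1000 and 1001 and the file names in demo_tree() are constructed for the demonstration, and the chmod parser deliberately covers only the + and - forms shown on the slide.

```python
"""Unix discretionary access control modelled in pure Python (added example):
parse an `ls -l` mode string, apply a symbolic chmod clause, and decide whether
a principal may read a path, requiring search (x) permission on every directory
traversed, as the kernel does. The tree in demo_tree() is constructed."""
import stat
from dataclasses import dataclass, field

# (read, write, execute, special) bits for the owner, group and other classes
CLASSES = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX),
)
WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}


def parse_ls_mode(text: str) -> int:
    """'-r-sr-xr-x' -> 0o4555. Lowercase s/t: special bit and execute both set;
    uppercase S/T: special bit set without execute."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    mode = 0
    for i, (r, w, x, special) in enumerate(CLASSES):
        rwx = text[1 + 3 * i: 4 + 3 * i]
        mode |= r if rwx[0] == "r" else 0
        mode |= w if rwx[1] == "w" else 0
        mode |= x if rwx[2] in "xst" else 0
        mode |= special if rwx[2] in "sStT" else 0
    return mode


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply chmod clauses [ugoa]+[+-][rwxs]+ (comma separated). Simplified on
    purpose: no '=' operator, no umask-dependent default, no 'X'."""
    for clause in spec.split(","):
        i, who = 0, 0
        while i < len(clause) and clause[i] in WHO:
            who |= WHO[clause[i]]
            i += 1
        who = who or 0o777                 # a bare "+x" means all classes here
        op, perms, bits = clause[i], clause[i + 1:], 0
        for p in perms:
            if p in "rwx":
                bits |= {"r": 0o444, "w": 0o222, "x": 0o111}[p] & who
            elif p == "s":                 # setuid for u, setgid for g
                bits |= stat.S_ISUID if who & 0o700 else 0
                bits |= stat.S_ISGID if who & 0o070 else 0
            else:
                raise ValueError(f"unsupported permission {p!r}")
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return mode


@dataclass
class Node:
    owner: int
    group: int
    mode: int                              # permission bits, e.g. 0o755
    is_dir: bool = False
    children: dict = field(default_factory=dict)


def permits(node: Node, uid: int, gids: set, want: str) -> bool:
    """Exactly one class applies: owner if the uid matches, else group if one of
    the caller's gids matches, else others (so mode 0o074 is unreadable by the
    owner even though the group may read it)."""
    if uid == 0:   # root bypasses rwx, except executing a file with no x bit at all
        return want != "x" or node.is_dir or bool(node.mode & 0o111)
    shift = 6 if uid == node.owner else 3 if node.group in gids else 0
    return bool(node.mode & ({"r": 4, "w": 2, "x": 1}[want] << shift))


def resolve(root: Node, path: str, uid: int, gids: set) -> Node:
    """Walk from the root; every directory passed through must grant search (x)."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if not node.is_dir or not permits(node, uid, gids, "x"):
            raise PermissionError(f"no search permission on the way to {name!r}")
        node = node.children[name]
    return node


def can_read(root: Node, path: str, uid: int, gids: set) -> bool:
    """Read a file or list a directory; the path must be traversable first."""
    try:
        node = resolve(root, path, uid, gids)
    except (PermissionError, KeyError):
        return False
    return permits(node, uid, gids, "r")


def demo_tree() -> Node:
    """Constructed tree: alice's home is searchable (x) but not listable (r)."""
    alice, bob = 1000, 1001
    return Node(0, 0, 0o755, True, {
        "home": Node(0, 0, 0o755, True, {
            "alice": Node(alice, alice, 0o711, True, {
                "public.txt": Node(alice, alice, 0o644),
                "secret.txt": Node(alice, alice, 0o600)}),
            "bob": Node(bob, bob, 0o700, True, {
                "notes.txt": Node(bob, bob, 0o644)})})})   # readable, but unreachable
```

With this tree, bob (uid 1001) can open /home/alice/public.txt because he knows its name and every directory on the path grants him search permission, but he cannot list /home/alice; alice cannot reach /home/bob/notes.txt at all, even though the file itself is world-readable, because /home/bob denies her search permission. Feeding "-rw-r--r--" through parse_ls_mode and then apply_symbolic(..., "ug+wx") yields 0o774, the slide's corrected chmod example.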
Effective ID

• When a user tries to execute a program, the UNIX system first decides whether the user is authorized to execute it (for instance, the user may belong to the file's group owner, and the file may be executable by the group).
• When the program starts, its effective user id is set to the id of the user (or process) calling it: it is inherited from the parent process, not taken from the file's owner.
• For instance, if a utility program is owned by root (typical) but called by a regular user, the effective id of the running program will equal that of the caller (the user), not root.
• This standard mechanism is not sufficient in some cases. For instance, the login program.
SUID

The login program is invoked by regular users, but must have root privileges in order to read the protected password file (/etc/shadow) and authenticate the user, and then to start a session under a particular user name even though it was called by another. It is therefore installed as a "set user id" (suid) program:

-r-sr-xr-x  1 root  wheel  26756 16 Aug 10:32 /usr/bin/login

Note the 's' in place of the owner's execute bit. It means that whoever calls the program (anybody, as the file is world executable) gets a process running with the effective uid of the file's owner, root, which can read the password file and spawn programs (a shell) under arbitrary user identities. The group wheel is only the file's owning group here; a set-group-id program, which runs with the privileges of its group instead, would show the 's' in the group's execute position (-r-xr-sr-x).
Proper configuration of file permissions

• The system of file access permissions underlies most of the access control decisions of the UNIX operating system.
• It is a flexible mechanism that enables different configurations to accommodate different usage needs.
• Improper configuration of file and directory permissions can create serious vulnerabilities.
• The use of SUID programs is a powerful mechanism that should be used only when necessary: a setuid program runs with its owner's privileges on input supplied by an untrusted caller, so a fragile program with SUID permissions can easily be exploited to grant administrative privileges to an attacker.
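An added example, not from the lecture, of the audit a practitioner runs after the two slides above: walk a tree and report setuid/setgid executables and world-writable entries, the two conditions that let an unprivileged user run or plant privileged code. The demo tree, its file names and their modes are constructed in a temporary directory (so no root privilege is needed to try it); on a real host you would point audit_tree at / or run the find commands quoted in the comment.

```python
"""Audit a directory tree for setuid/setgid executables and world-writable
entries (added example, not from the lecture). Shell equivalents:
    find / -xdev -type f \\( -perm -4000 -o -perm -2000 \\) -ls
    find / -xdev -perm -0002 ! -type l ! \\( -type d -perm -1000 \\) -ls
The demo tree is built in a temporary directory with constructed names."""
import os
import stat
import tempfile


def audit_tree(root: str) -> dict:
    """Return sorted paths (relative to root) under the keys 'setuid',
    'setgid' and 'world_writable'. Symlinks are skipped: their mode bits are
    meaningless and the target is audited where it really lives."""
    found = {"setuid": [], "setgid": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            m = os.lstat(full).st_mode
            if stat.S_ISLNK(m):
                continue
            rel = os.path.relpath(full, root)
            if stat.S_ISREG(m) and m & stat.S_ISUID:
                found["setuid"].append(rel)
            if stat.S_ISREG(m) and m & stat.S_ISGID:
                found["setgid"].append(rel)
            # world-writable sticky directories (/tmp style) are expected; flag the rest
            if m & stat.S_IWOTH and not (stat.S_ISDIR(m) and m & stat.S_ISVTX):
                found["world_writable"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_demo_tree() -> str:
    """Constructed layout mimicking bin/, local/bin/ and tmp/, with two mistakes:
    a world-writable local/bin and a setgid helper installed inside it."""
    root = tempfile.mkdtemp(prefix="hostsec-demo-")

    def put(rel: str, mode: int, is_dir: bool = False) -> None:
        path = os.path.join(root, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)          # explicit chmod so the umask cannot interfere

    put("bin", 0o755, True)
    put("bin/login", 0o4555)          # legitimate setuid binary, as on the slide
    put("bin/ls", 0o755)
    put("local", 0o755, True)
    put("local/bin", 0o777, True)     # anyone can drop a program here: bad
    put("local/bin/helper", 0o2755)   # setgid executable in a writable directory: worse
    put("tmp", 0o1777, True)          # sticky world-writable: normal, not flagged
    return root


if __name__ == "__main__":
    for kind, paths in audit_tree(build_demo_tree()).items():
        print(f"{kind:15s} {paths}")
```

On the demo tree the audit reports bin/login as setuid, local/bin/helper as setgid and local/bin as world-writable, while the sticky tmp directory is left alone. On a real system, compare the setuid list against the package manager's manifest and the owner of each entry: a setuid file that is not root-owned, or that lives in a directory anyone can write, is exactly the "fragile program" the slide warns about.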
Remote shell utilities (the r-commands)

Most Unix systems include the Berkeley "r" utilities (sometimes loosely called RPC utilities, although they are unrelated to Sun RPC) for remote command execution:

• rlogin (remote login)
• rsh (remote shell)
• rcp (remote copy)

Two modes of authentication: host-based and password-based.

• Requests originating at a trusted host, i.e. a host listed in /etc/hosts.equiv (system-wide) or in the target user's ~/.rhosts, and identified only by the source address of the network packets (and its reverse DNS name), are accepted and given a uid equal to the claimed username. (/etc/hosts is just the name-to-address table, and /etc/hosts.allow, used by TCP Wrappers, only decides which hosts may connect to a service at all; neither makes a host's users trusted.) Since the source address is all that is checked, address spoofing or DNS tampering yields a login as any user.
• Requests from non-trusted computers must provide both username and password, both sent as cleartext over the network.
Disabling the r utilities

• The use of the r utilities has been deprecated in favor of the ssh and scp programs, both built on the SSH protocol, which provides encryption and authenticates the server as well as the user.
• For backward compatibility the SSH server supports host-based authentication. This is stronger than in the rsh case, as hosts have SSH host keys with which they can authenticate their identities rather than relying on the source IP address; but it still extends full trust to every account on the trusted host, so it should be enabled only deliberately.
• It is important to ensure that the configuration of /etc/hosts.equiv and of any ~/.rhosts files reflects the trust policies of your network, and that the r services (rlogind, rshd) are disabled whenever possible.
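As an added example (not from the lecture), the sshd_config directives that stop an OpenSSH server from honouring the old host-trust files or accepting host-based authentication. The first two are the OpenSSH defaults, written out so that a configuration audit can assert them rather than rely on the default.

```text
# /etc/ssh/sshd_config (OpenSSH)

# Do not accept a client host key as a substitute for user authentication.
HostbasedAuthentication no

# Never consult ~/.rhosts or ~/.shosts, even if host-based auth is later enabled.
IgnoreRhosts yes

# Only the administrator-controlled /etc/ssh/ssh_known_hosts decides which
# hosts are trusted for host-based authentication, not users' own files.
IgnoreUserKnownHosts yes
```

Check the effective values with `sshd -T | grep -iE 'hostbased|ignorerhosts|ignoreuserknownhosts'` rather than by reading the file, since Match blocks and included files can override what the main file appears to say.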
The UNIX password system: past and present
Early Unix Password System

• In early versions of Unix the password was processed with a "secure hash" (one-way) function derived from the DES cipher: the crypt(3) routine.
• Passwords were restricted to 8 characters: a shorter password was padded with zeros, and on some systems a longer one was silently truncated, so only its first 8 characters counted. The 8 characters were converted into a 56-bit DES key (7 bits per character).
• A 12-bit salt, chosen when the password was set, perturbed the DES algorithm, so that each password has 4096 possible hash values. This defeats a single precomputed dictionary for all users, but not guessing against one user's salt.
• The salted DES was applied 25 times (encrypting a constant all-zero block under the password key), and the salt plus the result were stored in the world-readable /etc/passwd file.
[Figure: the Unix crypt() function built on DES. IP and FP stand for the initial and final permutations, F for the round function, and E for the 32→48-bit expansion function, which crypt(3) modifies using the salt.]
Old /etc/passwd file

An entry in the /etc/passwd file has the following form:

Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell

smith:Ep6mckrOLChF.:100:100:John Smith:/home/smith:/usr/bin/sh
guest:*:200:0::/home/guest:/usr/bin/sh

A '*' in the password field means that the account has been disabled (no password can hash to it), while an EMPTY password field means that no password is required to log in! When shadow passwords are used, the field holds 'x' (or '!' on some systems) and the real hash lives in /etc/shadow.
New /etc/passwd file

Modern systems keep no hashes in /etc/passwd at all. The example below is from Mac OS X: every password field is '*', and the system accounts get /usr/bin/false as their shell so that they cannot log in interactively.

nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
/etc/shadow file

/etc/shadow is readable only by root, which is the point of moving the hashes out of the world-readable /etc/passwd. Entries have the form:

smithj:Ep6mckrOLChF.:10193:0:99999:5:::

where the password hash is followed by:

• The date when the password was last changed, measured in elapsed days since Jan. 1st, 1970 (10193 = Nov. 28th, 1997).
• The minimum number of days before the password can be changed again (0 = any time).
• The maximum number of days after which the password must be changed (99999 in effect means never).
• The number of days before expiry during which the user is warned of the expiring password.
• The number of days after the password expires before the account is disabled (empty = never).
• The date, in days since January 1, 1970, on which the account is disabled (empty = never).
• A reserved field for possible future use.
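Both file formats above, parsed and checked for the password-management weaknesses the lecture lists: empty password fields, hashes left in the world-readable /etc/passwd, legacy DES crypt, duplicate uid 0 accounts, and passwords that never expire. This is an added example, not lecture material; the two sample files are constructed (the smith/smithj entries reuse the slides' values, the rest are invented) and the $6$ entry is a placeholder rather than a real hash.

```python
"""Parse /etc/passwd and /etc/shadow records and flag the password-management
weaknesses described above (added example). Both files below are constructed
samples; the $6$ hash is a placeholder, not a real digest."""
import re
from collections import namedtuple
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # 2-char salt (12 bits) + 11-char hash
PREFIXES = {"$1$": "md5-crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

PASSWD_SAMPLE = """\
root:x:0:0:System Administrator:/root:/bin/sh
smith:Ep6mckrOLChF.:100:100:John Smith:/home/smith:/usr/bin/sh
guest:*:200:0::/home/guest:/usr/bin/sh
backup::300:300:Backup operator:/home/backup:/bin/sh
toor:x:0:0:Second uid 0 account:/root:/bin/sh
sshd:x:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
"""
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
smithj:Ep6mckrOLChF.:10193:0:99999:5:::
toor:!:19000:0:99999:7:::
sshd:*:19000::::::
"""

# Field order as in the two file formats (the ninth shadow field is reserved).
PasswdEntry = namedtuple("PasswdEntry", "name password uid gid gecos home shell")
ShadowEntry = namedtuple("ShadowEntry", "name hash last_change min_days max_days "
                                        "warn_days inactive_days expire_day")


def _days(s):
    """Empty numeric shadow fields mean 'not set'."""
    return int(s) if s else None


def parse_passwd(text):
    out = []
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        out.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), *f[4:]))
    return out


def parse_shadow(text):
    out = []
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        out.append(ShadowEntry(f[0], f[1], *(_days(x) for x in f[2:8])))
    return out


def hash_kind(field):
    """Classify a password field the way the lecture describes it."""
    if field == "":
        return "empty"               # login succeeds with no password at all
    if field == "x":
        return "shadowed"            # the real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"              # nothing hashes to this: account disabled
    for prefix, kind in PREFIXES.items():
        if field.startswith(prefix):
            return kind
    return "des-crypt" if DES_CRYPT.match(field) else "unknown"


def last_change_date(entry):
    """Shadow field 3 is days since the epoch; 10193 -> 1997-11-28."""
    return None if entry.last_change is None else EPOCH + timedelta(days=entry.last_change)


def audit(passwd_text, shadow_text):
    """Return (account, finding) pairs for the weaknesses listed in the lecture."""
    findings = []
    users = parse_passwd(passwd_text)
    uid0 = [u.name for u in users if u.uid == 0]
    if len(uid0) > 1:
        findings.append((",".join(uid0), "multiple-uid-0"))
    for u in users:
        kind = hash_kind(u.password)
        if kind == "empty":
            findings.append((u.name, "empty-password"))
        elif kind not in ("shadowed", "locked"):
            findings.append((u.name, "hash-in-passwd"))   # guessable offline by anyone
    for s in parse_shadow(shadow_text):
        kind = hash_kind(s.hash)
        if kind == "empty":
            findings.append((s.name, "empty-password"))
        elif kind == "des-crypt":
            findings.append((s.name, "legacy-des-crypt"))
        if kind not in ("locked", "empty") and s.max_days in (None, 99999):
            findings.append((s.name, "never-expires"))
    return findings
```

Running audit on the two samples yields six findings: the second uid 0 account (toor), smith's DES hash still sitting in /etc/passwd, backup's empty password, the legacy DES hash for smithj, and two passwords that never expire. Locked accounts ('*' or '!') are deliberately not reported as never expiring, since nothing can log in to them anyway.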
Other changes

Since the introduction of shadow passwords and the new crypt(), other modifications have been introduced, such as MD5-based password hashes ($1$ prefix) and bcrypt, the Blowfish-based scheme ($2a$/$2b$ prefix) introduced by OpenBSD. Blowfish is an interesting choice: the algorithm's key schedule is very slow, and bcrypt repeats it a configurable number of times (the cost factor), making each password hash, and therefore each of an attacker's guesses, expensive (good for security).
Reading assignment for 01/16

• T. Aslam, I. Krsul, and E. H. Spafford, Use of a Taxonomy of Security Faults.
• M. Bishop and D. Klein, Improving System Security Through Proactive Password Checking, Computers and Security 14(3), pp. 233-249 (May/June 1995). http://nob.cs.ucdavis.edu/~bishop/papers/1995c+s/proact.pdf

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Unix files
Unix filesUnix files
Unix files
 
Unix training session 1
Unix training   session 1Unix training   session 1
Unix training session 1
 
Unix File System
Unix File SystemUnix File System
Unix File System
 
Unix files
Unix filesUnix files
Unix files
 
Linux: Basics OF Linux
Linux: Basics OF LinuxLinux: Basics OF Linux
Linux: Basics OF Linux
 
Unix ppt
Unix pptUnix ppt
Unix ppt
 
06 users groups_and_permissions
06 users groups_and_permissions06 users groups_and_permissions
06 users groups_and_permissions
 
Linux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScITLinux practicals T.Y.B.ScIT
Linux practicals T.Y.B.ScIT
 
Unix features, posix and single unix specification
Unix features, posix and single unix specificationUnix features, posix and single unix specification
Unix features, posix and single unix specification
 
Linux ppt
Linux pptLinux ppt
Linux ppt
 
Linux fundamentals
Linux fundamentalsLinux fundamentals
Linux fundamentals
 
Linux Directory Structure
Linux Directory StructureLinux Directory Structure
Linux Directory Structure
 
The unix file system
The unix file systemThe unix file system
The unix file system
 
Introduction to unix
Introduction to unixIntroduction to unix
Introduction to unix
 
Unix
UnixUnix
Unix
 
Introduction to UNIX
Introduction to UNIXIntroduction to UNIX
Introduction to UNIX
 
Linux training
Linux trainingLinux training
Linux training
 
File permissions
File permissionsFile permissions
File permissions
 
Commands and shell programming (3)
Commands and shell programming (3)Commands and shell programming (3)
Commands and shell programming (3)
 
Xfs file system for linux
Xfs file system for linuxXfs file system for linux
Xfs file system for linux
 

Andere mochten auch

Portal de stiri din Romania
Portal de stiri din RomaniaPortal de stiri din Romania
Portal de stiri din RomaniaMihaiu Paul
 
Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)
Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)
Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)Brian Miller, Solicitor
 
An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...
An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...
An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...Brian Miller, Solicitor
 
Consumer Contracts Regulations 2013 - a Guidance Note by Brian Miller Solicitor
Consumer Contracts Regulations 2013 - a Guidance Note by Brian Miller SolicitorConsumer Contracts Regulations 2013 - a Guidance Note by Brian Miller Solicitor
Consumer Contracts Regulations 2013 - a Guidance Note by Brian Miller SolicitorBrian Miller, Solicitor
 
LinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLP
LinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLPLinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLP
LinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLPBrian Miller, Solicitor
 
Protecting your IP and Data Trustee Responsibilities by Brian Miller (Solici...
Protecting your IP and Data  Trustee Responsibilities by Brian Miller (Solici...Protecting your IP and Data  Trustee Responsibilities by Brian Miller (Solici...
Protecting your IP and Data Trustee Responsibilities by Brian Miller (Solici...Brian Miller, Solicitor
 
Cloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing:  Legal Issues and Safety Risks by Brian Miller SolicitorCloud Computing:  Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing: Legal Issues and Safety Risks by Brian Miller SolicitorBrian Miller, Solicitor
 
Eleven Steps To Making Your Website Legally Compliant
Eleven Steps To Making Your Website Legally CompliantEleven Steps To Making Your Website Legally Compliant
Eleven Steps To Making Your Website Legally CompliantBrian Miller, Solicitor
 
Protecting Your Name and Brand from Abuse on Social Media
Protecting Your Name and Brand from Abuse on Social MediaProtecting Your Name and Brand from Abuse on Social Media
Protecting Your Name and Brand from Abuse on Social MediaBrian Miller, Solicitor
 
What All Organisations Need to Know About Data Protection and Cloud Computing...
What All Organisations Need to Know About Data Protection and Cloud Computing...What All Organisations Need to Know About Data Protection and Cloud Computing...
What All Organisations Need to Know About Data Protection and Cloud Computing...Brian Miller, Solicitor
 
How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...
How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...
How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...Brian Miller, Solicitor
 
Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...
Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...
Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...Brian Miller, Solicitor
 

Andere mochten auch (14)

Portal de stiri din Romania
Portal de stiri din RomaniaPortal de stiri din Romania
Portal de stiri din Romania
 
Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)
Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)
Data Protection in the Age of BYOD and Social Media by Vicki Bowles (Barrister)
 
An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...
An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...
An Introduction to Intellectual Property by Brian Miller, Trademark Lawyer an...
 
Consumer Contracts Regulations 2013 - a Guidance Note by Brian Miller Solicitor
Consumer Contracts Regulations 2013 - a Guidance Note by Brian Miller SolicitorConsumer Contracts Regulations 2013 - a Guidance Note by Brian Miller Solicitor
Consumer Contracts Regulations 2013 - a Guidance Note by Brian Miller Solicitor
 
LinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLP
LinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLPLinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLP
LinkedIn for Luddites by Brian Miller, Solicitor, Stone King LLP
 
Protecting your IP and Data Trustee Responsibilities by Brian Miller (Solici...
Protecting your IP and Data  Trustee Responsibilities by Brian Miller (Solici...Protecting your IP and Data  Trustee Responsibilities by Brian Miller (Solici...
Protecting your IP and Data Trustee Responsibilities by Brian Miller (Solici...
 
Key Points on The Law Relating To CCTV
Key Points on The Law Relating To CCTVKey Points on The Law Relating To CCTV
Key Points on The Law Relating To CCTV
 
Cloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing:  Legal Issues and Safety Risks by Brian Miller SolicitorCloud Computing:  Legal Issues and Safety Risks by Brian Miller Solicitor
Cloud Computing: Legal Issues and Safety Risks by Brian Miller Solicitor
 
Eleven Steps To Making Your Website Legally Compliant
Eleven Steps To Making Your Website Legally CompliantEleven Steps To Making Your Website Legally Compliant
Eleven Steps To Making Your Website Legally Compliant
 
Protecting Your Name and Brand from Abuse on Social Media
Protecting Your Name and Brand from Abuse on Social MediaProtecting Your Name and Brand from Abuse on Social Media
Protecting Your Name and Brand from Abuse on Social Media
 
What All Organisations Need to Know About Data Protection and Cloud Computing...
What All Organisations Need to Know About Data Protection and Cloud Computing...What All Organisations Need to Know About Data Protection and Cloud Computing...
What All Organisations Need to Know About Data Protection and Cloud Computing...
 
A Guide to the Consumer Rights Act 2015
A Guide to the Consumer Rights Act 2015A Guide to the Consumer Rights Act 2015
A Guide to the Consumer Rights Act 2015
 
How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...
How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...
How to Prevent Your Organisation’s IP from Being Stolen by Brian Miller Solic...
 
Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...
Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...
Social Media and Your Staff by Brian Miller and Jean Boyle, solicitors at Sto...
 

Ähnlich wie Host security

Unix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell ScriptUnix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell Scriptsbmguys
 
16. Computer Systems Basic Software 2
16. Computer Systems   Basic Software 216. Computer Systems   Basic Software 2
16. Computer Systems Basic Software 2New Era University
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemSadia Bashir
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating Systemsubhsikha
 
Linux: An Unbeaten Empire
Linux: An Unbeaten EmpireLinux: An Unbeaten Empire
Linux: An Unbeaten EmpireYogesh Sharma
 
linux-lecture1.ppt
linux-lecture1.pptlinux-lecture1.ppt
linux-lecture1.pptNikhil Raut
 
UNIT II-Programming in Linux
UNIT II-Programming in LinuxUNIT II-Programming in Linux
UNIT II-Programming in LinuxDr.YNM
 
Unix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basiUnix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basiPriyadarshini648418
 
LINUX
LINUXLINUX
LINUXARJUN
 
Linux Getting Started
Linux Getting StartedLinux Getting Started
Linux Getting StartedAngus Li
 
Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubDevang Garach
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linuxPapu Kumar
 

Ähnlich wie Host security (20)

Unix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell ScriptUnix/Linux Basic Commands and Shell Script
Unix/Linux Basic Commands and Shell Script
 
16. Computer Systems Basic Software 2
16. Computer Systems   Basic Software 216. Computer Systems   Basic Software 2
16. Computer Systems Basic Software 2
 
Tutorial 2
Tutorial 2Tutorial 2
Tutorial 2
 
Lesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File SystemLesson 2 Understanding Linux File System
Lesson 2 Understanding Linux File System
 
Unix Operating System
Unix Operating SystemUnix Operating System
Unix Operating System
 
Basic orientation to Linux
Basic orientation to LinuxBasic orientation to Linux
Basic orientation to Linux
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Linux security
Linux securityLinux security
Linux security
 
Linux: An Unbeaten Empire
Linux: An Unbeaten EmpireLinux: An Unbeaten Empire
Linux: An Unbeaten Empire
 
linux-lecture1.ppt
linux-lecture1.pptlinux-lecture1.ppt
linux-lecture1.ppt
 
Linux
LinuxLinux
Linux
 
UNIT II-Programming in Linux
UNIT II-Programming in LinuxUNIT II-Programming in Linux
UNIT II-Programming in Linux
 
Unix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basiUnix_Introduction_BCA.pptx the very basi
Unix_Introduction_BCA.pptx the very basi
 
LINUX
LINUXLINUX
LINUX
 
Linux Getting Started
Linux Getting StartedLinux Getting Started
Linux Getting Started
 
Basics of Linux Commands, Git and Github
Basics of Linux Commands, Git and GithubBasics of Linux Commands, Git and Github
Basics of Linux Commands, Git and Github
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
Linux administration classes in mumbai
Linux administration classes in mumbaiLinux administration classes in mumbai
Linux administration classes in mumbai
 
Introduction 2 linux
Introduction 2 linuxIntroduction 2 linux
Introduction 2 linux
 
Introduction to Unix
Introduction to UnixIntroduction to Unix
Introduction to Unix
 

Kürzlich hochgeladen

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Kürzlich hochgeladen (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Host security

  • 2. Host security measures
    - Host-centric: tailored to the host architecture; takes into account not only the type of operating system but also its configuration.
    - Comprehensive: also protects the installed applications.
    - Complex and costly; protects a single host.
  • 6. Common Unix Configuration Weaknesses
    - Password management issues: weak passwords, default passwords, re-used passwords
    - Exploitable services: FTP/TFTP, Sendmail, other services
    - Improper file and directory permissions
    - Improper use of setuid
    - Improper network file configuration
    - Unpatched known vulnerabilities
  • 7. Basic UNIX access control
    In Unix there are three levels of access control:
    - Individual (user): each user has a unique id (uid) in the system.
    - Group: depending on the distribution, all users by default belong to a shared "users" group, or each user gets a singleton group containing only that user. Users can belong to more than one group (most modern versions). Usually a group is defined per access control category, e.g. root/wheel (general administration), www/web (web server administration), mail (mail server administration); ad hoc groups can be used to facilitate collaboration such as directory and file sharing.
    - World (or all): the universe of all users.
  • 8. File permissions
    File ownership: each file and directory in UNIX (including programs) is owned by a specific user and a specific group; every other user falls into the "world" class. For each of the three classes (owner, group, world) there is an associated set of permission values: read, write and execute. Each value is either true (permission granted) or false. Only the owner of a file (or the special user root) can change the file's permission settings.
    Example:
    drwxr-xr-x  11 brenodem brenodem 374 30 Aug 13:39 .
    This says that the file '.' (the current directory) is owned by user brenodem and by the group brenodem (the user's singleton group); the leading 'd' marks it as a directory, 11 is its link count and 374 its size in bytes. The directory was last modified on Aug. 30th at 13:39. The user brenodem is granted read, write, and execute permission on it. The group and the world are granted read and execute (but not write) permission.
  • 9. Meaning of file permissions
    The meaning of the permissions for files is clear, but it is more subtle for directories. For a directory, "execute" means search permission: the right to look up a name inside it. If a world-accessible file is located deep within a directory tree, every parent directory of the file must grant execute permission to the world, because the kernel resolves a path one component at a time and checks search permission on each directory it passes through (the same check that makes cd into a directory succeed or fail). On the other hand, it is NOT necessary that those directories be world-readable. If a directory is not readable by a principal, its contents cannot be listed; but it may well contain files that are readable by that principal, and these can be opened if their names are known.
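    The rule above, worked through as an added example (this is not code from the slides): a model of the Unix path-resolution check in which every directory on the way needs execute (search) permission, only the final file needs the requested access, and listing a directory needs read on that directory. The Node and Principal objects, uids and the tree layout are all constructed for the illustration; no real files are touched.

```python
# Added example (not part of the original slides): a model of the Unix
# path-resolution check.  Every directory on the way needs execute (search)
# permission for the caller, only the final file needs the requested access,
# and listing a directory needs read on that directory.  All nodes and
# principals below are constructed; no real files are touched.
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1


@dataclass(frozen=True)
class Node:
    """Constructed stand-in for a stat() result: permission bits plus owner."""
    mode: int            # e.g. 0o755
    uid: int
    gid: int
    is_dir: bool = False


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset      # primary plus supplementary groups


def permits(node: Node, who: Principal, want: int) -> bool:
    """Classic Unix DAC check.  Exactly one of the owner/group/other triplets
    applies, chosen by identity (owner first, then group), never the most
    permissive one.  Root bypasses read/write and directory search, but
    still needs at least one x bit to execute a regular file."""
    if who.uid == 0:
        return want != EXEC or node.is_dir or bool(node.mode & 0o111)
    if who.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in who.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def can_open(path_nodes, who: Principal, want: int = READ) -> bool:
    """path_nodes lists every component from the root directory down to the
    target.  The caller must be able to search every directory on the way."""
    *dirs, target = path_nodes
    if not all(d.is_dir and permits(d, who, EXEC) for d in dirs):
        return False
    return permits(target, who, want)


def can_list(dir_node: Node, who: Principal) -> bool:
    """ls needs read on the directory; x alone only lets you use known names."""
    return dir_node.is_dir and permits(dir_node, who, READ)


# Constructed tree: / (755) -> /home (755) -> /home/brenodem (711) -> notes (644)
ROOT = Node(0o755, 0, 0, is_dir=True)
HOME = Node(0o755, 0, 0, is_dir=True)
USERDIR = Node(0o711, 1000, 1000, is_dir=True)   # searchable, not listable
NOTES = Node(0o644, 1000, 1000)
PATH = [ROOT, HOME, USERDIR, NOTES]

owner = Principal(1000, frozenset({1000}))
other = Principal(1001, frozenset({1001}))

if __name__ == "__main__":
    print(can_open(PATH, other))          # True: world-readable, x on every dir
    print(can_list(USERDIR, other))       # False: names cannot be enumerated
    closed = [ROOT, HOME, Node(0o700, 1000, 1000, is_dir=True), NOTES]
    print(can_open(closed, other))        # False: parent lacks x for the world
```

    Note that the owner triplet is chosen by identity: a file with mode 0o007 is readable by the world but not by its own owner, which is exactly how the kernel behaves.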
  • 10. Proper file and directory permissions
    Any UNIX system contains several directories that are world executable (searchable), where most of the OS services reside:
    - /bin (commands)
    - /etc (configuration files for the above)
    - /usr (utilities and applications)
    - /usr/local or /local (extra utilities and applications)
    These directories are not required to be world readable; only the files in them need to be world readable. If the directories are not world readable (and are owned by root), then only the system administrator can get a global view of the system configuration and capabilities. These directories must be writable only by root, to prevent the installation or replacement of programs without the administrator's knowledge. In particular, they must be owned by root.
  • 11. Changing ownership and permissions
    The root user can change ownership and permissions on files at will. On some systems a user may give away ownership of their own files to other users; most modern systems (Linux included) restrict chown to root. To change the group ownership of a file, you must own the file and you must belong to the new group the file will be assigned to:
    chown username filename
    chgrp groupname filename
    To change permissions, you must be the file's owner:
    chmod [u|g|o|a][+|-][r|w|x] filename
    where u is the owner (user), g the group, o others (the world) and a all three. Example: chmod og+wx filename adds write and execute permission for the file's group and for everyone else. It does not touch the owner's bits: 'o' means "others", not "owner".
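    As an added example (not code from the slides), the following applies chmod's symbolic syntax to a numeric mode and renders the result the way ls -l shows it, so the effect of 'chmod og+wx' can be checked without touching a file. It covers [ugoa]*[+-=][rwxst]* clauses separated by commas; the real chmod(1) consults the umask for a clause with no who-letters, which is simplified here to "a" (an assumption, marked in the code).

```python
# Added example (not from the slides): apply chmod's symbolic syntax to a
# numeric mode and render the result the way ls -l shows it.  Covers
# [ugoa]*[+-=][rwxst]* clauses separated by commas; the real chmod(1) also
# honours the umask for a clause with no who-letters, which is simplified
# here to "a" (assumption noted below).
import re

WHO = {"u": 0o700, "g": 0o070, "o": 0o007}          # o = others, not owner
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}
SPECIAL = {"s": {"u": 0o4000, "g": 0o2000}, "t": {"o": 0o1000}}
CLAUSE = re.compile(r"([ugoa]*)([+\-=])([rwxst]*)")


def apply_symbolic(mode: int, spec: str) -> int:
    """Return the mode obtained by applying `spec` (e.g. 'og+wx') to `mode`."""
    for clause in spec.split(","):
        m = CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"bad chmod clause: {clause!r}")
        who, op, perms = m.groups()
        who = "ugo" if (not who or "a" in who) else who   # assumption: empty who == 'a'
        who_mask = 0
        for w in who:
            who_mask |= WHO[w]
        bits = 0
        for p in perms:
            if p in PERM:
                bits |= PERM[p] & who_mask
            else:                                         # s or t
                for w in who:
                    bits |= SPECIAL[p].get(w, 0)
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=': clear the addressed classes (and their special bits) first
            clear = who_mask
            for w in who:
                clear |= SPECIAL["s"].get(w, 0) | SPECIAL["t"].get(w, 0)
            mode = (mode & ~clear) | bits
    return mode & 0o7777


def render(mode: int) -> str:
    """Nine-character permission string as printed by ls -l (without the type)."""
    out = []
    for shift, special, letter in ((6, 0o4000, "s"), (3, 0o2000, "s"), (0, 0o1000, "t")):
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        if mode & special:
            out.append(letter if bits & 1 else letter.upper())
        else:
            out.append("x" if bits & 1 else "-")
    return "".join(out)


if __name__ == "__main__":
    m = apply_symbolic(0o644, "og+wx")            # the slide's example
    print(oct(m), render(m))                       # 0o677 rw-rwxrwx: owner unchanged
    print(render(apply_symbolic(0o755, "u+s")))    # rwsr-xr-x, a set-user-id file
```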
  • 12. Effective ID
    When a user tries to execute a program, the system first decides whether the user is authorized to execute it (for instance, the user may belong to the file's group, and the file may be executable by the group). When the program starts, its effective user ID is set to the ID of the user (or process) that invoked it. For instance, if a utility program is owned by root (typical) but called by a regular user, the effective id of the running program equals that of the caller (the user), not root. This standard mechanism is not sufficient in some cases; the login program is one example.
  • 13. SUID
    The login program is invoked by regular users, but must have root privileges in order to read the protected password file (/etc/shadow) and authenticate the user. A program marked this way runs under the identity of its owner even when invoked by another user. This is called a "set user id" program (suid).
    -r-sr-xr-x  1 root wheel 26756 16 Aug 10:32 /usr/bin/login
    Note the 's' in place of the owner's 'x' in the permission list. It means that whoever executes the file (could be anybody, as it is world executable) gets a process whose effective uid is that of the file's owner, root, which can read the password file and spawn programs (a shell) under arbitrary user identities. wheel is merely the file's group here; an 's' in the group's execute position would mean set-group-id instead.
  • 14. Proper configuration of file permissions
    The system of file access permissions underlies most of the access control decisions of the UNIX operating system. It is a flexible mechanism that enables different configurations to accommodate different usage needs, but improper configuration of file and directory permissions can create serious vulnerabilities. SUID programs are a powerful mechanism that should be used only when necessary: a fragile program with the SUID bit set can be exploited to grant administrative privileges to an attacker, since any bug in it runs with the owner's (usually root's) privileges.
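    To make the checks of slides 10, 13 and 14 concrete, here is an added example (not code from the slides) that audits a directory tree for the weaknesses they name: world-writable entries, entries not owned by the expected administrator uid, and set-user-ID / set-group-ID executables. It runs against a constructed temporary tree so it is self-contained; on a real host, point audit() at /bin, /etc and /usr and leave trusted_uid at 0. The file names and modes planted in the demo tree are assumptions for the illustration.

```python
# Added example (not from the slides): a minimal audit for the weaknesses the
# slides call out in system directories: world-writable entries, entries not
# owned by the expected administrator uid, and set-user-ID / set-group-ID
# executables.  It is run here against a constructed temporary tree so that
# it is self-contained; point audit() at /bin, /etc, /usr on a real host and
# leave trusted_uid at 0 (root).  Sticky world-writable directories such as
# /tmp are deliberately not reported.
import os
import shutil
import stat
import tempfile


def audit(root, trusted_uid=0):
    """Walk `root` and return sorted (finding, relative_path) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:       # raced with a removal
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue                    # symlink bits are not enforced; audit the target
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append(("world-writable", rel))
            if st.st_uid != trusted_uid:
                findings.append(("unexpected-owner", rel))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID) and mode & 0o111:
                findings.append(("setuid-or-setgid", rel))
    return sorted(findings)


def build_demo_tree():
    """Constructed layout with one planted problem of each kind (plus a benign
    sticky tmp).  Only the set-user-ID bit is planted: an unprivileged user may
    set it on a file they own, whereas set-group-ID is silently dropped unless
    they belong to the file's group."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    layout = {
        "bin/ls": 0o755,                 # fine
        "bin/su": 0o4755,                # set-user-ID binary
        "etc/passwd": 0o644,             # fine
        "usr/local/bin/helper": 0o777,   # world-writable program: anyone can replace it
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    os.makedirs(os.path.join(root, "tmp"))
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    return root


def demo():
    """Build the tree, audit it as the current user and clean up."""
    root = build_demo_tree()
    try:
        return audit(root, trusted_uid=os.getuid())
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:18} {path}")
```

    The demo passes the current uid as trusted_uid because an unprivileged process cannot create files owned by root; on a real system the ownership finding is the one that catches packages installed under the wrong account.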
  • 15. RPC Utilities
    Most Unix systems include the suite of remote-command utilities (the BSD "r-commands"; they are called "RPC utilities" here although they are not Sun RPC services):
    - rlogin (remote login)
    - rsh (remote shell)
    - rcp (remote copy)
    Two modes of authentication: host-based and password-based.
    - Requests originating at a trusted host (a host listed in /etc/hosts.equiv, or in the target user's ~/.rhosts; /etc/hosts only maps names to addresses, and /etc/hosts.allow, where TCP Wrappers is used, only filters which hosts may connect at all) are identified solely by the source address of the network packets, and are accepted and given the uid of the claimed username. Since a source address can be spoofed, this trust is only as strong as the network.
    - Requests from non-trusted computers must provide both username and password (both sent as cleartext over the network).
  • 16. Disabling RPC utilities
    The r-command utilities have been deprecated in favor of the ssh and scp programs, both built on the SSH protocol, which provides encryption. For backward compatibility sshd supports host-based authentication (HostbasedAuthentication, off by default in OpenSSH, with trust listed in /etc/shosts.equiv or ~/.shosts). This is stronger than in the r-command case, as hosts hold SSH keys with which they prove their identity instead of relying on a source address. It is important to ensure that the configuration of the hosts.equiv and .rhosts files (and of shosts.equiv and .shosts) reflects the trust policies of your network, and that the r-command utilities are disabled whenever possible.
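    The host-based trust decision of the previous two slides, as an added example (not code from the slides or from any r-command implementation): an evaluator over the hosts.equiv line syntax as I read hosts.equiv(5), where "host" trusts every user on that host to log in as the same local name, "host user" trusts that one remote user to become any non-root local account, a bare "+" in the host column matches every host, and a leading "-" denies. Netgroups (@name) and per-user ~/.rhosts files are not modelled, the sample file is constructed, and the remote host name is whatever the connection's source address resolves to, which the server cannot verify.

```python
# Added example (not from the slides): an evaluator for the host-based trust
# that rlogin/rsh/rcp grant, using the hosts.equiv(5) line syntax as I read it:
# "host" trusts every user on host to log in as the same local name,
# "host user" trusts that one remote user to become any non-root local user,
# a bare "+" in the host column matches every host, and a leading "-" denies.
# Netgroups (@name) and per-user ~/.rhosts files are not modelled.  The
# sample file is constructed.

SAMPLE_HOSTS_EQUIV = """\
# constructed /etc/hosts.equiv
-badhost.example.net
build.example.net
backup.example.net   operator
+
"""


def parse_hosts_equiv(text):
    """Return a list of (host, user_or_None) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rules.append((parts[0], parts[1] if len(parts) > 1 else None))
    return rules


def is_trusted(rules, remote_host, remote_user, local_user):
    """Would the r-command accept remote_user@remote_host as local_user
    without a password?  First matching rule decides."""
    if local_user == "root":
        return False          # hosts.equiv is never consulted for root
    for host, user in rules:
        if host.startswith("-"):
            if host[1:] == remote_host:
                return False  # explicit deny stops the search
            continue
        if host != "+" and host != remote_host:
            continue
        if user is None:
            if remote_user == local_user:
                return True
        elif user == "+" or user == remote_user:
            return True       # may become any non-root local account
    return False


def risky_rules(rules):
    """Wildcards grant far more than a scoped trust policy ever should."""
    return [(h, u) for h, u in rules if h == "+" or u == "+"]


if __name__ == "__main__":
    rules = parse_hosts_equiv(SAMPLE_HOSTS_EQUIV)
    print(is_trusted(rules, "build.example.net", "alice", "alice"))     # True
    print(is_trusted(rules, "anything.example.org", "alice", "alice"))  # True, because of "+"
    print(risky_rules(rules))                                           # [('+', None)]
```

    The last line of the sample file is the classic misconfiguration: a lone "+" turns every host whose address the attacker can present into a trusted one, which is why reviewing these files (and disabling the services) matters.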
  • 18. Early Unix Password System
    In early versions of Unix, the password was processed with a "secure hash" function derived from the DES cipher (crypt(3)). The salt was restricted to 12 bits, so there were only 4096 possible salt values, i.e. 4096 possible hashes for any given password. Passwords were restricted to 8 characters:
    - the 8 characters (7 bits each) were converted into a 56-bit DES key;
    - passwords shorter than 8 characters were padded with zeros; longer passwords were truncated;
    - the salt modifies the DES cipher, which is then applied 25 times to a block of zeros;
    - the result was stored in the world-readable /etc/passwd file.
  • 20. [Figure: DES round structure.] IP and FP stand for the initial and final permutations, respectively; F is the round function; E is the expansion function (32→48 bits), which crypt(3) modifies using the salt.
  • 21. Old /etc/passwd file
    An entry in the /etc/passwd file has the following form:
    Name:Password:UserID:PrimaryGroupID:Gecos:HomeDirectory:Shell
    smith:Ep6mckrOLChF.:100:100:John Smith:/home/smith:/usr/bin/sh
    guest:*:200:0::/home/guest:/usr/bin/sh
    A '*' in the password field means that the account has been disabled (no hash output can ever match it), while an empty password field means that no password is required for login! When shadow passwords are used, '!' or 'x' substitutes for the password and the real hash lives in /etc/shadow.
  • 22. New /etc/passwd file
    nobody:*:-2:-2:Unprivileged User:/:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    smmsp:*:25:25:Sendmail User:/private/etc/mail:/usr/bin/false
    lp:*:26:26:Printing Services:/var/spool/cups:/usr/bin/false
    sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
    qtss:*:76:76:QuickTime Streaming Server:/var/empty:/usr/bin/false
  • 23. /etc/shadow file
    Entries are of the form:
    smithj:Ep6mckrOLChF.:10193:0:99999:5:::
    where the password hash is followed by:
    - the date the password was last changed, in days since Jan. 1st, 1970 (a value of 0 forces a change at the next login)
    - the number of days before the password can be changed again (minimum age)
    - the number of days after which the password must be changed (maximum age)
    - the number of days before expiry during which the user is warned
    - the number of days after the password expires before the account is disabled (inactivity period)
    - the date on which the account is disabled, in days since Jan. 1st, 1970
    - a reserved field for possible future use
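    As an added example for the two file formats above (not code from the slides): parsers for /etc/passwd and /etc/shadow lines, a classifier for the password field states the slides describe ('*', '!', 'x', empty), and the aging decision that login or an auditor makes from the shadow fields. The sample lines are constructed from the slides' illustrative entries; the hash string is never verified.

```python
# Added example (not from the slides): parsers for the /etc/passwd and
# /etc/shadow line formats, plus the password-aging decision an auditor (or
# the login program) makes from the shadow fields.  Sample lines are
# constructed; the hash value is the slides' illustrative string and is never
# verified here.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)

SAMPLE_PASSWD = "smith:x:100:100:John Smith:/home/smith:/usr/bin/sh"
SAMPLE_SHADOW = "smithj:Ep6mckrOLChF.:10193:0:99999:5:::"


def password_state(field: str) -> str:
    """Classify the password field of a passwd or shadow entry."""
    if field == "":
        return "no-password-required"    # login succeeds without a password!
    if field == "x":
        return "shadowed"                # the hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"                  # no hash output can ever match
    return "hashed"


@dataclass
class PasswdEntry:
    name: str
    password: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 7:
        raise ValueError(f"passwd line needs 7 fields, got {len(f)}")
    return PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6])


@dataclass
class ShadowEntry:
    name: str
    password: str
    last_change: Optional[int]     # days since epoch; 0 = change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]      # days since epoch on which the account is disabled


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError(f"shadow line needs 9 fields, got {len(f)}")
    return ShadowEntry(f[0], f[1], *map(_opt_int, f[2:8]))   # f[8] is reserved


def last_change_date(entry: ShadowEntry) -> Optional[date]:
    if entry.last_change is None:
        return None
    return EPOCH + timedelta(days=entry.last_change)


def password_status(entry: ShadowEntry, today_iso: str) -> str:
    """Aging decision for a given day (ISO string, to keep the example deterministic)."""
    today = (date.fromisoformat(today_iso) - EPOCH).days
    if entry.expire_day is not None and today >= entry.expire_day:
        return "account-expired"
    if entry.last_change == 0:
        return "change-at-next-login"
    if entry.last_change is None or entry.max_days is None:
        return "ok"                                  # aging disabled
    deadline = entry.last_change + entry.max_days
    if today > deadline:
        if entry.inactive_days is not None and today > deadline + entry.inactive_days:
            return "inactive-locked"
        return "expired"
    if entry.warn_days and deadline - today <= entry.warn_days:
        return "warn"
    return "ok"


if __name__ == "__main__":
    e = parse_shadow_line(SAMPLE_SHADOW)
    print(e.name, last_change_date(e), password_status(e, "2024-01-01"))
    p = parse_passwd_line(SAMPLE_PASSWD)
    print(p.name, p.uid, password_state(p.password))
```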
  • 24. Other changes
    Since the introduction of shadow passwords and the new crypt(), other modifications have been introduced, such as MD5-based password hashes and Blowfish-based (bcrypt) hashes. Blowfish is an interesting choice: its key schedule is very slow, making each password hash expensive to compute (good for security, since it slows down guessing).
  • 25. Reading assignment for 01/16
    - T. Aslam, I. Krsul, and E. H. Spafford, Use of a Taxonomy of Security Faults.
    - M. Bishop and D. Klein, Improving System Security Through Proactive Password Checking, Computers and Security 14(3), pp. 233-249 (May/June 1995). http://nob.cs.ucdavis.edu/~bishop/papers/1995c+s/proact.pdf