

      		        =Users Basic Security Guide=
				 	   =Unix Security=
				  Assembled/Written by reptile
					  Revisions by gr1p
					    The c0re team
                                 [ www.c0re.org ] 
						  8/10/98



Note: This paper on Unix security was written for the newbie in mind. Someone 
who has heard of Unix and never used it, ot perhaps the Unix administrator 
who needs some tips on Unix Security.



     ---------> Users Basic Security Guide : Unix Security <-----------

	  			1. Introduction to Unix
				2. Unix Accounts
				3. Unix Shell
				4. Understanding Unix Passwords
				5. Unix Commands and File & Directory Structure
				6. Daemons
				7. Unix Vulnerabilities
				8. File Encryption in Unix



Section 1:

-> Introduction To Unix

	Originally developed by AT&T, Unix O/S has been the backbone of the 
internet and Web servers since the 1960's. Berkeley Unix is the most 
modern-day tool of Unix. There are also many different versions of Unix. 
Linux, OpenBSD, IRIX are to name a few. Unix is a text-based Operating 
System rather than a Graphical Users Interface such as Windows95/NT OS/2 
etc, however the X-Window system, turns Unix into a graphical User 
Interface with the stability of Unix.


Section 2:

-> Unix Accounts

	The Unix Operating system supports only two types of accounts- user 
and superuser accounts. Basically the user account is a standard account 
with few privileges. Superuser accounts are system operator accounts. This 
account has full privileges. So basically an account has either full 
privileges or limited privileges. Those with full privileges are not bound 
to a file or directory. 

	Unix Systems come initially configured with several accounts, some with
super user or userprivileges. root is the system administrator account which 
has access to everything. Its basically at the top of the directory tree. 
makefsys is a superuser account which is for specific purpose of creating a 
new file-system storage device. mountfsys is a super-user account which 
mounts the operating system. It also runs the startup daemon. umountfsys is 
used to un-mount the file system from a drive. Finally checkfsys is used to 
examine and debug the file-system.

Usernames:

	Unix supports usernames up to 14 characters long. Usernames can contain 
almost any character.
	
	A hacker could log into your system as an Innocent user and use what 
is known as su or Switch User Command to change to a superuser account. Here
I will list some of the basic defualt user accounts that you should be aware 
of when securing your system:  ip is a user level account which logs the 
line printer into the server. daemon is a user level defualt account which 
is an all purpose account. trouble is a user level defualt account which is 
a system debugging account. uucp is the Unix-to unix copy protocol account. 
nuucp is another account which is the new Unix-to-Unix copy protocol account.
 

Section 3:

-> Unix Shells

	A Unix shell is a  program that translates commands to the OS that 
accepts your input and carries the commands. Its the interface between the 
user and the Operating System. Sort of like a Window. Its actually just 
another program that the Operating system executes when you login. When you 
end the Shell it logs you out of the system. You can also execute multiple 
shell levels. 

This can cause a significiant problem. This opens significant attack routes 
for hackers. Below I will list the official shells in user on Unix machines.

csh: This command executes the C shell, developed by Berkeley University 
Science Dep. This type of shell has different shell programming control 
structures and unlike sh it supports aliasing. It also keeps a history of 
the commands you enter. user level accounts will see a "%" and the super 
user accounts will see a "#"


sh: This command executes the Bourne Shell. This is the standard shell of 
Unix System V. On System V. "$" represents the prompt for user level 
accounts. If you had a sh shell account on a system the $ will look 
familiar. "#" represents a super user account.


ksh: This command executes the ksh shell, or the new Korn shell. The Korn 
Shell combines features of the two shells listed above. It has command 
aliasing, command history, and the easier shell programming.

There is also a shell program which is a restricted Bourne Shell. To execute 
this use the rsh command. It basically lets users execute commands outside 
their searchpath and will not let the users change directories or change the 
shell.


Section 4:

-> Understanding Unix Passwords

	In Unix when you create a new account the account has no password. It 
will not have a password until a super user or the accounts owner sets one 
for that specific account. You should have a standard password sequence 
which apply to the accounts you create. The maximum amount of characters a 
unix password may have is 11 characters. It may contain any character, and 
unlike DOS the system the unix system takes upper-case and lower-case as 
perceive as being different. My advice as well is to set a password and 
expiration date for your user passwords.


Section 5:

-> Unix Commands and File & Directory Structure

	In Unix, files a directories are identified with path names. Unlike 
Windows, paths use a foreward slash ("/") rather than a backslash. "/" 
represents the root directory in Unix. Much like "\" represents the root 
directory in Windows95/NT. It is the top directory in the directory tree. 
This directory has two SubDirectories located in it. usr and happy. in the 
usr directory there is another subdir named source and a file called junk. 
in happy there are 2 files, memo and degrees.

Getting around: 

	Ok so lets assume you are at the top of the directory tree and you 
want to get to the usr directory. You could use the command "cd /usr" cd 
meaning Change Directory and /usr being the directory you want to change 
to. Remember that unix used foreward slashes rather than backslashes. 
Since /usr is in the root directory the user only needs to issue the 
command "cd usr". So if the directory you want to change to is currently in 
the directory you are in, all you need to do is issue the base name. You can 
also reference the file directory above your current directory in the system 
tree as ".." and you can reference the current directory you are in as "." . 

File names and Directory names:

	Unix file names and directories may be 14 characters long in length. 
It may contain ascii characters except a space. Also unix does not use 
filetype extensions such as Windows or Netware. A filename extension is 
like .txt or .doc. File names that begin with a period are hidden files so 
that you must issue a special command to reveal the file.

Unix File Types:

	The three type of files Unix uses are: text files, device files and 
binary. Text files are self explanitory although there is such a thing as a 
executable Text file. Binary files are executable machine code files. Device 
files are files that represent the systems input/output devices.

Unix File/DIR Protection: 

When a Unix account is created the OS assigns the account with a specific 
user number and group number. The system uses these to identify the user. 
Unix uses the user/groups numbers to determine a user's file and directory 
access privleages. There are three types of permissions to a file. read lets 
a user view the contents of the file. Write permission lets a user change 
the contents of a file. execute lets a user execute a file.

Unix divides users into three classes, user, groups and other. In Unix you 
can specify what permissions to a file for each user or group. The CHMOD 
command lets you change a file or directory permission. When you use this 
command you can change a file or directorys permissions symbolically or 
absolutely. The chown command is the format for symbolic permission changes. 
chown [u, g, or o] [+ or -] [rwx] [file/directory name] is the format for 
this permission change.

Unix Command Set:

	Wildcard: Say you want to specify a pathname, and you wish to reference 
files in other parts of the system. A wildcard is a character you use when 
referencing files and directories. "?" which is the question matk wildcard 
tells the Unix program to accept and single character in the place of the 
question mark. For example if you used "m?an" it would include both mean and 
moan. "[]" which is a double brackets tells Unix to accept and characters 
within the position of the brackets. For instance, "n[eoa]at" woulc include 
"neat", "noat" and "naat".  "*" is the asterisk wildcard which tells the Unix 
program to accept ANY character, group or no characters in the position of 
the "*".

Command-Line Options:

	The majority of Unix Commands have more than one option to them. In 
Unix you are able to specify the option when using the command. For example, 
say you had a program named Xpepper and there was an option called s. In 
order to use this option you would issue the command "Xpepper -s". Also if 
the program has more than on option (which is most likely the case)and the 
other option is called f. You could issue the command, "Xpepper -sf. You 
still can specify the options seperately.

Ping Command:

	To check to see if a remote server is running before you start sending 
commands to it you would use the PING program. It will be used in this case 
to send ICMP (Internet control Message Protocol) packets from one host to 
another. Basically the ping program transmits packets using the ICMP 
ECHO_REQUEST command. The the program waits for a ICMP ECHO_REPLY to each 
packet the program transmits. 

 Below is the PING programs set of options

-c count : This switch tells ping to continue sending packets until it has 
sent count number of packets and received count number of responses.

-d : This switch turns on the debug option for the socket that ping uses to 
transmit data

-f : instructs the ping program to generate a flood ping; ping outputs 
packets as fast as the remote server returns packets, or 100 times per 
second. When ping is flood pinging ping shows each request with a period and 
each response prints a back space.

-s seconds : This option tells the ping to wait a number of seconds after 
wach packet transmission.

-n : This switch tells ping to only return the hosts IP address and not host 
names.

-q : This tells the ping program to run in quiet mode. Which means you dont 
see anything untill the program has finished the packet tranmissions.

-s packetsize : This option lets you set the size of the ping packet to 
packetsize bytes. This could be used as a type of DoS, but im not going to 
get into that in this paper. 

The following is an example of the Ping program.

$ ping msn.com 
PING msn.com (207.68.179.111): 32 data bytes
32 bytes from msn.com (207.68.179.111): icmp_seq=0 tt1=254 time=10ms
32 bytes from msn.com (207.68.179.111): icmp_seq=0 tt1=254 time=10ms
32 bytes from msn.com (207.68.179.111): icmp_seq=0 tt1=254 time=10ms
32 bytes from msn.com (207.68.179.111): icmp_seq=0 tt1=254 time=10ms
- msn.com ping statistics - 
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10/10/10 ms
$

Finger Command:

	The Finger command is a user-information protocol to obtain level of 
information about remote computer such as who is connected to that remote 
server, where the person logged in from and kind of what there doing. 
Project. From the unix terminal you use issue the finger command and it 
will return a list of currently logged in users at the target of the server. 
You will usually get some information or watever the server knows about the 
person.

Rlogin:

	This program lets a user log into a remote host from a local server 
by issuing the command rlogin and the host you want to connect and log into.


Section 6:

-> Daemons

	Daemon is a simplifiedterm for daemon process. Its a system wide 
process that performs functions for the operating system, such as 
administration and control, network services, print services and execution 
of time-dependant activities. In order to qualify as a daemon process the 
operating system canot associate the process with a user's terminal session, 
and the process must continue after user logs off the server. Basically 
they accept user requests and process them.

LPD Daemon: lpd daemon manages print services, and listens for a print 
request. Once there is a print request the daemon prints to printers on the 
network.

INIT Daemon: This is the parent process for all proccesses on the system. The 
main process is to boot the operating system, so withought this the system 
will not boot.

Sendmail Daemon: command Mail Transport Agent for Unix systems which listend 
across TCP/IP ports for email connections from other systems, and once it 
recieves the electronic mail it delivers the message to local or remote users.


Section 7:

-> Unix Vulnerabilities

Unix Passwords: A password is used to verify the authenticity of user logins 
and the database is in /etc/passwd. When the user issues the password to the 
Unix system, it is converted into a byte series, and uses a one-way hash 
algorithm to convert the password into a one-way hash value. The server 
checks the generated hash value in the password database. If the values match 
the server logs the user into the system. Unix systems are VERY susceptible 
to sniffing attacks because the Unix operating system doesnt encrypt 
passwords by defualt. The password file is NOT hidden from users unlike NT 
or netware and it is word readable which makes it more susceptible to Brute 
force attacks.

	If a person has access to the network itself they can gain access to 
this file with only minimal access rights to the server, and worse if there 
is a bounce flaw.

Shadowing your password file is used for greater protection against attacks 
such as these. A third-party daemon is used to implement. The /etc/passwd 
is replaced with a special token and the passwords are stored in a seperate 
file which is not readable to normal system users.

	A large amount of servers do not incorporate the passwd shadowing 
suite and incorrectly chmod their /etc/passwd do that it is readable to 
every user on the system.  If the passwd shadowing suite is present make 
sure that /etc/shadow is chmod 600 and therefore only readable via root. If 
shadow passwds are active the /etc/passwd will effectively become useless 
to users trying to gain access to others accounts by attempting to crack 
their passwds using passwd cracker programs such as john the ripper.

Password Attacks: One method of attacking a system is Brute force attacks. In 
Unix a user is not locked out of the system if there has been too many failed 
attempts to login to the server. Usually a low-level password is targeted and 
the password database is attacked. Once the /etc/passwd is accessible the 
hacker may brute force attack to get a accepted password to log into the 
network. Basically Brute Force tries and tries throwing passwords until every 
legal character combination is used.

	Some of the most important files in a Unix system are important to know 
when you want to secure your system. Below i will list the most important 
files in the Unix system.

/etc/passwd		-password file, info on accounts for the system is here

/etc/group		-group file. lets super user give accounts group access.

/dev/tty##		-this is the device files for systems terminals. 

/dev/console	-device file for the system console

/usr/adm/loginlog	-log of all logins to the system. includes time/accounts 
			 username.

mbox			-these files are located in the home directories of the 
			 system users.

/dev/null		-null device file.

/tmp 			-This provies storage space for temp files programs and 
			 other processes create.

The vulnerabilities within Unix systems is high considering it has been the 
major installed base of systems on the internet. .rhosts file contains a list 
of network approved remote hosts. The security problem with .rhosts is that 
any user can create an rhosts file. As a Unix Administrator make sure no user 
in /home has the rhost file. 


Unix Tips

Unix Security - 	/ETC/HOSTS.EQUIV

	I recommend removing this file but if you must have it, and whether or 
not your network lets users use r commands for access you should still 
consider deleting it. First you should check and see if the file 
/etc/hosts.equiv is required. rlogin can be used to log on the the same 
account on your machine from a trusted machine with no passwd. If you dont 
use the r command you should definately consider deleting this file because 
there is no need for it. If you should have this file below is some rules 
ive gathered to use host.equiv to minimize exposure risk:

1: DO only trust hosts within your domain or under your management.
2: Make sure that you list only small number of trusted hosts within the 
   file.
3: Also make sure you dont have a '+' entry by itself in the file. if you 
   do users might get access to the system.
4: Make sure there is no '!' or '#' in the file.
5: Ensure that the first character of the file is not '_'.
6: Make sure that owner is set to root.
7: Ensure that the permissions are set to 600
8: Check the file again after installation of each patch or O/S.

Unix Security - /etc/hosts.lpd

	For this file make sure that the first character of the file is not 
'-', permissions are set to 600, make sure that owner is root, and no '!' 
or '#' in the file.

Unix Security - /etc/host.allow

        Allowing access only to certain trusted hosts is a good way of
securing your system from attack, as this will deny telnet access from
servers which are not contained within your host.allow file.  If you want
NO outside access to your server than you could just use the opposite
file, the /etc/host.deny file and echo the following line into the
file.

# echo ALL:ALL >> /etc/host.deny

this would result in denial of access from all outside hosts, keeping
access local.

Unix Security - /etc/services

	Make sure permissions are set to 644, and the owner of /etc/services 
is set to root.

Unix Security - /etc/aliases

	Comment out the decode alias with a '#' at the beginning of the line.
ENSURE that all programs executable by an alias are owned by root, have 
permissions 755 and are stored in a systems directory 

Unix Security - Default Accounts

Many systems have default accounts on them and on some older operating
system versions these accounts were shipped by default.  The common
default accounts that can be put to use by a possible intruder include -

guest
test
tester
www
lynx

These could then be brute forced with a few simple passwds which they are
usually found to have.  These accounts should be removed plainly because
they do provide a great security risk of allowing an intruder to gain
local access to the server.


	Another Unix security problem lies in the Sendmail program involving 
the -d command line option, which lets a user specify a debug level. A 
person who gained access to the network could specify a very large value to 
the debug option. This would then overwrite the stack frame, which in turn 
would cause a OS to executre unexpected commands. My advice is to get 8.7.3 
newest version of Sendmail with no vulnerabilities.  

	Sendmail problems: Sendmail accepts connections via port 25, which is 
known to people and is a favorite target to get into a Unix Host or use the 
host to forward false mail. Older versions of sendmail are easily 
exploitable both remotely and locally, it is therefore recommended that 
people keep up to date with the latest sendmail versions to avoid possible 
sendmail vulnerabilities - www.sendmail.org is the official resource to keep 
people up to date which - WITH sendmail issues. 


FINGERD Program 

	One of the Unix vulnerabilities which the Internet worm exploited of 
1988 was a buffer overrun problem with the fingerd daemon. If a user writes 
a single line of information longer than 512 bytes long, the daemon 
overwrites the stack frame, letting the hacker create a new shell and 
execute commands with the new shell. If your version of fingerd is older 
than than 5 November 1988 replace it with a newer version.

Startup and shutdown scripts

	Make sure that startup and shutdown scripts do not chmod 666 motd. 
This will let users change the systems message of the day. The line 
rm -f /tmp/t1 should exist in a startup script to clean up the temporary 
file used to create /etc/motd.

File Permissions

	1: /etc/utmp should be set to 644.
	2:  /etc/state must be set to 644
	3: /etc/motd and /etc/mtab should be set to 644
	4: Remove access files to users that dont need that access.
	5: Make /vmlinux the kernel is owned by root. has group set 
         to 0 and permissions set to 644.
	6: CHECK that files which have the suid or sgid bit enabled, should 
	   have it enabled 
	7: Make sure that /dev files are special files.

Listening Ports

Although this may not seem as obvious as other methods to improve
security, the ports that are open on a box can result in its possible
security/vulnerability from outside attackers.  For example, port 79, the
finger daemon port is not always necessary and often provides an attacker
with quite alot of information about the system.  An possible intruder can
use this to find out which users are actually on the system, look for
default accounts such as guest, www, test etc. and possibly brute force
these with default logins.  This should also provide a warning for
administrators as already illustrated in a previous section that these
default accounts should be removed to ensure that misuse cannot take
place.
	

File Encryption

	Its a good idea for all the users on your Unix system to encrypt 
sensitive files whenever the user stores the file in a public area, or 
transmits via public communication circuits 

Secure methods for programming in Unix

	Avoid creating a setuid shell script. List complete file name, 
including the full path, in any system or popen call.

Unix Security Tools

	SATAN: Security Administrator Tool for Analyzing Networks. You can use 
this tool to determine what holes remain within their networks. They yeild 
extensive reports about vulnerabilities, trust levels, and other system 
information. SATAN finds one or more of the following problems with the Unix 
installation.

1: NFS file systems exported to arbitrary hosts
2: NFS file systems exported to unprivileged programs.
3: NDS file system exported using port mapper
4: REXD access from arbitrary hosts.
5: X-server access control disabled
6: Remote shell access from arbitrary hosts.
7: Writeable anonymous FTP home directorys.
8: NIS password file access from arbirary hosts
9: Outdated sendmail daemon versions, with vulnerabilities.

tcp_wrapper: Get and install this program. The name explains it all. 

	There are lot of Unix Security Tools out there. Some are better than 
others. There are tools available at c0re.org, technotronic.com and other
misc sites.

OVERVIEW

1: Shells are used to access the Unix Operating Systems
2: The Unix OS uses special programs, called daemons to perform tasks etc.
3: There are only two types of permissions in Unix, user and superuser (root)
4: Unix has well known vulnerabilities but can be secured.
5: Most vulnerabilities can be corrected by careful administration and 
   upkeep the operating system.