Introduction to Unix Security Greg Porter Data Processing Manager USPFO For California


Page 1: Introduction to Unix Security Greg Porter Data Processing Manager USPFO For California

Introduction to Unix Security

Greg Porter

Data Processing Manager

USPFO For California

Page 2

Go to dpnet.caus.ca.ngb.army.mil for the latest information

A True Story

We loaded Linux on a PC and connected it to the network. Some ‘script kiddie’ came along with a scanner and determined that the Linux box had an unpatched BIND service. Within hours, they hacked the box, got root access, and installed a ‘root kit’ to hide their tracks.

Fortunately we run tools that allow us to detect and deny unauthorized access. Our Intrusion Detection System (IDS) found them.

WITHOUT IDS YOU WILL NEVER KNOW.

Proactive detection is your frontline defense. Don’t wait until bad guys are attacking the CP….

Page 3

Disclaimers

• IANASE: I Am Not A Security Expert

• Existing CERT teams are unix illiterate

• ACERT approves security tools
  – NT point and click, no knowledge needed
  – You can’t afford them

• Proactive DP shops must do ‘self-help’

• DP shops are not CERT teams

Page 4

Basic Security Steps

• Detect Them

• Stop Them

• Document them

• Turn them in

• Harden your systems

Page 5

Detect Them

• Intrusion Detection System (IDS)
  – Not a firewall, more like a radar detector
  – Watches network traffic
  – Notifies you if suspect traffic is found
  – A good free system is Snort, www.snort.org
  – Will run on a low-powered Pentium
  – READ YOUR LOGS!!!! Use an automatic log reader (Logcheck, www.psionic.com). No one has the time to read logs by hand.
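The slide’s point about automatic log reading is easier to see with a working script. The one below is an added example written for this page, not the presentation’s own material and not Logcheck itself; it mirrors Logcheck’s approach of running `grep -E` over a log with two pattern lists (known attack signatures that are always reported, and routine noise that is suppressed), so that what is left is the small set of unusual lines a human actually needs to read. The log lines, the pattern lists and the file names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original slides, not Logcheck's code):
# Logcheck-style log review with two pattern lists. Lines matching ATTACK
# patterns are always reported; of the rest, lines matching IGNORE patterns
# are dropped and whatever remains is reported as "unusual".

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample syslog lines (not taken from a real system).
cat > "$WORK/messages" <<'EOF'
Jan  3 01:02:03 host named[212]: starting BIND 8.2.2
Jan  3 01:05:10 host sshd[440]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Jan  3 01:07:44 host portsentry[301]: attackalert: Connect from host: 192.0.2.77 to TCP port: 23
Jan  3 01:08:01 host cron[550]: (root) CMD (run-parts /etc/cron.hourly)
Jan  3 01:09:30 host telnetd[610]: connect from 192.0.2.77
Jan  3 01:11:12 host su: BAD SU ops to root on /dev/pts/2
Jan  3 01:12:00 host named[212]: unapproved update from [192.0.2.77].1053 for "example.test"
EOF

# Patterns that always warrant a look (extended regexps, one per line).
# These three are example choices, not a complete signature list.
cat > "$WORK/attack.patterns" <<'EOF'
attackalert
BAD SU
unapproved update
EOF

# Routine noise that need not be reported (also example choices).
cat > "$WORK/ignore.patterns" <<'EOF'
cron\[[0-9]+\]: \(root\) CMD
sshd\[[0-9]+\]: Accepted publickey
named\[[0-9]+\]: starting BIND
EOF

# report_attacks LOGFILE ATTACKFILE: lines matching any attack pattern
report_attacks() {
    grep -E -f "$2" "$1"
}

# report_unusual LOGFILE ATTACKFILE IGNOREFILE: lines that are neither a
# known attack nor known noise; this is the residue nobody reads by hand
report_unusual() {
    grep -E -v -f "$2" "$1" | grep -E -v -f "$3"
}

# count_lines: small helper so results can be checked numerically
count_lines() {
    wc -l | tr -d ' '
}

echo "== Active attack alerts =="
report_attacks "$WORK/messages" "$WORK/attack.patterns"
echo
echo "== Unusual events (not on the ignore list) =="
report_unusual "$WORK/messages" "$WORK/attack.patterns" "$WORK/ignore.patterns"
```

On the constructed input this reports the PortSentry alert, the failed `su`, and the rejected BIND update as attacks, and surfaces the telnetd connection as the one unusual event; the cron, sshd and BIND start-up lines are suppressed. The ignore list is where the real work happens over time: every line that turns out to be benign gets a pattern added, so the daily report stays short enough that it actually gets read.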

Page 6

Stop Them

• Have a local firewall you control
  – OK, so it’s not an official ‘firewall’
  – Could be the same system as the IDS
  – IDS could trigger a firewall response
  – Will run on a low-powered Pentium with free software

• We use OpenBSD (www.openbsd.org)

• Refer to it as a ‘bridge’ or a ‘router’

Page 7

Document Them

• Compromise should be in your COOP plan

• Think ‘crime scene’, don’t destroy evidence

• Disconnect the system from the network

• Make an entire system backup for evidence

• Reload from media, binaries may be hacked

• If they got one, they probably got all
  – They sniffed your local net, all passwords stolen
  – Consider reload from media on all systems

Page 8

Turn Them In

• Your state CERT is your direct support
  – Probably new and inexperienced
  – Usually NT oriented, no unix knowledge
  – Assist them in escalating to NGB

• NGB CERT has some of the same problems, probably will be of little help

• LET SOMEONE HIGHER CALL THE FEDS or ACERT!

Page 9

Harden Your Systems

• Ideally they didn’t get in the door, the IDS and ‘firewall’ stopped them

• A good source of unix (and NT) hardening info is at www.sans.org

• The Bastille Linux hardening scripts have good ideas, but need tweaks for HP-UX http://www.bastille-linux.org/

Page 10

Harden Your Systems, Cont.

• Some things you can do now
  – CHECK YOUR LOGS!!! Use Logcheck, www.psionic.com
  – Turn off non-essential network services
  – Consider loading network related patches
  – Know if you are port-scanned, use PortSentry, www.psionic.com
  – Load TCP Wrappers
  – Implement Secure Shell, kill telnet and ftp
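“Turn off non-essential network services” and “kill telnet and ftp” on a classic Unix host mostly means editing `inetd.conf`. The script below is an added example for this page, not code from the presentation or from any DPNet how-to: it audits a constructed `inetd.conf`, lists the legacy services still enabled, and writes a hardened copy with those entries commented out so that only SSH remains. The list of services treated as non-essential is this example’s own assumption and should be adjusted to what a given site actually needs.

```shell
#!/bin/sh
# Added example (not part of the original slides): audit an inetd.conf for
# legacy services that SSH replaces, then produce a hardened copy.
# The configuration below is constructed, not taken from a real host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inetd.conf with typical cleartext services still enabled.
cat > "$WORK/inetd.conf" <<'EOF'
# <service> <socket> <proto> <flags> <user>   <server>         <args>
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd   in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd   in.telnetd
shell   stream  tcp  nowait  root   /usr/sbin/tcpd   in.rshd
login   stream  tcp  nowait  root   /usr/sbin/tcpd   in.rlogind
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd   in.fingerd
#tftp   dgram   udp  wait    root   /usr/sbin/tcpd   in.tftpd /tftpboot
time    stream  tcp  nowait  root   internal
ssh     stream  tcp  nowait  root   /usr/sbin/sshd   sshd -i
EOF

# Services with cleartext logins or no real business need. This list is the
# example's assumption; ssh is deliberately absent because it is the replacement.
NONESSENTIAL='ftp|telnet|shell|login|exec|finger|tftp|time|daytime|echo|chargen'

# enabled_services CONF: service names of active (uncommented, non-blank) entries
enabled_services() {
    grep -E -v '^[[:space:]]*(#|$)' "$1" | awk '{print $1}'
}

# flag_nonessential CONF: active entries that should be turned off
flag_nonessential() {
    enabled_services "$1" | grep -E -x "($NONESSENTIAL)"
}

# harden_inetd CONF OUT: copy CONF to OUT with non-essential entries commented out;
# comments and blank lines pass through untouched so the file stays readable
harden_inetd() {
    awk -v list="$NONESSENTIAL" '
        BEGIN { n = split(list, svc, "|"); for (i = 1; i <= n; i++) off[svc[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        ($1 in off) { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

echo "== Enabled non-essential services =="
flag_nonessential "$WORK/inetd.conf"
harden_inetd "$WORK/inetd.conf" "$WORK/inetd.conf.hardened"
echo "== Services still enabled after hardening =="
enabled_services "$WORK/inetd.conf.hardened"
```

On the constructed file the audit flags ftp, telnet, shell, login, finger and time, and the hardened copy leaves only the ssh entry active. On a real host the hardened file would be installed in place of `/etc/inetd.conf` and inetd signalled to reread it (commonly `kill -HUP` on its pid); the `tcpd` wrapper on each remaining line is what “Load TCP Wrappers” on the slide refers to, and it is only useful once `/etc/hosts.allow` and `/etc/hosts.deny` actually restrict who may connect.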

Page 11

For More Information

• Check out DPNet
  – DP specific web site
  – Lots of topics, DP security discussion
  – Links to lots of good security sites
  – Our ‘how-tos’ on how to load for HP-UX
  – Get help in real-time

http://dpnet.caus.ca.ngb.army.mil