security for administrators presented by: greg smith pacsec.jp 2004
TRANSCRIPT
![Page 1: Security for Administrators Presented by: Greg Smith Pacsec.jp 2004](https://reader035.vdocuments.us/reader035/viewer/2022081514/56649ed05503460f94bde6b4/html5/thumbnails/1.jpg)
Security for Administrators
Presented by: Greg Smith, Pacsec.jp 2004
Introduction
Who am I?
Who do I work for, and what is my job?
Why am I talking about this?
Who am I?
Greg Smith
Using UNIX-based operating systems for 8 years
Administrator work for 5 years
Working with security off and on for 4 years.
Who Do I Work For, and What Is My Job?
I work for Secured Infrastructure Design Corporation.
I am a Security Analyst and administrator for various BSD/Linux servers.
Why Am I Talking About This?
I believe that administrators should be more concerned about the well-being of their servers.
I want to try and share some of my basic views on security.
Overview
My definition of security
Operating system level security
Security via log monitoring
Interactive security
Administrator security measures
My Definition of Security
Making intelligent choices
Being educated, and always learning
Perceptiveness
Adaptation
Care and attention
Operating System Level Security
Proper application management
Keeping proper tabs on users’ interactions with the operating system
Noticing inconsistencies between the administrator and the user logins
Noticing inconsistencies in the file systems
Proper Application Management
| Distribution | Method | Explanation |
|---|---|---|
| FreeBSD | CVS/portupgrade | FreeBSD uses a CVS system to keep its operating system and dependencies up to date. |
| Debian | apt-get update | Debian uses the apt package management system to keep up to date. |
| Gentoo | emerge sync | You can update the Gentoo portage tree with the emerge sync command. |
| Fedora | yum update | Yum is a great alternative to use alongside the RHN. |
Keeping Proper Tabs On Users
Watch login times: if you know a user was not in the office at a particular time but appears to have been logged in, check the logs further to see what this user did.
Watch your own logins: an inconsistency with administrator logins also warrants digging further into the logs.
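The checks this slide describes can be scripted so the routine part of "watching login times" is done for you. The following is an added example, not code from the talk: it runs awk over the output of the `last` command and prints only sessions that break a local routine. The session lines are constructed samples in FreeBSD-style `last` layout, and the business-hours window, the allowed-host list and the "root only on a console tty" rule are assumptions that a real site would tune to its own habits.

```shell
#!/bin/sh
# Added example (not from the slides): flag logins that deserve a second look,
# using awk over the output of `last`. Sample data and thresholds are assumptions.

# Constructed sample of `last` output: user, tty, host (blank for console
# sessions), weekday, month, day, start time, end time, duration
sample_last() {
cat <<'EOF'
greg      ttyp0    198.51.100.7     Wed Nov 10 08:01 - 17:45  (09:44)
alice     ttyp1    198.51.100.12    Wed Nov 10 09:12 - 12:03  (02:51)
alice     ttyp1    203.0.113.9      Wed Nov 10 23:41 - 23:58  (00:17)
root      ttyv0                     Wed Nov 10 08:30 - 08:40  (00:10)
root      ttyp2    203.0.113.9      Thu Nov 11 02:13 - 02:40  (00:27)
EOF
}

# Print one line per suspicious session: user, tty, host, start time and the
# reasons it was flagged. Sessions that look routine print nothing.
# allowed/start/end are site assumptions: known workstations and 08:00-18:00.
odd_logins() {
    awk -v allowed="198.51.100.7 198.51.100.12" -v start=8 -v end=18 '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 6 {
        user = $1; tty = $2
        # console sessions have no host column, so the weekday moves into $3
        if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) { host = "(console)"; time = $6 }
        else                                         { host = $3;          time = $7 }
        hour = substr(time, 1, 2) + 0
        reasons = ""
        if (hour < start || hour >= end)           reasons = reasons " outside-business-hours"
        if (user == "root" && tty !~ /^ttyv/)      reasons = reasons " root-on-remote-tty"
        if (host != "(console)" && !(host in ok))  reasons = reasons " unlisted-host"
        if (reasons != "")
            printf "%-8s %-6s %-16s %s%s\n", user, tty, host, time, reasons
    }'
}

# Stand-alone run on the sample; on a real host this would be `last | odd_logins`
sample_last | odd_logins
```

Each flagged line carries every rule it tripped, so a single remote root login at 02:13 from an unknown address shows up with three reasons, which is exactly the kind of entry the slide says should send you back into the logs for a closer look.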
Noticing Inconsistencies In The File Systems
Is a file moved, deleted, or copied somewhere else on the system, and you don’t remember doing it?
Are there symlinks from logs to /dev/null?
Are there extra directories created with files in them you have never seen?
Watch for differences in the file system since the last time you logged in.
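Memory is a poor baseline for "differences since the last time you logged in"; a recorded one is better. The following is an added example rather than code from the talk: it takes a snapshot of a directory tree (a hash per regular file), compares a later snapshot against it to report added, removed and changed files, and separately lists any symlink that points at /dev/null, which answers the slide's question about silenced logs. It uses only find, a sha256 tool, awk and readlink; the tree it inspects is constructed on the fly in demo(). Keep the baseline file off the host being checked, since anyone who can edit the baseline can hide from this check.

```shell
#!/bin/sh
# Added example (not from the slides): baseline-and-compare check for a tree,
# plus detection of log files replaced by symlinks to /dev/null.

# sha256 of one file, using whichever tool this system ships
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1;  then sha256 -q "$1"
    else shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Baseline of a tree: one "hash<TAB>relative path" line per regular file, sorted
snapshot() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "$f"
      done )
}

# Compare two snapshots; prints "added", "removed" or "changed" plus the path
compare_snapshots() {
    awk -F'\t' '
        NR == FNR { old[$2] = $1; next }
        {
            if (!($2 in old))        print "added", $2
            else if (old[$2] != $1)  print "changed", $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed", p }
    ' "$1" "$2" | sort
}

# List symlinks under a tree that resolve to /dev/null (a classic way to silence a log)
devnull_links() {
    find "$1" -type l | while IFS= read -r l; do
        if [ "$(readlink "$l")" = /dev/null ]; then printf '%s\n' "$l"; fi
    done
}

# Build a throwaway tree, take a baseline, tamper with it, and report.
# The tree, file names and contents are constructed for the demo.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/log"
    printf 'ok\n'    > "$d/bin/tool"
    printf 'line1\n' > "$d/log/auth.log"
    snapshot "$d" > "$d.base"
    # tampering: altered binary, new hidden directory, log pointed at /dev/null
    printf 'changed\n' > "$d/bin/tool"
    mkdir "$d/.hidden" && printf 'x\n' > "$d/.hidden/f"
    rm "$d/log/auth.log" && ln -s /dev/null "$d/log/auth.log"
    snapshot "$d" > "$d.now"
    compare_snapshots "$d.base" "$d.now"
    devnull_links "$d" | sed 's/^/devnull-symlink /'
    rm -rf "$d" "$d.base" "$d.now"
}

demo
```

Note that the silenced log shows up twice, once as "removed" (a symlink is no longer a regular file, so it drops out of the snapshot) and once in the devnull-symlink list; the first report alone would not tell you why the file went missing, which is why the symlink check is worth keeping separate.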
Security via Logging
Don’t be afraid to use tools like sed, awk, uniq and sort to navigate the logs more efficiently.
Interpret the logs, look for inconsistencies
Apache logs; look for file transfers from personal directories
FTP logs; look for suspicious transfers
Look for SSH authentication errors
Using Text Parsing Tools To Make Life Easier
Examples here are all based off FreeBSD 4.9’s default logging system.
| Log | Example |
|---|---|
| Cron | An easier way to view differences in the entries, using different text parsing methods. |
| Secure/Auth.log | Watching the Secure/Auth log for anything sketchy. |
| Messages/Syslog | Looking for possible compromise. |
| Lastlog | Just looking for inconsistencies. |
| Apache – httpd-access | Use sed/awk/grep to condense logs. |
Interpret The Logs, Look For Inconsistencies
An example of this in the cron log, with 1000 entries:
sed 's/[0-9]/#/g' cron.ot | sort | uniq
Secure/Auth Log Analysis
There are similar lines, parse them out better using awk and grep.
Secure/Auth Log Analysis
cat auth.log | grep Failed | awk '{print $3" "$6" "$7" "$11" "$13}'
Using simple grep and awk, we weeded out a lot of useless information.
Messages Log Analysis
There are similar lines, parse them out better with grep.
Messages Log Analysis
Using grep to parse better
Going even further
cat messages | grep root | grep BAD
With those simple instructions, your viewing time can be cut substantially.
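The cron and auth-log slides above each show one condensing trick; the following is an added example, not code from the talk, that packages both as reusable functions. The cron part is the digit-blanking trick, with a count added so the rare entries sort to the bottom. The auth-log part replaces the fixed-column awk from the auth slide with a keyword search for "for" and "from", because the fixed columns only line up when the line contains "illegal user" and shift by two for an ordinary "Failed password for root from ..." line. The sample entries imitate FreeBSD 4.9 syslog wording but are constructed; the paths and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): condense cron and auth logs with
# sed/awk/sort/uniq. Sample log lines are constructed, not real data.

# Constructed sample of /var/log/cron: routine entries that differ only in
# timestamp and PID, plus one entry that should stand out
sample_cron() {
cat <<'EOF'
Nov 10 00:00:00 host /usr/sbin/cron[1041]: (operator) CMD (/usr/libexec/save-entropy)
Nov 10 00:11:00 host /usr/sbin/cron[1052]: (operator) CMD (/usr/libexec/save-entropy)
Nov 10 00:22:00 host /usr/sbin/cron[1063]: (operator) CMD (/usr/libexec/save-entropy)
Nov 10 01:00:00 host /usr/sbin/cron[1100]: (root) CMD (newsyslog)
Nov 10 02:00:00 host /usr/sbin/cron[1133]: (root) CMD (newsyslog)
Nov 10 02:17:00 host /usr/sbin/cron[1141]: (www) CMD (/tmp/update.sh)
EOF
}

# The slide's trick: blank out every digit so lines that differ only by time
# or PID collapse, then count. The rare lines at the bottom are the ones to read.
normalize_counts() {
    sed 's/[0-9]/#/g' | sort | uniq -c | sort -rn
}

# Constructed sample of /var/log/auth.log with both sshd phrasings
sample_auth() {
cat <<'EOF'
Nov 10 03:12:45 host sshd[2210]: Failed password for illegal user admin from 192.0.2.10 port 4022 ssh2
Nov 10 03:12:49 host sshd[2212]: Failed password for illegal user test from 192.0.2.10 port 4023 ssh2
Nov 10 03:12:52 host sshd[2214]: Failed password for root from 192.0.2.10 port 4024 ssh2
Nov 10 08:01:10 host sshd[2400]: Accepted publickey for greg from 198.51.100.7 port 51022 ssh2
Nov 10 09:30:02 host sshd[2455]: Failed password for greg from 198.51.100.7 port 51100 ssh2
EOF
}

# Print "time user source" for every failed password, locating the user and
# the source address by the keywords "for" and "from" rather than by column
# number, so lines with and without "illegal user" are handled alike
failed_logins() {
    grep 'Failed password' | awk '{
        user = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = ($(i+1) == "illegal") ? $(i+3) : $(i+1)
            if ($i == "from") src = $(i+1)
        }
        print $3, user, src
    }'
}

# Failures per source address, busiest first
failed_by_source() {
    failed_logins | awk '{print $3}' | sort | uniq -c | sort -rn
}

# Stand-alone run; on a real host feed the actual log files instead of sample_*
sample_cron | normalize_counts
sample_auth | failed_by_source
```

Run against the samples, normalize_counts reduces six cron lines to three, with the one-off /tmp entry last, and failed_by_source shows three failures from one address against a single failure from a known workstation; on a real 1000-entry log the same two pipelines are what turns a screenful into a short list.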
More Security via Logging
Watch the last log, using the last command
The httpd-access and httpd-error log can be handy in tracing a possible compromise. Use the same methods as in the other examples to better parse the httpd logs.
More Security Via Logging
Monitor logs on a regular basis
Learn the logging system for the particular operating system at hand
To save time, skim logs looking for said inconsistencies; if found, then probe deeper.
Watch for inconsistencies in log file sizes
Interactive Security
What do I consider interactive security?
Why would someone use this method?
What Do I Consider Interactive Security?
Perceptiveness.
Know your system.
Customize your server or workstation to better suit you.
Understand that the proper mindset can increase security substantially.
Why Would Someone Use This Method?
Cut down on the man-hours spent maintaining systems; administrators will have to spend less time on tedious tasks.
Enhance knowledge about basic functions of the operating system.
Less stressful work environment.
Administrative Measures
If a server has been compromised, learn from this, and adapt accordingly.
Segregation
Common sense
Conclusions
Administrators work closest with the actual infrastructure that needs the most attention.
Better education of administrators could lead to less of a chance of being compromised.
Questions?
Special Thanks to: Richard S. Keirstead, Lars Maul, Steve Manzuik