Abstract: Perhaps as many as 900 million nodes connected to the Internet are personal machines running Windows and Linux with little supervision from system administrators. These have become targets of script kiddies. This lecture and the associated lab experiment are intended to help configure personal systems running Linux.
There are two other lectures related to the current lecture: Fortification and Hardening. It would be too pedantic to try to distinguish rigorously between proper configuration and these two topics. Proper configuration involves examining the configuration settings of all installed software. Systems as distributed are often loosely configured. Occasionally this is due to sloppiness on the part of the distributor; more commonly it is because the distributor has tried to produce a generic, appeal-to-all setup. So it is important that we examine the configuration at length and determine what changes must be made. Proper configuration of a system is a prerequisite to fortifying and/or hardening it.
Proper configuration should happen immediately after a fresh install of the OS, and then after making changes to the system including adding or deleting services and user accounts. It should be done on the host machine without network connections. We ignore here the considerable amount of configuration tuning done to improve performance, reduce resource usage, and in general for cleanup.
We focus on the security of Linux systems. We only highlight what needs to be done leaving out the recipe-level descriptions to the references. Should you be interested in configuring Windows properly, consult the References section.
The Internet Domain Survey (https://www.isc.org/solutions/survey) reports that the number of hosts advertised in the DNS as of Jan 2012 was 9000 million (in 2003 it was 171+ million, and as of Jan 2009 it was 625+ million). Perhaps as many as 90% of these are personal machines, the rest being various servers. Perhaps 80% of these personal machines, and nearly 100% of those behind firewalls in private LANs, are running Windows 7/XP/... or Linux with little supervision from trained system administrators, the remaining systems being other variants of Unix and Macintoshes. These have become targets of script kiddies.
Installing a new OS image has become a straightforward activity. Nearly all well-known Linux distributions and Windows can be installed by a non-specialist by booting from a supplied DVD and answering a few questions. This activity is not the focus of this lecture. In the lab experiment, we have simplified the install problem further. There is a so-called "frugal install" which leaves most of a Linux distribution as a single large (gigabyte-sized) file that is an image of a compressed file system. There is some performance loss as a result, but there is also greater assurance that the files within remain intact.
The rest of the lecture highlights checks you should make after this initial phase of installing a new OS image, and associated applications. Depending on the distribution, the path names cited below may be different.
Booting time is an excellent point where an attacker can install Trojans. Examine the booting sequence to verify that the kernel and other executables are what they claim to be. Also, compare the MD5 sums of the executables after each boot with those you saved immediately after fresh install.
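The boot-time check described above, written as an added example (not the lecture's own script): record a checksum baseline of the boot-critical executables right after a fresh install, then verify it after each boot. It substitutes sha256sum for the lecture's MD5 sums, since MD5 collisions are cheap to produce today; the file list and the baseline path are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the lecture: take a checksum baseline of the
# boot-critical executables right after a fresh install and verify it on every
# later boot. Uses sha256sum instead of MD5 (MD5 collisions are cheap today).
# The path list and the baseline location are assumptions for this example.

# Files an attacker would replace to survive a reboot; adjust per distribution.
BOOT_FILES="/boot/vmlinuz* /boot/initrd* /sbin/init /bin/sh /bin/login /usr/sbin/sshd"

# record_baseline BASELINE FILE...: write checksums of FILE... to BASELINE.
# Keep a copy of BASELINE on read-only media; a baseline kept on the disk being
# checked can be rewritten by the same attacker who replaced the binaries.
record_baseline() {
    out=$1; shift
    sha256sum "$@" > "$out" && chmod 0400 "$out"
}

# verify_baseline BASELINE: returns 0 if every listed file still matches, 1 if
# any file changed or disappeared (sha256sum prints the offending names).
verify_baseline() {
    sha256sum --quiet -c "$1"
}

# Usage: boot-check.sh record   (once, right after install, offline)
#        boot-check.sh verify   (from an early boot script, every boot)
case "${1:-}" in
    record) record_baseline /var/lib/boot-baseline.sha256 $BOOT_FILES ;;
    verify) verify_baseline /var/lib/boot-baseline.sha256 ;;
esac
```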
Services are started in exactly three ways:
In all cases, install only the absolutely necessary services. If you are not sure what a service is, disable it. The services listed below (alphabetically) are commonly left running in improperly configured Unix/Linux distributions. In the following, "wrapping" a service refers to initiating the service through a wrapper program that does extra checking and logging before invoking the original program that provides the service. Two well-known wrappers are tcpwrapper and tcpd.
Most, but not all, Linux systems now use xinetd instead of inetd. The configuration for xinetd is "distributed" between /etc/xinetd.conf and files located in the subdirectory /etc/xinetd.d/. All references below to /etc/inetd.conf should be understood as including these if xinetd is in use.
bootp, bootps : Used for bootp services.
echo, daytime, discard, chargen: These services are used largely for testing and are largely unnecessary.
exec: Allows remote users to execute commands on a host without needing to log in. It exposes remote user passwords on the network and is therefore highly insecure. We recommend disabling the service.
finger: Allows remote users to use the finger utility to obtain information about arbitrary users on a host. Considered highly insecure. We recommend disabling the service or using a more secure version such as cfinger.
ftp: Allows remote users to transfer files to/from a host using ftp. Since user passwords are easily sniffed (they are transmitted over the wire in clear text), we recommend disabling the service and instead using a secure file transfer mechanism that encrypts the entire session (such as Kerberized ftpd or SSH). If ftp access is a must, the service should be wrapped.
"filez" transfers: If you allow files to both be written to and read from by anonymous FTP users, attackers will find those accounts and use them to transfer "warez", MP3 files, and porn.
login: Allows remote users to use the Berkeley rlogin utility to log in to a host without supplying a password (via the .rhosts mechanism). Use SSH instead. If rlogin access is a must, the service should be wrapped.
netstat : Designed to provide network status information about a host to remote hosts.
shell : See login above.
smtp: If you allow the "relay" feature on SMTP servers, spammers will find your server and use it to forward spam (to hide themselves and also to take advantage of your higher-speed connection).
systat : designed to provide status information about a host.
smurf amplifiers: If you do not adjust your subnet masks and visible services, attackers will attempt to use your site as a "smurf" or "fraggle" amplifier to flood other victims on the net.
website defaults: If you put a web server on the Internet, you must carefully remove all "defaults", "samples", and "CGI scripts", or attackers will at minimum deface web pages or compromise the machine.
telnet: Allows remote users to connect to a host via telnet, which transmits user passwords over the wire in plain text, so they can easily be sniffed. Use ssh instead. If telnet access is a must, the service should be "TCP-wrapped".
talk, ntalk : allows remote users to use talk to have a real time conversation with a user on a host.
tftp: Allows remote users to transfer files from a host without requiring login. Used primarily by X-terminals and routers. If tftp access is desired, the service should be wrapped.
time: Used for clock synchronization. We recommend disabling the service and using xntp to synchronize your system clock to WWV.
uucp : allows remote users to transfer files to/from a host using the UUCP protocol. Unless you use UUCP, we recommend disabling the service.
RPC-based services such as NFS and NIS are major security hazards unless you are using secure RPC. Our general recommendation is therefore against the use of NIS or NFS unless the physical network segments are protected, either physically or through the use of switched hubs. All RPC-based services should be disabled in inetd.conf (unless NFS/NIS must be used).
Alternatives to NIS are: the use of Sun Microsystem's NIS+, and the use of rsync along with SSH to distribute /etc/passwd, /etc/group, etc. to clients from a central server.
Common RPC based services defined in inetd.conf are:
rexd : allows remote users to run RPC programs on a host. Can be used to run an arbitrary shell on the host, thus highly insecure. We recommend disabling the service.
rquotad : returns quotas for a user of a local file system which is mounted by a remote machine over the NFS. We recommend disabling it.
rstatd : extracts performance statistics from the kernel for use by programs such as perfmeter. We recommend disabling it.
ruserd : is used to return a list of users on a network. We recommend disabling it.
sprayd : records the packets sent by spray, and sends a response to the originator of the packets. We recommend disabling it.
walld : used for handling rwall and shutdown requests. We recommend disabling it.
ypupdated : used for updating NIS information. Since we recommend against the use of NIS in general, this service should be disabled.
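The audit-and-disable pass over the service lists above, as an added example that is not the lecture's own script: it reads an inetd.conf and an xinetd.d directory, reports which of the listed services are still enabled, and switches them off. It assumes POSIX sh and awk, and that the files follow the usual inetd.conf and xinetd.d layouts.

```shell
#!/bin/sh
# Added example, not the lecture's own script: audit an inetd.conf and an
# xinetd.d directory for the services listed above and switch them off.
# Assumes POSIX sh and awk; run it against copies of the files for a dry run.

# Service names from the list above that should normally be disabled.
RISKY_SERVICES="bootps echo daytime discard chargen exec finger ftp login shell netstat systat telnet talk ntalk tftp time uucp rexd rquotad rstatd rusersd sprayd walld ypupdated"

# rewrite FILE [awk args...] PROGRAM: filter FILE through awk in place, writing
# back through the original file so its owner and mode are preserved.
rewrite() {
    f=$1; shift
    awk "$@" "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# enabled_services CONF: names of services not commented out in inetd.conf.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# risky_enabled CONF: the enabled services that are on the risky list.
risky_enabled() {
    for svc in $(enabled_services "$1"); do
        case " $RISKY_SERVICES " in *" $svc "*) echo "$svc" ;; esac
    done
}

# disable_inetd CONF NAME: comment out every active line for NAME.
disable_inetd() {
    rewrite "$1" -v s="$2" '!/^[[:space:]]*#/ && $1 == s { print "#" $0; next } { print }'
}

# disable_xinetd DIR NAME: force "disable = yes" in DIR/NAME if that file exists.
disable_xinetd() {
    f="$1/$2"
    [ -f "$f" ] || return 0
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$f"; then
        rewrite "$f" '/^[[:space:]]*disable[[:space:]]*=/ { print "\tdisable = yes"; next } { print }'
    else
        rewrite "$f" '{ print } !done && /^[[:space:]]*[{]/ { print "\tdisable = yes"; done = 1 }'
    fi
}

# disable_all CONF DIR: switch off every risky service found in either place.
disable_all() {
    for svc in $(risky_enabled "$1"); do disable_inetd "$1" "$svc"; done
    for svc in $RISKY_SERVICES; do disable_xinetd "$2" "$svc"; done
}
```

Run `risky_enabled /etc/inetd.conf` first to see what would change, then `disable_all /etc/inetd.conf /etc/xinetd.d` as root and restart inetd or xinetd.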
Shutdown time also is an excellent point where an attacker can install Trojans. A clever attacker would have downloaded the needed files during the normal running, but would not have installed them until most of the system was shut down.
All work should be carried out in Operating Systems and Internet Security (OSIS) Lab, 429 Russ. No other WSU facilities are allowed.
This lab asks for a certain number of fixes in each of the categories: properly configured, fortified and hardened. Should you be unable to find that many fixes, report on what you discovered, and stake a claim that the Linux distribution you chose was "so perfect" that only that many problems exist. If we discover otherwise, you will earn corresponding negative points.
Write the fixes you suggest as a bash script that can be applied by root. Include these scripts as appendices to the lab report. All changes of "one kind" (e.g., weak passwords) will count as one item of change. These scripts can include commands such as wget URL or apt-get install/remove package. You are welcome to use a language other than bash; change the file name extension accordingly.
This lab is not net-centric; so there is no need for the NetUtils setup. But discovering network related problems is within its scope.
Objective: Examine a Linux installation for what needs to be properly configured, fortified and hardened. This lab deals only with the Linux OS, but similar details apply to Windows and other OSes.