SuperLinux Encyclopedia - Security

This page mixes most "network security" with other security topics. This seems unavoidable, but shares this undesirable feature of most security discussions: One cannot easily ignore discussion of network security topics when using a non-networked computer (one with only port-driven terminals).

Also see "ssh" in Shells.
Also see some related topics in IP - Internet Protocol.
Also see "firewalls" in Networking.

Introductory stuff:

• Security HOWTO General overview of security issues.
• Linux Security 101  An introduction.
• Linux Security 101  Feb'97 LG
• Securing Your Linux Box  Nov'98 LG
• A Bit About Security  Jan'98 LG
• Adding Security to Common Linux Distributions (Article in Linux Fucus)
• More Linux Security  Apr'97 LG
• Learning about Security  Mar'97 LG
• Secure Systems has a nice list of tips for the Linux PC user.
• Cleaning Up Your /tmp The Safe Way  Jun'97 LG & Part 2  Aug'97 LG
• Basic *nix Secuity  At LinuxBerg.
• Basic Network Security  At LinuxBerg.
• Courses on Computer/IT security  A list.

General Subject:

• Books and Book Reviews:
  • "Maximum Security"  Review at LWN.
  • Securing RedHat 5.X (e-book)
  • Web Security Sourcebook  Apr'98 LG
• Conferences
• News, Magazines, Alerts, Exploits, etc:
  • Hacker News  Emphasis on security and computer underground.

  • Bugtraq
  • CERT Coordination Center  "part of the Networked Systems Survivability Program" at CMU.   CERT's PGP key
  • CRYPTO-GRAM  "newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security." The link is to a corporate home page.
  • Fyodor's Playhouse
  • HERT - Hacker Emergency Response Team  Claims to be International version of CERT. Based in France, it claims fewer (none (as far as they know)) ties to USA spy agencies.
  • Rootshell (exploits sorted by date and links)
  • Vulnerability Engine (online, user-modifiable database of security probs)
  • Technotronic
  • X-Force Search (query a security database for threats and vulnerabilities)

  • Debian Security page
  • OpenLinux Security (at Caldera's tech.support site)
  • problems with RedHat 5.2 security
• Reading material:
  • Ask Slashdot: System Crackers
  • Dealing with System Crackers--Basic Combat Techniques  Aug'97 LG
  • How to recover a root-compromised system  At CERT.org.
  • kerberos - An introduction
  • Reflections on Trusting Trust by Ken Thompson, Sep'95
  • Secure Deletion of Data from Magnetic and Solid-State Memory (Doc by Peter Gutmann)
  • Secure Deletion of Data from Magnetic and Solid-State Memory  (alt.URL)
  • Software Distribution Security  "The Trojan Horse" by Bruce Perens Nov'98.
  • Trojan Horses  Great article at CERT.org.
  • Securing Java  Online book.
  • Secure UNIX Programming FAQ 
• Sites:
  • European Network Security Institute
  • fish.com's security page  Some interesting reading here.
  • Insecure.org
  • Linux Security (aoy.com) Said to be a good one.
  • Linux Security (Eric's site)
  • Linux Security (Chris Green's site)
  • Linux Security (jtmurphy's site)
  • Linux Security Archive (at sonic.net)
  • Linux Security Bulletins (mailing lists, etc. at Linux Resource Exchange)
  • Netect, Inc.  Computer security SW and services.
  • Netscan.org  Info on Smurf, Fraggle, and "directed broadcast" attacks.
  • SANS (a security organization)
  • Security Portal Linux page 
  • SecureZone (>1000 links; not Unix- or Linux-specific)
• Tools, misc:
  • Other lists:
    • Freshmeat: Firewall and Security (text)
    • Freshmeat: Firewall and Security (X11)
    • Security Tools  At CERT.org.
    • antivirus software for Linux  Rainer Link's annotated list.
  • AMaViS - A Mail Virus Scanner  For viruses in email to be read on a M$OS.
  • CyberSoft Inc.  $; Anti-virus SW, including CyberSoft VFind Security ToolKit (VSTK).
  • FreeS/WAN  "privacy through encrypted Internet communications"; IPSEC-based " FreeS/WAN negotiates strong keys using Diffie-Hellman key agreement with 1024-bit keys, and encrypts each packet with 168-bit Triple-DES (3DES). A modern $500 PC can set up a tunnel in less than a second, and can encrypt 6 megabits of packets per second, easily handling the whole available bandwidth at the vast majority of Internet sites."
  • H+B EDV AntiVir/X  $; Free for some. Mostly (only?) for protecting M$OS files)
  • hand  "Hand provides a secure execution environment for all types of Unix applications including utilities, system services and graphical programs."
  • IsinGlass "IsinGlass is a firewall setup script designed to protect dial-up users (but also useful for others). It protects your system against security holes in programs the user may not even know they're running. Most users can run it "out of the box" without any configuration required. It will automatically detect network interfaces and IP addresses."
  • KasperskyLab AntiViral Toolkit Pro (AVP) for Linux [Intel] 
  • McAfee ($; security SW)
  • NAI Netshield (uvscan) for Unix  $
  • slocate (FTP dir)  A "locate" command that respects permission bits.
  • Sophos Sweep for Linux [Intel/Alpha]  $ Free for some.
  • StackGuard  Version of gcc which protects programs agains stack overflow attacks; with a protected Linux distro.
  • tcpserve  A replacement for inetd for better security. allows limiting the *_number_* of concurrent processes forked out of the inet facilities, as opposed to the *_rate_* of forked processes. Also, optionally, allows logging by port, with access control via a fast database, by IP, and user.
  • Titan  "collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system." Mostly Bourne scripts; some C.
  • Trinux "A Linux Security Toolkit" (2-floppy Linux-in-RAM with many networking & security tools)
  • Wipe "for securely erasing files from magnetic media" (over-rights with various patterns)
  • xinetd - A more secure version of inetd. ??
• Misc:
  • EROS: The Extremely Reliable Operating System  $ & some free use; uses "capabilities" security; some good docs.
  • A List of Debian's security advantages 
  • silent  Make "Workstation which doesn't answer for ping and traceroute."

Security, specific topics:

• Auditing of a site's or computer's security:
  Also see "Intrusion Detection" below.
  • Linux Security Audit Home Page
  • auditd  Part of a toolkit which supports the kernel audit mechanism.
  • JSecure Run this applet from all of your Java applet runners (e.g. "Netscape") to check security.
  • Network Associates, Inc.  CyberCop Scanner, risk assessment tool,
  • The Nessus Project  "open-sourced and easy-to-use security auditing tool"; well developed. Looks good.
  • nmap network mapper  Shows what services a host offers. Good use: nmap -t -v -D my_host.my_domain.com.
  • Saint home page ($; checks security)
  • Protecting Networks with SATAN (at O'Reilly; links to other security books)
  • Xni  "network analysis, security and accounting package"
• Authentication:
  • Ask Slashdot: Cryptography and Digital Signatures
  • PAM (Plugable Authentication Modules):
    • PAM Home Page
    • pam_smb "a PAM module which allows authentication of UNIX users using an NT server"
    • PAM commands & files:
      • userhelper: Non-interctive program to change user info as in /etc/passwd.
      • userpasswd: GUI program to change password.
      • userinfo: GUI version of "chfn".
      • /etc/pam.conf or /etc/pam.d:
  • Passwords:
    • LILO passwords: Adding the lines "password=your_password" and "restricted" to your lilo config file (usually /etc/lilo.conf) and rerunning lilo will prevent anyone from booting up without a password using a simple fairly well known trick. Except if they boot off a floppy. The only way to prevent that is to remove it or use the password protection of your BIOS.
    • BIOS passwords (from usenet article): "Some BIOS'es will reset/disable a password with a key combination. I've seen ctrl-enter, ctrl-alt-ins, ctrl-alt-esc."
    • gpasman  A personal password manager which keeps list of passwords encrypted.
    • npasswd: A (non-PAM) password package (once used by Red Hat). Has some nice features.
    • vipw, vigr - edit the password or group files. (Locks the files, etc.)
    • Passync "Windows NT/UNIX password synchronization tool"
    • HOW TO allow passwords longer than 8 chars (from usenet article):

      >Is there a way or a program that can be installed under Linux RedHat 5.0 to
      >allow > 8 character passwords.  Not only would this increase security, but 
      >it would keep the probablility of a reused password on a many user system
      >low.  Thanks for any info or suggestions 'yall might have.
        
      Look at file:/usr/doc/pam-0.59/html/pam.html
        
      on your system with a web browser.  You basically just need to add
      "md5" to /etc/pam.d/passwd on the "pwdb" line.  Then force all your
      users to change their passwords (they can use the same one if they
      want, but they have to go through the act so that your system can
      re-encrypt all the passwds to md5 format).  Then everything should
      just "work".
                  

    • HOWTO handle a forgotten root password: This assumes certain things and so won't work for everyone..

      -- Boot a rescue floppy.
      -- Mount the partition holding /etc/passwd, ex: "mount -t ext2fs /dev/hda1 /mnt".
      -- Edit the passwd file, ex: "vi /mnt/etc/passwd".
         Remove second ":"-delimited field of the line who's first field is "root".
      -- Unmount the just-mounted partition (said to be necessary), ex: "umount /dev/hda1"
      -- Remove the boot floppy, reboot, log in as root (without password).
      -- Change the password, ex: "passwd", etc.
                  

    • Shadow Passwords:
      • Shadow Password HOWTO (How to obtain, install, and configure shadow passwords.)
      • HOW TO move info from non-shadowed passwd file to shadowed version:
        Someone said there is a program called "something like pwconv5" that works great.
• Cryptography; Encryption; Codes; Decoding
• Intrusion Detection:
  • AAFID2 "Architecture for Intrusion Detection using Autonomous Agents"
  • check-ps: Intrusion checker program; checks for bogus ps process. [link broke]
  • EARS - Emergency Audit Response System  Distributed intrusion detection, by Tishina Syndicate.
  • Intrusion Detection  Treatise.
  • Nannie  Tell you when files that shouldn't change do change.
  • RealSecure  $ "threat management solution"
  • SHADOW security monitor
  • sscan  Not sure, but it sounds like a security hole checker.
  • Tripwire Security, Inc.  $ and free. Popular security breach detection SW.
• RSA:
  • RSA Data Security, Inc.  SSL SW, other security SW.
  • RSA Australia  Most secure versions of RSA SW.
• SSL - Secure Sockets Layer
  • OpenSSL  "effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide."
  • See RSA entry on this page.
  • Ask Slashdot: How do you get non-"Certified" SSL Keys to Work?
• SUID & SGID programs, including scripts:
  • Have as few programs as practical that run SUID or SGID to "root" ID. These may be located using "find / -perm +6000".
  • A standard Linux kernel and bash shell will ignore SUID & SGID bits on bash script programs. (I'm not sure whether it's the kernel or shell and whether other shells and interpreters (eg perl) have this restriction. Some Unix-shell combinations don't have this restriction.)
  • To write a possibly dangerous wrapper program follow this example:

    main(argc,argv)
    int argc;
    char **argv;
    {
    execv("/usr/local/bin/wrapped-script",argv);
    }

    Compile it and set SUID or SGID on the binary program. The script program must be readable by the owner or group, respectively, of the binary program.
• Viruses:
  • Bliss: From 1997. [link broke]

Some security tips:

• Don't run any more daemons than needed, especially those that service the network.
  Methods:
  • To disable daemons in Red Hat's /etc/rc.d/init.d directory
    mv /etc/rc.d/init.d/xxxd /etc/rc.d/init.d/xxxd.is.disabled
  • Comment out unneeded lines in /etc/inetd.conf . Some sources say to comment out lines in /etc/services, but this shouldn't be needed. It also has the disadvantage of disabling the use of the service (eg. ftp) by the local user too.
• Run as few programs as seldom as practical as user "root".
• Have as few programs as practical that run SUID or SGID to "root" ID. These may be located using "find / -perm +6000".
• Keep software as up-to-date as practical in order to have the latest security bug fixes.
• Check security sites and some download sites for "security alerts" and notices of newly fixed software.
• Replace your "locate" command with the "slocate" command so people can't use locate to look for files in directories for which they have no read priviledge. See below.
• Configure /etc/usertty and /etc/securetty after reading about them in the man pages for "login" and "securetty". These control which users may log in from which ports.

How to make a more secure temporary directory from a shell script, by Jim Dennis:

TMPD=/tmp/$0$$$(date +%s)
## get a (hopefully unique) name
## use any reasonable method for this.
OMASK=$(umask)
umask 077 || exit 1
mkdir $TMPD || exit 1
trap 'rm -fr $TMPD; exit' 0
umask $OMASK

End of page.