FreeBSD Security Advisories (1)

Transcription

1 Security

2 FreeBSD Security Advisories (1) 2

3 FreeBSD Security Advisories (2) 3

4 FreeBSD Security Advisories (3) freebsd-security-notifications Mailing list 4

5 FreeBSD Security Advisories (4) Example compress 5

6 FreeBSD Security Advisories (5) CVE

7 FreeBSD Security Advisories (6) Example Problem Description 7

8 FreeBSD Security Advisories (7) Example Workaround 8

9 FreeBSD Security Advisories (8) Example Solution 9

10 Common Security Problems Unreliable wetware Phishing site Software bugs FreeBSD security advisor portaudit (ports-mgmt/portaudit) Open doors Accounts password Disk share with the world 10

11 portaudit (1) portaudit Checks installed ports against a list of security vulnerabilities portaudit Fda -F: Fetch the current database from the FreeBSD servers. -d: Print the creation date of the database. -a: Print a vulnerability report for all installed packages. Security Output 11

12 portaudit (2) portaudit -Fda auditfile.tbz 100% of 71 kb 92 kbps New database installed. Database created: Mon Dec 12 02:10:00 CST 2011 Affected package: gnutls Type of problem: gnutls -- client session resumption vulnerability. Reference: Affected package: apache-worker Type of problem: apache -- Range header DoS vulnerability. Reference: 2 problem(s) in your installed packages found. You are advised to update or deinstall the affected package(s) immediately. 12

13 Common trick Tricks ssh scan and hack ssh guard sshit smtp-auth / pop3 / imap Phishing XSS & sql injection Objective Spam Jump gateway File sharing 13

14 Process file system - procfs Procfs A view of the system process table # mount t procfs proc /proc 14

15 Simple SQL injection example User/pass authentication SELECT * FROM usrtable WHERE user = AND pass = ; No input validation SELECT * FROM usrtable WHERE user = test AND pass = a OR a = a 15

16 setuid programs passwd zfs[~] -chiahung- ls -al /usr/bin/passwd -r-sr-xr-x 2 root wheel 8224 Dec 5 22:00 /usr/bin/passwd /etc/master.passwd is of mode 600 (-rw )! setuid executables are especially apt to cause security holes Minimize the number of setuid programs /etc/periodic/security/100.chksetuid Disable the setuid execution on individual filesystems -o nosuid 16

17 rlogin (1) sudo ---s--x--x 2 root wheel Trusted remote host and user name database /etc/hosts.equiv and ~/.rhosts Allow user to execute shell (rsh), login (rlogin) and copy files (rcp) between machines without passwords Format: Simple: hostname [username] Complex: Example bar.com foo +@adm_cs_cc +@adm_cs_cc -@chwong /usr/local/bin/sudo (trust user foo from host bar.com ) (trust all from amd_cs_cc group) 17

18 rlogin (2) Becoming other users A pseudo-user for services, sometimes shared by multiple users sudo u wwwadm s (?) /etc/inetd.conf login stream tcp nowait root /usr/libexec/rlogind rlogind ~wwwadm/.rhosts User_Alias wwwta=pyhsu Runas_Alias WWWADM=wwwadm wwwta ALL=(WWWADM) ALL localhost pyhsu rlogin -l wwwadm localhost Too dirty! 18

19 Security tools nmap john, crack PGP CA Firewall TCP Wrapper 19

20 TCP Wrapper (1) TCP Wrapper Provide support for every server daemon under its control libwrap implements the actual functionality Before: inetd + tcpd with libwrap 20

21 21 TCP Wrapper (2) Now $ ldd `which inetd` /usr/sbin/inetd: libutil.so.8 => /lib/libutil.so.8 (0x ) libwrap.so.6 => /usr/lib/libwrap.so.6 (0x ) libipsec.so.4 => /lib/libipsec.so.4 (0x80086a000) libc.so.7 => /lib/libc.so.7 (0x ) $ ldd `which sshd` /usr/sbin/sshd: libssh.so.5 => /usr/lib/libssh.so.5 (0x ) libutil.so.8 => /lib/libutil.so.8 (0x8007cb000) libz.so.5 => /lib/libz.so.5 (0x8008db000) libwrap.so.6 => /usr/lib/libwrap.so.6 (0x8009f0000) libpam.so.5 => /usr/lib/libpam.so.5 (0x800af9000)...

22 TCP Wrapper (3) libwrap hosts_access(3) In sshd source code 22

23 TCP Wrapper (4) There are something that a firewall will not handle Sending text back to the source TCP wrapper Provide support for every server daemon under its control Logging support Return message Permit a daemon to only accept internal connections Configuration files /etc/hosts.allow, /etc/hosts.deny(optional) 23

24 Super Server inetd To see what daemons are controlled by inetd, see /etc/inetd.conf #ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l #ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l #telnet stream tcp nowait root /usr/libexec/telnetd telnetd #telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd shell stream tcp nowait root /usr/libexec/rshd rshd #shell stream tcp6 nowait root /usr/libexec/rshd rshd login stream tcp nowait root /usr/libexec/rlogind rlogind #login stream tcp6 nowait root /usr/libexec/rlogind rlogind In /etc/rc.conf inetd_enable="yes" 24

25 /etc/hosts.allow (1) In /etc/hosts.allow Format: daemon : address : action daemon is the daemon name which inetd started address can be hostname, IPv4 addr, IPv6 addr, net/prefixlen action can be allow or deny Keyword ALL can be used in daemon and address fields to means everything First rule match semantic Meaning that the configuration file is scanned in ascending order for a matching rule When a match is found, the rule is applied and the search process will stop 25

26 /etc/hosts.allow (2) Example ALL : localhost, : allow ptelnetd @linux_cc_cs : allow ptelnetd pftpd sshd: zeiss, chbsd, sabsd : allow identd : ALL : allow portmap : ALL : allow sendmail : ALL : allow rpc.rstatd : allow rpc.rusersd : allow ALL : ALL : deny 26 TCP wrapper should not be considered a replacement of a good firewall Instead, it should be used in conjunction with a firewall or other security tools Good at rpc based services

27 /etc/hosts.allow (3) Advance configuration External commands (twist option) twist will be called to execute a shell command or script (exec) # The rest of the daemons are protected. telnet : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h." External commands (spawn option) spawn is like twist, but it will not send a reply back to the client (fork/exec) # We do not allow connections from example.com: ALL :.example.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny 27

28 /etc/hosts.allow (4) See Wildcard (PARANOID option) Match any connection that is made from an IP address that differs from its hostname # Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny hosts_access(5) hosts_options(5) 28

29 tcpdmatch In /etc/hosts.allow ALL : localhost [::1] : allow ALL : cshome2 : allow sshd : csduty linuxhome cshome : allow rpc.lockd : / : allow rpc.statd : / : allow rpcbind : / : allow ALL : ALL : deny 29 tcpdmatch(8) example $ tcpdmatch ssh warning: ssh: no such process name in /etc/inetd.conf client: address server: process ssh matched: /etc/hosts.allow line 12 option: deny access: denied

30 When you perform any change. Philosophy of SA Know how things really work Plan it before you do it Make it reversible Make changes incrementally Test before you unleash it 30