Basic Unix Security.

by Larry W. Cashdollar

8/24/99 Rev 2


When I say UNIX I mean a UNIX like system SunOS, BSD/OS, AIX, IRIX and the Linux distros. I am using RedHat as an example.


/etc/inetd.conf Cleaning.


This is what most UNIX system administrators neglect to do when putting a new system on the network they dont check what services they are running and remove those deemed uneeded.  This is the first step in securing a UNIX host. The second is installing every vendor security related patch issued. If you are concerned about computer security then you can take this one step further by installing all of the applicable updates for your linux distribution. Check out updates.redhat.com, check CIAC, CERT, rootshell and other sites for exploits that you can patch your system for.  The less information you give out about your host the less a system cracker has to work with. There are some great security sites out on the internet do a search on one of the many search engines. Search for bugtraq subscribe to it, trust me on this one.

Setting up the TIS ToolKit.

TIS (Trusted Information Systems) distributes a free toolkit for non-commercial use, it can be downloaded here.
Follow the instructions after downloading the TIS package for installation and compilation.  I will document this procedure
in the next few days.

Remove all lines but ftp and telnet, or place a '#' in front of the line to be discarded. Here normal ftp operations are allowed, the inetd.conf file should look something like this:

# begin /etc/inetd.conf 

ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
# End of inetd.conf.
 

/etc/inetd.conf changes.

In inetd.conf change the following line

from: 

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
to: 
telnet stream tcp nowait root /usr/local/etc/netacl in.telnetd
This is to refer the inetd daemon to execute netacl instead of the normal telnet server. The binary netacl checks the address where the service request originates from, based on the requesting hosts ip address connections are made or denied.
 

/usr/local/etc/netperm-table changes.

The following line allows connections requested from the local host or the bastion host to be passed directly to the normal telnet server executable.
  
netacl-in.telnetd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.telnetd
This line states that anyhost must be passed to the gateway for authentication. 
netacl-in.telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
These are the configuration files for the tn-gw executable, they explain where the message files are found, and what host to allow access to the telnet gateway. 
tn-gw: denial-msg /usr/local/etc/tn-deny.txt
tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
tn-gw: help-msg /usr/local/etc/tn-help.txt tn-gw: timeout 900
The following line allows the host specified use of the proxy server all others will recieve the tn-deny.txt message and be disconnected.
  
tn-gw: permit-hosts 192.168.0.* -passok -xok
If the following line is uncommented incoming traffic is permitted but authentication is required. 
#tn-gw: permit-hosts * -auth

Configuring FTP gateway.

in /etc/inetd.conf create the line:

ftp stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw

This lets the inetd daemon use ftp-gw instead of the normal ftp server executable.
 

Changes to /usr/local/etc/netperm-table.

These lines setup the message locations for the ftp gateway. 
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
ftp-gw: timeout 900
To allow hosts use of the ftp server add them below.
  
ftp-gw: permit-hosts 192.168.0.*
ftp-gw: permit-hosts localhost
To enable all host to have to be authenticated uncomment the line below.
  
ftp-gw: permit-hosts * -authall -log { retr stor }
Service administration 

On SVR4 type systems daemons are started in /etc/rc.d/rcN.d where N is your default run level. Move all services you dont need from SXXservice to KXXservice whereK is for kill S is for start and XX is a number for loading order. Sendmail for example doesnt need to be running if you dont plan to receive mail in order to disable it type the following in /etc/rc.d/rc3.d:

./S88sendmail stop; mv S88sendmail K88sendmail Do this for every service you dont need, if you dont know what it is use man to read about it.

SUID root binaries

If you have the desire to be paranoid and tighten our system down more trim your OS by removing packages that you dont need. In RedHat use rpm -e to remove unwanted packages, unwanted being anything that you dont need to run on your host. To figure this out think what functions you want your host to perform, you might not have the need for a mail reader like pine,elm or mutt so remove them. Dont plan to read news? remove tin etc.. the less you have the better. Now once youhave removed everything you dont need see what programs you have to watch out for namley suid root binaries like sendmail, dip, traceroute (remove dip use pppd)to locate all of these files do a find / -perm -4000 this will list all set userid root binaries. Now pipe this into md5check and store it offline. Just in case you are penetrated someday you have this to check your files against.

Security based links

Some of these links are to black hat or hacker/system cracking sites. I find the best way to keep up on security issues is to watch everyone.