Unix Unleashed, Third Edition is written with the power user and system administrator in mind. This
<LI>

<A HREF="#I56">Where to Go from Here?</A></LI></UL></UL></UL>



<H1 ALIGN="CENTER">

<CENTER><A ID="I1" NAME="I1">

<BR>

<FONT SIZE=5><A ID="I2" NAME="I2"></A><B>44 &#151; UNIX System Security</B>

<BR></FONT></A></CENTER></H1>

<H5 ALIGN="CENTER">

<CENTER><A ID="I3" NAME="I3">

<FONT SIZE=3><B>By Jeff Smith</B>

<BR></FONT></A></CENTER></H5>

<P>How secure is your UNIX system? Consider this: In the three years 1991 through 1993, the Computer Emergency Response Team Coordination Center (CERT/CC) issued more than 60 advisories describing UNIX insecurities and ongoing cracking incidents. That's 
almost two per month for the last three years. Many of these advisories described serious security flaws that allowed unprivileged users to gain superuser access, or worse, allowed unauthorized users access to the computer. If you haven't done anything to 

improve the security of your UNIX system, it's probably vulnerable.

<BR></P>

<P>The original developers of UNIX used it in a friendly, collegial environment that required only basic security features. Computer networks were a future dream. Since then UNIX has become one of the most popular operating systems in the world, installed 

on hundreds of thousands of networked computers. As it has evolved, security features have been added, but so have new facilities that have brought new security threats.

<BR></P>

<P>Why would someone break in to your computer? It boils down to access to services and information. Computers provide a variety of attractive services, such as access to networks and other computers, computing time, and disk storage. Most people use 
computers to store and organize valuable information. This information has potential value to those who don't have it, and unscrupulous people will do whatever it takes to get it.

<BR></P>

<P>Does your computer system contain information that someone else can use? Your company's trade secrets? A description of an academic research project or a grant proposal that you want to keep secret until it's in the mail? Most people can answer yes to 
these or similar questions&#151;after all, you wouldn't be storing information on a computer if you didn't have something worth saving.

<BR></P>

<P>This chapter can't tell you everything you need to know about UNIX system security. That would take an entire book, and there are references to several &quot;nuts and bolts&quot; security books in the section &quot;Finding More Information&quot; later 
in this chapter. This chapter does give you a broad overview of UNIX security concerns, help you evaluate your security needs, tell you about tools you can use to improve your system's security, and tell you how to get more information. It may also help 
keep your hair from turning various shades of gray.

<BR></P>

<H3 ALIGN="CENTER">

<CENTER><A ID="I4" NAME="I4">

<FONT SIZE=4><B>Kinds of Attacks and Their Consequences</B>

<BR></FONT></A></CENTER></H3>

<P>Although it may seem like a naive question, you should ask yourself why you care whether your system is attacked. What are the consequences if someone breaks in? If a cracker breaks in to your system, he may do the following:

<BR></P>

<UL>

<LI>Use system resources (disk space, CPU cycles, network bandwidth) you want for you or other users

<BR>

<BR></LI>

<LI>Deny services to you or other users, either maliciously or because he's using the resources himself

<BR>

<BR></LI>

<LI>Steal valuable information

<BR>

<BR></LI>

<LI>Destroy files, either maliciously or to cover his tracks

<BR>

<BR></LI>

<LI>Use your computers to break in to other sites

<BR>

<BR></LI>

<LI>Cause you to lose staff time (read: money) in tracking him down and putting compromised systems back in order

<BR>

<BR></LI></UL>

<P>You must analyze your own situation and decide how important these consequences are to you. You may have CPU cycles and disk space to spare and no information to protect. You may not really care if other system administrators spit on the ground when they 
hear your name, and therefore decide to run a completely open system. On the other hand, you might lose your job if your company loses a contract because of industrial espionage. Most security needs fall somewhere between these two extremes, but you can 
see that security is a continuum, and you're in the best position to decide your own security requirements.

<BR></P>

<P>All attacks depend on gaining initial access to the computer. You should put yourself in the cracker's shoes and think about how you could attack your own system. Is it used by you alone or by many people? Is it accessible via a phone line, or connected 

to a private or public network? If it's connected to a network, is the network physically secure? Are your computers locked up or in a public site? Where are your backup tapes stored? Can a cracker get access to them, thereby gaining access to your files 
without ever breaking into your computer? If you're responsible for administering a multiuser system, how wise are your users? What will they do if they receive a phone call from the &quot;system administrator&quot; asking for their passwords for 
&quot;special maintenance?&quot;

<BR></P>

<P>These questions cover many&#151;but not all&#151;of the approaches a cracker might use to gain access to your computer or data. The attacks fall into four basic categories: physical security attacks; social engineering attacks; Dumpster-diving attacks; 

and network- and phone-based attacks.

<BR></P>

<P>The point of any attack is to gain access to a legitimate user's account, or to exploit bugs in system programs to get a command shell without actually compromising an account.

<BR></P>

<HR ALIGN=CENTER>

<NOTE>

<IMG SRC="note.gif" WIDTH = 35 HEIGHT = 35><B>NOTE:</B> Computer viruses are programs that attach themselves to other programs and replicate when the infected programs are executed. Some viruses are relatively benign, but some malware can erase or damage 
disk files. Viruses are a big problem in the MS-DOS and Macintosh world because personal computers lack the sophisticated memory and file protection mechanisms of mature operating systems like UNIX.

<BR>

<BR>Although a few theoretical UNIX viruses have been presented in academic journals, to date there have been no widespread outbreaks of UNIX viruses. There are plenty of things to worry about regarding the security of your UNIX system, but viruses are not 

one of them.

<BR></NOTE>

<HR ALIGN=CENTER>

<H4 ALIGN="CENTER">

<CENTER><A ID="I5" NAME="I5">

<FONT SIZE=3><B>Physical Security</B>

<BR></FONT></A></CENTER></H4>

<P>If your computer is locked in a room with a guard who checks IDs at the door, and isn't connected to a network or a phone line, you can skip to the next chapter. Unfortunately, computers are pretty useless when they're sitting in locked rooms, and most 

of them aren't. A cracker who gains physical access to your computer or the network to which it's attached may be able to tap the physical network and snoop legitimate users' passwords or data, reboot the computer with a different version of UNIX, or 
modify values in RAM to gain privileged access.

<BR></P>

<P>The first type of attack is becoming difficult to prevent. Laptop computers now have pocket-size Ethernet cards that plug into PCMCIA slots, and there is free, public-domain software that captures all packets on an Ethernet and saves them on a 
computer's hard disk. A cracker can unplug one of your computers from the Ethernet, attach his laptop, record packets for a while, and analyze them later to find valid login names and passwords. Even worse, if your users log in to remote systems with ftp, 
telnet, or rlogin, the cracker doesn't need access to the physical network at your site&#151;anyplace between your site and the remote one will do. One-time passwords, Kerberos, and encrypting Ethernet hubs can help solve these problems.

<BR></P>

<P>Many workstations have a ROM-monitor mode that is entered by typing a special key combination. This mode suspends the normal operation of UNIX to allow you low-level access to the computer's hardware. It may allow you to reboot the computer or alter 
memory locations and resume running UNIX. 

<BR></P>

<P>If a cracker can boot an operating system of her choice and masquerade as the legitimate computer, she can do any number of bad things. If your workstations have CD-ROMs, floppy disks, or tape drives and can be booted from those devices, the door may be 

open. A cracker who can boot an operating system of his choice while retaining a computer's identity can trick that computer or others on your network into providing illicit access or services.

<BR></P>

<P>A workstation that allows the user to change system memory while in ROM-monitor mode gives a cracker who has gained access to an unprivileged account the chance to promote it to the superuser account by changing the numeric user ID in RAM to 0.

<BR></P>

<P>Most workstations provide a way, such as a password, to prevent users other than the system administrator from entering ROM-monitor mode. Check your system administration manual to ensure that you've enabled whatever ROM-monitor security features are 
available, and avoid buying workstations that allow unrestricted access to this mode.

<BR></P>

<H4 ALIGN="CENTER">

<CENTER><A ID="I6" NAME="I6">

<FONT SIZE=3><B>Social Engineering</B>

<BR></FONT></A></CENTER></H4>

<P>Social engineering is a euphemism for the phenomenon P.T. Barnum had in mind when he said &quot;There's a sucker born every minute.&quot; More kindly, most people are trusting, and that trust can be exploited by system crackers.

<BR></P>

<P>Social engineering might be a seemingly innocuous offer to &quot;help set up your account,&quot; or the gift of a free program that purports to do one thing but does something else (a Trojan horse). Either offer gives the cracker the chance to alter a 
legitimate user's files so he can later gain access to the account. Another popular approach is to send e-mail to naive users, saying that system security has been compromised, and the victim must change her password to one specified by the cracker. 
Calling a legitimate user on the phone, claiming to be the system administrator, and asking for the user's password on a pretext is another example of social engineering. Social engineering approaches shouldn't be taken lightly&#151;they are surprisingly 
effective.

<BR></P>

<P>As you may guess, the best defense against social engineering is user and staff education. Your users should know, for instance, that since you have superuser privileges you never have any reason to ask for their passwords, and that any such request 
should be reported to you immediately. Part of the goal of a security policy (see the section &quot;Security Policies&quot; later in this chapter) is to educate your users.

<BR></P>

<H4 ALIGN="CENTER">

<CENTER><A ID="I7" NAME="I7">

<FONT SIZE=3><B>Dumpster-Diving Attacks</B>

<BR></FONT></A></CENTER></H4>

<P>Rummaging through your company's trash bins may produce good results for a cracker: unlisted modem numbers, lists of valid accounts, passwords, discarded diskettes or tapes, and other helpful information. You may want to review how your organization 
disposes of waste paper, storage media and used computer equipment, and make changes if you feel that crackers can get a helping hand from your discards.

<BR></P>

<H4 ALIGN="CENTER">

<CENTER><A ID="I8" NAME="I8">

<FONT SIZE=3><B>Network- and Phone-Based Attacks</B>

<BR></FONT></A></CENTER></H4>

<P>If your computer system is attached to a network, it is both a more attractive target and easier to crack. Physical access to the computer is no longer necessary, since the cracker can connect with a modem or over the network. If you are connected to the 

Internet (network of networks), your system can be attacked from anyplace in the world.

<BR></P>

<P>Physical network-based attacks like those described earlier in this chapter in the section &quot;Physical Security&quot; are a form of network-based attack. However, physical access to the network is not necessary for network- or phone-based 
attacks&#151;all you need is (legitimate or illegitimate) access to a computer on the Internet, or a terminal and a modem.

<BR></P>

<P>Attacks of this kind fall into two general categories: breaking into a user or system account by guessing its password, and tricking a network server program into giving you information about the system (for instance, the password file) or into 
executing commands to give you access to the computer.

<BR></P>

<P>You can thwart the first attack by ensuring that all system accounts (for example, the ftp account) have strong passwords or are shut off; and by educating, cajoling, and coercing your users into choosing good passwords, or switching to one of the 
one-time password schemes described in the section &quot;User Authentication&quot; later in this chapter.

<BR></P>
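<P>One way to check the first defense, that system accounts such as ftp are either locked or protected by a real password, is to audit the password file. The script below is an added example, not part of the original chapter. It assumes that system accounts are those with a UID below 100, that a password field beginning with * or ! marks a locked account, and that a field of x means the hash is kept in a shadow file this check does not read; the sample entries are constructed.</P>

```shell
#!/bin/sh
# Added example: audit passwd(5)-format lines read from standard input.
# Assumptions: system accounts have UID < 100; "x" in the password field
# means the hash lives in a shadow file that this check does not read.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }        # skip comments and malformed lines
        {
            user = $1; pw = $2; uid = $3; shell = $7
            locked  = (pw ~ /^[*!]/)   # "*" or "!" prefix: no password can match
            nologin = (shell ~ /(nologin|false)$/)
            if (pw == "")
                print "EMPTY_PASSWORD " user
            else if (uid + 0 < 100 && user != "root" && !locked && pw != "x" && !nologin)
                print "SYSTEM_ACCOUNT_LOGIN " user
        }
    '
}

# Constructed sample entries; the hash strings are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
root:Qz8examplehash1:0:1:Operator:/:/bin/sh
daemon:*:1:1::/:
ftp:Ab3examplehash2:14:50:FTP:/home/ftp:/bin/sh
guest::100:100:Guest:/home/guest:/bin/sh
jsmith:Ef7examplehash4:201:20:J Smith:/home/jsmith:/bin/csh
EOF
}

# On a live system, run: audit_passwd < /etc/passwd
sample_passwd | audit_passwd
```

<P>An EMPTY_PASSWORD line means anyone can log in to that account without a password. A SYSTEM_ACCOUNT_LOGIN line marks a system account that accepts a password and has a usable shell, so it should be locked or given a strong password.</P>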

<P>The second attack is harder to stop because it depends on something over which you have little control&#151;the quality of vendor software. Your best defense is to keep abreast of current bugs by joining mailing lists, reading the appropriate USENET 
newsgroups, tracking CERT/CC and other advisories, and taking advantage of any security alerts your vendor may offer. This gives you the information you need to patch problems quickly. The various ways of keeping up with the crackers are explained later in 

this chapter in the section &quot;Finding More Information.&quot;

<BR></P>

<P>You may also want to run public-domain replacements for some vendor software, for instance the public-domain Version 8 sendmail program. (See Chapter 41, &quot;Mail Administration.&quot;) Most public-domain programs come with complete source code, which 

allows you to fix bugs without waiting on the vendor. Further, the authors of public-domain programs are often quicker to fix bugs than vendors.

<BR></P>

<P>Phone-based attacks either attempt to guess passwords, or (if you run it) trick a program like UUCP (UNIX to UNIX File Copy). The first problem is solved by the methods mentioned in the previous paragraph. Dial-back modems help with either attack and 
