.E.4. ld UNDER SOLARIS/X86
--------------------------

Under Solaris 2.4/X86 ld dumps core if given with the -s option.


.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.F.1. BASIC SECURITY PROTECTION
-------------------------------

.F.1.1. INTRODUCTION
--------------------

You can not make your system totally secured against denial of service
attacks but for attacks from the outside you can do a lot. I put this
work list together and hope that it can be of some use. 

.F.1.2. SECURITY PATCHES
------------------------

Always install the proper security patches. As for patch numbers
I don't want to put them out, but that doesn't matter because you
anyway want to check that you have all security patches installed,
so get a list and check! Also note that patches change over time and
that a solution suggested in security bulletins (i.e. CERT) often
is somewhat temporary.

.F.1.3. PORT SCANNING
---------------------

Check which services you have. Don't check with the manual
or some configuration file, instead scan the ports with sprobe
or some other port scanner. Actual you should do this regualy to see
that anyone don't have installed a service that you don't want on
the system (could for example be service used for a pirate site).

Disable every service that you don't need, could for example be rexd,
fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen,
tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime
and chargen is possible to get to loop. There is however no need
to turn discard off. The discard service will just read a packet
and discard it, so if you turn off it you will get more sensitive to
denial of service and not the opposite.

Actual can services be found on many systems that can be used for
denial of service and brute force hacking without any logging. For
example Stock rexec never logs anything. Most popd:s also don't log 
anything

.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
---------------------------------------------------------

Check that attacks described in this paper and look at the
solution. Some attacks you should perform yourself to see if they
apply to your system, for example:

	- Freezing up X-Windows.
	- Malicious use of telnet.
	- How to disable services.
	- SunOS kernel panic.
	- Attacking with lynx clients.
	- Crashing systems with ping from Windows 95 machines.
	
That is stress test your system with several services and look at
the effect.

Note that Solaris 2.4 and later have a limit on the number of ICMP
error messages (1 per 500 ms I think) that can cause problems then
you test your system for some of the holes described in this paper.
But you can easy solve this problem by executing this line:

$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0
                                                            
.F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
--------------------------------------------------------

Check the inside attacks, although it is always possibly to crash
the system from the inside you don't want it to be to easy. Also
have several of the attacks applications besides denial of service,
for example:

	- Crashing the X-Server: 	If stickybit is not set in /tmp
					a number of attacks to gain
					access can be performed.

	- Using resolv_host_conf:	Could be used to expose
					confidential data like
					/etc/shadow.

	- Core dumped under wuftpd:	Could be used to extract
					password-strings.

If I don't have put out a solution I might have recommended son other paper.
If not I don't know of a paper with a solution I feel that I can recommend.
You should in these causes check with your company.

.F.1.6. EXTRA SECURITY SYSTEMS
------------------------------

Also think about if you should install some extra security systems.
The basic that you always should install is a logdaemon  and a wrapper.
A firewall could also be very good, but expensive. Free tools that can
be found on the Internet is for example:

TYPE:		NAME:		URL:

LOGDAEMON	NETLOG		ftp://net.tamu.edu/pub/security/TAMU
WRAPPER		TCP WRAPPERS	ftp://cert.org/pub/tools/tcp_wrappers
FIREWALL	TIS 		ftp://ftp.tis.com/pub/firewalls/toolkit

Note that you should be very careful if building your own firewall with
TIS or you might open up new and very bad security holes, but it is a very
good security packer if you have some basic knowledge.

It is also very good to replace services that you need, for example telnet,
rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be
found at URL: 

	ftp://ftp.cs.hut.fi/pub/ssh

The addresses I have put out are the central sites for distributing
and I don't think that you should use any other except for CERT.

For a long list on free general security tools I recommend:
"FAQ: Computer Security Frequently Asked Questions".

.F.1.7. MONITORING SECURITY
---------------------------

Also monitor security regular, for example through examining system log
files, history files... Even in a system without any extra security systems
could several tools be found for monitoring, for example: 

	- uptime
	- showmount
	- ps
	- netstat
	- finger

(see the man text for more information).

.F.1.8. KEEPING UP TO DATE
--------------------------

It is very important to keep up to date with security problems. Also 
understand that then, for example CERT, warns for something it has often
been dark-side public for sometime, so don't wait. The following resources
that helps you keeping up to date can for example be found on the Internet:

	- CERT mailing list. Send an e-mail to cert@cert.org to be placed
	on the list.
	
	- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.

	- WWW-security mailing list. Send an e-mail to 
	www-security@ns2.rutgers.edu.

.F.1.9. READ SOMETHING BIGGER AND BETTER
----------------------------------------

Let's start with papers on the Internet. I am sorry to say that it is not
very many good free papers that can be found, but here is a small collection
and I am sorry if have have over looked a paper.

(1) The Rainbow books is a long series of free books on computer security.
US citizens can get the books from:

	INFOSEC AWARENESS OFFICE
	National Computer Security Center
	9800 Savage Road
	Fort George G. Meader, MD 20755-600

We other just have to read the papers on the World Wide Web. Every
paper can not however be found on the Internet.

(2) "Improving the security of your Unix system" by Curry  is also very
nice if you need the very basic things. If you don't now anything about
computer security you can't find a better start. 

(3) "The WWW security FAQ" by Stein is although it deal with W3-security
the very best better on the Internet about computer security.

(4) CERT have aklso published several good papers, for example:

	- Anonymous FTP Abuses.
	- Email Bombing and Spamming.
	- Spoofed/Forged Email.
	- Protecting yourself from password file attacks.

I think however that the last paper have overlooked several things.

(5) For a long list on papers I can recommend:
"FAQ: Computer Security Frequently Asked Questions".

(6) Also see section ".G. SUGGESTED READING"

You should also get some big good commercial book, but I don't want
to recommend any.

.F.2. MONITORING PERFORMANCE
----------------------------

.F.2.1. INTRODUCTION
--------------------

There is several commands and services that can be used for
monitoring performance. And at least two good free programs can
be found on Internet.

.F.2.2. COMMANDS AND SERVICES
-----------------------------

For more information read the man text.
 
netstat		Show network status.
nfsstat		Show NFS statistics.
sar		System activity reporter.
vmstat		Report virtual memory statistics.
timex		Time a command, report process data and system
		activity.
time 		Time a simple command.
truss		Trace system calls and signals.
uptime		Show how long the system has been up.

Note that if a public netstat server can be found you might be able
to use netstat from the outside. netstat can also give information
like tcp sequence numbers and much more.

.F.2.3. PROGRAMS
----------------

Proctool: Proctool is a freely available tool for Solaris that monitors
and controls processes.
	ftp://opcom.sun.ca/pub/binaries/
	
Top: Top might be a more simple program than Proctool, but is
good enough.

.F.2.4. ACCOUNTING
------------------

To monitor performance you have to collect information over a long 
period of time. All Unix systems have some sort of accounting logs
to identify how much CPU time, memory each program uses. You should
check your manual to see how to set this up.

You could also invent your own account system by using crontab and
a script with the commands you want to run. Let crontab run the script
every day and compare the information once a week. You could for
example let the script run the following commands:

	- netstat
	- iostat -D
	- vmstat


.G. SUGGESTED READING
~~~~~~~~~~~~~~~~~~~~~

.F.1. INFORMATION FOR DEEPER KNOWLEDGE
-------------------------------------

(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol, RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol, RFC 951, 1985.

Many of the papers in this category was RFC-papers. A RFC-paper
is a paper that describes a protocol. The letters RCS stands for
Request For Comment. Hosts on the Internet are expected to understand
at least the common ones. If you want to learn more about a protocol
it is always good to read the proper RFC. You can find a nice sRFC 
index search form at URL:

	http://pubweb.nexor.co.uk/public/rfc/index/rfc.html

.F.2. KEEPING UP TO DATE INFORMATION
------------------------------------

(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
(2) Bugtraq mailinglist. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailinglist. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from: 		- comp.security.announce
					- comp.security.unix
					- comp.security.firewalls
(6) Varius 40Hex Issues.

.F.3. BASIC INFORMATION
-----------------------

(1) Husman, H. INTRODUKTION TILL DATAS腒ERHET UNDER X-WINDOWS, 1995.
(2) Husman, H. INTRODUKTION TILL IP-SPOOFING, 1995.
(3) The following rainbow books:	- Teal Green Book (Glossary of
					Computer Security Terms).
					- Bright Orange Book( A Guide
					to Understanding Security Testing
					and Test Documentation in Trusted
					Systems).
					- C1 Technical Report-001 
					(Computer Viruses: Preventation,
					Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SP臨A ODOKUMENTERADE S腒ERHETSLUCKOR, 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark.D. Hostile Applets on the Horizone, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.

.H. COPYRIHT
------------

This paper is Copyright (c) 1996 by Hans Husman.

Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for
permission.

.I. DISCLAIMER
--------------

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.