Security

Bill Moss
July 2001

Security is not simply a matter of protecting your own system. If your system is compromised, it may be used to compromise any system to which you have access. These remarks pertain to laptops, desktops, and workstations in public and private labs, dorm rooms, and offices. The information presented here is adapted from [Toxen].

Physical Security

Log off and lock up. A laptop is vulnerable to being stolen; when it is not locked up, don't let it out of your sight. Between work sessions, either log off or shut down. If a cracker comes across an unattended system and you are still logged on, you have left an open invitation for your system to be compromised. This is also a good reason to avoid storing passwords on your system: if an application asks whether you want to save a password, just say NO!

Passwords

Consider the following scenario. Your password is a dictionary word or a common name. You use it on all your accounts at the university and on the internet. One of your internet accounts is cracked and the cracker then figures out that you are at Clemson. He tries your username and password on several Clemson systems and gets into one of them. He can now use this access to attack other Clemson systems. Here are some recommendations.

Use different passwords for your Clemson account, your college Sun account, and internet accounts. It may be OK to have a weak password in an internet account if you don't have much to lose, but don't use that same weak password on your Clemson accounts. None of your passwords should match any of the following:

Pick two or even three unrelated words, add in at least two nonalphanumeric characters such as punctuation or control characters, and capitalize one or more letters in the words other than the first letter of each word. For example, "votE\z0rO" is a good password. Note that the default password encryption algorithm on Unix systems (DES) only looks at the first eight characters of the password, so "buffaloe;nAVy" is a poor password and would be cracked in a heartbeat. The following make good passwords:

Your password should be memorized and not written down. A password that is used for a high security application should not also be used as the password for a low-security application nor should it be used in another unrelated high-security application. A high-security application would be where money or very confidential information is handled. A low-security application is where your password might not be protected or might be sniffed, such as registration for an online public information service, chat room, telnet over unsecured lines, or access to a public terminal.

Open Network Ports

Every network service is a potential path into your system for a cracker. Your best bet is to turn off services that you don't need. As root, the command "netstat -atuvp" will list the services that are running and the corresponding open ports. The port scanner "nmap" (which you can load from the Red Hat 7.1 Power Tools disk created when you set up dual boot) can give you this information and more. Nmap is often used by crackers. Use the command "nmap my_ip_address" to see the services and open ports. After setting up dual boot, I loaded nmap and did a scan. I found the service sunrpc listening on tcp port 111 and X listening on tcp port 6000.

To remove sunrpc, you have to remove the portmap service. On most systems the portmap service is used only for NFS. Since I do not plan to use NFS, I turned portmap off. Using the command "ps -e", I also noticed that the daemon nfslockd was running. I turned it off too, again since I do not plan to use NFS. Here are the commands I used as root in a terminal window to kill and remove portmap and nfslock:

/etc/rc.d/init.d/portmap stop
/etc/rc.d/init.d/nfslock stop
chkconfig --level 345 portmap off
chkconfig --level 345 nfslock off

The first two commands stop the running services and the last two keep them from being started at boot in run levels 3, 4, and 5.

You need X running on your laptop to be able to use GNOME or KDE and to be able to run local and remote X clients. If a remote X client displays back on your laptop, port 6000 on your laptop is used. An open port 6000 can be exploited to capture your keystrokes and your screen, because this information is not encrypted. A more secure approach is to tell the X server not to listen on port 6000 and to tunnel X through ssh. Here are the steps to execute as root:

cd /etc/X11/xdm
cp Xservers Xserver_orig
chmod 644 Xservers
Edit Xservers and change ":0 local /usr/X11R6/bin/X" to ":0 local /usr/X11R6/bin/X -nolisten tcp"
chmod 444 Xservers
cd ../gdm
cp gdm.conf gdm_orig.conf
Edit gdm.conf and change "0=/usr/bin/X11/X" to "0=/usr/bin/X11/X -nolisten tcp"

To run a remote X client and display on your laptop, ssh to the remote machine and start the X client in the background. Ssh will automatically take care of setting the DISPLAY environment variable and X authentication. One caveat: make sure that your login script on the remote machine does not set the DISPLAY environment variable. If it does, you could end up with an unencrypted connection.
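The following audit script is an added example, not part of the original article: it parses "netstat -atn" style output and flags the two listening ports found above (111 for sunrpc and 6000 for X), so you can confirm that turning off portmap and adding "-nolisten tcp" actually closed them. The sample netstat lines are constructed.

```shell
# Added example: audit netstat output for the listening TCP ports the article
# discusses. Sample lines below are constructed, not real captures.

# Print the local port of every TCP socket in LISTEN state, one per line.
# Field 4 is "addr:port"; take the text after the last colon (IPv6-safe).
listening_tcp_ports() {
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Map a port number to the service the article names; empty if not risky.
risky_port_name() {
    case "$1" in
        111)  echo "sunrpc (portmap): chkconfig it off unless you need NFS" ;;
        6000) echo "X11: run X with -nolisten tcp and tunnel through ssh" ;;
        *)    echo "" ;;
    esac
}

# Read netstat output on stdin, warn once per risky port, and return the
# number of risky ports found (0 means the audit passed).
audit_ports() {
    count=0
    for port in $(listening_tcp_ports); do
        name=$(risky_port_name "$port")
        if [ -n "$name" ]; then
            echo "WARNING: port $port open: $name"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Constructed sample: before hardening, portmap and X listen on all interfaces.
BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1024          127.0.0.1:22            ESTABLISHED'

# Constructed sample: after "chkconfig ... portmap off" and "-nolisten tcp".
AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Live use as root:  netstat -atn | audit_ports
```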

Old Software Versions

New Linux vulnerabilities are being found monthly, but they are fixed quickly. Red Hat publishes the errata through its Red Hat Network. Follow the instructions in Keeping Your System Up-to-date. It is your job to keep up with the changes on your system; it only takes a few minutes a week in most cases. While you are at it, people with dual boot systems should also update their Norton AntiVirus. New virus definition files are now coming out almost weekly. If you let a hard-disk-eating virus into your Windows system, it can destroy everything on your hard drive, including Linux.

SSH, SFTP

The dual boot C600 has ssh and sftp clients for both Windows 2000 and Red Hat Linux 7.1. The ssh client is an application for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. The sftp client is an interactive file transfer program similar to ftp, which performs all operations over an encrypted ssh transport. You can now connect to college Sun workstations and hubcap using ssh or sftp. Use rlogin, telnet, or ftp to connect to on- or off-campus systems only when ssh is not supported, and only as a last resort.

Firewalls

It is fairly common these days to find multiple systems in a home. With the newer types of internet connections that are constantly on, home systems are more vulnerable than ever before. A cracked home system is often a pathway into university systems. Consider setting up a home system as a gateway for a home network. A common scenario is to use a PC with both modem and network cards running Red Hat Linux 7.1. Set your gateway up to dial your ISP on boot. Use the gateway network card and a hub to define a private home network and use IP addresses in the range 192.168.0.1 -- 192.168.0.255. Create a firewall using ipchains, with IP masquerading turned on, so that all your home network systems have internet access. Craig Zeller has adapted a firewall script due to Robert Ziegler [Ziegler] which can be found at

http://www.zdi.net/Linux/firewalls.html

Following [Toxen], I have modified the Zeller script so that the IP address assigned by my ISP is set before the firewall is started. At boot the steps are deny all access, dialout and get an IP address, start the firewall. For more details contact Bill Moss (bmoss@clemson.edu).
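As an added illustration of the boot order just described (deny all, dial out and learn the ISP-assigned address, then start the firewall), here is a small set of shell functions; it is not the Zeller/Ziegler script and not the author's modification of it. The rules are printed as ipchains commands rather than run, so they can be reviewed and then piped into sh on the gateway; the interface names ppp0 and eth0 and the ifconfig text are assumptions/constructed.

```shell
# Added example (not the Zeller/Ziegler script): emit ipchains commands for a
# home gateway in the order the article describes. Interface names assumed.

# Step 1: before the link is up, flush and deny everything on every chain.
lockdown_rules() {
    printf 'ipchains -F\n'
    printf 'ipchains -P input DENY\nipchains -P output DENY\nipchains -P forward DENY\n'
}

# Step 2: after dialout, read the ISP-assigned address from "ifconfig ppp0"
# output given on stdin (net-tools format, as on Red Hat 7.1).
ppp_ip_from_ifconfig() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Step 3: gateway rules. $1 = external interface, $2 = its address,
# $3 = LAN interface. The home LAN is 192.168.0.0/24 as in the article.
gateway_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; lan=192.168.0.0/24
    lockdown_rules
    echo "ipchains -A input -i lo -j ACCEPT"           # loopback is trusted
    echo "ipchains -A output -i lo -j ACCEPT"
    echo "ipchains -A input -i $int_if -s $lan -j ACCEPT"   # private LAN side
    echo "ipchains -A output -i $int_if -d $lan -j ACCEPT"
    # Anti-spoofing: LAN or our own address arriving from the ISP side is logged (-l) and dropped.
    echo "ipchains -A input -i $ext_if -s $lan -j DENY -l"
    echo "ipchains -A input -i $ext_if -s $ext_ip -j DENY -l"
    # Refuse new inbound TCP connections from the internet (-y matches SYN only);
    # replies to connections the LAN opened still get through.
    echo "ipchains -A input -i $ext_if -p tcp -y -j DENY -l"
    echo "ipchains -A input -i $ext_if -d $ext_ip -j ACCEPT"
    echo "ipchains -A output -i $ext_if -s $ext_ip -j ACCEPT"
    # Masquerade LAN traffic so every home system has internet access.
    echo "ipchains -A forward -i $ext_if -s $lan -j MASQ"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Constructed "ifconfig ppp0" output; 203.0.113.42 is a documentation address.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.42  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# Boot-time use on the gateway (eth0 = LAN card, ppp0 = modem link):
#   lockdown_rules | sh; ifup ppp0
#   gateway_rules ppp0 "$(ifconfig ppp0 | ppp_ip_from_ifconfig)" eth0 | sh
```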

References

Toxen, Bob, Real World Linux Security, Prentice Hall, 2001.

Ziegler, Robert L., Linux Firewalls, New Riders Publishing, 1999.