Unix Security (original) (raw)

Versión en castellano Versió en català

[Unix System Programming] [Cryptology] [Humour] [HOME]

"The bad reputation Unix has gotten is totally undeserved, laid on by people who don't understand, who have not gotten in there and tried anything."

Jim Joyce, owner of Jim Joyce's Unix Bookstore

PAPERS * Dennis M. Ritchie: On the Security of Unix.
Maybe the first paper about Unix security, written by one of its designers. Here he comments some of the most basics sides of system security: setuid and setgid bits, internal DoS, etc. DOWNLOAD. * Walter Belgers: UNIX Password Security.
In this article they analize the significance of an acceptable password for all the system's security; also they talk about the Unix cipher mechanism, and also it's described how an attacker can "discover" a password. DOWNLOAD. * Robert Morris, Ken Thompson: Password Security: A Case History.
Morris and Thompson (two of the most important names on Unix history) describe here the design the password crypt() mechanism, its first faults, its improvements...DOWNLOAD. * David Feldmeier, Philip Karn: UNIX Password Security: Ten Years Later.
Ten years after the publication of the last paper (this was from 1979) they reexamine the vulnerabilities at the authentication mechanism of every Unix system. Times have changed and with new technology faster attacks can be done. So here they present some solutions to this vulnerabilitie.DOWNLOAD. * Barton P. Miller, Lars Fredriksen, Bryan So: An Empirical Study of the Realiability of Unix Utilities.
A study about fiability and estability of some common Unix tools. Authors arrive to surprising conclusions: the third part of tested tools failed. Fortunately, it has rained a lot since then (1989), and nowadays most Unices can be considered stable.DOWNLOAD. * Barton P. Miller, David Koski, Cjin Pheow Lee, Vivekananda Maganty, Ravi Murthy, Ajitkumar Natarajan, Jeff Steidl: Fuzz Revisited: A Re-examination of the Reliability of Unix Utilities and Services.
On 1995, Barton P. Miller, one of the authors of the previous paper, re-examine the reliability of Unix tools with another group of researchers. A large improvement has been done, but the most strange result is this: the most reliable Unix system is Linux Slackware, a free Unix clone that runs on some platforms (i386 and SPARC between them), and which has been developed by programmers from all around the world, without a big company with them, and with Linus Torvalds as their leader. DOWNLOAD. * Nathan P. Smith: Stack Smashing Vulnerabilities in the Unix Operating System.
Here they present and analize the vulnerabilities of Unix OS based upon the posibility of executing stack code (on Intel x86 and compatibles). This is one of the most importants Unix security faults, because an error on the source code of a process that runs with root privileges becomes on the posibility of a privileged access. DOWNLOAD. * Matt Bishop: Race Conditions, Files and Security Flaws; or the Tortoise and the Hare Redux.
In this paper Matt Bishop studies other of the most common Unix attacks: race conditions. This study is done from real examples (passwd, binmail...), and finally some solutions are proposed. DOWNLOAD. * Matt Bishop, Michael Dilger: Checking for Race Conditions in File Accesses.
Continuing with race conditions attacks on the Unix OS, in this paper they study mechanisms that allow the detection of these failures when accessing files. DOWNLOAD. * Eugen Mate Bacic: UNIX & Security.
In this paper they discuss the usual Unix security measures: passwords, DAC (Discretionary Access Controls), auditing tools... Also they speak about the classification of some Unix systems by the Orange Book, from USA Dod, and the characteristics of these systems. DOWNLOAD. * Robert T. Morris: A Weakness in the 4.2BSD Unix TCP/IP Software.
Maybe the first paper where the well known IP Spoofing attack is described. They speak about the mechanism which allows an untrusted host to appear like a trusted one, and access this way to certain restricted services. DOWNLOAD. * Matt Bishop: How to write a SetUID program.
Matt Bishop analices in this paper the problems derived from the existence of setuid programs in Unix systems. He shows the potential attacks to these programs, and also the basic rules to write some of them.DOWNLOAD. * David A. Curry: Improving the Security of your Unix System.
One of the classical articles when talking about Unix Security. Here the author makes an exhaustive analysis of the threads to the system, the protection mechanisms offered by Unix, the rules when offering network services, etc.DOWNLOAD. * Geoff Morrison: UNIX Security Tools.
Here the author analizes the most common Unix security tools. He classifies them into three different groups: system tools (to prevent internal attacks), network tools (to prevent external ones) and, at last, other group of tools.DOWNLOAD. * Robert B. Reinhardt: An Architectural Overview of Unix Network Security.
In this article its author presents a model of security architecture in Unix, based upon the Network connection model (ISO/OSI layer structure).DOWNLOAD. * Bill Cheswick: An Evening with Berferd, in which a Cracker is Lured, Endured and Studied.
In this classical by B. Cheswick (a revisited version appears in Firewalls and Internet Security, by Cheswick and Bellovin), the author describes the real history of a cracker knocking at AT&T; gateway in 1991. He analizes the cracker's activities, methods and failures when trying to access the gateway. DOWNLOAD. * Matt Bishop: A Taxonomy of Unix System and Network Vulnerabilities.
Matt Bishop describes here some Unix weakneses, how to detect them at our machine to prevent crackers, and, of course, how to erradicate those failures in the system. He analizes, between others, the Thompson's trojan for the_login_ program, some race conditions, network daemons failures, IP Spoofing, etc. DOWNLOAD. * Landwehr, Bull, McDermott, Choi: A Taxonomy of Computer Program Security Flaws, with Examples.
One of the bests papers (and most complete) between all of those which try to establish a taxonomy of system vulnerabilities. In this article's appendix they present, classified by its system, some examples of insecurities and its classification into this taxonomy. The Unix section is excellent.DOWNLOAD. * Steven M. Bellovin: There Be Dragons.
This article, a real classical, shows the attacks to the AT&T; gateway by crackers from all around the world. Tools used to attack, detected attacks, tools used to defend the system... DOWNLOAD. * Matt Blaze, John Ioannidis: The Architecture and Implementation of Network-Layer Security under Unix.
In this paper the authors shows the design, philosophy and functionality of swIPe, an IP layer security protocol. swIPe is fully compatible with the current protocol, but it offers authentication, integrity and confidentiality for IP datagrams.DOWNLOAD. * Fuat Baran, Howard Kaye, Margarita Suarez: Security Breaches: Five Recent Incidents at Columbia University.
In 1990, Columbia University (USA) suffered various attacks on its Unix machines. In this paper they are described (some of them against password files from some machines), as well as the security measures token. DOWNLOAD. * Dan Farmer, Wietse Venema: Improving the Security of your site by breaking into it.
In this Unix security classical, Dan Farmer and Wietse Venema show the potential activities of an intruder in our Unix system. Here is where first appeared the uebercracker term, so used since then.DOWNLOAD. * Matt Bishop: Proactive Password Checking.
In this chapter the author analizes the suitable passwords Unix problem, and some possible solution with programs like npasswd or passwd+. Both of them (see the Software section) are analized and compared to see how they solve the weak passwords problem.DOWNLOAD. * Steven M. Bellovin, Michael Merritt: Limitations of the Kerberos Authentication System.
Here Bellovin and Merrit analize and give solution to some weaknesses seen on the Kerberos authentication system (MIT, Athena Project).DOWNLOAD. * Steve Simmons: Life Without Root.
In this article the author studies the problem of doing certain administration activities as root. The accesses as administrator to the system have to be reduced, because of security, and here it's described how to make some tasks without the need of total privileges, but with the use of dedicated system users. DOWNLOAD. * Bob Vickers: Guide to Safe X.
Tipically the graphical Unix system, X Window, has been considerated unsecure. In this paper that insecurity is studied, as well as how to prevent it by using access controls on the X server side. DOWNLOAD. * Dave Wreski: Linux Security Administrator's Guide.
A very good handbook to improve the security of our Linux system. Dave Wreski explains here the filesystem security mechanisms, passwords, Cryptography...DOWNLOAD. * Eugene Spafford: Unix and Security: The influence of History.
In spite that usually Unix has been considered an insecure OS, or at least a very dificult to protect one, Spafford shows here that that's not true, giving ideas to increase the security of the system from errors made along the history of Unix and its development. DOWNLOAD. * Daniel V. Klein: "Foiling the cracker": A survey of, and improvements to, password security.
In this classical paper, it's shown the brute-force attack to password files by using dictionaries, and how a weak password can compromise the entire system. As a solution, the use of a proactive password checker is proposed. DOWNLOAD.

NEWSGROUPS * comp.security.unix * comp.unix.admin * comp.admin.policy * comp.protocols.kerberos * comp.protocols.tcp-ip * alt.security

SOFTWARE AND TOOLS

[NOTE]: Most of the links presented here to get the software mentioned, point directly to the main distribution server or some mirror, but not to our server. In this way, we try to guarantee that the version accessed will be always the latest (apart from saving space in our hard disks :-)) * TCP Wrappers
Without any doubt this is the most used Unix security tool. TCP Wrapper allows us to monitor and filter connexions to different network services (served by_inetd_, like telnet, ssh, ftp or sendmail), so we can in this way deny the access to some addresses or to some machines than don't match an specific condition.DOWNLOAD. * Portmapper
This is a tool very similar to the previous one, but to manage services offerend by portmapper (such as NFS or Yellow Pages). It gives also access control, like TCP Wrappers, but its use is not so common because it has been displaced by standard Unix portmappers, which include now more security measures than this tool does. DOWNLOAD. * Crack
Crack is one of the tools whose appearing generated more controversy in Unix security world. It's a powerful password guessing program that allows every administrator verify that his/her users' passwords are good, by examining the /etc/passwd file of a Unix system and by using dictionaries as a guide to break poor passwords (click here to get some dictionaries).DOWNLOAD. * lsof (List Open Files)
lsof is a program that will allow us to improve the security of our system by looking for open file descriptors; in this way we will be able to locate listening sockets, processes that write into a file, files opened by a process (very important while trying to detect sniffers), etc.DOWNLOAD. * TCFS (Transparent Cryptographic File System)
TCFS is a file system which includes data encryption. In a way very similar to NFS, it offers the posibility of maintaining encrypted files in a unit, and also increases the security in the network communication between clients and the file server: all data goes encrypted, which makes TCFS very advisable for distributed systems. TCFS works at kernel layer, so it's supposed to be more secure and faster than Matt Blaze's CFS, which is presented now: DOWNLOAD. * CFS (Cryptographic File System)
CFS is an encrypted file system which works at user layer. It works as an interface to many standard Unix file systems, including NFS (data NEVER goes through the network or is stored at disk in clear text).DOWNLOAD LOCAL. * SANTA (Secure Analysis Network Tool for Administrators)
SANTA is a security scanner for networked Unix systems which generates databases with the bugs found. In spite that it maybe is nowadays a bit outdated, depending out of the version and Unix clone we are managing it can be useful. This is another one of the tools whose publication caused a big problem in people that still defend the Security through Obscurity_philosophy, which has been proved unuseful many years ago but which still has a lot of fans.DOWNLOAD. * Tripwire
Tripwire is an integrity tool for files and directories, very useful to prevent the trojan injection between our system's executable files. It uses a digital signature algorithm (usually with MD5 and Snefru hash functions) to do that. If we execute Tripwire in our system, it's VERY advisable to keep the executable file and the generated logs in a read-only file system, to prevent the modification of both of them (because that will make unuseful ALL the logs generated by Tripwire).DOWNLOAD. * Strobe
This program is a port scanner that works on most Unix systems. It can be very useful to verify which network services do we have listening and accepting connections in our system, and so we can reduce this number to the minimal required. DOWNLOAD. * SSH (Secure Shell)
SSH is an application that allow us to connect to a remote host, to execute commands remotely, or to do a file transfer between systems, all by using secure communications and cryptographical authentication. We can serve it just like an independant daemon or by tcpd, so we can filter the requests to its port by using TCP Wrappers. DOWNLOAD. * COPS (Computer Oracle and Password System)
COPS is a large collection of Unix security tools (maybe a bit outdated, but sometimes useful) that allows us to automatice task usually done manually (just as verifying acceptable passwords, restricting NFS file systems, looking for "+" in /etc/host.equiv...). Potential weaknesses of our systems are logged and stored on disks, or e-mailed, but NEVER corrected: that's not COPS' goal, but other programs' one that every system administrator has to know. DOWNLOAD. * TCPdump
TCPdump is a tool to analize our network's traffic. It prints the headers of packets that go through a network interface and that are compliant with some characteristics (like a protocol, packets to some address, to some port...).DOWNLOAD. * TIGER
This is a tool composed by some programs that allows us to audit the security of our system (mainly those bugs that can compromise root security, such as a daemon bug). It also uses digital signature systems to detect the unauthorized modification of binary files.DOWNLOAD. * Sniffit & TOD
Sniffit is a network monitoring tool and a sniffer that works on some Unix systems. It offers the system administrator detailed information about all the traffic that goes through his/her system, and also the possibility to stop this traffic by using TOD (Touch of Dead), that is, to close the connections that go through his/her machine.DOWNLOAD. * SSL (Secure Socket Layer)
SSL is a cryptographic librarie that allows us to add cipher system (DES, IDEA, RC4...) to some standard network applications such as telnet, ftp or http. In this way we can increase our system's and communication's security, avoiding an attacker's potential monitoring. From this link you can access both to the libraries and to some applications that include SSL. DOWNLOAD. * ICMPInfo
This is a tool that logs the ICMP packets received by our system so we can log attacks (or tryings) based on some kind of those packets, such as ICMP_ECHO_REQUEST or ICMP_REDIRECT. We have to be careful if we use a very verbose mode, because apart from the fact that this program will generate a long log file, system load will increase fastly because of the logging work.DOWNLOAD. * ARPWatch
ARPWatch is a tool used to verify the correspondence between IP and HW addresses pairs. In case a pair changes (that is, it's listened in our machine network interface), ARPWatch sends a mail to the root, notifying this fact. It's also useful to notify the appearance of new stations or an ARP retransmission from stations that were powered down for a long time; in this way, we can use it to detect some kind of attacks, such as IP Spoofing.DOWNLOAD. * Secure Linux
This packet is formed by a collection of patches that will increase the Linux kernel security. It's very useful to prevent common attacks such as buffer overflow, or certain race conditions based upon the file generation on /tmp. An updated version, for kernels 2.0.X, can be found here:DOWNLOAD. * Argus
Argus is a network analyzer specially designed for networks with a big packets traffic. Its powerful historic (saved information) allows us to detect network problems, new services, blocked traffic by a router, scans from a potentially atacker... in a fast and efective way.DOWNLOAD. * IP Filter
This is a tool to filter packets in Unix stations that are working as routers (a kind of firewall). It allows to filter incoming or outgoing packets, in function of their protocol, destination or source address, etc. DOWNLOAD. * Npasswd
Npasswd is a tool that replaces the passwd command of a usual Unix system. It's advisable for our system because it will make mandatory for our users to pick good passwords (not on dictionaries, not joes, eojs, not very short passwords...). Npasswd can work together with NIS or C2 security level (Shadow Password).DOWNLOAD. * Passwd+
Passwd+ is a very similar tool to the last one. Its main goal (in spite it has many others, see the manuals) is to avoid the users to pick poor passwords. It doesn't work with NIS or in C2 systems.DOWNLOAD. * ISS (Internet Security Scanner)
ISS is a system that allows the scanning of computer networks, looking for different vulnerabilities in the hosts (maybe, today they are outdated). The program, on a specific IP range, looks for security bugs, such as default passwords in different OSes, NFS partitions with public access, the typical_sendmail problems, etc.DOWNLOAD. * Trinux
Trinux is a Linux distribution in two diskettes which runs completely in RAM memory. It has all the tools to analize the network traffic and to detect many problems, so it's very useful and advisable at some situations. DOWNLOAD. * NFSWatch
This program is used to analize NFS packets in our subnetwork. It's useful to determine the NFS traffic kind, machines trying to access a server, users accessing to the file system, etc. DOWNLOAD. * S/KEY
S/Key is a mechanism which implements One Time Password (the most extreme case of Aging Password, where a password can only be used once), avoiding in this way the dangers derived from a password capture by a cracker.DOWNLOAD. * Netlog
Netlog is a TCP and UDP traffic analyzer, very useful to monitor our network's usage (in Real Time, with NetWatch, or generating log files, with tcp/udplogger).DOWNLOAD. * DTK
Deception ToolKit is a powerfull tool that listens requests to our network subsystem and answers them which false information, so the potential intruder may think that our system is full of bugs. In this way, and with help from the monitorization and logs system of DTK, we can get many information about our attackers, as well as gain time if we want to trace the attack.DOWNLOAD. * Linux Audit Daemon
This software increases the power of the usual Linux audit system, which doesn't store some important data. It's formed mainly by a kernel patch and a daemon (/sbin/auditd) which sends to log files all the data to save. HIGHLY advisable. DOWNLOAD. * NMAP
NMAP is a port scanner, that allows us checking the systems that are up in our network and which services are they offering. But also allows remote OS detection using fingerprinting (such as software like CheckOS or QueSO do), stealth scanning, parallel scanning, and a large number of features that other scanners don't have. Specially advisable if you are managing a subnetwork, to check remotely some aspects of your hosts' security. DOWNLOAD. * Titan
A great collection of programs to increase the security of our Unix system (now only SunOS or Solaris, but soon we hope we can use Titan in other Unices) written by well-known security experts (Muffett, Dik, Venema and Safford). Titan is formed by little shellscripts which solve generic security problems, such as the existence of lp accounts with a valid shell. Authors insist on the fact that Titan doesn't replace any security software, but only it solve those generic problems and makes the installation and configuration of Unix systems easier to administrators.DOWNLOAD. * chrootuid
This daemon, designed by Wietse Venema, executes some network services (http, gopher...) with the lowest privilege level, as well as with a restricted access to the filesystem (by using chroot()). This is mandatory to reduce the impact of a potential attack.DOWNLOAD. * SWatch
This is a useful program to monitor our system logs and take actions (just like send a mail to the admin) when suspicious activities are detected.DOWNLOAD.

LINKS * Unix General Security Tools
Unix Security Software, from CIAC (Computer Incident Advisory Capability). * Unix Security Tools
An excellent collection of Unix security tools, classified by application area, from NIST (National Institute of Standards and Technology). * Unix Security Tools
Another large collection of Unix security software. * Unix Security Information.
Software, papers, handbooks... about Unix security. * FIRST Security Papers
FIRST's papers about computer security. * COAST
Without any doubt, COAST (Computer Operations, Audit and Security Tools), is the best reference point when looking for any paper about computer security, or for any took we need to make or system more secure. * Digicrime
Some from the most important people of computer security world made Digicrime Inc., a "company" that sells, always in a funny way, security services for Unix systems and networks. It's the best place to spend a good time and see how they ridiculize the Script Kiddies. * USENIX
Usenix main page, an international organization for system managers, programmers, engineers, computer scientist... related in one or other way to Unix (or, best said, to OSes, languages... in general). In these pages we can find papers, publications, or information about conferences related to computer and Unix security, such as USENIX Security Symposium or USENIX Workshop on Intrusion Detection and Network Monitoring. * Unix Reference Desk
Pages related to general Unix (of course, also to its security). Here we can find from software to books, and also things like text processing usin TeX. * COAST Hotlinks
COAST links page, related to every matter about computer security (of course, a large number of those links are related to Unix). We can find here from very interesting software to WinNT security (?) handbooks, apart from firewalls or Cryptography. * University of Queensland
On these excellent pages from Queensland University, dedicated to Unix security, we can find from links to software, apart from a useful classification of vulnerabilities in function of the Unix clone affected. * Root Shell
Maybe RootShell is the page that every administrator has to watch daily to be informed about potential problems with his/her software or hardware. An excellent reference to find the potential exploits that can work on our system, sometimes BEFORE they are commented on BUGTRAQ (see Mailing Lists). * Linux Security Home Page
Pages dedicated to Linux systems security, with tools, documentation, software updates, etc. * NIH page on Unix Security
Pages dedicated to Unix security, from USA NIH (National Institute of Health). * Lady Sharrow
Pages about general computer security, with an introduction to Unix security. Other topics can be viruses, Cryptography, or other OSes security. * Unix Security
A very good paged fully dedicated to Unix system security. Very interesting, with a large number of papers, tools, handbooks... * Unix Books
A good bibliography about general Unix books (not only about system security). For most of them, there is a link to www.amazon.com, maybe the INet's largest on-line library, where we can buy almost every title that we can't find on a normal library.

MAILING LISTS * BUGTRAQ
Without any doubt, the best mailing list about Unix and general computer security. They explain system problems, its solution, its exploiting, etc. Mandatory for every Unix system administrator interested on keep his or her system minimally secured. To subscribe, send an e-mail to
listserv@netspace.org
with subscribe bugtraq on the message's body. * NT BUGTRAQ
A very similar to the last one list, but oriented to the Win* operating system. Yes, it's not Unix, but maybe sometimes it's advisable to keep informed about Win* problems that can also affect Unix. To subscribe, send a mail to
listserv@listserv.ntbugtraq.com
with subscribe ntbugtraq on the message's body. * CERT Advisories
A list were the latest CERT advisories (Computer Emergency Response Team) are mailed. Maybe a bit slow, because they advise about problems treated much before on BUGTRAQ (sometimes, with months difference!). Apart from that, all the_CERT Advisories_ are remailed to BUGTRAQ, so maybe the only possitive thing about this list is that it hasn't much traffic :-). Send an e-mail to
cert-advisory@cert.org
with subscribe on the message's subject. * Linux Security
List about Linux security. It hasn't much traffic, but it's advisable if we manage any Linux system. To subscribe, send an e-mail to
linux-security-request@redhat.com
with subscribe in the message's subject. * Linux Alert
On this list they speak about Linux OS alerts. It hasn't much traffic, because almost all the problems related to Linux go to BUGTRAQ or Linux Security. To subscribe, send a mail to
linux-alert-request@redhat.com
with subscribe on the message's subject. * Seg-L
List about computer security topics, in Castillian. In spite the quality-noise relationship is very low sometimes (of course, in our opinion), some messages can be useful. To subscribe, send a mail to
majordomo@secnet.com
with subscribe seg-l in the message's body.

BOOKS