
1. Data Security

The prime reasons for data loss are data deletion, modifications made by unauthorized users and systems, and system crashes. There are other aspects of Linux data security, such as filesystem security and kernel security.

Filesystem Security

To secure a filesystem, you need to assign appropriate rights to users. This helps to prevent unauthorized access to files and directories. To implement filesystem security, you should implement the following measures:

  • Do not enable end users to run Set User ID (SUID) or Set Group ID (SGID) programs from their home directories. A SUID or SGID program runs with the privileges of its owner or group rather than those of the user who runs it, so such a program owned by root lets an end user perform administrative tasks as the root user.

  • Be extremely careful when configuring the /etc/exports file if you export filesystems with Network File System (NFS). The exports file contains the files that can be exported and information pertaining to end user permissions.

  • Avoid the misuse of umask, which sets the initial file permissions for new files.

  • Specify what types of files users are allowed to create. You can prevent users from creating the core files of the Linux system by using Pluggable Authentication Modules (PAM), the /etc/pam.d/limits.conf file, or the /etc/login.defs file.


    Note

    To learn more about PAM, see the Authentication in Linux ReferencePoint.

  • Keep in mind that certain files and directories have write permissions for all users and are potential security holes. You can search for these files and directories by executing the command:

    find / -perm -2 ! -type l -ls

    This command lists all the files and directories that have write permissions for all the users. You can remove the write permissions for files and directories that should not be globally writeable.

  • Be aware that if files do not have an owner, it might indicate an intrusion. You can search for these files by executing the command:

    find / \( -nouser -o -nogroup \) -print

  • Check regularly for the presence of the .rhosts file on the system. This file enables access for remote users and should not be present on your computer unless required. You can search for the .rhosts file using the command:

    find /home -name .rhosts -print

  • Monitor the /var/log/wtmp and /var/run/utmp files because they can lead you to the source of an intrusion. They are log files containing information, such as the time and the location from which the system was accessed. These files should be assigned the 644 permission, which specifies that only the owner or the root user can write to them.

  • Use integrity checkers that check the binaries and config files on the system, to detect attacks on systems and networks. Some popular integrity checkers include Tripwire, Aide, and Osiris.
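The checks above can be scripted so that they run on a schedule and report findings. The following Python audit is an added example, not part of the original text: it reimplements the world-writable, unowned-file and .rhosts searches that the find commands perform and the 644 check on the login records; the uid_known/gid_known hooks and the constructed sample directory are my own additions so that it can be demonstrated without root.

```python
import grp
import os
import pwd
import stat


def _lookup(fn, key):
    """True if the password/group database has an entry for *key*."""
    try:
        fn(key)
        return True
    except KeyError:
        return False


def audit_tree(root, uid_known=None, gid_known=None):
    """Walk *root* and return findings for the three find(1) checks.

    uid_known / gid_known are predicates saying whether a UID or GID exists;
    they default to the system databases and can be replaced for testing.
    """
    if uid_known is None:
        uid_known = lambda uid: _lookup(pwd.getpwuid, uid)
    if gid_known is None:
        gid_known = lambda gid: _lookup(grp.getgrgid, gid)
    findings = {"world_writable": [], "unowned": [], "rhosts": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            # find -perm -2 ! -type l: other-writable, symlinks excluded
            # (a symlink's own mode is 0777 and says nothing about the target)
            if st.st_mode & stat.S_IWOTH and not stat.S_ISLNK(st.st_mode):
                findings["world_writable"].append(path)
            # find \( -nouser -o -nogroup \): owner or group no longer exists
            if not uid_known(st.st_uid) or not gid_known(st.st_gid):
                findings["unowned"].append(path)
            # find -name .rhosts
            if name == ".rhosts":
                findings["rhosts"].append(path)
    return findings


def check_login_records(paths=("/var/log/wtmp", "/var/run/utmp"), expected=0o644):
    """Return [(path, mode)] for login record files whose mode is not 0644."""
    bad = []
    for p in paths:
        try:
            mode = stat.S_IMODE(os.stat(p).st_mode)
        except OSError:
            continue                     # absent on this system, nothing to check
        if mode != expected:
            bad.append((p, oct(mode)))
    return bad


def build_sample_tree():
    """Constructed sample directory: a world-writable file, a private .rhosts
    and a symlink, so the audit can be demonstrated without touching /."""
    import tempfile
    d = tempfile.mkdtemp(prefix="fsaudit-")
    shared = os.path.join(d, "shared.txt")
    rhosts = os.path.join(d, ".rhosts")
    for p, mode in ((shared, 0o666), (rhosts, 0o600)):
        open(p, "w").close()
        os.chmod(p, mode)
    os.symlink(shared, os.path.join(d, "link"))
    return d, shared, rhosts


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()[0]
    for check, paths in audit_tree(root).items():
        for p in paths:
            print(f"{check}: {p}")
    for p, mode in check_login_records():
        print(f"bad permissions {mode}: {p}")
```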

Kernel Security

The kernel is the core of the Linux operating system and acts as an interface for the programs and the system hardware. The kernel also provides the device-file and device-driver interfaces. The Linux kernel is responsible for:

  • Central Processing Unit (CPU) resource scheduling

  • Process management

  • Memory management

  • Device control

  • Security at the device, process, and user levels

  • Accounting services, including CPU usage and disk quotas

  • Inter-process communication

Linux comes with the source code of the kernel. The source enables you to customize the kernel according to your requirements. You may need to customize the kernel for:

  • Modifying the system hardware

  • Optimizing memory usage

  • Improving the speed and performance of the system

At times, the ability to modify the kernel can prove to be a security hole. For example, a hacker who gains access to a system can easily modify the kernel, or you may make mistakes while customizing it. You can harden the kernel by selecting appropriate options when you configure it. Some of these options are:

  • CONFIG_FIREWALL: Select this option during configuration if you intend to use the Linux computer as a firewall. This enables packet filtering of the incoming network traffic. You can filter and block packets based on various criteria, such as the type, the origin, and the destination of the packets.

  • CONFIG_IP_FORWARD: Select this option if you need to use the Linux computer as a router. IP forwarding is not secure because the data is directly forwarded from one computer to another. Packet filtering does not take place. If both a firewall and a router are enabled, selecting the CONFIG_IP_FORWARD option subverts the firewall on the network.

  • CONFIG_IP_FIREWALL: Enables you to filter packets for the local network. You need to select this option to use IP masquerading, IP packet logging and accounting, and IP transparent proxying.

  • CONFIG_IP_TRANSPARENT_PROXY: Enables you to redirect the local network traffic.

  • CONFIG_NCPFS_PACKET_SIGNING: Enables you to secure packets.

  • CONFIG_IP_FIREWALL_NETLINK: Enables you to use the ipchains tool to copy the packets reaching the Linux firewall to the software for optional user space monitoring. The monitoring software then detects attacks and takes the appropriate action.

  • CONFIG_FILTER: Enables programs to attach a filter to a socket. This enables the kernel to determine whether to allow or deny data to pass through the socket.


2. Network Security

Network security means protecting a network from attacks by external users. As an administrator, you need to ensure that the servers on the network, the data stored on the computers on the network, and the services offered by the servers are not affected by intrusions. Some network security measures are:

  • Maintaining and monitoring logs

  • Monitoring the services running on network servers and switching off unnecessary services

  • Ensuring authentication and authorization of local and network users

  • Using strong encryption on the network

Some techniques for securing networks are firewalls, packet filtering, proxies, and Secure Shell (SSH).

Firewalls

A firewall is a system specially configured to control traffic between two networks. Firewalls can be configured to restrict the information that reaches a network from an external network. A firewall can also be configured to enable only certain kinds of information to go out of the internal network.

A computer on a network can be configured to host a firewall. All the other hosts in the internal network are connected to the computer with the firewall. A firewall can be used by workstations even if they do not belong to a network and are directly connected to the Internet.

You can set up a Linux terminal as a firewall for your network. Linux computers can be easily converted to firewalls because firewall code is built into kernel versions 2.0 and higher. In addition, you can use the ipfwadm tool to configure the kernel's packet filtering, which allows you to specify the type of network traffic to be enabled.

Packet Filtering

A packet filter stops or enables packets to flow between two networks as per predefined rules. During packet filtering, when some packets arrive, their source Internet Protocol (IP) address is matched against a set of rules for filtering packets. Based on these rules, the network servers take appropriate action.

The software used for packet filtering checks the source and destination addresses of the packet and forwards the packet to the network.

An example of a simple packet filter is a router that works on the Network layer of the Open System Interconnection (OSI) model. Routers can be configured as primitive packet filters but have limited or no logging capabilities. Routers often leave critical ports, such as databases, open and have complex rule sets. As a result, it is preferable to use an intelligent, state-based filter or a dedicated host along with the packet filtering software.

Proxies

A proxy is a small and simple program that either enables or disables access to a particular computer in a network. Using proxies, you can control Web servers or File Transfer Protocol (FTP) servers by restricting users' access to specific services, such as the Web service.

For every service that needs to be controlled, you need a separate proxy instance because the Web server has its own Web proxy and the FTP server has its own FTP proxy.

Proxies also cache commonly used data, such as Web pages. Using caching, the computer picks up the Web page reference from the Web browser’s cache memory. You do not need to type the complete Universal Resource Locator (URL) for frequently browsed sites.

Application proxies or gateways normally provide logging and access control at the Application layer. This affects performance because all the traffic passes through the proxy. The proxy needs to run on a special host. Application proxies also necessitate modification of client programs. Ideally, you should use proxies and filtering simultaneously to maximize security.

A firewall should include redundant security barriers so that a single point of failure cannot compromise the network. The firewall must be as invisible as possible to users who can weaken security.

There are two firewall packages currently used, ipchains and iptables.

ipchains

The kernel uses chains to manage the packets that it receives. A chain is defined as a checklist of rules. ipchains deals with IP packets at the Network layer and the rules defined in it are based on three built-in chains: input, output, and forward.

The packets arriving at a computer running ipchains are compared with the rules defined in the input chain. If these packets are destined for another computer, they are redirected after being compared with the rules in the forward chain. The output chain processes the packets going out of the firewall.

Apart from these three chains, you can have user-defined chains. The rules for each chain define access control based on the source and the destination, the port, the protocol, or other information contained in the IP packet headers. These rules specify what actions have to be taken for packets containing a certain header. The /etc/ipchains.rules file contains ipchain rules.
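To make the chain traversal concrete, here is a small Python simulator added as an example; it is not ipchains code. The dotted-prefix address notation, the rule fields and the sample rule set are my own simplifications (real ipchains rules match on interfaces, netmasks and many more criteria), but the first-match semantics, the user-defined chain that returns to its caller when nothing matches, and the input/forward/output order follow the description above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TERMINAL = ("ACCEPT", "DENY", "REJECT")   # targets that end the traversal


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    target: str                     # a terminal target or the name of a user chain
    src: Optional[str] = None       # dotted prefix such as "192.168.1." (assumed notation)
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p):
        return ((self.src is None or p.src.startswith(self.src))
                and (self.dst is None or p.dst.startswith(self.dst))
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport))


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None    # built-in chains have a policy; user chains return


class Firewall:
    def __init__(self, local_addrs):
        self.local = set(local_addrs)           # the firewall's own addresses
        self.chains: Dict[str, Chain] = {
            "input": Chain(policy="ACCEPT"),
            "forward": Chain(policy="ACCEPT"),
            "output": Chain(policy="ACCEPT"),
        }

    def add_chain(self, name):
        self.chains[name] = Chain()

    def set_policy(self, chain, policy):
        self.chains[chain].policy = policy

    def append(self, chain, rule):
        self.chains[chain].rules.append(rule)

    def _run(self, name, p, depth=0):
        """First matching rule decides; a jump into a user chain that matches
        nothing returns None, so the calling chain continues with its next rule."""
        if depth > 16:
            raise RuntimeError("chain loop")
        chain = self.chains[name]
        for rule in chain.rules:
            if not rule.matches(p):
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = self._run(rule.target, p, depth + 1)
            if verdict is not None:
                return verdict
        return chain.policy

    def verdict(self, p):
        """Order from the text: every arriving packet is checked against input;
        a packet for another host then passes forward and, on its way out, output;
        packets the firewall generates itself only pass output."""
        if p.src in self.local:
            return self._run("output", p)
        v = self._run("input", p)
        if v != "ACCEPT" or p.dst in self.local:
            return v
        v = self._run("forward", p)
        if v != "ACCEPT":
            return v
        return self._run("output", p)


def build_sample_firewall():
    """Constructed sample: a LAN on 192.168.1.0/24 behind a firewall whose external
    address is 203.0.113.1; only ssh and http are admitted from outside."""
    fw = Firewall(["192.168.1.1", "203.0.113.1"])
    fw.set_policy("input", "DENY")
    fw.set_policy("forward", "DENY")
    fw.add_chain("ext-services")
    fw.append("ext-services", Rule("ACCEPT", proto="tcp", dport=22))
    fw.append("ext-services", Rule("ACCEPT", proto="tcp", dport=80))
    fw.append("input", Rule("ACCEPT", src="192.168.1."))          # LAN hosts are trusted
    fw.append("input", Rule("ext-services", dst="203.0.113.1"))   # outside callers: jump
    fw.append("forward", Rule("ACCEPT", src="192.168.1."))        # LAN may go out only
    return fw
```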

iptables

iptables is a contribution of the Netfilter project. The main difference between ipchains and iptables is that ipchains performs packet filtering and Network Address Translation (NAT) tasks, which include IP masquerading and redirection, together in a single traversal. In iptables, these tasks are carried out separately, and iptables is extensible: a number of options along with selection criteria can be included with iptables.

The iptables program itself is a pure packet-filtering tool. NAT tasks are performed with operations on the separate NAT table, which you select with the -t nat option of the iptables command.


Note

To learn more about iptables, see the Configuring a Firewall Using iptables/netfilter (Kernel 2.4) ReferencePoint.

IP Masquerading

You can set up a network on Linux workstations where you can have one connection to the Internet, which can be used by several workstations on the network. As a result, many workstations can log on to the Internet using a single IP address. This process is IP masquerading, in which a system masquerades as another system using the IP address of that system.

The process of IP masquerading is implemented in Linux using the ipchains firewalling tool. Using this tool, you can set up a firewall, which can then be configured to perform IP masquerading.

IP masquerading supports network services such as Web browsing, telnet, gopher, and ping.

SSH

The SSH suite of programs can be used by Linux systems to encrypt transmissions. SSH encrypts the communication between a remote user and a workstation on the network. SSH programs replace tools, such as rcp and rsh, that do not perform encryption and introduce security risks, such as transmitting passwords in clear text. SSH encryption uses two keys, public and private. The public key is freely distributed to other hosts on the network, which can then use it to encrypt data. This encrypted data can only be decrypted with the host's private key.


Note

To learn more about SSH, see the Introducing SSH ReferencePoint.

Implementing SSH

Using SSH, you can remotely log on from a local client to a remote workstation on the network operating as the SSH server. In addition, using SSH, you can log on from a local site to a remote workstation on the network and send commands to be executed on that workstation.

Port Forwarding

SSH provides a feature, port forwarding, that protects the otherwise unsecured part of a connection. You specify the port on which the unsecured application connects to the secure host; SSH then carries that traffic between the local host and the remote host over its encrypted connection, so the data is encrypted as soon as it is sent.

TCP Wrappers

TCP Wrappers provides services such as access control, restrictions, and request logging. TCP Wrappers checks the access control lists to determine whether a connection should be allowed and submits a log entry to the syslogd daemon. The tcpd daemon is invoked in place of the requested network service: it consults the access lists, which determine the restricted services, and if the service is not restricted for that client, tcpd starts the service and writes an entry through syslogd.

TCP Wrappers implements access control using two files:

  • /etc/hosts.allow: Contains the allow list

  • /etc/hosts.deny: Contains the deny list

The allow and deny lists in these files determine the set of restrictions imposed on all the services using tcpd. You can use TCP Wrappers for User Datagram Protocol (UDP) and TCP services, but these services need to be invoked using a central daemon.
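The decision tcpd makes from the two files is easy to get wrong, so here is a minimal evaluator of hosts.allow and hosts.deny, added as an example and not code from the TCP Wrappers package. It implements the order hosts.allow first (match admits), hosts.deny second (match rejects), otherwise admit, together with the ALL, LOCAL, ".domain", "10.1." prefix, net/mask and EXCEPT patterns; the policy files at the end are constructed samples, and options after the second colon are ignored.

```python
import ipaddress


def parse_rules(text):
    """Yield (daemon_list, client_list) per rule. '#' comments and trailing
    backslash continuation lines are handled; fields after the client list
    (spawn, twist, ...) are ignored here."""
    text = text.replace("\\\n", "")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed line, skip it
        yield _split_list(fields[0]), _split_list(fields[1])


def _split_list(s):
    return s.replace(",", " ").split()


def _client_token(token, host, addr):
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in host                    # a host name without a dot
    if token.startswith("."):
        return host.endswith(token)               # domain suffix
    if token.endswith("."):
        return addr.startswith(token)             # address prefix
    if "/" in token:                              # net/mask form
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token in (host, addr)


def _daemon_token(token, daemon):
    return token == "ALL" or token == daemon


def _match_list(tokens, matcher):
    """A list may contain EXCEPT: 'list1 EXCEPT list2' matches when list1
    matches and list2 does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], matcher) and not _match_list(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def is_allowed(hosts_allow, hosts_deny, daemon, host, addr):
    """Decision order of tcpd: first match in hosts.allow admits, otherwise first
    match in hosts.deny rejects, otherwise the connection is admitted."""
    def hit(rules):
        for daemons, clients in rules:
            if (_match_list(daemons, lambda t: _daemon_token(t, daemon))
                    and _match_list(clients, lambda t: _client_token(t, host, addr))):
                return True
        return False

    if hit(parse_rules(hosts_allow)):
        return True
    if hit(parse_rules(hosts_deny)):
        return False
    return True


# Constructed sample policy: explicit exceptions first, then refuse everything.
HOSTS_ALLOW = """\
# admin workstations may use ssh, except the kiosk at .50
sshd: 192.168.1. EXCEPT 192.168.1.50
# ftp and telnet only from the local net and the corporate domain
in.ftpd, in.telnetd: LOCAL, .corp.example
# a second subnet given in net/mask form
sshd: 172.16.0.0/255.255.0.0
"""
HOSTS_DENY = """\
ALL: ALL   # without this line the default would be to admit everyone
"""
```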

Routing Security

Routers are computers that let packets flow between the source and destination hosts. They refer to a configuration table to decide where the packets should go and identify the destination of the packets by reading the packet headers.

There are various routing packages available for Linux, such as routed and GateD.

routed

The only protocol supported by the routed routing package is Routing Information Protocol (RIP), which is the simplest routing protocol. In RIP, the routers broadcast their routing tables to the neighboring routers. The broadcasting of routing tables results in a routing table that contains entries for each destination on the Internet. This method is insecure and inefficient outside small, secure networks. You can firewall ports 520 and 521, which RIP uses to transfer data, but doing so can block routes that you need, and hackers can still spoof the routes.

GateD

You can use the GateD routing package to manage interior and exterior protocols. GateD is more advanced routing software than routed. GateD supports RIP versions 1 and 2, DCN HELLO, Open Shortest Path First (OSPF) version 2, Exterior Gateway Protocol (EGP) version 2, and Border Gateway Protocol (BGP) versions 2 through 4.

There are two types of routing protocols:

  • Interior protocols: Exchange information within an autonomous system

  • Exterior protocols: Exchange information among autonomous systems

GateD supports interior protocols such as RIP, OSPF, and IS-IS.

Exterior protocols exchange information among autonomous systems. The gateways between two autonomous systems communicate using an exterior routing protocol. GateD supports two exterior protocols:

  • Exterior Gateway Protocol (EGP): Exchanges routing information between two gateways in a network of autonomous systems

  • Border Gateway Protocol (BGP): Exchanges reachability information among autonomous systems. BGP provides more capabilities than EGP. For example, BGP uses path attributes to select the best possible routes.

MRT

Multithreaded Routing Toolkit (MRT) enables you to build routing daemons, BGP fault-injection tools, and traffic generation packages. MRT provides features such as:

  • Parallel lightweight processes

  • Multiple processor support

  • Shared memory

The MRT software facilitates the adding and prototyping of experimental routing protocols and interdomain policy algorithms. This is possible due to the object-oriented and modular design of the software.

Tools Used for Attacking Networks

Hackers can use various network tools, such as Trinoo and Tribe Flood Network (TFN), to attack the computers on a network. These tools are called distributed-system attack tools.

Trinoo

This tool is used for Denial of Service (DoS) attacks on remote servers. It is very easy to use, and an attacker using it does not need to be an expert. A computer can instruct Trinoo servers to open a DoS attack against a particular computer. After the attack is opened, the Trinoo master server searches for as many client Trinoos as possible and directs them to send a flood of UDP packets to the target computer.

There are many Trinoo variants available on the Internet. Some are known to implement IP spoofing for Trinoo clients, while others are simple flooding tools. Even without IP spoofing, the attack comes simultaneously from many computers. Trinoo daemons and masters disguise themselves under many names, but the most commonly used names are ns, http, rpc.trinoo, rpc.listen, trinix, rpc.irix, and irix.

TFN

TFN is an advanced DoS attack tool that can initiate coordinated DoS attacks from multiple sources to multiple destinations. A TFN attack supports many methods of attack in addition to the UDP floods supported by Trinoo. TFN also supports Transmission Control Protocol (TCP) SYN floods, Internet Control Message Protocol (ICMP) echo request floods, ICMP-directed broadcast DoS attacks, and spoofing of IP addresses. A TFN network can employ hundreds of TFN clients and masters to initiate an attack against a particular computer. TFN provides a command line interface to send various commands to TFN daemons. TFN masters communicate with TFN daemons by encapsulating the commands within ICMP echo reply packets.

Network Security Tools

Various tools assist you in detecting intrusions on your network. These tools also help to ensure security in the network. Some of these tools are:

  • Snort

  • SpiderMap

  • Firewalk

Snort

This is a network intrusion detection tool developed by Martin Roesch. Snort can notify you about an intrusion attempt. Snort is easy to use and has many command line options. You can configure Snort in three modes:

  • Sniffer

  • Packet Logger

  • Network Intrusion Detection System (NIDS)

Sniffer Mode

In the Sniffer mode, Snort reads the network packets and displays them on the console. This command prints the TCP/IP headers:

./snort -v

This command runs Snort and displays only the IP and TCP/UDP/ICMP headers. To see the application data in transit, execute this command:

./snort -vd

This command displays the packet data and the headers. If you need to obtain more information, such as the Data Link layer headers, execute this command:

./snort -vde

Packet Logger Mode

In the Packet Logger mode, Snort logs the packets to a log file. When you specify a logging directory, Snort automatically switches to the Packet Logger mode. The command is:

./snort -dev -l ./log

This command assumes that you have a directory, log, in the current directory. If the specified directory does not exist, Snort exits with an error message. In this mode, Snort collects and places the packets in a directory hierarchy.

Network Intrusion Detection System Mode

The NIDS mode enables Snort to analyze network traffic for matches against a user-defined rule set and to perform actions. To enable the NIDS mode, execute this command:

./snort -dev -l ./log -h 172.17.1.0/24 -c snort.conf

Here, snort.conf is the name of the rules file. This command applies the rules specified in the snort.conf file to the packets. The rules in the snort.conf file determine the action to be taken on the packets. If an output directory is not specified, the default is taken to be /var/log/snort.

SpiderMap

This is a collection of Perl scripts that provides a set of tools for scanning networks. These tools let you define a scan type for each network so that the network is scanned efficiently.

There are three major components of the SpiderMap toolkit:

  • Breakdown: Takes a list of IP addresses as input and prompts the end user for specific information about each network. This enables you to predefine scans for specific tasks.

  • Spidermap: Reads a configuration file generated by a breakdown, performs scans, and dumps the raw output to a file for use by the created script.

  • Nlogdb: Reads the nmap output from spidermap and copies it to the Nlog file, which is a log file that can be used for various purposes, such as scheduling network analysis and providing input to another set of tools.

Firewalk

This is a network-auditing tool, which determines the transport protocols that a specific gateway will allow. Firewalk sends out TCP or UDP packets with an IP Time-To-Live (TTL) one greater than the hop count of the targeted gateway. If the gateway allows the traffic, it forwards the packets to the next hop. The packets expire at the next hop, and an ICMP TTL Exceeded in Transit message is sent back. If the gateway host does not allow the traffic, the packets are dropped. You can determine the access list on the gateway by sending packets and recording the responses. Firewalk has two phases:

  • Network discovery phase

  • Scanning phase

The network discovery phase obtains the IP TTL. To get the correct IP TTL, you need to determine the hop counts. This is done by sending out packets with incremented IP TTLs towards the destination host.

In the scanning phase, Firewalk sends out TCP or UDP packets and sets a timeout. If it receives a response before the timer expires, the port is considered open. If no response is received, the port is considered closed.


3. Account Security

Account security involves securing and maintaining the accounts of various end users on computers and networks. In the Linux environment, accounts are created for different users and groups. Each account has certain access rights and permissions associated with it.

The Linux systems support two types of users, root users and normal users. Root users have all the administrative rights for the system. They are responsible for performing all the administrative tasks, such as creating partitions, installing and upgrading software, and creating user accounts.

Normal users utilize the services provided by the system. Root users assign the required permissions to normal users. These permissions are set in the home directory created for each user. A user cannot access the home directory of another user.

The accounts of high-profile users such as administrators have more access rights than a normal user account. You need to be very careful if you have logged on as a root user. For example, you can accidentally delete some critical system files. Log on as root only when you need to perform root-specific tasks. For performing routine tasks, you need to log on as a normal user.

Password Security

You need to take the following precautions to ensure the security of passwords:

  • Passwords should not be easy to guess.

  • Users should change the passwords at regular intervals.

  • Try to hack the passwords of the hosts on the network to ensure that the passwords are strong.

  • Configure the accounts to be disabled after a specified number of unsuccessful logon attempts.

passwd is the default command for changing passwords on Unix and Linux systems. The passwd command supports minimal checking for user passwords and may not support password aging.

In Linux computers, the /etc/passwd file contains system passwords. To prevent unauthorized end users from breaking into the file, you need to create shadow passwords, which protect system passwords by making the file containing the shadow passwords readable only by the root operator.

Shadow passwords replace the encrypted password in the passwd file with an x. Moving the passwords to the shadow file makes it more difficult to decrypt the encrypted password. This is because only the root user has access to the shadow file.

Execute this command to check if you have shadow passwords enabled on the system:

ls /etc/shadow

If the file has not been created, you receive this message:

ls: /etc/shadow: No such file or directory

If you use or are planning to use shadow passwords, you can use the pwconv and pwunconv utilities that are a part of the Shadow suite of tools. The pwconv utility creates the shadow file if it does not exist. If the shadow file exists, pwconv synchronizes it with passwd by adding the passwords that are not there to the shadow file and deleting the passwords that are no longer in the passwd file. The pwconv utility also updates password-aging information. The pwunconv utility enables you to remove shadow passwords and restore passwd to its original state.

Password Suite

On a Linux system, user information and passwords are stored in the /etc/passwd file. The password is encrypted with a hashing technique. The encrypted password and the salt value used when encrypting it are both stored in the /etc/passwd file.

When a user attempts to log on:

  1. The password hash is retrieved from the passwd file.

  2. The password provided by the user is encrypted.

  3. The encrypted form of the password provided by the user is matched with the encrypted password retrieved from the passwd file.

Storing encrypted passwords in the passwd file is not safe. Hackers can use techniques such as dictionary attacks to obtain the passwords. Storing the value used to encrypt the password in the passwd file is also risky because unauthorized users can obtain it once they get access to the passwd file.

One drawback associated with the password suite is that it is not secure. Users have read permission to the passwd file, which could prove to be a security hole. You can solve this problem by using the Shadow suite. The Shadow suite helps to secure passwords more efficiently.

Shadow Suite

The Shadow suite stores the passwords in another file, /etc/shadow. Only the root user has read/write access for the file. Moving the passwords to the /etc/shadow file prevents hackers from accessing the passwords.

The Shadow suite enables you to:

  • Set logon defaults using the configuration file, /etc/login.defs

  • Manage users and groups

  • Manage passwords and accounts

Do not use the Shadow suite in situations where the:

  • User accounts are not stored on the computer.

  • Computer uses Network Information Services (NIS) to obtain or provide user names and passwords to the other computers on the network.

  • Terminal servers use the computer to verify users using Network File System (NFS), NIS, or another method.

  • Computer runs other software that validates users and there is no Shadow version available.

A sample output of the passwd file when the Shadow suite is installed is:

root:x:0:0:root,9810541423,9810541423,913091830219:/root:/bin/csh
user1:x:506:506::/home/user1:/bin/bash
john:x:507:507::/home/john:/bin/bash

Notice that the format of the entries in the passwd file is:

[username]:[passwd]:[UID]:[GID]:[full_name]:[directory]:[shell]

In this format,

  • [username] is the logon name of the user.

  • [passwd] is the encoded password of the user.

  • [UID] is the user ID.

  • [GID] is the group ID of the user.

  • [full_name] is the full name of the user.

  • [directory] is the home directory of the user.

  • [shell] is the logon shell of the user.

The sample entries in the /etc/shadow file are:

root:$1$YgmpAbXE$9h3ghaSqjZYOrMt8ZNwBN1:11767:0:99999:7:::
user1:*$9h3ghaSqjZsdYW34OrMtytU8ZNwCPNM:11818:0:99999:7:::
john:AbXE$9hYutopjZYOrMhiAswHJTZNwBNPuR:11821:0:99999:7:::

Notice that the format of the entries in the /etc/shadow file is:

[username]:[passwd]:[last]:[may]:[must]:[warn]:[expire]:[disable]:[reserved]

In this format:

  • [username] is the user name.

  • [passwd] is the encoded password.

  • [last] is the day on which the password was last changed, expressed as the number of days since January 1, 1970.

  • [may] is the number of days before the password may be changed.

  • [must] is the number of days after which the password must be changed.

  • [warn] is the number of days before the password is due to expire when the user is warned.

  • [expire] is the number of days after the password expires before the account is disabled.

  • [disable] is the number of days since January 1, 1970, when the account is disabled.

  • [reserved] is a reserved field.

The passwords in the shadow file are encrypted using the crypt encryption function. The crypt function is the password encryption function based on the Data Encryption Standard (DES) algorithm.
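The aging fields only become useful when something evaluates them. The following Python parser and checker is an added example (not the Shadow suite's code): it splits shadow entries in the field order given above, classifies the [passwd] field by its crypt(3) prefix (the $1$ on the sample root entry marks the MD5-based crypt variant; a bare 13-character field is the traditional DES form), and reports whether each account is usable, in its warning window, expired, locked for inactivity, or disabled. The first sample line is the page's root entry; the remaining sample lines and the status names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

NEVER = 99999                     # [must] value that means the password never expires


@dataclass
class ShadowEntry:
    name: str
    passwd: str
    last: Optional[int]           # [last]     days since 1970-01-01 of the last change
    may: Optional[int]            # [may]      minimum days between changes
    must: Optional[int]           # [must]     maximum password age in days
    warn: Optional[int]           # [warn]     days of warning before expiry
    inactive: Optional[int]       # [expire]   grace days after expiry before lock-out
    expire: Optional[int]         # [disable]  day on which the account itself is disabled


def _int_or_none(field):
    return int(field) if field.strip() else None


def parse_shadow_line(line):
    """Split one /etc/shadow line (9 colon-separated fields) into a ShadowEntry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, passwd, *numbers, _reserved = fields
    return ShadowEntry(name, passwd, *(_int_or_none(f) for f in numbers))


def hash_type(passwd):
    """Classify the [passwd] field by its crypt(3) prefix."""
    if passwd == "":
        return "empty"                          # anyone can log in without a password
    if passwd[0] in "*!":
        return "locked"                         # can never match a crypt(3) result
    for prefix, kind in (("$1$", "md5"), ("$5$", "sha256"), ("$6$", "sha512"),
                         ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt")):
        if passwd.startswith(prefix):
            return kind
    if len(passwd) == 13 and "$" not in passwd:
        return "des"                            # traditional DES-based crypt(3)
    return "unknown"


def aging_status(entry, today):
    """Evaluate the aging fields for *today* (days since 1970-01-01)."""
    kind = hash_type(entry.passwd)
    if kind == "empty":
        return "no-password"
    if kind == "locked":
        return "locked"
    if entry.expire is not None and today >= entry.expire:
        return "account-expired"
    if entry.last == 0:
        return "change-at-login"                # a [last] of 0 forces a change at next logon
    if entry.last is None or entry.must is None or entry.must >= NEVER:
        return "ok"
    deadline = entry.last + entry.must
    if today > deadline:
        if entry.inactive is not None and today > deadline + entry.inactive:
            return "inactive-locked"
        return "expired"
    if entry.warn is not None and today >= deadline - entry.warn:
        return "warn"
    return "ok"


def report(shadow_text, today):
    """Map each user name in *shadow_text* to its aging status."""
    entries = (parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip())
    return {e.name: aging_status(e, today) for e in entries}


# First line is the page's sample root entry; the other lines are constructed.
SAMPLE_SHADOW = """\
root:$1$YgmpAbXE$9h3ghaSqjZYOrMt8ZNwBN1:11767:0:99999:7:::
alice:$6$c0nstructedsalt$c0nstructedhash:11800:0:90:7:14::
bob::11800:0:99999:7:::
svc:*:11800:0:99999:7:::
carol:abJnggxhB/yWI:11800:0:99999:7::11850:
dave:$1$c0nstr$uctedhash:0:0:99999:7:::
"""
```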

passwd

The passwd command updates a user’s authentication token. The syntax of the passwd command is:

passwd [-k] [-l] [-u [-f]] [-d] [-S] [username]

The arguments of the passwd command are:

  • -k: Indicates that only expired passwords should be updated

  • -l: Used only by a root user to lock a specific account

  • -u: Used only by a root user to unlock a specific account

  • -d: Disables a password for an account and sets the named account as passwordless

  • -S: Displays status information about the password of a specified account to a root user

chage

Root users use the chage command to specify when users must change their passwords; no other user can run it. The syntax of the chage command is:

chage [-m] [-M] [-d] [-I] [-E] [-W] user

The arguments of the chage command are:

  • -m: Specifies the minimum number of days after which the password needs to be changed

  • -M: Specifies the maximum number of days for which a password is valid

  • -d: Sets the date of the last password change, expressed as the number of days since January 1, 1970

  • -I: Sets the number of days of inactivity after a password has expired before the account is locked

  • -E: Sets the expiry date of the user account

  • -W: Sets the number of days of warning before a password change is required

gpasswd

The gpasswd command manages the /etc/group file. The syntax of the gpasswd command is:

gpasswd group
gpasswd -a user group
gpasswd -d user group
gpasswd -R group
gpasswd -r group
gpasswd [-A user,...] [-M user,...] group

The arguments of the gpasswd command are:

  • -a option: Adds a user to a group

  • -d option: Deletes a user from a group

  • -r option: Removes the group password

  • -A option: Defines group administrators. Only system administrators can use this option.

  • -M option: Defines members

pwck

The pwck command verifies the integrity of password files. This command validates the entries in the /etc/passwd and /etc/shadow files.

This command checks whether the entries in these files have the correct number of fields, a unique user name, a valid user and group identifier, a valid logon shell, and a valid home directory. The syntax of this command is:

pwck [-r] [passwd shadow]

The /etc/passwd and /etc/shadow files are the default files to be validated. You can specify other files in the passwd and shadow arguments. The pwck command is interactive and prompts for input if an invalid entry is found. You can make the pwck command non-interactive using the –r option, which causes the command to run in the read-only mode.

grpck

The grpck command verifies the integrity of group files. This command checks the entries in the /etc/group and /etc/gshadow files to ensure that they are in the correct format and have valid data in each field. The command checks each entry for the correct number of fields, a unique group name, and a valid list of users in the group. The syntax for this command is:

grpck [-r] [group gshadow]

pwconv and pwunconv

The pwconv and pwunconv commands operate on the normal and shadow password files, /etc/passwd and /etc/shadow, respectively. The pwconv command creates the /etc/shadow file with information from the /etc/passwd file. The data taken from the /etc/passwd file is the user name, the password, and password expiry information.

If the /etc/shadow file already exists, running the pwconv command triggers these tasks:

  • The entries in the /etc/passwd file that do not exist in the /etc/shadow file are added to the /etc/shadow file.

  • The entries in the /etc/shadow file that are not present in the /etc/passwd file are removed from the /etc/shadow file.

  • The password information for the entries that exist in both the files is copied from the /etc/passwd file to the /etc/shadow file.

You can also specify passwords for hardware devices. There are two types of passwords for hardware devices:

  • Power on Password (POP)

  • Privileged Access Password (PAP)

The POP is configured in the Complementary Metal Oxide Semiconductor (CMOS) of the computer. POP requires the users to specify the configured password before booting the computer.

The PAP is stored in nonvolatile memory. If hackers are able to break the POP password and boot the computer, they are prompted for the PAP password. Take extra precautions, because there is no way to crack or recover the PAP password: if you forget it, the system or the computer will be of no use. On the other hand, if you forget the POP password, you can reconfigure it using the PAP password.

Account security can be implemented for three categories of users:

  • Root accounts

  • Guest accounts

  • User accounts

Root Accounts

Root users are the most powerful users in Linux systems. They have the rights to perform all the administrative tasks. You need to be careful while assigning root accounts to users and also when you are logged on as a root user. It is easiest to track changes and security violations when very few people have root access.

Some guidelines for root account security are:

  • The passwords to the root accounts need to be very strong. Only trusted users should know the password.

  • Log on to the root shell only when it is absolutely necessary. Log out of the root shell as soon as you finish your work.

  • Only the root account should be assigned User ID (UID) 0.

  • Non-root accounts should not have any write permissions in the root directory.

  • The temporary files of the root account should be in directories that provide read/write access to other accounts.
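A pwck-style check over passwd-format data, added here as an example (not from the original text or the shadow-utils implementation): it applies the field-count, unique-name, numeric-ID, home-directory and logon-shell checks described under pwck above, plus the "only root has UID 0" rule from this list. The sample accounts are constructed.

```python
# Added example (not from the original text): a pwck-style audit of
# /etc/passwd-format data, extended with the "only root has UID 0" rule.
# For a real system: audit_passwd(open("/etc/passwd").read()).

def parse_passwd(text):
    """Split passwd-format text into (line_no, fields) pairs, skipping blanks."""
    return [(n, line.split(":")) for n, line in enumerate(text.splitlines(), 1)
            if line.strip()]

def audit_passwd(text):
    """Return a list of (line_no, problem) findings; empty means the data is clean."""
    findings = []
    seen = set()
    for n, fields in parse_passwd(text):
        if len(fields) != 7:                 # name:pw:uid:gid:gecos:home:shell
            findings.append((n, "wrong number of fields"))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if name in seen:
            findings.append((n, "duplicate user name %s" % name))
        seen.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((n, "non-numeric UID or GID for %s" % name))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((n, "non-root account %s has UID 0" % name))
        if pw == "":                         # no password at all, not even an 'x'
            findings.append((n, "empty password field for %s" % name))
        if not home.startswith("/"):
            findings.append((n, "invalid home directory for %s" % name))
        if not shell.startswith("/"):
            findings.append((n, "invalid logon shell for %s" % name))
    return findings

# Constructed sample; the "backdoor", "guest" and "broken" lines are deliberate defects.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/bash
broken:x:1002:1002:missing fields
"""

if __name__ == "__main__":
    for line_no, problem in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s" % (line_no, problem))
```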

You need to log out of the root shell immediately after performing root-specific tasks. Be extremely careful while in the root shell. A small mistake made by root users can be disastrous for the entire system. The less time you remain logged on with root privileges, the safer your system will be.

Some tips to avoid compromising the Linux system when logged on as a root user are:

  • When you are unsure about whether using a particular command can damage the system, get complete information about the command from the manual. If possible, run the commands with options that will not damage the system.

  • Despite having root user privileges, log on to the root account only when required, for example, to perform administrative tasks. For routine tasks, log on as a normal user. The su command can be used to temporarily switch to the root account; you need to provide the root logon name and root password when using it. The syntax of the su command is:

    /bin/su [option]... [user] [arg]...

  • Root users must not use the rexec tools, which are the prime targets of hackers. Root users should not create the .rhosts file for themselves.

  • The terminals from where root users can log on are listed in the security file. Do not modify the contents of this file.

Guest Accounts

These are created for temporary users and for users who are not regular users of the network. The users should be trusted ones. You need to monitor these accounts regularly. The guest accounts no longer in use need to be deleted. You can also set an expiry period for guest accounts. In addition, you can configure the password of guest accounts to expire after a specified period. The password assigned to a guest account needs to be strong.

User Accounts

You can create various user accounts on a Linux system. Some guidelines for creating user accounts are:

  • Do not share user accounts.

  • Delete accounts that are no longer in use. In addition, consider disabling logon to well-known accounts. These accounts do not require interactive logon.

  • Assign strong passwords to the accounts in the network.

  • Create restricted shells for non-regular users, such as guest accounts.

Provide user accounts with the minimum required privileges. These privileges need to be sufficient to enable the user to perform all the required tasks.

Some precautions that need to be taken for user accounts are:

  • Assign permissions and rights carefully.

  • Identify the time and the place from where the user needs to log on.

  • Use a standard pattern for assigning user names in the network. This helps in management tasks.

  • Do not create a common user account for several users on the network. This creates problems, such as loss of accountability.

The guidelines for monitoring and ensuring the security of user accounts are:

  • Maintain logs of the activities in the system and the network. Perform a periodical analysis of this log.

  • Create a backup policy to back up critical data at regular intervals. Store the backup copies at safe locations.

  • Maintain the bandwidth of the network for smooth functioning. An unusual drop in bandwidth can be an indication of unauthorized activity in the network.

  • Monitor the disk space available on servers and hosts. Some viruses fill the free disk space, leading to computer crashes.

  • Use the intrusion detection tools on your network judiciously.

Using Logs

Logs are used to track the activities in your system and on the network. Ensure that logging is enabled on the personal computers, servers, and workstations on the network. The log files are located in the /var and/or /var/log directories. These log files can detect evidence of successful and failed intrusion attempts and track intruders.

In addition to enabling logging, save copies of important log files to other servers so that smart hackers cannot change the logs to cover their tracks. For devices such as routers and switches that generate large quantities of system log records, keep copies of the logs on the same subnet as the device and periodically forward the copies to a centralized server. This helps experts to spot a series of seemingly unrelated events that, when taken together, identify an attack.

In addition, you can configure /etc/syslog.conf for easier analysis of potential security exposures. You can set it up to send system logging information to specific files or you can restrict access to the log directories and files.

Check the logs periodically and randomly. Refer to the logs when an unexpected event, such as a system reboot, occurs. Use the tail command on log files to check the entries at the end of the file so that you do not have to go through all the entries of the log file. In addition, you may need to write a short script that runs the tail command for each log file and writes all the results to one output file so that you can scan all the latest logs simultaneously. Alternatively, you can use a tool, such as LogSentry from http://www.psionic.com/, to simplify the process of identifying suspected security breaches.
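The tail-every-log-and-collect step described above, written out as an added example (not the page's script and not LogSentry): it gathers the last lines of each log file into one report and flags entries that look like failed logons. The sample log lines, the temporary file and the match patterns are constructed.

```python
# Added example (not the page's script): collect the tail of several log files
# into one report and flag entries that suggest failed or suspicious logons.
import os, re, tempfile

# Constructed patterns for common sshd/PAM failure messages; extend for your logs.
SUSPICIOUS = [
    re.compile(r"Failed password for (invalid user )?\S+ from \S+"),
    re.compile(r"authentication failure"),
    re.compile(r"refused connect from"),
]

def tail(path, n=10):
    """Return the last n lines of a file, like `tail -n`, reading from the end."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size, buf = f.tell(), b""
        while size > 0 and buf.count(b"\n") <= n:
            step = min(4096, size)
            size -= step
            f.seek(size)
            buf = f.read(step) + buf
    return buf.decode("utf-8", "replace").splitlines()[-n:]

def flag_suspicious(lines):
    """Return only the lines matching a SUSPICIOUS pattern."""
    return [line for line in lines if any(p.search(line) for p in SUSPICIOUS)]

def build_report(paths, n=10):
    """Map each existing path to (recent lines, flagged lines)."""
    report = {}
    for path in paths:
        if os.path.exists(path):          # a listed log may not exist on every host
            recent = tail(path, n)
            report[path] = (recent, flag_suspicious(recent))
    return report

# Constructed auth.log-style sample (documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Mar  3 10:02:40 host sshd[2140]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:43 host sshd[2140]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 host CRON[2150]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:04:15 host su[2161]: pam_unix(su:auth): authentication failure; logname=bob uid=1001
"""

def make_sample_log():
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_AUTH_LOG)
    return path
```

On a real host, call build_report with the /var/log paths you care about and write the result to one output file.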


Note

For more information on LogSentry, see the Using PortSentry and LogCheck ReferencePoint.

Pluggable Authentication Modules

Pluggable Authentication Modules (PAM) is a suite of shared libraries that enables you to determine the way in which users will be authenticated.

PAM enables you to switch among different authentication schemes. PAM aims to separate the development of privilege-granting software from the development of secure and appropriate authentication schemes. This is possible because PAM provides a library of shared functions that an application can use to authenticate users. This library is configured with the /etc/pam.conf file or the /etc/pam.d directory. The /etc/pam.d directory contains various configuration files for PAM. The modules used to authenticate users are in the /usr/lib/security directory and are loaded dynamically. Linux-PAM supports four types of modules:

  • Authentication: The module provides two aspects of user authentication. First, it establishes the identity of a user by directing the applications to accept passwords or other identity information from users. Next, the module grants permissions and group membership to users.

  • Account: The module performs account management. It can perform tasks such as granting permission for files and directories based on the time and day configured and the maximum number of users allowed to log on at a time.

  • Session: The module manages tasks such as maintaining logs and other information after a session is established with a user. The session module is in effect for as long as the session remains active.

  • Password: The module updates the authentication token associated with a user.

The configuration file determines the module that PAM calls for an application. The /etc/pam.d/ directory stores the configuration file of an application. The pam.conf file is the configuration file for PAM. The next section discusses the PAM configuration file.

The /etc/pam.conf File

PAM can be configured in the /etc/pam.conf file or the /etc/pam.d directory. An entry in the pam.conf file has this format:

[service-name]   [module-type]   [control-flag]   [module-path]   [arguments]

Alternatively, PAM can be configured using the configuration files in the /etc/pam.d/ directory. The format of the files in the /etc/pam.d/ directory is similar to that of the pam.conf file:

module-type   control-flag   module-path   arguments

The only difference between the structure of the pam.conf file and the files in the /etc/pam.d/ directory is that [service-name] is not present in the /etc/pam.d/ files. This is because the name of the service is the name of the configuration file. For example, the /etc/pam.d/login file contains the configuration for the logon service.

This method of configuration has a number of advantages over the single file approach. Some of the advantages are:

  • It is easier to maintain.

  • Parsing is quicker.

  • Read access to the Linux-PAM configuration files can be limited.

  • Package management is simpler.
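A parser for the two layouts described above, added as an example (not the page's own code and not Linux-PAM's parser): it reads either a pam.conf with a leading service name or a /etc/pam.d/<service> file without one, and then points out auth lines that let anyone through. The sample /etc/pam.d/login-style file is constructed.

```python
# Added example (not the page's or Linux-PAM's own code): a parser for both
# layouts described above. Lines in /etc/pam.conf carry a leading service
# name; files under /etc/pam.d/ omit it because the file name is the service.
import re

MODULE_TYPES = {"auth", "account", "session", "password"}

def parse_pam(text, service=None):
    """Return (service, module_type, control_flag, module_path, args) tuples.

    service=None means the text is /etc/pam.conf (five columns); otherwise it is
    the /etc/pam.d/<service> file (four columns). Handles '#' comments, backslash
    line continuations and bracketed control flags such as [success=1 default=ignore].
    """
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():     # join continued lines
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.search(r"\[[^\]]*\]", line)      # a bracketed flag may contain spaces
        if m:
            line = line[:m.start()] + m.group().replace(" ", "\x00") + line[m.end():]
        cols = [c.replace("\x00", " ") for c in line.split()]
        svc = service
        if svc is None:
            svc, cols = cols[0], cols[1:]
        if len(cols) < 3 or cols[0] not in MODULE_TYPES:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((svc, cols[0], cols[1], cols[2], tuple(cols[3:])))
    return entries

def permissive_auth_entries(entries):
    """Auth lines where pam_permit.so is 'sufficient': anyone reaching them is let in."""
    return [e for e in entries
            if e[1] == "auth" and e[2] == "sufficient" and e[3].endswith("pam_permit.so")]

# Constructed /etc/pam.d/login-style sample; the pam_permit line is a deliberate weakness.
SAMPLE_PAM_D_LOGIN = """\
# constructed sample
auth       required      pam_securetty.so
auth       [success=1 default=ignore]  pam_unix.so nullok
auth       sufficient    pam_permit.so
account    required      pam_unix.so
session    required      pam_limits.so \\
                         conf=/etc/security/limits.conf
"""
```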

Kerberos

Massachusetts Institute of Technology (MIT) created Kerberos as a solution to authentication problems in networks. It is a network protocol designed to provide authentication using secret-key cryptography. Kerberos provides security against external hackers as well as against users within the network who might have malicious intentions. The steps in the Kerberos authentication process are:

  1. A client requests a ticket from the Key Distribution Center (KDC).

  2. The KDC creates Ticket Granting Tickets (TGTs) for the clients. Using the clients’ passwords, KDC encrypts the TGTs and sends the encrypted TGTs to the clients.

  3. After receiving the TGTs, the clients decrypt the TGTs using their passwords. Clients are authenticated if they are able to decrypt the TGTs successfully.

The TGT expires after a specific period. A client can obtain multiple TGTs, which give the client permissions for various services. The request and grant of tickets is transparent to the user. Kerberos is a single sign-on system; as a result, the client needs to supply the password only once per session.
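The three-step exchange above, modelled as an added example (not from the original text or MIT's Kerberos implementation): the KDC issues a TGT sealed under a key derived from the client's password, and the client is authenticated only if it can unseal it; the ticket also carries the expiry time mentioned above. The HMAC-based sealing is a stdlib stand-in for real Kerberos encryption, and the principal name and password are constructed.

```python
# Added example, not from the original text or MIT's implementation: a model of
# the three steps above. The symmetric "encryption" is a stdlib-only HMAC-based
# stand-in, not the real Kerberos wire format; principal names are constructed.
import hashlib, hmac, json, os, time

def user_key(password, principal):
    """Long-term key derived from the password; the KDC stores keys, not passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)

def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, data):
    """Encrypt-then-MAC: XOR with a keystream, then tag nonce+ciphertext."""
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong (tag does not verify)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class KDC:
    """Step 2: holds each principal's key and issues TGTs sealed under it."""
    def __init__(self, principals, lifetime=8 * 3600):
        self.keys = {p: user_key(pw, p) for p, pw in principals.items()}
        self.lifetime = lifetime

    def request_tgt(self, principal, now):
        tgt = {"client": principal, "issued": now, "expires": now + self.lifetime}
        return seal(self.keys[principal], json.dumps(tgt).encode())

def client_login(kdc, principal, password, now=None):
    """Steps 1 and 3: request a TGT and prove the password by unsealing it."""
    now = time.time() if now is None else now
    plain = unseal(user_key(password, principal), kdc.request_tgt(principal, now))
    return None if plain is None else json.loads(plain)   # None = not authenticated

def tgt_valid(tgt, now=None):
    """A TGT is usable only until its expiry time."""
    return (time.time() if now is None else now) < tgt["expires"]
```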