Tuesday, 12-Dec-2000 10:39:52 EST

TROJAN HORSES AND VIRUSES

Trojans are programs that appear to do one thing but secretly carry a hidden, usually malicious, purpose. The name follows the myth of the Trojan Horse: the Trojans accepted the gift from the Greeks, and it became the cause of their defeat. Trojans have unpredictable results, ranging from opening a backdoor into your system to destroying the whole system. A cracker who breaks into your system will most likely leave a trojan behind, so that the break-in survives your patching the hole they came in through. An example would be replacing ls with a tainted ls trojan:

#!/bin/sh
# tainted ls program
rm -rf /

Do not run this program unless you want to re-install Linux. What it does is delete everything the moment you type ls. As you can see, trojans are hard to spot: the file is still called ls and sits where ls always sat. A tainted ps may show you only what the cracker wants you to see, leaving their processes completely hidden, and a tainted ls or netstat hides their files and connections the same way. Your best bet to avoid running a trojan is to never accept files from an untrusted source [TRANSLATION: Trust no one]. Linux lets you compile programs from source before installing them, and that is preferable to running binaries someone else built. If you can, read the source code to make sure it is safe [TRANSLATION: Check the blueprints for the program and look for suspicious code. This can be difficult if you do not know how to program, or if the blueprint is very long]. The best way to detect trojans that are already installed is to install Tripwire. Tripwire records a database of checksums for your system's files and, each time you run a check, compares the current files against it; if it finds an altered file, it notifies you so that you can look into it [TRANSLATION: Tripwire takes a snapshot of your system when you first install it and reports any program that has been added or changed since]. Two things matter for this to work: the database must be built while the system is still clean, and the database and the Tripwire binary must be kept where the cracker cannot rewrite them (read-only media or another machine), otherwise the trojan's new checksum simply gets recorded as the truth. Tripwire is available at http://www.tripwiresecurity.com.
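To make the Tripwire idea concrete, here is an added example (not Tripwire, and not code from the original article) that does the same job in a few lines of sh: take a baseline of checksums for every regular file under a tree, then report what has CHANGED, gone MISSING, or been added as NEW since. It assumes GNU coreutils (find, sha256sum, sort, comm); the directory it runs on at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example: a minimal Tripwire-style integrity check.
# Assumes GNU find, sha256sum, sort, comm. Paths at the bottom are a
# constructed demo tree, not anything from the article.
export LC_ALL=C

# make_baseline DIR DBFILE: hash every regular file under DIR into DBFILE.
# Run this on a clean system, then copy DBFILE somewhere the system itself
# cannot write (read-only media, another host).
make_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# check_baseline DIR DBFILE: print one line per difference and return 1 if
# there was any, 0 if the tree still matches the baseline.
check_baseline() {
    dir=$1; db=$2
    report=$(mktemp)
    # sha256sum -c prints "path: FAILED" for a changed file and
    # "path: FAILED open or read" for one that is gone.
    sha256sum --quiet -c "$db" 2>/dev/null | grep ': FAILED' |
    while IFS= read -r line; do
        path=${line%: FAILED*}
        if [ -e "$path" ]; then echo "CHANGED $path"; else echo "MISSING $path"; fi
    done > "$report"
    # Hashes alone never notice a file that was added (a new SUID shell is an
    # added file), so compare the list of paths too.
    cut -d' ' -f3- "$db" | sort > "$report.old"
    find "$dir" -type f | sort > "$report.now"
    comm -13 "$report.old" "$report.now" | sed 's/^/NEW /' >> "$report"
    cat "$report"
    changes=$(wc -l < "$report")
    rm -f "$report" "$report.old" "$report.now"
    [ "$changes" -eq 0 ]
}

# Demo on a constructed tree: take the baseline, then trojan ls, remove ps,
# drop in a stray file, and check.
demo_dir=$(mktemp -d)
demo_db=$(mktemp)
printf 'real ls\n' > "$demo_dir/ls"
printf 'real ps\n' > "$demo_dir/ps"
make_baseline "$demo_dir" "$demo_db"
printf 'rm -rf /\n' > "$demo_dir/ls"
rm "$demo_dir/ps"
printf 'backdoor\n' > "$demo_dir/root_shell"
check_baseline "$demo_dir" "$demo_db" || echo "baseline no longer matches"
rm -rf "$demo_dir" "$demo_db"
```

Run make_baseline against a directory such as /bin or /usr/sbin right after a clean install and check_baseline from cron afterwards. Note what the script (like Tripwire) cannot do: it trusts the sha256sum and find binaries it runs, so a cracker who trojans those as well defeats it, which is why the checker and its database should live on media the running system cannot modify.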

Viruses are programs that attach themselves to other executables and spread from one to the next [TRANSLATION: When you run a program infected with a virus, it infects other programs]. They can be very destructive, or simply print annoying messages on your screen. Linux is much less troubled by viruses than some other systems because of the way files are given permissions: a virus only gets the privileges of the user who ran the infected program, so it can only infect files that user can write [TRANSLATION: users are restricted to handling files belonging only to them and not to other users]. That protection disappears the moment you run an infected program as root, which is one more reason to do as little as possible as root. It never hurts to have a defense against viruses. AntiVir can be downloaded from http://www.hbedv.com/.

PORT SCANNING
Port scanning is the method of checking what ports are currently open on a given system [TRANSLATION: Think of a port as a door through which information goes in and out. Port scanning is the method of checking which doors are open for breaking in]. The programs listening on these ports are sometimes vulnerable to exploits, especially if they have not been updated. So the next thing to do is check what ports you have open. Generally, if you have disabled your finger daemon, you have closed your finger port (79). Of course there are other ports, and those are what you want to check for. Download the port scanner Nmap for this. Nmap is available at http://www.insecure.org/nmap/index.html. One feature it has is the ability to "fingerprint" the operating system it scans, so it will tell you what operating system the target is running, which is also exactly what a cracker learns about you. Scan your own machine from another host if you can: a scan run on the machine itself also shows services bound only to 127.0.0.1, which the outside world cannot reach, and any packet filter between you and the Internet changes what is visible from outside. Only scan systems you are responsible for. The fewer ports Nmap detects, the smaller the target you present.
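As a cross-check on what Nmap reports from outside, here is an added example (not from the original article) that reads the kernel's own TCP socket table, /proc/net/tcp, the same data netstat reads, and lists the sockets in the LISTEN state. A port that Nmap sees open but this list does not show means something sits between you and the scanner, or your netstat is not the only thing lying. The format is Linux-specific; the sample table embedded below is constructed so the script runs anywhere, and the hex_to_ip/listening_tcp names are mine.

```shell
#!/bin/sh
# Added example: list listening TCP sockets by decoding /proc/net/tcp.
# Linux-specific format; the SAMPLE_PROC_NET_TCP table is constructed.

# hex_to_ip 0100007F -> 127.0.0.1. /proc/net/tcp stores IPv4 addresses as
# 8 hex digits in host (little-endian) byte order, so the bytes are reversed.
hex_to_ip() {
    h=$1
    printf '%d.%d.%d.%d' "0x${h#??????}" "0x$(printf '%s' "$h" | cut -c5-6)" \
        "0x$(printf '%s' "$h" | cut -c3-4)" "0x$(printf '%s' "$h" | cut -c1-2)"
}

# listening_tcp: read lines in /proc/net/tcp format on stdin and print
# "ip:port" for every socket whose state column is 0A (TCP_LISTEN).
listening_tcp() {
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue        # also skips the header line
        addr=${laddr%%:*}; port=${laddr##*:}
        printf '%s:%d\n' "$(hex_to_ip "$addr")" "0x$port"
    done
}

# Constructed sample: sshd on all interfaces, sendmail on loopback only,
# fingerd on all interfaces, and one established connection to be skipped.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0A01A8C0:0016 0501A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 20 4 30 10 -1'

# Run on the sample, then on the live table if this is a Linux box.
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | listening_tcp
if [ -r /proc/net/tcp ]; then
    echo "--- live:"
    listening_tcp < /proc/net/tcp
fi
```

On the sample this prints 0.0.0.0:22, 127.0.0.1:25 and 0.0.0.0:79. The 0.0.0.0 entries are what a remote Nmap can reach; the 127.0.0.1 entry is invisible from outside, which is the right way to run a daemon you only need locally. UDP services live in /proc/net/udp in the same format, and Nmap's OS fingerprinting is its -O option.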

FILE PERMISSIONS
File permissions are very important. If others are going to use your Linux system, give them their own user accounts and restrict their access to files they have no business with. Make sure that important files are readable and writable only by root. Do not change the permissions of /etc/passwd! It is important that /etc/passwd is world readable for many programs to work (anything that turns a numeric user id into a name reads it); what must not be world readable are the password hashes, which is why they belong in /etc/shadow, readable only by root. If you do not know how to change permissions, do a man chmod for help. Learn how to use umask. umask sets the permission bits that are taken away from newly created files, so it ensures new files get the permissions you want. For example, with a umask of 077, a newly created file gets permissions of -rw------- (a new directory gets drwx------). Add it to your startup script, such as ~/.bash_profile, so you can be sure that newly created files are for your eyes only.

SUID (Set-User-ID) and SGID (Set-Group-ID) programs are dangerous because, when executed, they run with the privileges of the file's owner (or group) rather than those of the user who ran them [TRANSLATION: This means that if root owns a program and makes it SUID, a normal user who runs that program temporarily becomes root while the program is running]. Here is an example. As root, do:

root# cp /bin/bash /bin/root_shell
root# chmod 4755 /bin/root_shell

Now log in as a normal user and run /bin/root_shell. You will notice that your prompt has changed to '#'. (Bash gives up the setuid privilege when it starts unless you pass it -p, so on a system with a recent bash run /bin/root_shell -p to see this.) Then do the following:

root# whoami
root
You have now become root. Remove /bin/root_shell as soon as you have seen this; a cracker who gets root for even a moment will plant exactly this kind of file so they can come back later. SGID programs are the same as SUID programs, except that they grant the file's group instead of its owner. To find all SUID and SGID programs, run the following command:

root# find / -type f \( -perm -04000 -o -perm -02000 \)

Make sure you run this as root; otherwise you may not be able to look inside directories you lack permission for. Be aware that some programs need to be SUID root in order to work! passwd, which lets users change their own password, needs to be SUID root because it writes to the password file, which only root may write. Keep the list this command prints on a clean system and compare against it now and then: a new entry, or a shell sitting there with mode 4755, is exactly the kind of backdoor shown above. To give a program SUID permissions, do a chmod 4755 program. The 4 gives the SUID permission; the remaining three digits are the normal user-group-world permissions. For SGID the command is chmod 2755 program: 2 gives SGID, and as with SUID the remaining digits are user-group-world. A mode of 6755 sets both.
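The following added example (my code, not the article's) turns the find command above into an audit: it lists every SUID/SGID file under a tree with its mode and owner, then flags the two patterns a cracker's leftover tends to show, a setuid-root file that anyone can write (so anyone can put their own code behind root's privilege) and a setid file whose contents are a copy of an installed shell, which is precisely the /bin/root_shell built above. It assumes GNU find, stat and sha256sum; the scratch directory at the bottom is constructed and owned by you, so the demo copy is harmless.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files under a tree.
# Assumes GNU find, stat, sha256sum. The demo directory is constructed.
export LC_ALL=C

# list_setid DIR: "mode uid path", one line per regular file with the
# SUID (4000) or SGID (2000) bit set.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec stat -c '%a %u %n' {} + | sort -k3
}

# shell_hashes: sha256 of the shells installed on this system; a setid copy
# of any of them is a root shell waiting to be used.
shell_hashes() {
    for s in /bin/sh /bin/bash /bin/dash /bin/ksh /bin/zsh; do
        if [ -f "$s" ]; then sha256sum < "$s" | cut -d' ' -f1; fi
    done
}

# flag_setid DIR: print "WORLD_WRITABLE path" and/or "SHELL_COPY path" for
# the suspicious entries; prints nothing if none were found.
flag_setid() {
    hashes=$(shell_hashes)
    list_setid "$1" | while read -r mode uid path; do
        # mode is four octal digits, e.g. 4755: the first digit holds the
        # setuid (4) and setgid (2) bits, the last digit is "others".
        case $mode in 4*|5*|6*|7*) setuid=1 ;; *) setuid=0 ;; esac
        others=${mode#???}
        if [ "$setuid" = 1 ] && [ "$uid" = 0 ] && [ $((others & 2)) -ne 0 ]; then
            echo "WORLD_WRITABLE $path"
        fi
        if printf '%s\n' "$hashes" | grep -qxF "$(sha256sum < "$path" | cut -d' ' -f1)"; then
            echo "SHELL_COPY $path"
        fi
    done
}

# Demo: rebuild the article's root_shell in a scratch directory and watch
# it get flagged. The copy is owned by you, so it grants nothing.
demo=$(mktemp -d)
cp /bin/sh "$demo/root_shell" && chmod 4755 "$demo/root_shell"
printf '#!/bin/sh\n' > "$demo/plain" && chmod 755 "$demo/plain"
list_setid "$demo"
flag_setid "$demo"
rm -rf "$demo"
```

Run list_setid / on a fresh install, keep the output somewhere safe, and diff against it later; anything flag_setid prints on a real system deserves an immediate look. A hash-only integrity check misses the case where a cracker simply does chmod 4755 on an existing shell, because the contents have not changed; this audit catches it through the mode.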

ENCRYPTION
Encryption uses an algorithm and a key to transform a readable file into one that cannot be read without the key [TRANSLATION: Encryption jumbles up a readable file so no one without the key can read it]. In the event that your system does get compromised, you will want to have the last laugh when the cracker finds out that your files are encrypted. This only works if the key is not sitting next to the files: a cracker with root on the machine can copy your private key and wait for you to type the passphrase, or read the files the next time you decrypt them, so encryption protects files that are stolen, not a machine that is owned. The best-known encryption program currently available is Pretty Good Privacy (PGP). There are others as well, but I recommend getting PGP. It is secure and easy to use, and you may get it at http://www.pgpi.com.

BACKUP
Always keep backups of all important files, whether on floppies or on tapes. When your system gets compromised, you want a clean copy of your entire system to rebuild from. That means keeping more than the latest backup: a backup taken after the break-in has the cracker's trojans in it, and you may not discover the break-in for weeks. Use tar to archive and compress your files. If you want to back up your entire system to floppy disks, do the following:

root# tar cvMf /dev/fd0 /

When one floppy is filled up, you will be prompted to insert another. If you are backing up to a tape drive running from a floppy controller, the command is:

root# tar cvf /dev/rft /

These are just a few ways to back up your system. If you have a separate partition you can back up to it as well, though a partition on the same disk does not survive a disk failure or a cracker's rm -rf /. Read the manual page for tar for further information, in particular the --exclude option: /proc is not real files and should not go into a backup of /. And try restoring from a backup at least once; a backup you have never restored from is a hope, not a backup.
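Here is an added example (mine, not the article's) of a tar backup done with those points in mind: the pseudo-filesystems are left out, a sha256 of the archive is written beside it so a copy kept on another machine can be checked before you trust it, and tar's --compare mode is used afterwards to see which live files no longer match the archive. It assumes GNU tar, gzip and sha256sum. Writing to /dev/fd0 or a tape works the same way by giving the device as ARCHIVE, minus the checksum step, which needs an ordinary file. The scratch tree at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example: tar backup with pseudo-filesystems excluded, a checksum
# for the archive, and a compare-against-live-tree check.
# Assumes GNU tar, gzip, sha256sum. The demo tree is constructed.

# backup_tree SRC ARCHIVE: archive SRC into ARCHIVE (gzip-compressed) and
# record its checksum in ARCHIVE.sha256. /proc, /sys and /dev are not real
# files and must not go into a backup of /.
backup_tree() {
    src=$1; archive=$2
    tar --exclude=./proc --exclude=./sys --exclude=./dev -czf "$archive" -C "$src" .
    ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" ) > "$archive.sha256"
}

# verify_backup ARCHIVE: 0 if ARCHIVE still matches its recorded checksum.
# The .sha256 file holds a bare filename, so it stays valid after the
# archive is copied to another machine.
verify_backup() {
    ( cd "$(dirname "$1")" && sha256sum --quiet -c "$(basename "$1").sha256" )
}

# compare_backup ARCHIVE SRC: 0 if every file in ARCHIVE matches the live
# tree; otherwise tar prints what differs (contents, size, mode, mtime) and
# returns 1. Run this against a backup you believe is clean to see what a
# cracker changed.
compare_backup() {
    tar --compare -zf "$1" -C "$2"
}

# list_backup ARCHIVE: the member names, to confirm what actually went in.
list_backup() {
    tar -tzf "$1"
}

# Demo on a constructed tree with a fake /proc that must not be archived.
demo=$(mktemp -d)
mkdir -p "$demo/root/etc" "$demo/root/proc" "$demo/store"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/root/etc/passwd"
printf 'not a real file\n' > "$demo/root/proc/kcore"
backup_tree "$demo/root" "$demo/store/system.tar.gz"
list_backup "$demo/store/system.tar.gz"
verify_backup "$demo/store/system.tar.gz" && echo "archive checksum OK"
compare_backup "$demo/store/system.tar.gz" "$demo/root" && echo "live tree matches backup"
rm -rf "$demo"
```

Because --compare also checks modification times, a file that was merely touched shows up alongside one whose contents changed; read the reason tar gives for each line before drawing conclusions. Keep the .sha256 files (and ideally the archives) off the machine they describe, for the same reason the logs and the Tripwire database should be.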

INTRUDER DETECTION
It would be nice to get a warning of some sort every time someone tried to connect to a port on your computer, or tried to su to another account. Fortunately, Linux can do much of this. Whatever your daemons log (su and login record every attempt; network daemons record connections only if they are written or configured to, so a silent daemon stays silent) goes through syslogd, and /etc/syslog.conf tells syslogd where to send each kind of message: into a file, to the console, or to another machine. I will not go into depth on the syntax of syslog.conf; the manual page does that rather nicely. Basically each line is:

type_of_warning.level_of_severity    log_file

To log every attempt to su, and to capture incorrect logins, that is, a cracker trying to guess passwords, add the following to your /etc/syslog.conf file (older syslogd versions insist on tabs between the two fields):

auth.*    /dev/console
authpriv.*    /dev/console

This assumes that you are the only one using your Linux system. Every authentication event will immediately be printed to /dev/console. If you are running X, this appears in xconsole (if you have it running); on the command line it appears on your screen. Do this only if you are not planning to have users logging into your computer; otherwise they will see the messages too. Keep the normal file destinations for auth and authpriv as well (on most distributions they already go to a file such as /var/log/messages or /var/log/secure), because a message that scrolled off the console is gone, and if you can, send a copy to a second machine: a cracker who gets root will clean up the local logs first. Take the time to study your /etc/syslog.conf file. It shows you where everything is being logged. Once you have made the modifications, run the following command to make syslogd re-read its configuration:

root# killall -HUP syslogd

With that done, try to su to another account. You should immediately see a message on your console telling you that an authentication event is taking place. If you are not expecting anyone to log into your system, the only time this message should appear is when you run su. Any other time it appears probably means someone is trying to crack into your system, and a run of failures against one account within a few seconds almost certainly does.
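Watching the console works while you are sitting at it; for the rest of the time the same messages have to be read back out of the log file. This added example (not from the original article) does that: it counts failed su and failed login attempts per user and source and lists those above a threshold, which is what password guessing looks like in the log. The log lines are constructed in the format su and login used at the time ("FAILED SU (to root) user on tty" and "FAILED LOGIN n FROM host FOR user"); if your versions word their messages differently, adjust the two patterns. The function names are mine.

```shell
#!/bin/sh
# Added example: find password guessing in auth log lines.
# Assumes a POSIX awk. SAMPLE_AUTH_LOG is constructed, not a real log.

# auth_failures: read syslog lines on stdin, print "count who -> target"
# for every distinct (user, target) su failure and (host, user) login failure,
# most frequent first.
auth_failures() {
    awk '
        # su logs "FAILED SU (to root) bob on /dev/pts/1" for a wrong password
        /su(\[[0-9]+\])?: FAILED SU \(to / {
            target = $0; sub(/.*FAILED SU \(to /, "", target); sub(/\).*/, "", target)
            user = $0;   sub(/.*FAILED SU \(to [^)]*\) /, "", user); sub(/ on .*/, "", user)
            n["su " user " -> " target]++
        }
        # login logs "FAILED LOGIN 2 FROM 10.0.0.5 FOR root, Authentication failure"
        /login(\[[0-9]+\])?: FAILED LOGIN / {
            from = $0; sub(/.*FAILED LOGIN [0-9]+ FROM /, "", from); sub(/ FOR .*/, "", from)
            user = $0; sub(/.* FOR /, "", user); sub(/,.*/, "", user)
            n["login " from " -> " user]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# auth_alerts THRESHOLD: only the "who -> target" entries with at least
# THRESHOLD failures.
auth_alerts() {
    auth_failures | awk -v t="$1" '$1 >= t { $1 = ""; sub(/^ /, ""); print }'
}

# Constructed sample: bob fails su to root three times, alice succeeds,
# someone at 10.0.0.5 tries root three times, 10.0.0.9 gets bob wrong once.
SAMPLE_AUTH_LOG='Dec 12 10:39:52 box su: FAILED SU (to root) bob on /dev/pts/1
Dec 12 10:40:01 box su: FAILED SU (to root) bob on /dev/pts/1
Dec 12 10:40:10 box su: FAILED SU (to root) bob on /dev/pts/1
Dec 12 10:40:15 box su: (to root) alice on /dev/pts/2
Dec 12 10:41:00 box login[1234]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Dec 12 10:41:05 box login[1234]: FAILED LOGIN 2 FROM 10.0.0.5 FOR root, Authentication failure
Dec 12 10:41:09 box login[1234]: FAILED LOGIN 3 FROM 10.0.0.5 FOR root, Authentication failure
Dec 12 10:41:20 box login[1301]: FAILED LOGIN 1 FROM 10.0.0.9 FOR bob, Authentication failure'

printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_failures
echo "--- three or more failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_alerts 3
```

Point auth_failures at the file your auth.* and authpriv.* lines write to (auth_alerts 3 < /var/log/secure, for instance) from a nightly cron job. The successful su by alice is deliberately not counted: one success after many failures is worth noticing, but that is a second rule, and the first question is simply who is hammering which account.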

CONCLUSION?
This article is by no means complete. Covering Linux security in full would fill a big book, and this is barely half of that book. You will notice that I left out physical security and a lot of network security. New security holes are always being uncovered, and new defenses are always being developed. You will want to keep up to date with what is happening, because the script-kiddies and crackers are. To defeat them you have to know how they think and work. I have compiled a small list of sites that will be of good help:

There is so much more to learn and to cover. The information in this article will keep most script-kiddies out, but only for so long. A determined cracker will find a way in. There is no way to completely secure any system; you can only make it more difficult to break into, and make sure you notice when it happens.

X_console shellscope@yahoo.com

Copyright 2000 internet.com Corp. All Rights Reserved.