TROJAN HORSES AND VIRUSES
Trojans are programs that appear to do one thing, but
secretly have a hidden and usually malicious intent. The
name follows the myth of the Trojan Horse, where the Trojans
accepted the gift from the Greeks, and it became the cause
of their defeat. Trojans have unpredictable results, ranging
from creating a backdoor into your system to destroying your
entire system. A cracker who breaks into your system will
most likely leave a trojan behind. An example of one would
be to replace ls with a tainted ls trojan:
#!/bin/sh
# tainted ls program
rm -rf /
Do not run this program unless you want to re-install
Linux. What it will do is basically delete everything when
you run ls. As you can see, trojans are hard
to spot. A tainted ps program may only show
you what the cracker wants you to see, thus leaving them
completely hidden. Your best bet to avoid running a trojan
is to never accept files from any untrusted source [TRANSLATION:
Trust no one]. Linux allows you to compile programs from source
before installing them, and that is what you should do instead
of running binary files. If you can, read the source code to make
sure it is safe [TRANSLATION: Check the blueprints for
the program and look for suspicious code. This can be difficult
if you do not know how to program, or if the blueprint is
very long]. The best way to detect trojans is to install
Tripwire. Tripwire checks the integrity of your system against
its database and, if it finds an altered file, it will notify
you so that you can check it out [TRANSLATION: Tripwire
builds a database of your system when you first install
it and monitors your system from then
on. If a new program is installed, or if an existing program
is changed, Tripwire will alert you]. Tripwire is available
at http://www.tripwiresecurity.com.
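To show what Tripwire's database-and-compare approach does, here is a small baseline/check script. It is an added example written for this article, not Tripwire's own code, and it assumes GNU coreutils (sha256sum) and file paths without whitespace.

```shell
#!/bin/sh
# Tripwire-style integrity check (added example, not Tripwire itself).
# Records a SHA-256 for every regular file under a directory, then later
# compares the live tree against that record and reports what changed.
# Assumes sha256sum is available and that paths contain no whitespace.

# Print "hash  path" for every regular file under $1, in a stable order.
snapshot() {                     # snapshot DIR
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# Take the baseline once, right after a clean install (and again after every
# legitimate update). Keep the baseline file where an intruder cannot edit it,
# e.g. on read-only media, or it proves nothing.
baseline() {                     # baseline DIR BASELINE_FILE
    snapshot "$1" > "$2"
}

# Compare DIR against BASELINE_FILE. Prints one line per difference:
#   CHANGED path   contents differ from the baseline
#   ADDED   path   not present when the baseline was taken
#   MISSING path   was in the baseline, now gone
# Return value is the number of differences (0 = tree matches baseline).
check() {                        # check DIR BASELINE_FILE
    now=$(mktemp)
    snapshot "$1" > "$now"
    rc=0
    awk '
        NR == FNR { base[$2] = $1; next }        # first file: the baseline
        {
            if (!($2 in base))       { print "ADDED   " $2; n++ }
            else if (base[$2] != $1) { print "CHANGED " $2; n++ }
            delete base[$2]
        }
        END {
            for (p in base) { print "MISSING " p; n++ }
            exit n
        }' "$2" "$now" || rc=$?
    rm -f "$now"
    return "$rc"
}
```

Run `baseline /usr/bin /mnt/readonly/usr-bin.base` once, then `check /usr/bin /mnt/readonly/usr-bin.base` from cron; a non-zero exit is the moment to look for a tainted ls or ps.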
Viruses are programs that attach themselves to other executables
and eventually infect your entire system [TRANSLATION:
When you run a program infected with a virus, it will infect
other programs]. They can be very destructive, or simply
print annoying messages to your screen. Fortunately, Linux
is almost immune to viruses because of the way each file
is given permissions [TRANSLATION: Linux is secure
enough to fend off viruses because users are restricted
to handling files belonging only to them and not to other
users]. Of course, it never hurts to have a defense against viruses.
AntiVir can be downloaded from http://www.hbedv.com/.
PORT SCANNING
Port scanning is the method of checking what ports are currently
open on a given system [TRANSLATION: Think of a
port as a door where information goes in and out. Port
scanning is the method of checking what doors are open for
breaking into]. The services behind these ports are sometimes
vulnerable to exploits, especially if they are not kept up to
date. So the next thing to do is to check what ports you have
open. Generally, if you've disabled your finger daemon, you've
disabled your finger port. Of course, there are other ports, and
that is what you want to check for. You will want to download the
port scanner Nmap for this. Nmap is available at http://www.insecure.org/nmap/index.html. One
feature it contains is the ability to "fingerprint" the
operating system it scans, so it will tell you what operating
system is being scanned. The fewer ports Nmap detects, the
more secure your system is.
FILE PERMISSIONS
File permissions are very important. If others use your
Linux system, you will want to give them
user accounts and restrict their access to certain files.
Make sure that important files are readable and writable
only by root. Do not change the permissions of /etc/passwd!
It is important that /etc/passwd is world readable
for certain programs to work. If you do not know how to
change permissions, run man chmod for help.
Learn how to use umask. umask
will ensure that newly created files have the permissions
you desire. For example, if you have a umask
of 077, newly created files will have permissions of -rw-------.
Add it to your startup script, such as ~/.bash_profile,
so you can be sure that newly created files are for your
eyes only.
SUID (Set-User-ID) and SGID (Set-Group-ID) programs are
dangerous, because when they are executed, the user running them
gains the privileges of the user who owns the program
[TRANSLATION: This means that if root makes a program
SUID, a normal user who runs that program will temporarily
become root while the program is running]. Here is an
example. As root, do:
root# cp /bin/bash /bin/root_shell
root# chmod 4755 /bin/root_shell
Now log in as a normal user, and run /bin/root_shell.
You will notice that your prompt has changed to '#'. Then
do the following:
root# whoami
root
You have now become root. SGID programs are the same as SUID
programs, except that they affect groups instead of individual
users. To find all SUID and SGID programs, run the following
command:
root# find / -type f \( -perm -04000 -o -perm -02000 \)
Make sure that you run this as root. Otherwise you may
not be able to find SUID and SGID programs in directories
you do not have permission to enter. Be aware that some programs
need to be SUID root in order to work! Programs like passwd,
which allows users to change their password, need to be
SUID root as it writes to the /etc/passwd file,
which is only writable by root. To give a program SUID permissions,
run chmod 4755 on it. The 4 gives the
SUID permission. The remaining three digits follow the
normal user-group-world permissions. For SGID, the command
is chmod 2755. The 2 gives the SGID bit,
and as with SUID, the remaining digits are user-group-world.
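The find command above is the raw inventory; what you want in practice is to run it regularly and be told only about set-id files you have not already approved. The script below does that. It is an added example for this article (not from any tool the text names), it assumes GNU find (for -printf), and the allowlist format is my own: one path per line, '#' comments allowed.

```shell
#!/bin/sh
# Periodic SUID/SGID audit built on the find predicate shown above.
# list_setid prints "octal-mode owner path" for each set-id regular file;
# audit_setid reports every such file whose path is not in an allowlist of
# programs known to need the bit (passwd, su, ...). Assumes GNU find.
# Run as root, or directories you cannot enter will be silently skipped.

# Every regular file under $1 with the SUID (4000) or SGID (2000) bit set.
list_setid() {                   # list_setid DIR
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -printf '%m %u %p\n' \
        | LC_ALL=C sort -k3
}

# Print set-id files under DIR not listed in ALLOWLIST. Return value is the
# number of unexpected files, so cron only needs to mail you when non-zero.
audit_setid() {                  # audit_setid DIR ALLOWLIST
    rc=0
    list_setid "$1" | awk -v allow="$2" '
        BEGIN {
            while ((getline line < allow) > 0)
                if (line != "" && line !~ /^#/) ok[line] = 1
        }
        !($3 in ok) {
            # Leading octal digit(s) of %m hold the special bits: 4 = SUID,
            # 2 = SGID, 1 = sticky. Anything >= 4 therefore has SUID set.
            special = substr($1, 1, length($1) - 3) + 0
            kind = (special >= 4) ? "SUID" : "SGID"
            printf "UNEXPECTED %s (mode %s, owner %s): %s\n", kind, $1, $2, $3
            n++
        }
        END { exit n }' || rc=$?
    return "$rc"
}
```

A root-owned SUID file that is not on your list, and that you did not install, is exactly the kind of leftover a cracker leaves behind (compare the /bin/root_shell example above).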
ENCRYPTION
Encryption is the method of using various algorithms which
manipulate the bits in a readable file, making it unreadable
[TRANSLATION: Encryption jumbles up a readable file
so no one can read it]. In the event that your system does
get compromised, you will want to have the last laugh when
the cracker finds out that your files are encrypted. The
best encryption program currently available is Pretty Good
Privacy (PGP). There are others as well, but I recommend
getting PGP. It is secure and easy to use, and you may get
it at http://www.pgpi.com.
BACKUP
Always keep backups of all important files, whether in
the form of floppies or tapes. When your system gets
compromised, you want to have a clean copy of your entire
system. Use tar to archive and compress your
files. If you want to back up your entire system to floppy
disks, do the following:
root# tar cvMf /dev/fd0 /
When one floppy is filled up, you will be prompted to
enter another floppy. If you are backing up to tapes on
a tape drive running from a floppy controller, the command
is:
root# tar cvf /dev/rft /
These are just a few ways to back up your system. If you
have a separate partition, you can back it up there as well.
You will want to read the manual for tar for further
information.
INTRUDER DETECTION
It would be nice if you received a warning of some sort
every time someone tried to connect to some port on your
computer, or tried to su to another account.
Fortunately, it is possible to set up your Linux system
to do this! This can be accomplished by configuring your
/etc/syslog.conf file. /etc/syslog.conf
tells syslogd where to log each kind of event:
for instance, whether the event should be logged into
a file of some sort, or printed to the screen. I will not
go into depth on the syntax needed to write a syslog.conf
file. I think the manual page for it accomplishes that rather
nicely. Basically the syntax is:
type_of_warning.level_of_severity log_file
In order to log any possible attempt to su
or to capture incorrect logins, that is, a cracker trying
to guess passwords, add the following to your /etc/syslog.conf
file:
auth.* /dev/console
authpriv.* /dev/console
This is of course assuming that you are the only one using
your Linux system. Any authorization attempt will immediately
be printed to /dev/console. If you are using
X Window, this will be printed to xconsole
(if you have it running), and if you are using the command
line, to your screen. Do this only if you are not planning
on having users connecting to your computer. Otherwise,
they will see authorization messages being logged to their
/dev/console as well. Take the time to study
your /etc/syslog.conf file. It shows you where
everything is being logged. Once you have made the modifications,
run the following command to make syslogd re-read its configuration:
root# killall -HUP syslogd
With that done, you should now try to su
to another account. You should immediately see a warning
message pop up on your console telling you that an authorization
event is taking place. If you are not expecting anyone to log
into your system, the only time this message should pop
up is when you are running su. Any other time
it appears probably means that someone is attempting to crack
into your system.
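Watching the console works for one person; on a machine with users, the same auth.* and authpriv.* messages go to a log file, and you want to pick the "someone is attempting to crack in" case out of it automatically. The script below is an added example for this article, not part of syslogd or any named tool; the log lines in it are constructed samples in the classic syslog format that su and login emit, and the field positions it parses are assumptions about that format.

```shell
#!/bin/sh
# Pick password-guessing signs (failed su, failed logins) out of auth log
# lines. Constructed sample lines follow; in production, feed it the file
# that auth.*/authpriv.* point at in /etc/syslog.conf instead of /dev/console.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 22:10:01 box su: (to root) alice on /dev/pts/1
Mar  3 22:10:45 box su: FAILED su for root by bob
Mar  3 22:10:52 box su: FAILED su for root by bob
Mar  3 22:11:03 box su: FAILED su for root by bob
Mar  3 22:12:17 box login[812]: FAILED LOGIN 1 FROM 10.0.0.9 FOR root, Authentication failure
Mar  3 22:12:21 box login[812]: FAILED LOGIN 2 FROM 10.0.0.9 FOR root, Authentication failure
Mar  3 22:13:00 box sshd[900]: Accepted password for alice from 10.0.0.5 port 40112 ssh2
EOF
)

# Read log lines on stdin and count failures per actor. Output, sorted:
#   "SU <user> -> <target> <count>"   from "su: FAILED su for TARGET by USER"
#   "LOGIN <source> <count>"          from "FAILED LOGIN n FROM SOURCE ..."
# Successful su and accepted logins are deliberately not counted: a single
# legitimate su is the one message the text says you expect to see.
summarise_failures() {
    awk '
        /su: FAILED su for/ { n["SU " $NF " -> " $(NF-2)]++ }
        /FAILED LOGIN .* FROM/ {
            for (i = 1; i <= NF; i++) if ($i == "FROM") src = $(i + 1)
            n["LOGIN " src]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# Read summary lines on stdin; flag actors at or above LIMIT failures.
# Three failed su attempts in a minute by one user is worth a look.
failures_over() {                # failures_over LIMIT
    awk -v limit="$1" '$NF >= limit { print "ALERT:", $0 }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_AUTH_LOG" | summarise_failures | failures_over 3
```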
CONCLUSION?
This article is by no means complete. Covering Linux security
in full would fill up a big book. This is barely half
of that book. You will notice that I left out physical security
and a lot of network security. New security holes are always
being uncovered, and new defenses are always being developed.
You will want to keep up to date with what is happening,
because the script-kiddies and crackers are. To defeat them,
you have to know how they think and work. I have compiled
a small list of sites that will be of good help:
There is so much more to learn and to cover. The information
provided in this article will keep most script-kiddies out,
but only for so long. A determined cracker will find a way
to break in. There is no way to completely secure any system.
You can only make it more difficult to break into.
X_console shellscope@yahoo.com