Linux and UNIX Overview

Presentation transcript:

Linux and UNIX Overview 1 Linux and UNIX Overview

Linux and UNIX Overview 2 Linux and UNIX
• Linux and UNIX OSs are…
  o Often targets for attacks
  o Often used for launching attacks
• So we need to understand basics

Linux and UNIX Overview 3 UNIX
• A “beautiful but strange beast”
  o Developed as research project by AT&T
  o More than 35 years old
  o Internet was built on UNIX
  o Recently, popular for desktops, etc.

Linux and UNIX Overview 4 UNIX
• It’s beautiful because…
  o It’s powerful
    • Millions of people have worked on it
  o Huge numbers of useful tools
  o “Been around the block” more than once
  o Closely associated with open source
  o Admins can find lots of useful tools

Linux and UNIX Overview 5 UNIX
• Strange because so many UNIX OSs
• Popular variants include
  o Solaris by Sun
  o MacOS by Apple
  o HP-UX by HP
  o IRIX by sgi
  o AIX by IBM
  o FreeBSD, free open source
  o OpenBSD, “the #1 most secure” OS

Linux and UNIX Overview 6 UNIX
• Differences between UNIX variants
  o File systems organization
  o System calls, commands, command options, etc.
• Two main “lines” of UNIX
  o AT&T and BSD
• But some UNIXs are combinations

Linux and UNIX Overview 7 Linux
• Developed by Linus Torvalds
  o Technically, not a variant of UNIX
  o Created without using any of the underlying UNIX code
  o A “UNIX-like environment”
  o Strictly speaking, “Linux” is just the kernel
  o Many Linux “distros”: Debian, Gentoo, Mandrake, Red Hat, Slackware, SuSE, etc.

Linux and UNIX Overview 8 UNIX
• Here, generic UNIX/Linux concepts
  o Things that apply to most UNIX/Linux
• UNIX also strange because
  o Not designed for ease of use
  o Think command line, not GUI
  o Ironically, much simpler than Windows…
    • If you think Windows is easier, you don’t know Linux…
    • …and you don’t know Windows

Linux and UNIX Overview 9 UNIX
• Here, we focus on generic “UNIX”
  o Things that apply to most variants
• Book uses “UNIX”, “Linux” interchangeably
• Here, we only scratch the surface
• For more info
  o Linux Administration Handbook, by Nemeth
  o Man pages

Linux and UNIX Overview 10 Architecture
• File system
  o Like traveling thru a city…
  o Directories are like signs leading you to “buildings” (files)
• Many things treated as files
  o Devices, elements of processes, files

Linux and UNIX Overview 11 File System
• Top is root directory: / == “slash”
  o “cd /” takes you to root
  o For example: /home/fred/hack.txt
    • File hack.txt in directory /home/fred

Linux and UNIX Overview 12 Important Directories
• / == root (top level), called “slash”
• /bin, /sbin == critical system exe’s
• /dev == devices, terminal, CD, etc.
• /etc == system config files
  o Accounts, pwds, network addresses, etc.
• /home == user directories

Linux and UNIX Overview 13 Important Directories
• /lib == shared libraries for programs
• /mnt == exported file systems temporarily mounted, removable devices (e.g., USB)
• /proc == images/data of current processes
  o Not on hard drive---can see what kernel is doing
• /tmp == temporary files
• /usr == critical system files (utilities, man pages, …)
• /var == stores various types of files, often for administration (log files)

Linux and UNIX Overview 14 Important Directories
• “.” is current directory
• “..” is parent directory
  o One level up
• “ls” lists all files in directory
• “ls -a” lists “.” and “..” too

Linux and UNIX Overview 15 Kernel
• UNIX and Linux are modular
• The core is the kernel
  o Heart and brains of OS
  o Deals with critical system functions
  o E.g., hardware interactions, resource allocation, …
  o Programs call on kernel for these things

Linux and UNIX Overview 16 Processes
• For program, kernel starts a process
  o Process is like a “bubble that contains the guts of a running program”
  o Kernel creates bubble, inflates it and tries to keep bubbles from popping each other
• User programs, admin tools, services (e.g., Web, mail) are processes
  o May be 100s to 1000s of active processes
  o Kernel juggles these into CPU, manages memory

Linux and UNIX Overview 17 Processes  High level view of architecture

Linux and UNIX Overview 18 Processes
• Many processes run in background
• Perform system-critical functions
  o Printing, network activity, etc.
• Known as “daemons”
  o Pronounced “day-muns” or “dee-muns”
  o Named based on their function
  o E.g., SSH daemon is sshd

Linux and UNIX Overview 19 Automatic Processes
• Booting: kernel starts init daemon
  o Finishes boot process
• Init starts many network processes
  o Httpd --- Web server, for http/https
  o Sshd --- SSH service
  o Sendmail --- common UNIX mail server
  o NFS --- Network File System for sharing files between UNIX systems

Linux and UNIX Overview 20 Network Services
• Network service listens to network
  o Web server listens on TCP port 80
  o Mail server listens on TCP port 25
• Wait for incoming traffic
• Lots of mail/Web traffic, so they listen constantly
• What about, say, FTP?

Linux and UNIX Overview 21 Network Services
• To improve efficiency…
• “Internet daemon” listens for uncommon services
  o inetd (“I-Net-D”) or xinetd
• When traffic arrives, inetd activates appropriate service
• Uncommon services: echo, chargen, ftpd, telnetd, rsh, rlogin, TFTP, …

Linux and UNIX Overview 22 inetd
• File /etc/inetd.conf tells inetd what services to listen for: must specify
  o Service name --- e.g., telnet (defined in /etc/services)
  o Socket type --- type of connection?
  o Protocol --- usually tcp or udp
  o Wait status --- process handles multiple connections or not
  o User Name --- name services should run as
  o Server program and arguments
• inetd.conf is target of attacks
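
Because inetd.conf is a target of attacks, reviewing it field by field is a routine hardening step. The following is an added example, not part of the original slides: it parses the fields listed above and flags the "uncommon services" from the previous slide and any external server that runs as root. The sample file, its paths and the function names are constructed for illustration.

```python
# Added example: parse inetd.conf entries and flag the legacy services named
# on the slides. SAMPLE_INETD_CONF is constructed for illustration.
SAMPLE_INETD_CONF = """\
# service socket proto wait   user   server-program        arguments
telnet  stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd
ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd -l
tftp    dgram  udp wait   nobody /usr/sbin/in.tftpd   in.tftpd /tftpboot
#shell  stream tcp nowait root   /usr/sbin/in.rshd    in.rshd
chargen stream tcp nowait root   internal
ident   stream tcp nowait nobody /usr/sbin/identd     identd
"""

FIELDS = ("service", "socket_type", "protocol", "wait", "user", "program")
# /etc/services names for telnet, ftp, tftp, rsh ("shell"), rlogin ("login"),
# echo and chargen.
LEGACY = {"telnet", "ftp", "tftp", "shell", "login", "echo", "chargen"}


def parse_inetd(text):
    """Return one dict per active (non-comment) inetd.conf entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled entry
        parts = line.split()
        if len(parts) < len(FIELDS):
            raise ValueError(f"line {lineno}: expected at least 6 fields")
        entry = dict(zip(FIELDS, parts[:6]))
        entry["args"] = parts[6:]
        entry["line"] = lineno
        entries.append(entry)
    return entries


def audit(entries):
    """Return (line, service, issue) tuples worth a reviewer's attention."""
    findings = []
    for e in entries:
        if e["service"] in LEGACY:
            findings.append((e["line"], e["service"], "legacy service enabled"))
        # "internal" services are handled inside inetd itself, not by a program.
        if e["user"] == "root" and e["program"] != "internal":
            findings.append((e["line"], e["service"], "runs as root"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_inetd(SAMPLE_INETD_CONF)):
        print(*finding)
```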

Linux and UNIX Overview 23 inetd  Relationship between inetd and other daemons

Linux and UNIX Overview 24 cron
• Cron daemon
  o Schedule programs to run at predetermined times
  o For example, backup files at 3am
• Attackers also like cron
  o E.g., shut down critical service at a particular time as part of back door

Linux and UNIX Overview 25 Processes
• Can also start processes manually
• “path” is searched for command
• To see path: echo $path
  o Dangerous to have “.” in path
  o Why?

Linux and UNIX Overview 26 Interacting with Processes
• Each process has process ID (PID)
• To get info on current processes
  o “ps -aux” (all running processes)
  o “lsof” (list of open files)
• Can send a signal to a process
  o TERM to terminate, HUP to “hang up” (often rereads config), kill, killall, etc.

Linux and UNIX Overview 27 Accounts
• Need an account to log in
• A process runs with permissions of a given account
• /etc/passwd file
  o One line for every account, e.g.,
  o sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false

Linux and UNIX Overview 28 Passwd File
• Each line contains
  o Login name
  o Hashed/encrypted password
  o UID number --- number assigned to account, used to determine permissions of processes
  o Default GID --- default group number
  o GECOS info --- not used by system, names, etc.
  o Home directory --- directory after login
  o Login shell --- sh, bash, csh, ksh, or another program

Linux and UNIX Overview 29 Passwd File
• Passwd file is world readable
  o Attackers like to know hashed passwords
  o Used for password guessing
• Most modern UNIX systems do not include hashed passwords in passwd file
  o Instead, in “shadow” passwd file, /etc/shadow
  o Requires super-user privilege to access
• So passwd file contains no passwords…

Linux and UNIX Overview 30 Password File
• After much searching…
• Found my OS X hashed password is
  o 0x3BBC2A94D59EB1D5D3452EA6FA47399B2A25664C
• Where SHA1 hash is used, with salt
  o 0x8429A223
• Extra credit: Find my password!

Linux and UNIX Overview 31 Groups
• Group users together
• Assign permission to the group
• Stored in file /etc/group, format is
  o Group name
  o Hashed group password --- never used
  o GID number --- used by the system instead of group name
  o Group members --- by login names

Linux and UNIX Overview 32 Root
• Root account is all-powerful user
• Maximum privilege --- can read, write any file
• Root == superuser or “God”
• UID == 0
  o “root” could be called anything, provided UID is 0
  o Can be multiple root accounts
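
The passwd format from the Passwd File slides and the UID 0 rule above combine into a simple account audit. The following is an added example, not part of the original slides: it splits each line into the seven fields and reports extra UID 0 accounts, hashes left in the world-readable file, and empty password fields. The sample file (apart from the sshd line quoted earlier), the placeholder hash and the rule that "x", or a field starting with "*" or "!", means "no hash here" are assumptions.

```python
# Added example: audit /etc/passwd-style lines. SAMPLE_PASSWD is constructed;
# "EXAMPLEHASH00" is a placeholder, not a real password hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
fred:x:1001:1001:Fred:/home/fred:/bin/bash
toor:x:0:0:backup admin:/root:/bin/sh
legacy:EXAMPLEHASH00:1002:1002::/home/legacy:/bin/sh
guest::1003:1003::/home/guest:/bin/sh
"""

FIELDS = ("login", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return one dict per account, with uid and gid converted to int."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields")
        acct = dict(zip(FIELDS, parts))
        acct["uid"], acct["gid"] = int(acct["uid"]), int(acct["gid"])
        accounts.append(acct)
    return accounts


def audit_passwd(accounts):
    """Return (login, issue) tuples for accounts that need review."""
    findings = []
    for a in accounts:
        # Any UID 0 account is a root account, whatever it is called.
        if a["uid"] == 0 and a["login"] != "root":
            findings.append((a["login"], "UID 0 account besides root"))
        pw = a["password"]
        if pw == "":
            findings.append((a["login"], "empty password field"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # Assumption: anything else is a hash readable by every user.
            findings.append((a["login"], "hash stored in world-readable passwd"))
    return findings


if __name__ == "__main__":
    for login, issue in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{login}: {issue}")
```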

Linux and UNIX Overview 33 Permissions
• Every file has an owner and group
• Owner (or root) sets permissions
  o Permissions: owner, group, everybody
  o For each of the 3, read, write, execute
  o Use “ls -l” to see permissions
    -rw-r--r-- 1 markstam markstam 767 Feb 6 19:31 cs286.txt
    drwxr-xr-x 40 markstam markstam 1360 Jan 25 17:33 docs

Linux and UNIX Overview 34 Permissions

Linux and UNIX Overview 35 Permissions
• Change permissions using chmod
  o “change modes”
• Give new permissions in octal
  o For example: chmod 745 foo
  o This corresponds to: rwxr--r-x

Linux and UNIX Overview 36 SetUID
• Sometimes user needs to access file and they do not have permissions
  o Example: to change password (assuming hashes stored in shadow file)
• SetUID == Set User ID
• Use this so program will execute with permission of its owner
  o As opposed to permission of user executing it
  o Password changing program: SetUID root

Linux and UNIX Overview 37 SetUID
• Gives “common” users lots of power
  o OK if used in controlled way for specific tasks
• SetUID permissions appear before 9 standard permission bits
  o In fact, 3 additional bits
  o SetUID, SetGID, “sticky bit”
  o For example: chmod 4745 foo
  o Shows up in “ls -l” as an s :
    -r-sr-xr-x 1 root wheel Jan /usr/bin/passwd

Linux and UNIX Overview 38 SetUID
• Attackers like SetUID programs
  o May be possible to exploit flaws in code (buffer overflow) to elevate privilege
• New/modified SetUID programs may be evidence of attack
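
Since new or modified SetUID programs may be evidence of attack, a common check is to inventory them and compare against a known-good baseline. The following is an added example, not part of the original slides: it renders the 12 mode bits from the Permissions and SetUID slides the way "ls -l" does, and diffs two inventories. The function names are constructed, and the baseline is assumed to come from an earlier run on a trusted system.

```python
# Added example: decode octal modes (including SetUID/SetGID/sticky) and
# compare a SetUID/SetGID inventory against a saved baseline.
import os
import stat


def mode_string(mode):
    """Render the 12 permission bits as `ls -l` shows them, minus the type char."""
    out = []
    specials = ((stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t"))
    for i, (special, letter) in enumerate(specials):
        bits = (mode >> (6 - 3 * i)) & 0o7  # owner, then group, then other
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        executable = bool(bits & 1)
        if mode & special:
            # Lower case when the execute bit is also set, upper case when not.
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def setuid_inventory(root):
    """Map path -> (owner uid, mode) for SetUID/SetGID regular files under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            special = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if stat.S_ISREG(st.st_mode) and special:
                found[path] = (st.st_uid, stat.S_IMODE(st.st_mode))
    return found


def diff_inventory(baseline, current):
    """Return (new paths, paths whose owner or mode changed) versus the baseline."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current
                     if p in baseline and current[p] != baseline[p])
    return new, changed


if __name__ == "__main__":
    for path, (uid, mode) in sorted(setuid_inventory("/usr/bin").items()):
        print(f"{mode_string(mode)} uid={uid} {path}")
```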

Linux and UNIX Overview 39 Trust Relationships
• That is, trust between machines
  o Can specify which machines to trust
Bob trusts Alice

Linux and UNIX Overview 40 Trust Relationships
• Unauthenticated access by users from trusted machine
  o Since trusted machine (presumably) already authenticated the user
• If trusted, the r-commands (rlogin, rsh, rcp) require no password
  o Also, r-commands do not encrypt
• How does Bob know trusted Alice is Alice?

Linux and UNIX Overview 41 Logs and Audit
• Created by syslog daemon (syslogd)
• Typical log files
  o Secure --- logins, successful and failed
  o Message --- catch-all system log
  o Individual app logs --- for specific apps

Linux and UNIX Overview 42 Logs and Audit
• Forensic info also logged
• Attackers like to cover their tracks
• To do so, may need to manipulate…
  o utmp --- who is logged in
  o wtmp --- record of all logins and logouts
  o lastlog --- time and location of each user’s most recent login

Linux and UNIX Overview 43 Common Network Services
• Telnet --- command line remote access
  o No encryption, session can be hijacked, …
• FTP --- file transfer
  o Insecure, like telnet
• SSH --- encrypted “tunnel”
  o Then safe to use unsafe services
  o SSH version 1 insecure, version 2 is good

Linux and UNIX Overview 44 Common Network Services
• HTTP --- Web
  o Source of many attacks
• Mail --- sendmail, several security issues
• r-commands --- rlogin, rsh, rcp
  o Considered very insecure
• DNS --- domain names to IP addresses
  o Critical service, good one for attackers…

Linux and UNIX Overview 45 Common Network Services
• NFS --- transparently access files across network
  o NFS server “exports” directory info
  o Local machine can “mount” these, so files appear to be locally accessible
  o Like FTP without all of the trouble of FTP-ing
  o Of course, exporting too much may be bad
• X-Window System --- X11 (or just “X”)
  o The underlying GUI service in UNIX
  o X server controls screen, provides service
  o Must limit who can display/access your screen

Linux and UNIX Overview 46 Conclusion
• UNIX/Linux
• Popular OSs
• More than 30 years old
• Fundamental part of Internet
• Widely used OSs
• Platform of choice for many attackers

Linux and UNIX Overview 47 Summary