The diversity of today's networks exposes your system to a wide variety of possible security-related incidents. To protect your systems, you must be aware of these exploits. While previous sections explained the types of people to protect against, and the reasons they attack, this section attempts to explain the types of exploits typically performed to break into a computer system.
There are several exploits that won't be mentioned here, such as macro code attacks and virus infections, to which Linux and Unix in general are not susceptible. However, any Windows-based systems that connect to them will be susceptible, via shared filesystems, electronic mail, etc.
There are now several programs available to check your system for the most common exploits. The rootshell site, http://www.rootshell.com, has several of these programs, and another is available at ftp://ftp.fu-berlin.de/unix/security/chkexploit/
Worms are programs which replicate themselves, but unlike viruses they do not modify other programs and are not triggered by user actions. Worms are self-contained programs that attack systems or other programs without changing them in any way, and that typically use networks to accomplish this. The Internet Worm, which reportedly gained access to more than 6,000 Unix systems, flooded the Internet with so many access requests that it became unusable. These are nowhere near as common as they once were.
A trojan horse is an unauthorized, self-contained program that is not self-replicating. It is often hidden or given a misleading name to deter suspicion.
A Trojan Horse is named after the fabled ploy in Homer's great literary work. The idea is that you put up a program or binary that sounds great, and get other people to download it and run it as root. Then, you can compromise their system while they are not paying attention. While they think the binary they just pulled down does one thing (and it might very well), it also compromises their security.
You should take care over what programs you install on your machine. Red Hat provides MD5 checksums and PGP-signs its RPM files so you can verify you are installing the real thing. Other distributions have similar methods. You should never run as root any binary that you don't have the source for or that is not well known! Few attackers are willing to release source code to public scrutiny.
Although it can be complex, make sure you are getting the source for a program from its real distribution site. If the program is going to run as root, make sure either you or someone you trust has looked over the source and verified it.
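The following is an added example, not code from the original document or from any distribution. It shows the checksum check described above as a small shell routine: the published MD5SUMS file is consulted for the package name, the digest of the downloaded file is recomputed with md5sum, and installation is refused when the entry is missing or the digest differs. The package files and the MD5SUMS file are constructed for the demonstration; the vendor's PGP signature on an RPM would additionally be checked with rpm --checksig.

```shell
#!/bin/sh
# Added example (not from the original document): verify a downloaded
# file against the MD5 checksum published by its distribution site
# before installing or running it. Sample files below are constructed.

# verify_md5 FILE EXPECTED_HEX
# Returns 0 when the file's MD5 digest matches EXPECTED_HEX, 1 otherwise.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# check_package FILE CHECKSUM_FILE
# CHECKSUM_FILE uses the "md5sum -c" layout: "<hex>  <name>" per line.
# Refuses the package when no entry exists for it or the digest differs.
check_package() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: no published checksum; refusing to install" >&2
        return 1
    fi
    if verify_md5 "$file" "$expected"; then
        echo "$name: checksum OK"
        return 0
    fi
    echo "$name: CHECKSUM MISMATCH; do not install" >&2
    return 1
}

# Constructed demonstration data: one genuine file, one altered copy,
# and a checksum list that carries the digest of the genuine bytes.
workdir=$(mktemp -d)
printf 'hello\n' > "$workdir/good-1.0.tar.gz"
printf 'hellO\n' > "$workdir/tampered-1.0.tar.gz"
# b1946ac9... is the MD5 digest of the bytes "hello\n"
cat > "$workdir/MD5SUMS" <<EOF
b1946ac92492d2347c6235b4d2611184  good-1.0.tar.gz
b1946ac92492d2347c6235b4d2611184  tampered-1.0.tar.gz
EOF

# Usage: the first call accepts, the second refuses the altered file.
check_package "$workdir/good-1.0.tar.gz" "$workdir/MD5SUMS"
check_package "$workdir/tampered-1.0.tar.gz" "$workdir/MD5SUMS"
```

Note that the MD5SUMS file must itself come from the distribution site (or be PGP-signed) for this to mean anything; a checksum fetched from the same mirror as a tampered archive proves only that the two were tampered with together.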
Cracking attacks are attacks perpetrated by network intruders, or crackers (formerly known as hackers). These attacks take the form of network intrusions, which are break-ins into remote systems, or the use of the services they provide, without authorization. The number of cracker attacks is proliferating more rapidly than any other type of incident, in large part because the Internet provides broad connectivity without intrinsic security mechanisms.
Information security professionals have long accepted the premise that more incidents are caused by insiders (e.g., company employees and contractors) than by outsiders. Many feel this trend is now reversing, and news of organizations' incurring major financial losses as the result of network intrusions is becoming commonplace.
Obviously, neither type of exploit should be taken lightly.
Users often log on to workstations and then leave them unattended for long periods of time. This allows unauthorized individuals physical access to the workstations and to the organization's systems. An attacker can enter the office and use the workstation to attack numerous systems at a commercial site.
Attacks involving direct physical access can be extremely costly, because the attacker is often an insider who knows exactly where valuable data and applications reside on the system.
See the section on physical security for more information on how to protect your system.
Spoofing is a complex technical attack made up of several components. It is a security exploit that works by tricking computers in a trust relationship into believing you are someone you really aren't. Spoofing of network connections involves forging an IP source address to trick the destination into thinking you are someone you really aren't. Spoofing of network services involves using poorly configured (or misconfigured) applications, typically SMTP, to trick the client, server, or recipient into thinking you are someone you are not.
Using the most recent implementations of the available service can help to protect against this ``masquerading''. A rule that prevents packets with internal IP addresses from seemingly entering your firewall from the outside should be a mandatory addition to your rulebase. There is some information on preventing DNS spoofing available at http://www.sunworld.com/swol-11-1997/swol-11-bind.html
A general guide to securing DNS is available at http://www.psionic.com/papers/dns-linux.html
A great reference of spoofing information is available at http://www.unitedcouncil.org/text.html, including the excellent article published in Volume Seven, Issue Forty-Eight of Phrack, available at http://www.unitedcouncil.org/spoof/IPSpoofing.txt This paper will help you understand the low-level TCP details.
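The anti-spoofing rule mentioned above, as an added example that is not part of the original document. It emits, in iptables syntax (an assumption; the original does not name a firewall tool), a chain that logs and drops any packet arriving on the external interface whose source address claims to be the site's own network, RFC 1918 private space, loopback or link-local. The rules are printed for review rather than applied; the interface name and site network are placeholders.

```shell
#!/bin/sh
# Added example (not from the original document): generate an
# anti-spoofing rule set for the outside interface. Rules are printed,
# not applied; pipe the output through "sh" on the firewall once
# reviewed. Interface and network names are placeholders.

# bogus_sources "SITE_NET [SITE_NET ...]"
# Address blocks that must never be a source address on the outside
# interface: the site's own network(s), RFC 1918 private space,
# loopback and the link-local range.
bogus_sources() {
    site_nets=$1
    for net in $site_nets 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
               127.0.0.0/8 169.254.0.0/16; do
        echo "$net"
    done
}

# gen_antispoof_rules EXT_IF "SITE_NET [SITE_NET ...]"
# Prints one iptables command per line: a dedicated ANTISPOOF chain
# that logs then drops offending packets, hooked in front of both the
# INPUT and FORWARD paths so it runs before the normal rulebase.
gen_antispoof_rules() {
    ext_if=$1
    site_nets=$2
    echo "iptables -N ANTISPOOF"
    for net in $(bogus_sources "$site_nets"); do
        echo "iptables -A ANTISPOOF -i $ext_if -s $net -j LOG --log-prefix 'spoofed src: '"
        echo "iptables -A ANTISPOOF -i $ext_if -s $net -j DROP"
    done
    echo "iptables -I INPUT 1 -i $ext_if -j ANTISPOOF"
    echo "iptables -I FORWARD 1 -i $ext_if -j ANTISPOOF"
}

# count_drop_rules EXT_IF "SITE_NET ..."
# Number of DROP rules produced; useful as a sanity check that every
# bogus range got a rule.
count_drop_rules() {
    gen_antispoof_rules "$1" "$2" | grep -c -- '-j DROP'
}

# Usage: print the rule set for a placeholder interface and site network.
gen_antispoof_rules eth0 "192.0.2.0/24"
```

Logging before dropping is deliberate: a burst of ``spoofed src'' entries in the firewall log is often the first visible sign of the attacks described above, and the log line carries the apparent source for the report to your provider.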
A Denial of Service (DoS) attack is one where the attacker prevents legitimate users from accessing a service. Denial of service attacks either try to make some resource too busy to answer legitimate service requests, or try to deny legitimate users access to a machine.
Also of significant concern is a denial of service attack that is really intended to keep the victim busy while the intruder impersonates the host, which is prevented from replying. These are typically referred to as ``man in the middle'' attacks.
Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below. Note that new ones show up all the time, so this is just a few examples.
If you are ever under a ping flood attack, use a tool like tcpdump, available at ftp://ftp.ee.lbl.gov/tcpdump.tar.Z (although it should be part of your Linux vendor's distribution), to determine where the packets are coming from (or appear to be coming from), then contact your provider with this information. Ping floods can most easily be stopped at the router level or by using a firewall.
Someone has put together a further discussion of the Ping 'o Death attack, which is available at http://www.sophist.demon.co.uk/ping/
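As an added example (not from the original document), the following shell routine reduces tcpdump output to a per-source count of ICMP echo requests, which is the information your provider needs during a ping flood. The capture lines are constructed and assume tcpdump's numeric (-n) line layout, where the source address is the third field; on a live system the function would be fed with tcpdump -n -l icmp.

```shell
#!/bin/sh
# Added example (not from the original document): tally ICMP echo
# request sources from tcpdump output so the (apparent) origin of a
# ping flood can be reported. Sample lines below are constructed and
# use documentation address ranges.

# icmp_echo_sources: stdin = tcpdump -n lines, stdout = "count source",
# busiest source first. Only echo requests are counted; replies and
# non-ICMP traffic are ignored.
icmp_echo_sources() {
    awk '/ICMP echo request/ { print $3 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# top_icmp_source: the single busiest source, as "count source".
top_icmp_source() {
    icmp_echo_sources | head -n 1
}

# flood_suspected LIMIT: exit 0 when any single source exceeds LIMIT
# echo requests in the sample read from stdin, 1 otherwise.
flood_suspected() {
    limit=$1
    icmp_echo_sources |
        awk -v lim="$limit" '$1 > lim { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample capture: five requests from one host, two from
# another, one reply and one unrelated TCP SYN.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000102 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 2, length 64
12:00:01.000203 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 3, length 64
12:00:01.000304 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 4, length 64
12:00:01.000405 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 5, length 64
12:00:01.000506 IP 198.51.100.4 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
12:00:01.000607 IP 198.51.100.4 > 192.0.2.10: ICMP echo request, id 7, seq 2, length 64
12:00:01.000708 IP 192.0.2.10 > 198.51.100.4: ICMP echo reply, id 7, seq 1, length 64
12:00:01.000809 IP 198.51.100.9.40000 > 192.0.2.10.22: Flags [S], seq 1, win 64240, length 0'

# sample_capture: emit the constructed lines, one per line.
sample_capture() {
    printf '%s\n' "$SAMPLE_CAPTURE"
}

# Usage: full tally, then the busiest source.
sample_capture | icmp_echo_sources
sample_capture | top_icmp_source
```

Remember that the addresses reported are only what the packets claim; a flood built on forged sources will point at an innocent network, which is why the provider's own routers, not your log, settle where the traffic actually enters.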
Much work is being done in this area by some very capable people to proactively catch these problems before further exploits are discovered. The Linux Security Audit Group is working on auditing many of the stock packages that vendors ship with their distributions. You can follow their efforts, or even help evaluate programs, by joining the security audit list, [email protected], with ``subscribe'' in the body of the message. You can find the mailing list archives at http://www.nas.nasa.gov/Pubs/Mail/archive/linux-security-audit/ This is strictly an auditing list. It does not discuss issues regarding configuring your system to be more secure, reporting an exploit, etc. Do not expect to find information here about steps to perform an exploit.
Be sure to keep your subscription information, as it is very distracting to see unsubscribe requests being sent to the list. You can unsubscribe from the list by sending ``unsubscribe security-audit'' in the body of the message to [email protected]
Chris Evans is doing a fine job of maintaining the mailing list, as well as a list of outstanding security issues, specifically, those in Red Hat 5.1. You can find this list at http://www-jcr.lmh.ox.ac.uk/~chris/rhbugs.txt
Some of the types of exploits performed on flaws in programming consist of at least the following:
See the Web Links section for URLs to the most common Linux vendor security updates, and the Mail Links section for addresses for notification from most security vendors. Additionally, there are several user-contributed programs that will monitor particular ftp sites for changes, and either notify you when they change, or update automatically.
Directories such as /tmp are typically used for temporary files, such as are created by the line printer daemon, X11, accounting programs, etc. A potential for guessing the names of the files written to this directory exists. As a result, poorly coded programs may have the potential for being exploited by writing into a pre-existing file. For a more complete explanation, see the Writing Secure Code section.
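The /tmp problem above, as an added example that is not part of the original document. The first routine is the mistake: a predictable file name and a plain ">" redirection that silently truncates whatever already sits at that path. The two that follow are the fixes: the shell's noclobber option (set -C) makes the redirection fail instead of writing into a pre-existing file, and mktemp picks an unguessable name and creates the file with mode 0600. Directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original document): creating temporary
# files without writing into a pre-existing (possibly planted) file.

# unsafe_tmp_write DIR CONTENT
# The classic defect: the name "lpd.<pid>" is easy to predict, and ">"
# happily overwrites a file that an attacker created there beforehand.
unsafe_tmp_write() {
    dir=$1
    content=$2
    echo "$content" > "$dir/lpd.$$"
    echo "$dir/lpd.$$"
}

# safe_create PATH
# Creates PATH only if nothing exists there yet. With noclobber (set -C)
# the ">" redirection fails on an existing file rather than truncating
# it, so a planted file is detected instead of overwritten. The new
# file is then restricted to its owner.
safe_create() {
    path=$1
    ( set -C; : > "$path" ) 2>/dev/null || return 1
    chmod 600 "$path"
}

# secure_tmp_file DIR
# The preferred approach: mktemp picks an unpredictable name and creates
# the file atomically with mode 0600. Prints the path on success.
secure_tmp_file() {
    dir=$1
    f=$(mktemp "$dir/lpd.XXXXXX") || return 1
    echo "$f"
}

# owner_only PATH: exit 0 when PATH is a regular file with mode rw-------
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: a planted file makes safe_create refuse; a fresh name succeeds.
demo=$(mktemp -d)
: > "$demo/planted"
safe_create "$demo/planted" && echo "overwrote planted file (bad)" \
                            || echo "refused pre-existing file (good)"
safe_create "$demo/fresh" && echo "created $demo/fresh"
secure_tmp_file "$demo"
```

A program that must run as root should use the mktemp approach (or the equivalent O_EXCL open in C); the noclobber trick is the minimum for shell scripts that cannot avoid a fixed name.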
Misconfigured or unnecessary services pose a significant threat to both host and network security. Exportable filesystems, inherently insecure services, and too lenient a configuration of a service can all lead to a compromise.
Be sure to turn off any service that is not being used, and remove any executables that are not used. See the Network Security and Host Security sections for further information.
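An added example, not from the original document, of auditing which services are actually switched on. It reads an inetd.conf (the sample below is constructed; the real one is /etc/inetd.conf on systems of this era), lists every uncommented service entry, and reports those not on an allow-list you maintain, which is the list of things to comment out.

```shell
#!/bin/sh
# Added example (not from the original document): find inetd services
# that are enabled but not on the administrator's allow-list.
# The inetd.conf content below is constructed.

# enabled_inetd_services: stdin = inetd.conf, stdout = one service name
# per enabled (uncommented, well-formed) line.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }'
}

# unexpected_services "ALLOWED [ALLOWED ...]"
# stdin = inetd.conf; prints enabled services absent from the allow-list.
unexpected_services() {
    allow=" $1 "
    enabled_inetd_services | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;          # expected, stay quiet
            *) echo "$svc" ;;       # enabled but not approved
        esac
    done
}

# Constructed sample: telnet already commented out, three still live.
SAMPLE_INETD='# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
'

sample_inetd() {
    printf '%s' "$SAMPLE_INETD"
}

# Usage: with only ftp approved, finger and shell are reported.
echo "enabled:"
sample_inetd | enabled_inetd_services
echo "not on allow-list:"
sample_inetd | unexpected_services "ftp"
```

Comment out each reported line, send inetd a HUP, and confirm with the same check; services started from rc scripts rather than inetd need the same treatment but are not covered by this file.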
There is certainly nothing easier than gathering the latest exploits from http://www.rootshell.com and trying them out on a list of machines.
Typically, by the time the exploits are available on the Internet, the vendor has distributed a patched version of the susceptible program. Be sure to install these updated versions, or at the least disable the service until you can do so. See the Contacts section of this document for the locations of vendors' updates.
Please see the WWW Security FAQ http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html for more information.
You can also find information on further securing Apache at http://www.apache.org/docs/misc/security_tips.html