荔园在线
From: georgehill (lifelong diligence makes a genius), Board: Linux
Subject: Top Ten Open-Source Security Software Tools for UNIX
Posted at: BBS 荔园晨风站 (Mon Jan 3 12:23:10 2000), forwarded
Original article at: http://www.performancecomputing.com/features/9907f1.shtml
================= Begin ==============================================
FEATURES - JULY 1999
Top Open-Source Security Tools For UNIX
The price of protection is always less than the cost of lax security.
Especially now.
Nalneesh Gaur
UNIX servers are the de facto choice for availability, reliability,
and scalability. These servers provide a robust yet flexible service
source to today's enterprise. The preference for UNIX servers is
apparent in the areas of high-end database and Web servers.
Increased deployment of UNIX servers makes the interesting (though
ever-changing) arena of host security a priority.
In the Internet age, open-source software (nee freeware) has carved a
niche for itself. UNIX systems out of the box may not be secure on
their own. The use of open-source host-security software can make them
more secure. Today, many choices are available to assist in
strengthening the host security of UNIX servers. This article
identifies and summarizes some popular and uscussed here are complex.
Therefore, serious
users must refer to the documentation accompanying the software
distribution in order to assess the full capability of the software.
The Utilities
Tripwire
The Tripwire tool is used to detect unautpermissions, and a creation date
for the specified file set. Once the
Tripwire database is initialized, the command itself can be run
manually or at regular intervals via the UNIX cron(1M) utility. The
tool reports any inconsistencies between the database and the current
attributes of a file. These include file deletions, additions,
modifications, and any changes in access permissions. It is important
that the information database itself be secured on a read-only medium
to prevent unauthorized changes. Listing 1 shows a sample Tripwire
output.
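The check Tripwire performs, as an added example in Python (it is not Tripwire's own code and not from the article): a baseline of permission bits, size, mtime and a content digest is recorded per file, the baseline is written out with its own digest so that a tampered baseline is refused on reload, and a later run reports additions, deletions and attribute changes. SHA-256 as the digest, the attribute set, and the scratch directory tree in `demo()` are this example's assumptions.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _snapshot_file(path: Path) -> dict:
    """Record the attributes an integrity checker compares: permission bits,
    size, modification time and a content digest (SHA-256 is this example's
    choice; Tripwire offers its own set of digests)."""
    st = path.lstat()
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "sha256": digest.hexdigest(),
    }


def build_database(root: str) -> dict:
    """Initialise the baseline: one record per regular file under `root`,
    keyed by path relative to `root`."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            db[p.relative_to(root).as_posix()] = _snapshot_file(p)
    return db


def save_database(db: dict, dest) -> str:
    """Write the baseline as JSON and return its digest. The file and the
    digest belong on read-only media so an intruder cannot rebase them."""
    data = json.dumps(db, sort_keys=True, indent=1).encode()
    Path(dest).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_database(src, expected_digest: str) -> dict:
    """Reload the baseline, refusing it if it no longer matches the digest."""
    data = Path(src).read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("baseline database has been altered")
    return json.loads(data)


def check(root: str, db: dict) -> dict:
    """Compare the current file set with the baseline and report deletions,
    additions and changed attributes (content, size, mtime, permissions)."""
    current = build_database(root)
    report = {
        "added": sorted(set(current) - set(db)),
        "deleted": sorted(set(db) - set(current)),
        "changed": {},
    }
    for rel in sorted(set(db) & set(current)):
        diffs = [k for k in db[rel] if db[rel][k] != current[rel][k]]
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        r = Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(r / "etc" / "passwd", 0o644)
        (r / "etc" / "motd").write_text("welcome\n")
        (r / "bin" / "login").write_bytes(b"\x7fELF original")
        os.chmod(r / "bin" / "login", 0o755)

        baseline = build_database(root)
        db_file = Path(vault) / "tw.db"          # stands in for read-only media
        digest = save_database(baseline, db_file)

        # Four kinds of tampering the report should surface:
        (r / "bin" / "login").write_bytes(b"\x7fELF trojaned")   # content replaced
        os.chmod(r / "etc" / "passwd", 0o666)                    # permissions loosened
        (r / "etc" / "shadow.bak").write_text("leak\n")          # file added
        (r / "etc" / "motd").unlink()                            # file deleted

        return check(root, load_database(db_file, digest))
```

Run `demo()` and the report lists `etc/shadow.bak` as added, `etc/motd` as deleted, `etc/passwd` changed in `mode` only, and `bin/login` changed in its digest even though its size is unchanged, which is why a size-and-date check alone is not enough.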
Sudo
The Sudo (superuser do) utility lets the administrator delegate root
authority to users without sharing the root password. Sudo gives
authorized users access to a subset of conetwork. A centrally configurable
file controls all configurations
for the sudo command. The idea is to share the Sudo configuration file
between different machines on a network. The configuration file simply
defines aliases for users, hosts, and commands and denotes who has
access to what commands on which hosts. With Sudo, the system
administrator can permit access to only a small set of commands based
on the role performed by a user. For example, a non-administrator can
be authorized to add, delete, or modify users.
Requiring a password for each user controls access to the restricted
system resources. The password itself may be cached by the system for
a limited time for flexibility and ease of use. The time-limited and
cached password can prevent abuse of the root shell on an unattended
terminal. In addition, all use of the sudo command is logged. Listing
2 shows a sample sudoers file. By default, Sudo uses the /etc/sudoers
configuration file. This can be changed at the setup and installation
time. The sample sudoers file describes (through embedded comments)
the granularity in controlling access.
ssh
Secure shell is the preferred tool for remote access to system
resources by many system administr side to ssh. Once ssh is configured
properly on the server,
telnet and other remote-shell utilities run by the inetd daemon can be
disabled. By default, ssh authenticates user passwords through their
UNIX passwords database, and pass phrases. The secure-shell
configuration file (/etc/sshd_config) controls access to the system.
The configuration file provides many options that can tighten up the
access security on the system, including controlling root access,
requiring a pass phrase for authentication, and turning off port
forwarding on the server side.
The Secure Shell client can perform both local and remote IP
forwarding. The local-forwarding feature lets the local ssh client
machine forward IP packets to another destination. Local forwarding
can be limited to connections originating from the client machine
only. The remote IP forwarding feature requires a connecting remote
ssh server that permits remote IP forwarding. The client negotiates
remote IP forwarding when requesting a connection with the remote ssh
server. This feature must be used cautiously because it opens the
network where the ssh client connection originated.
Access to the ssh server is controlled through different files,
including the The script generates a
report containing any possible problems that were found. The tiger
scripts label all output with one of five error classifications:
ALERT, FAIL, WARN, INFO, and ERROR. An error identifier follows the
classification. The tigexp script can be used to obtain an explanation
for an error identifier or to produce an explanatory report for the
whole security report.
The TAMU package has many similarities to the COPS package written by
Dan Farmer. Proponents of the package cite its ease of use, better
design structure, and more thorough examination of system-configuration
files. However, TAMU lacks the Kuang expert-system checker present in
the COPS package.
TCP Wrappers
This utility provides for tighter access control when users try to
access services on a server. The TCP Wrapper utility monitors and
filters incoming requests for network services that are usually
offered under the inetd configuration file such as telnet and ftpo
launch the daemon.
Access control can be based on service, hosts, users, or a combination
of these. In addition, the wrapper provides the ability to run other
programs when an incoming request arrives. The wrapper program also
checks for name and address consistency. This check entails performing
a reverse name lookup from the authoritative DNS servers for the
requesting client. A compile-time option denies access to a service if
a name/address inconsistency exists. By default, the wrappers program
performs a username lookup only when the access control requires one.
Access control is configured by default through the /etc/hosts.allow
and /etc/hosts.deny files. A client matching an entry in hosts.allow
is granted access; a client matching an entry in hosts.deny is denied;
a client matching neither is granted access. In addition to the checks
listed here, Wrappers checks against host-address spoofing and TCP
sequence-number guessing. TCP Wrappers logs all incoming connections
through the syslog daemon. By default, Wrappers logs to the syslog
destination specified for the sendmail daemon; editing the Makefile
before compiling the wrapper program can change this behavior.
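The access decision described above, as an added Python model (not the TCP Wrappers source and not from the article): hosts.allow is consulted first, then hosts.deny, and a client matching neither is granted. The name/address consistency check is included: a client whose reverse name does not map back to its address gets no usable hostname and matches the `PARANOID` pattern. The `REVERSE` and `FORWARD` tables are constructed stand-ins for DNS, the two sample control files are constructed, and the subset of pattern syntax covered (`ALL`, `LOCAL`, `PARANOID`, leading-dot domain, trailing-dot network, `EXCEPT`) is this example's choice.

```python
import re

# Constructed DNS stand-ins: reverse map (address -> name) and forward map
# (name -> addresses). 192.0.2.9 presents a name whose forward record does
# not point back at it: the inconsistency that Wrappers' PARANOID check flags.
REVERSE = {
    "10.1.2.3": "ws1.corp.example",
    "10.1.2.5": "printer",           # unqualified name: matches LOCAL
    "192.0.2.9": "ws1.corp.example",
}
FORWARD = {
    "ws1.corp.example": ["10.1.2.3"],
    "printer": ["10.1.2.5"],
}

HOSTS_ALLOW = """\
# daemon_list : client_list [: shell_command]
in.telnetd : LOCAL, .corp.example
in.ftpd    : 10.1.2.
ALL        : 127.0.0.1
"""
HOSTS_DENY = """\
ALL : PARANOID
ALL : ALL
"""


def _resolve(addr):
    """Reverse-lookup the client, then confirm the name maps back to the
    address. Returns (name, paranoid); a mismatch yields no name and True."""
    name = REVERSE.get(addr)
    if name is None:
        return None, False
    if addr in FORWARD.get(name, []):
        return name, False
    return None, True


def _split(spec):
    return [t for t in re.split(r"[,\s]+", spec.strip()) if t]


def _match_client(pattern, addr, name, paranoid):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern == "LOCAL":                       # hostname without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):                  # domain suffix
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):                    # network prefix
        return addr.startswith(pattern)
    return pattern == addr or pattern == name


def _match_list(spec, addr, name, paranoid):
    included, _, excluded = spec.partition(" EXCEPT ")
    if not any(_match_client(p, addr, name, paranoid) for p in _split(included)):
        return False
    return not any(_match_client(p, addr, name, paranoid) for p in _split(excluded))


def parse_table(text):
    """Turn hosts.allow/hosts.deny text into (daemon_list, client_list) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))
    return rules


def decide(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """First match in hosts.allow grants, first match in hosts.deny refuses,
    and a client matching neither is granted (the documented default)."""
    name, paranoid = _resolve(addr)
    for table, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients in parse_table(table):
            if (any(d in ("ALL", daemon) for d in _split(daemons))
                    and _match_list(clients, addr, name, paranoid)):
                return verdict, f"{daemons} : {clients}"
    return "allow", "no matching entry"


def log_line(daemon, addr):
    """Syslog-style record of the decision, one per incoming connection."""
    verdict, rule = decide(daemon, addr)
    name, _ = _resolve(addr)
    return f"{daemon}: {verdict} connect from {name or 'unknown'}[{addr}] ({rule})"
```

Note the default-grant path at the end of `decide()`: with an empty hosts.deny, a daemon that no hosts.allow line mentions is still reachable, which is why the sample hosts.deny ends with `ALL : ALL`.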
On January 21, 1999, the CERT Coordination Center received
confirmation that modified by an intruder and contained a Trojan horse
(a program that contains hidden functions that can exploit the
privileges of the user running the program, resulting in a security
threat). Copies downloaded prior to this time are not affectepers, see
our online-exclusive story "Enhancing System Security With TCP
Wrappers" (URL: www.performancecomputing.com/Linux-IT/features/9905of1.shtml).
Swatch
The purpose of this program is to scan the system log files to report
security-related events or other events of interest. Swatch can be
configured to send alerts to system administrators. The program uses a
resource file to scan for certain events and generate alerts. The
resource file consists of directives that specify patterns, actions to
take when the pattern is found, and the recurrence of the pattern. The
swatch program provides a call_pager Perl utility with the
distribution. As the name implies, this utility sends alert pages to
systems personnel. Listing 3 displays a typical swatch resource file.
By default, the swatch program expects its resource file to be
~/.swatchrc and monitors the /var/log/syslog file. Both defaults can
be overridden via command-line options. Before using this utility,
make sure you understand the syslog configuration, typically located
in /etc/syslog.conf.
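The pattern/action/recurrence model of a swatch resource file, as an added Python example (it is not swatch's own code and not the article's Listing 3): each rule carries a regular expression, the actions to fire, and a throttle window within which repeats of the same match are counted but not re-announced. The syslog excerpt and the rule list are constructed; the action names are labels only (no mail or pager is sent), and assuming the year 1999 for the year-less syslog timestamps is this example's choice.

```python
import re
from datetime import datetime

# Constructed syslog excerpt (a sample, not a real log).
SAMPLE_LOG = """\
Jan  3 12:01:02 host1 sshd[812]: Failed password for root from 192.0.2.7 port 4022 ssh2
Jan  3 12:01:03 host1 sshd[812]: Failed password for root from 192.0.2.7 port 4023 ssh2
Jan  3 12:01:05 host1 sshd[812]: Failed password for root from 192.0.2.7 port 4024 ssh2
Jan  3 12:05:40 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Jan  3 12:09:11 host1 su: BAD SU bob to root on /dev/pts/1
Jan  3 12:31:00 host1 sshd[990]: Failed password for root from 192.0.2.7 port 5001 ssh2
Jan  3 12:40:12 host1 cron[44]: (root) CMD (/usr/local/bin/tripwire)
"""

# Watch list standing in for a swatch resource file: each entry mirrors a
# "watchfor /pattern/" stanza with its actions and an optional throttle
# (seconds during which repeats of the same match are not re-announced).
RULES = [
    {"name": "ssh-root-fail",
     "pattern": r"sshd\[\d+\]: Failed password for root",
     "actions": ["echo", "pager"], "throttle": 600},
    {"name": "bad-su", "pattern": r"\bBAD SU\b",
     "actions": ["echo", "mail"], "throttle": 0},
    {"name": "sudo-use", "pattern": r"\bsudo: \S+ : .*COMMAND=",
     "actions": ["echo"], "throttle": 0},
]


def _timestamp(line, year=1999):
    """syslog lines carry no year; the caller supplies one (assumed 1999 here)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


def watch(log_text, rules=RULES):
    """Scan log lines against the rules. Returns (alerts, suppressed): one
    alert per (rule, action) fired, and a per-rule count of throttled repeats."""
    compiled = [(rule, re.compile(rule["pattern"])) for rule in rules]
    last_fired, alerts, suppressed = {}, [], {}
    for line in log_text.splitlines():
        ts = _timestamp(line)
        for rule, rx in compiled:
            if not rx.search(line):
                continue
            prev = last_fired.get(rule["name"])
            if prev is not None and (ts - prev).total_seconds() < rule["throttle"]:
                suppressed[rule["name"]] = suppressed.get(rule["name"], 0) + 1
                continue
            last_fired[rule["name"]] = ts
            for action in rule["actions"]:
                alerts.append({"rule": rule["name"], "action": action,
                               "time": ts, "line": line})
    return alerts, suppressed


def render(alerts, suppressed):
    """Human-readable digest of what the watcher would echo, mail or page."""
    out = [f"[{a['action']:>5}] {a['time']:%H:%M:%S} {a['rule']}: {a['line']}"
           for a in alerts]
    out += [f"  ... {n} further '{rule}' matches throttled"
            for rule, n in suppressed.items()]
    return "\n".join(out)
```

On the sample, the three root-login failures within four seconds produce one page rather than three, while the failure half an hour later is outside the 600-second window and pages again; the throttled count is still reported so the burst itself is not lost.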
npasswd
npasswd is a complete replacement for the UNIX passwd(1M) command. The
npasswd utility enforces strict password rules forcing users to select
passwords that conform to a controlled password standard. The idea is
to force users to select strong passwords that cannot be casually
exchanged. The npasswd utility can force the user to select a password
that:
* has not been used too recently or frequently
* must meet certain minimal lexical characteristics such as minimum
number of characters; use of mixed cases, numbers, and
punctuation; no excessive repeated characters; and no presence of
patterns
* is not related to local characteristics such as city, hostname,
aliases, and so forth
* cannot be guessed against words in various dictionaries
The npasswd program also works with the NIS and NIS+ environments.
Overall, npasswd provides some intelligence in selecting passwords.
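The four classes of rule listed above, as an added Python checker (it is not npasswd's code and not from the article): history via stored digests, lexical requirements (length, character classes, repeats, sequences and keyboard-row walks), a local-word list (hostname, site, city, aliases, the user's own name) and a dictionary match after stripping decorations and undoing common letter substitutions. The word lists, thresholds and the hypothetical user `alice` are this example's assumptions; a real deployment would use the system word lists and salted storage for the history.

```python
import hashlib
import re
import string

# Constructed site data standing in for npasswd's configuration: local words
# (hostname, site, city, aliases) and a tiny dictionary. Thresholds below are
# this example's assumptions, not npasswd's defaults.
LOCAL_WORDS = {"ws1", "szu", "shenzhen", "lichee"}
DICTIONARY = {"password", "winter", "secret", "welcome", "letmein", "dragon"}
MIN_LENGTH = 8
MIN_CLASSES = 3                                    # of lower/upper/digit/punct
LEET = str.maketrans("0134@$5", "oleaass")         # undo common substitutions
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def fingerprint(pw):
    """What the history file keeps instead of the password itself."""
    return hashlib.sha256(pw.encode()).hexdigest()


def _normalize(pw):
    """Strip leading/trailing digits and punctuation, undo leet spellings."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET)


def _has_pattern(pw, n=4):
    """Runs of n consecutive code points (abcd, 4321) or keyboard-row walks."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        win = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(win, win[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(win in row or win in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(candidate, username, history,
                   local_words=LOCAL_WORDS, dictionary=DICTIONARY):
    """Return the list of rules the candidate breaks; empty means accepted."""
    broken = []
    if fingerprint(candidate) in history:
        broken.append("history")
    if len(candidate) < MIN_LENGTH:
        broken.append("length")
    if sum(bool(set(candidate) & set(cs)) for cs in CLASSES) < MIN_CLASSES:
        broken.append("classes")
    if re.search(r"(.)\1\1", candidate):            # three of a kind in a row
        broken.append("repeats")
    if _has_pattern(candidate):
        broken.append("pattern")
    low = candidate.lower()
    related = set(local_words) | {username.lower()}
    if any(w and (w in low or w[::-1] in low) for w in related):
        broken.append("local")
    if _normalize(candidate) in dictionary:
        broken.append("dictionary")
    return broken
```

The dictionary test is deliberately run on the normalized form, so `p@ssw0rd1` is caught as `password`; checking only the literal string is the gap a casual "add a digit" habit slips through.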
When discussing npasswd, it is also important to mention Alec Muffett's
"Crack" program. While npasswd takes a proactive approach to selecting
strong passwords, Crack is used to check the passwords already on the
host. The idea is to detect loose and easily deduced passwords. The
program can be run manually or at regular intervals (using the cron
utility). A configuration file defines the rule sets used to test the
passwords. This program requires a file in the format of the standard
/etc/passwd file with the encrypted password. The crack program reports
all the passwords that were guessed.
Sendmail 8.9.x
Many security issues have been identified in Sendmail over the years.
The current release of Sendmail, v. 8.9.x, fixes most of the
previously discovered vulnerabilities. In addition, Sendmail has many
configuration options that provide protection against spamming. By
default, Sendmail does not permit relay for hosts that do not belong
to the same domain. Relay can be limited to a few domains or hosts by
using the access database. The m4 configuration files control most of
the Sendmail configuration. Many people will find that the m4
configuration files are far easier to debug and troubleshoot than the
traditional sendmail.cf file. Sendmail patches and updates are
frequently released on the Sendmail Web site.
BIND
The current BIND version supports efficient DNS zone transfers from the
DNS master servers. A DNS slave server can be configured to accept zone
transfers from a particular IP address only. The master servers send a
zone-transfer notification to the slave servers to notify them about
zone changes. A spoofed IP address notifying the slave of a zone
transfer only results in the slave sending spurious SOA queries to the
master.
Previously, DNS cache corruption attacks have been noted in BIND
versions 4.9.5 and below. This type of attack was used to spoof DNS,
bypass hostname-based authentication, and redirect Web traffic. BIND
versions prior to 4.9.7 and 8.1.2 were also known for inverse
query-buffer-overflow problems. The current version of BIND is not
subject to these bugs.
Conclusion
It's wise to view all open-source software downloaded from public
domain sites with suspicion. It is important to ensure that the
downloaded software is the intended product. After all, what good does
it do to download tainted security software? Most software provides
MD5 checksums or PGP signatures of the authors or trusted parties.
UNIX that are present if the administrator is running only a minimal
service configuration. Tighter security can be achieved by disabling
the undesirable services that are managed by the inetd daemon, or
those that are started in the standalone mode. The utilities by
themselves do not make a host secure, but they do offer a minimal
security configuration. Every day, new vulnerabilities are discovered
in various security forums. Regular monitoring of newly found host
vulnerabilities, application of security-related patches, physical
security, and other application-related security issues must be given
thorough consideration in securing your hosts. The utilities listed
above are not intended to be a substitute for commercial products. The
criteria used to select a security utility must be based on many
issues such as ease of use, support level, local knowledge base, and
ease of implementation. The choice of security utilities must be made
with the overall security architecture of the enterprise in mind.
Nalneesh Gaur is a manager in the eSecurity Solutions practice of
Ernst & Young LLP. He has specialized in UNIX and Windows NT
system
Tool       URL                                               Version(s)
Swatch     ...ty-tools/swatch/                               2.2, 3.0 beta
npasswd    http://www.utexas.edu/cc/unix/software/npasswd/   2.05
Sendmail   http://www.sendmail.org                           8.9.3
BIND       http://www.isc.org                                8.1.2
==================== End ==========================
--
Diligence is the path up the mountain of books;
hard work is the boat across the boundless sea of learning!
I'm Xiaomei from Dafuweng! ^_^
※ Modified: georgehill edited this post on Jan 3 12:26:09 [FROM: 192.168.1.115]
※ Source: BBS 荔园晨风站 bbs.szu.edu.cn [FROM: 192.168.1.115]