
UNIX System Administration Handbook - Evi Nemeth [392]


Regular system backups are an essential part of any site security plan. Make sure that all partitions are regularly dumped to tape and that you store some backups off-site. If a significant security incident occurs, you’ll have an uncontaminated checkpoint to restore.

See Chapter 10 for more information about backups.

Backups can also be a security hazard. Since anyone can read the contents of a tape once it’s mounted on a drive, you must keep all backup tapes under lock and key.

Trojan horses


Trojan horses are programs that aren’t what they seem to be. An example of a Trojan horse was a program called turkey that was distributed on Usenet a long time ago. The program said it would draw a picture of a turkey on your terminal screen, but it actually deleted files from your home directory.

Given the number of security-related escapades the UNIX community has seen over the last few decades, it is remarkable how few Trojan horse incidents there have been. In fact, we are not aware of a single documented instance of a program that

• Had some useful purpose,

• Was not distributed as part of an operating system,

• Was supplied in source code form, and

• Was widely available

that contained intentionally malicious code or that intentionally circumvented system security. Don’t misunderstand us: we’re sure it must have happened. But the risk to the average administrator is very low.

Credit for this state of affairs is due largely to the comity of the Internet. Obvious security problems tend to be discovered quickly and widely discussed. Malicious packages don’t stay available for very long on well-known Internet servers.

You can be certain that any software that has been discovered to be malicious will be widely discussed on Usenet. If you want to do a quick check before installing something, search the archives at www.deja.com for the name of the software package.

21.7 SECURITY POWER TOOLS


Some of the pest-avoidance chores mentioned in the previous sections can be automated with freely available tools. Here are a few of the tools you’ll want to look at.

nmap: scan network ports


nmap is a network port scanner. Its main function is to check a set of target hosts to see which TCP and UDP ports have servers listening on them.9

Since most network services are associated with “well-known” port numbers, this information tells you quite a lot about the software a machine is running.

Running nmap is a great way to find out what a system looks like to someone who is trying to break in. For example, here’s a report from a run-of-the-mill, relatively unsecured machine:

% nmap -sT host1.uexample.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

Interesting ports on host1.uexample.com (10.10.2.1):
Port    State    Protocol  Service
7       open     tcp       echo
9       open     tcp       discard
13      open     tcp       daytime
19      open     tcp       chargen
21      open     tcp       ftp
23      open     tcp       telnet
25      open     tcp       smtp
...
513     open     tcp       login

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

The -sT argument asks nmap to try and connect to each TCP port on the target host in the normal way.10

Once a connection has been established, nmap immediately disconnects, which is impolite but not harmful to a properly written network server.

From the example above, we can see that host1.uexample.com is running several servers that have historically been associated with security problems: ftpd (ftp), rlogind (login), and probably sendmail (smtp). Several potential lines of attack have been made clear.
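The report above is plain text with a fixed column layout, which makes it easy to post-process. The following is an added example (not code from the book or from the nmap project) that parses a report in the nmap 2.x -sT format, tallies the open/unfiltered/filtered states, and flags open ports whose service the chapter names as historically troublesome (ftp, login, smtp). The sample report embedded in it is constructed for the example, as is the FLAGGED_SERVICES mapping, which you would extend with whatever your own site policy forbids on exposed hosts.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample in the layout of the nmap 2.x -sT report shown above
# (the host, ports and states are made up for this example).
SAMPLE_REPORT = """\
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

Interesting ports on host1.uexample.com (10.10.2.1):
Port    State       Protocol  Service
7       open        tcp       echo
9       open        tcp       discard
13      open        tcp       daytime
19      open        tcp       chargen
21      open        tcp       ftp
22      filtered    tcp       ssh
23      open        tcp       telnet
25      open        tcp       smtp
80      unfiltered  tcp       http
513     open        tcp       login

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""


class PortEntry(NamedTuple):
    port: int
    state: str      # "open", "unfiltered" or "filtered", as the text defines them
    protocol: str   # "tcp" or "udp"
    service: str    # name nmap attaches to the well-known port number


HOST_RE = re.compile(r"^Interesting ports on (\S+) \(([\d.]+)\):")
PORT_RE = re.compile(r"^(\d+)\s+(open|unfiltered|filtered)\s+(tcp|udp)\s+(\S+)")


def parse_report(text: str) -> tuple[Optional[str], list[PortEntry]]:
    """Return (hostname, port entries) from one nmap 2.x text report."""
    host = None
    entries = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2),
                                     m.group(3), m.group(4)))
    return host, entries


def count_states(entries) -> dict[str, int]:
    """How many ports the report lists in each state."""
    return dict(Counter(e.state for e in entries))


# Services the chapter singles out as historically associated with security
# problems, mapped to the daemon the text attributes them to. The mapping is an
# assumption of this example; extend it with your own site's list.
FLAGGED_SERVICES = {
    "ftp": "ftpd",
    "login": "rlogind",
    "smtp": "probably sendmail",
}


def flagged_open_ports(entries) -> list[tuple[int, str, str]]:
    """Open ports whose service name is in FLAGGED_SERVICES, sorted by port."""
    hits = [(e.port, e.service, FLAGGED_SERVICES[e.service])
            for e in entries
            if e.state == "open" and e.service in FLAGGED_SERVICES]
    return sorted(hits)


if __name__ == "__main__":
    host, entries = parse_report(SAMPLE_REPORT)
    print(f"{host}: {count_states(entries)}")
    for port, service, daemon in flagged_open_ports(entries):
        print(f"  port {port:>5} ({service}) is open: {daemon}")
```

Only "open" entries are flagged: a "filtered" port is unreachable through the firewall, and an "unfiltered" one has no server behind it, so neither represents an exposed service. Run the same parser over reports saved on successive days and diff the flagged lists to notice when a new service appears on a host.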

The state column in nmap’s output shows “open” for ports with servers, “unfiltered” for ports without servers, and “filtered” for ports that cannot be probed because of an intervening firewall. Unfiltered ports are the typical case and are normally not shown unless there are relatively few of them. For example, here’s a dump from a more secure commercial web server, www.aexample.com:

% nmap -sT www.aexample.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

(Not showing ports in
