At a given time it was superseded by the Linux Security Knowledge Base. This documentation is also provided in Debian through the lskb package. Now it's back as the Lasg again.
A very good example of this kind of attack using /tmp is detailed in The mysteriously persistently exploitable program (contest) and The mysteriously persistently exploitable program explained (notice that the incident is Debian-related). It is basically an attack in which a local user stashes away a vulnerable setuid application by making a hard link to it, effectively avoiding any updates (or removal) of the binary itself made by the system administrator. Dpkg was recently fixed to prevent this (see 225692), but other setuid binaries (not controlled by the package manager) are at risk if partitions are not set up correctly.
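A defender's check for the hard-link trick described above, added here as an example (it is not code from the manual): a stashed copy of a setuid binary shares its inode with the original, so a setuid or setgid file whose link count is above one is the cheapest signal that something is holding on to it after the path the package manager knows about has been replaced or removed. The fixture in demo_count() is constructed inside a temporary directory and touches nothing on the real system.

```shell
#!/bin/sh
# Added example (not from the manual): report setuid/setgid files that have
# more than one hard link on a given filesystem.

# List setuid/setgid regular files under $1 (staying on one filesystem)
# whose link count is greater than one.
multilinked_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 2>/dev/null
}

# Constructed fixture: one setuid file with a single link and one setuid file
# that also has a second link in another directory. Prints the number of
# paths the check reports (both paths of the linked inode, not the single one).
demo_count() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho single\n' > "$d/single"
  chmod 4755 "$d/single"
  printf '#!/bin/sh\necho stashed\n' > "$d/stashed"
  chmod 4755 "$d/stashed"
  mkdir "$d/elsewhere"
  ln "$d/stashed" "$d/elsewhere/copy"
  multilinked_setuid "$d" | wc -l | tr -d ' '
  rm -rf "$d"
}
```

Run multilinked_setuid over each filesystem that contains a world-writable directory (/, /tmp, /home, /var/tmp); mounting those partitions nosuid is what removes the risk the text refers to, this check only tells you whether a copy already exists.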
For example, in Debian woody it is around 40 MB; try this:

    $ size=0
    $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available | grep -A 2 "^Priority: required" | grep "^Installed-Size" | cut -d : -f 2`; do size=$(($size+$i)); done
    $ echo $size
    34234
Many intrusions are made just to get access to resources to do illegitimate activity (denial of service attacks, spam, rogue ftp servers, dns pollution...) rather than to obtain confidential data from the compromised system.
You can make (on another system) a dummy package with equivs.
The /etc/securetty is a configuration file that belongs to the login package.
Or ttyvX in GNU/FreeBSD, and ttyE0 in GNU/KNetBSD.
Or comX in GNU/Hurd, cuaaX in GNU/FreeBSD, and ttyXX in GNU/KNetBSD.
The default configuration in woody includes 12 local tty and vc consoles, as well as the console device but does not allow remote logins. In sarge the default configuration provides 64 consoles for tty and vc consoles. You can safely remove this if you are not using that many consoles.
Look for the getty calls.
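The two footnotes above (trim /etc/securetty to the consoles you actually use, and look for the getty calls to see which those are) can be checked mechanically. The script below is an added example, not code from the manual: it reads an inittab-style file and a securetty-style file, given as parameters so the constructed samples in demo_inittab() and demo_securetty() can stand in for the real ones, and reports the securetty entries no getty ever spawns (candidates for removal) and the gettys that are missing from securetty (where root login will be refused). The console entry is kept, since it is the system console rather than a getty.

```shell
#!/bin/sh
# Added example (not from the manual): cross-check /etc/securetty against the
# gettys configured in /etc/inittab.

# tty names with a getty line in an inittab-style file ($1).
# inittab fields are id:runlevels:action:process; the tty is the word of the
# process field that starts with "tty" or "vc/".
inittab_gettys() {
  awk -F: '!/^[ \t]*#/ && $4 ~ /getty/ {
      n = split($4, w, /[ \t]+/)
      for (i = 1; i <= n; i++) if (w[i] ~ "^tty|^vc/") print w[i]
  }' "$1" | LC_ALL=C sort -u
}

# Entries of a securetty-style file ($1), comments and blank lines dropped.
securetty_entries() {
  grep -v '^[ \t]*#' "$1" | grep -v '^[ \t]*$' | LC_ALL=C sort -u
}

# securetty entries ($2) that no getty in $1 spawns: safe to remove.
securetty_without_getty() {
  g=$(mktemp); s=$(mktemp)
  inittab_gettys "$1" > "$g"
  securetty_entries "$2" | grep -vx console > "$s"
  LC_ALL=C comm -23 "$s" "$g"
  rm -f "$g" "$s"
}

# gettys in $1 not listed in securetty ($2): root login is refused there.
getty_without_securetty() {
  g=$(mktemp); s=$(mktemp)
  inittab_gettys "$1" > "$g"
  securetty_entries "$2" > "$s"
  LC_ALL=C comm -13 "$s" "$g"
  rm -f "$g" "$s"
}

# Constructed sample inittab: three virtual consoles and one serial line.
demo_inittab() {
  cat <<'EOF'
# constructed /etc/inittab fragment (not a real system file)
id:2:initdefault:
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
EOF
}

# Constructed sample securetty: lists tty4 and vc/1, vc/2 that no getty uses,
# and omits tty3, which does have a getty.
demo_securetty() {
  cat <<'EOF'
# constructed /etc/securetty (not a real system file)
console
tty1
tty2
tty4
ttyS0
vc/1
vc/2
EOF
}

# Stand-alone run over the constructed samples.
demo() {
  i=$(mktemp); s=$(mktemp)
  demo_inittab > "$i"; demo_securetty > "$s"
  echo "removable from securetty: $(securetty_without_getty "$i" "$s" | tr '\n' ' ')"
  echo "gettys refused root login: $(getty_without_securetty "$i" "$s" | tr '\n' ' ')"
  rm -f "$i" "$s"
}
```

Against a real woody or sarge box call securetty_without_getty /etc/inittab /etc/securetty; the default sarge file lists 64 consoles, so expect a long list of removable entries on a machine with the usual six gettys.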
Some of this includes the package manager dpkg, since the installation (post, pre) and removal (post, pre) scripts are at /var/lib/dpkg/.
and Smartlist
This dependency is not fixed, however, in the Debian 3.0 package. Please see Bug #112965.
Libpam-chroot has not yet been thoroughly tested; it does work for login, but it might not be easy to set up the environment for other programs.
Without the append-only flag users would be able to empty the contents of the history file by running >.bash_history.
Ttys are spawned for local logins and for remote logins through ssh and telnet.
Chpasswd cannot handle MD5 password generation, so it needs to be given the password in encrypted form before using it, with the -e option.
Try apt-cache search wordlist for a list of available packages which might provide wordlists. You can also retrieve wordlists from many ftp sites over the Internet. See ftp://ftp.ox.ac.uk/pub/wordlists or ftp://ftp.cerias.purdue.edu/pub/dict.
Be sure to use uppercase here, since spawn will not work otherwise.
There's a very good article on it written by Lance Spitzner.
Notice that, depending on the 2.4 kernel source package you use, you might encounter some issues patching the kernel sources. If this is your case you might need to use the stock vanilla kernel. You can do this with the following steps:

    # apt-get install kernel-source-2.4.22 kernel-patch-debian-2.4.22
    # tar xjf /usr/src/kernel-source-2.4.22.tar.bz2
    # cd kernel-source-2.4.22
    # /usr/src/kernel-patches/all/2.4.22/unpatch/debian

For more information see #194225, #199519, #206458, #203759, #204424, #210762, #211213, and the discussion at debian-devel.
So common, in fact, that they have been the basis of 20% of the reported security vulnerabilities every year, as determined by statistics from ICAT's vulnerability database.
In Debian the kernel-image package installs the sources under /usr/src/kernel-source-2.X.X; just substitute linux with whatever kernel is installed.
To reproduce this (example provided by Felix von Leitner on the bugtraq mailing list):

    host a (eth0 connected to eth0 of host b):
      ifconfig eth0 10.0.0.1
      ifconfig eth1 23.0.0.1
      tcpserver -RHl localhost 23.0.0.1 8000 echo fnord

    host b:
      ifconfig eth0 10.0.0.2
      route add 23.0.0.1 gw 10.0.0.1
      telnet 23.0.0.1 8000
It seems, however, not to work with services bound to 127.0.0.1; you might need to write the tests using raw sockets.
The fact that this behaviour can be changed through routing was described by Matthew G. Marsh in the bugtraq thread:

    eth0 = 1.1.1.1/24
    eth1 = 2.2.2.2/24
    ip rule add from 1.1.1.1/32 dev lo table 1 prio 15000
    ip rule add from 2.2.2.2/32 dev lo table 2 prio 16000
    ip route add default dev eth0 table 1
    ip route add default dev eth1 table 2

There are some patches available for this behaviour as described in bugtraq's thread at http://www.linuxvirtualserver.org/~julian/#hidden and http://www.fefe.de/linux-eth-forwarding.diff.
An attacker might have many problems completing the access after configuring the IP address binding if he is not on the same broadcast domain (same network) as the attacked host. If the attack goes through a router it might be quite difficult for the answers to find their way back.
To retrieve the list of mailer daemons available in Debian try:

    $ apt-cache search mail-transport-agent

The list will not include qmail, which is distributed only as source code in the qmail-src package.
A list of servers/daemons which support these protocols in Debian can be retrieved with:

    $ apt-cache search pop3-server
    $ apt-cache search imap-server
Note that depending on your bind version you might not have the -g option, most notably if you are using woody and installing bind9 (9.2.1-2.woody).
Unless you use the instdir option when calling dpkg, but then the chroot jail might be a little more complex.
It does try to run them under minimum privilege, which includes running daemons with their own users instead of having them run as root.
You only probably need it if using NFS (Network File System), NIS (Network Information System) or some other RPC-based service.
Unlike personal firewalls in other operating systems, Debian GNU/Linux does not (yet) provide firewall generation interfaces that can make rules limiting them per process or user. However, the iptables code can be configured to do this (see the owner module in the iptables(8) manpage).
Translations are available in up to ten different languages
The full capability questionnaire is available at CVE.
Some operating systems have already been plagued with automatic-updates problems such as the Mac OS X Software Update vulnerability.
FIXME: probably the Internet Explorer vulnerability handling certificate chains has an impact on security updates on Microsoft Windows.
Some of them are provided when installing the harden-remoteaudit package.
If you use this last package and are running an official Debian, the database will not be updated with security updates. You should either use clamav-freshclam, clamav-getfiles to generate new clamav-data packages, or update from the maintainer's location:

    deb http://people.debian.org/~zugschlus/clamav-data/ /
    deb-src http://people.debian.org/~zugschlus/clamav-data/ /
For more examples of how to configure gnupg check /usr/share/doc/mutt/examples/gpg.rc.
You may also want to use the --quiet (-q) option to reduce the output of apt-get, which will stop the generation of any output if no packages are installed.
Note that some packages might not use debconf, and updates will stall due to packages asking for user input during configuration.
This is a common issue since many users want to maintain a stable system while updating some packages to unstable to gain the latest functionality. This need arises due to some projects evolving faster than the time between Debian's stable releases.
An easy way to do this is using a Live CD, such as Knoppix Std, which includes both the file integrity tools and the integrity database for your system.
There are over 28 capabilities including: CAP_BSET, CAP_CHOWN, CAP_FOWNER, CAP_FSETID, CAP_FS_MASK, CAP_FULL_SET, CAP_INIT_EFF_SET, CAP_INIT_INH_SET, CAP_IPC_LOCK, CAP_IPC_OWNER, CAP_KILL, CAP_LEASE, CAP_LINUX_IMMUTABLE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW, CAP_SETGID, CAP_SETPCAP, CAP_SETUID, CAP_SYS_ADMIN, CAP_SYS_BOOT, CAP_SYS_CHROOT, CAP_SYS_MODULE, CAP_SYS_NICE, CAP_SYS_PACCT, CAP_SYS_PTRACE, CAP_SYS_RAWIO, CAP_SYS_RESOURCE, CAP_SYS_TIME, and CAP_SYS_TTY_CONFIG. All of them can be de-activated to harden your kernel.
You don't need to install lcap to do this, but it's easier than setting /proc/sys/kernel/cap-bound by hand.
If you are adventurous, you can login to the system and save information on all running processes (you'll get a lot from /proc/nnn/). It is possible to get the whole executable code from memory, even if the attacker has deleted the executable files from disk. Then pull the power cord.
In fact, this is the tool used to build the CDROMs for the Gibraltar project (a firewall on a live CDROM based on the Debian distribution).
This is a list of some CERTs; for a full list look at the FIRST Member Team information (FIRST is the Forum of Incident Response and Security Teams): AusCERT (Australia), UNAM-CERT (Mexico), CERT-Funet (Finland), DFN-CERT (Germany), RUS-CERT (Germany), CERT-IT (Italy), JPCERT/CC (Japan), UNINETT CERT (Norway), CERT Polska (Poland), RU-CERT (Russia), SI-CERT (Slovenia), IRIS-CERT (Spain), SWITCH-CERT (Switzerland), TWCERT/CC (Taiwan), and CERT/CC (US).
For example, based on the Securityfocus data, it might seem that Windows NT is more secure than Linux, which is a questionable assertion. After all, Linux distributions usually provide many more applications compared to Microsoft's Windows NT. These vulnerability-counting issues are better described in Why Open Source Software / Free Software (OSS/FS)? Look at the Numbers! by David A. Wheeler.
Without diminishing the fact that some distributions, such as RedHat or Mandrake, are also taking into account security in their standard installations by having the user select security profiles, or using wizards to help with configuration of personal firewalls.
Note that this is 'security by obscurity', and will probably not be worth the effort in the long term.
Notice that there are no SETUID files. This makes it more difficult for remote users to escape the chroot environment. However, it also prevents users from changing their passwords, since the passwd program cannot modify the files /etc/passwd or /etc/shadow.
Securing Debian Manual, version 2.99, 5 March 2004 (built Wed, 3 Mar 2004 09:18:54 +0100), jfs@computer.org