732-735.html

linux-unix130.linux.and.unix.ebooks130 linux and unix ebookslinuxLearning Linux - Collection of 12 E

<HTML>
<HEAD>
<TITLE>Linux Unleashed, Third Edition:Network Security</TITLE>
<SCRIPT>
<!--
function displayWindow(url, width, height) {
        var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>

 -->


<!--ISBN=0672313723//-->
<!--TITLE=Linux Unleashed, Third Edition//-->
<!--AUTHOR=Tim Parker//-->
<!--PUBLISHER=Macmillan Computer Publishing//-->
<!--IMPRINT=Sams//-->
<!--CHAPTER=42//-->
<!--PAGES=732-735//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="729-732.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="735-736.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading7"></A><FONT COLOR="#000077">How a Modem Handles a Call</FONT></H4>
<P>In order for a user to gain access to Linux through a modem line, the system uses the <TT>getty</TT> process. The <TT>getty</TT> process itself is spawned by the <TT>init</TT> process for each serial line. The <TT>getty</TT> program is responsible for getting user names, setting communications parameters (baud rate and terminal mode, for example), and controlling time-outs. With Linux, the serial and multiport board ports are controlled by the <TT>/etc/ttys</TT> file.</P>
<P>Some Linux systems allow a dialup password system to be implemented. This forces a user calling on a modem to enter a second password that validates access through the modem. If it is supported on your system, dialup passwords are usually set in a file called <TT>/etc/dialups</TT>.</P>
<P>The Linux system uses the file <TT>/etc/dialups</TT> to supply a list of ports that offer dialup passwords, while a second file (such as <TT>/etc/d_passwd</TT>) has the passwords for the modem lines. Access is determined by the type of shell utilized by the user. The same procedure can be applied to <TT>UUCP</TT> access.</P>
<H3><A NAME="Heading8"></A><FONT COLOR="#000077">UUCP</FONT></H3>
<P>The UUCP program was designed with good security in mind. However, it was designed many years ago, and security requirements have changed considerably since then. A number of security problems have been found over the years with UUCP, many of which have been addressed with changes and patches to the system. Still, UUCP requires some system administration attention to ensure it is working properly and securely.
</P>
<P>If you don&#146;t plan to use <TT>UUCP</TT>, remove the <TT>uucp</TT> user entirely from the <TT>/etc/password</TT>file or provide a strong password that can&#146;t be guessed (putting an asterisk as the first character of the password field in <TT>/etc/passwd</TT> effectively disables the login). Removing <TT>uucp</TT> from the <TT>/etc/passwd</TT> file doesn&#146;t affect anything else on the Linux system.</P>
<P>You should set permissions to be as restrictive as possible in all <TT>UUCP</TT> directories (usually <TT>/usr/lib/uucp</TT>, <TT>/usr/spool/uucp</TT>, and <TT>/usr/spool/uucppublic</TT>). Permissions for these directories tend to be lax with most systems, so use <TT>chown</TT>, <TT>chmod</TT>, and <TT>chgrp</TT> to restrict access only to the <TT>uucp</TT> login. The group and username for all files should be set to <TT>uucp</TT>. Check the file permissions regularly.</P>
<TT>UUCP</TT> uses several files to control who is allowed in. These files (<TT>/usr/lib/uucp/Systems</TT> and <TT>/usr/lib/uucp/Permissions</TT>, for example) should be owned and accessible only by the <TT>uucp</TT> login. This prevents modification by an intruder with another login name.
<P>The <TT>/usr/spool/uucppublic</TT> directory can be a common target for break-ins because it requires read-and-write access by all systems accessing it. To safeguard this directory, create two subdirectories: one for receiving files and another for sending. Further sub-directories can be created for each system that is on the valid user list, if you want to go that far.</P>
<H3><A NAME="Heading9"></A><FONT COLOR="#000077">Local Area Network Access</FONT></H3>
<P>Most LANs are not thought of as a security problem, but they tend to be one of the easiest methods of getting into a system. If any of the machines on the network has a weak access point, all of the machines on the network can be accessed through that machine&#146;s network services. PCs and Macintoshes usually have little security, especially over call-in modems, so they can be used in a similar manner to access the network services. A basic rule about LANs is that it&#146;s impossible to have a secure machine on the same network as nonsecure machines. Therefore, any solution for one machine must be implemented for all machines on the network.
</P>
<P>The ideal LAN security system forces proper authentication of any connection, including the machine name and the username. A few software problems contribute to authentication difficulties. The concept of a <I>trusted host</I>, which is implemented in Linux, allows a machine to connect without hassle, assuming its name is in a file on the host (Linux) machine. A password isn&#146;t even required in most cases! All an intruder has to do is determine the name of a trusted host and then connect with that name. Carefully check the <TT>/etc/hosts.equiv</TT>, <TT>/etc/hosts</TT>, and <TT>.rhosts</TT> files for entries that might cause problems.</P>
<P>One network authentication solution that is now widely used is <I>Kerberos</I>, a method originally developed at MIT. Kerberos uses a &#147;very secure&#148; host, which acts as an authentication server. Using encryption in the messages between machines to prevent intruders from examining headers, Kerberos authenticates all messages over the network.</P>
<P>Because of the nature of most networks, most Linux systems are vulnerable to a knowledgeable intruder. There are literally hundreds of known problems with utilities in the TCP/IP family. A good first step to securing a system is to disable the TCP/IP services you don&#146;t ever use because other people can use them to access your system.</P>
<H3><A NAME="Heading10"></A><FONT COLOR="#000077">Tracking Intruders</FONT></H3>
<P>Many intruders are curious about your system but don&#146;t want to do any damage. They might get on your system with some regularity, snoop around, play a few games, and leave without changing anything. This makes it hard to know that you are being broken into, and it leaves you at the intruder&#146;s mercy should he decide to cause damage or use your system to springboard to another.
</P>
<P>You can track users of your system quite easily by invoking <I>auditing</I>, a process that logs every time a user connects and disconnects from your system. Not all Linux versions support auditing, so consult your man pages and system documentation for more information.</P>
<P>If you do rely on auditing, you should scan the logs often. It might be worthwhile to write a quick summary script program that totals the amount of time each user is on the system so that you can watch for anomalies and numbers that don&#146;t mesh with your personal knowledge of the user&#146;s connect times. A simple shell script to analyze the log can be written in <TT>gawk</TT>. In addition, some audit reporting systems are available in the public domain.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="729-732.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="735-736.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>


</td>
</tr>
</table>
<!-- begin footer information -->



</body></html>