This is a really good question. System security is a big challenge for any administrator (that is why we put it in a separate section). A few things to do:
*) Run netstat -tua (or netstat -tnua for numeric addresses) to see what services are listening on your system. On current distributions ss -tuln shows the same information.
*) Edit /etc/inetd.conf, commenting out all the services you do not need, then make inetd reread it (killall -HUP inetd).
*) Go through the /etc/rc.d scripts and remove the rest of the daemons, i.e. the ones that run standalone.
*) Find the setuid/setgid programs on the system (see man find(1) for details, since parameters may vary) and decide whether you really need all of them. If not, remove the setuid bits: chmod ug-s /path/to/filename.
The general rule of keeping your box secure:
(submitted by Don Thompson - donthomp@skull.cs.unm.edu)
Avoid laziness/overwork in the security area. Securing machines will never be 100% automated. Most breakins are the result of the admins not putting in enough time securing the box and/or not spending enough time later on looking for signs of possible breakins.
For more details on Linux security you may want to check out the Linux Administrator's Security Guide at https://www.seifried.org/lasg/
head -c 6 /dev/random | mmencode
(mmencode is the base64 encoder from the metamail package; base64 from coreutils does the same job. /dev/urandom can be used instead of /dev/random, which on older kernels blocks until enough entropy has been gathered. Six random bytes give 48 bits of entropy, i.e. eight base64 characters.)
The mkpasswd utility is also present on some systems for this purpose.
NOTE: There have been several studies showing that random passwords can be less secure than non-random ones in practice, because users tend to write them down in order to remember them.
A UNIX system is only as secure as the administrator makes it. The more services you add, the more chances of introducing a security hole. Operating systems like SCO and others may actually be more prone to security breaches because they offer more services that are an integral part of how they operate (in order to be more 'user friendly'). Linux itself is very stable and secure, but it is distributed in many flavours. In one of the ongoing comparisons between RedHat and Slackware people have argued over which is more secure. When installing Linux, one should tend to install the minimum, and then add only the ESSENTIAL items, reducing the chances of an 'application' having a security weakness. Linux is the most SECURE if properly implemented. If a weakness is apparent in the system, there are thousands of volunteers to point it out immediately, along with a fix. In a larger organization, such as the makers of some of the commercial products, there is a limited team working on it; it is not always in their best interests to publicize any discoveries too loudly, and sometimes it takes a while before fixes trickle down the pipes into the releases or upgrades. Yes, they soon become available as patches, but most administrators of commercial products tend to use only the tools available with the distribution, with a false sense of comfort in that they have more professionally designed software. Mistakes can happen in programming at any level, but when you have tens of thousands of people with the source code available to them, these mistakes are often discovered faster in an open source environment. Of course, with tens of thousands of people meddling with the source code, and what? 7 million copies of Linux out there now... there is a much better chance that someone will open a security hole too.
by Michael - The Web Administrator (wwwadmin@wizard.ca)
Since many people are suffering from spam flooding the Internet nowadays, we decided to cover this subject briefly. We consider it more a security issue than anything else, which is why we put it in the Security section.
Here is a simple example of spam tracing. Contributed by D.J.Vanecek
(djv@bedford.net).
This nasty spam arrived at the time suggested in the headers. Since it does not appear to involve forgeries, it is fairly easy to track.
First, the spam itself, with comments. [Original material is set off with a "| " in the left margin.]
| From sales@canus.net Sat Jun 27 02:42:41 1998
| Return-Path: <sales@canus.net>
| Received: XXXXXXXXXXXXXXXXXXXXX CENSORED XXXXXXXXXXXXXXXXXXX
Ignore this one. It's some internal stuff from my LAN. No,
archive eating spam-bots don't get to see it. Everybody on the
list knows where I am, anyway.
| From: sales@canus.net
| Received: from CENSORED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
| by castor.loco.net (fetchmail-4.3.8 POP3)
| for <djv/castor.loco.net> (single-drop); Sat, 27 Jun 1998 02:42:41 EDT
I get the mail by pop.
| Received: from server ([199.174.152.215]) by XXXXXXXXXXXXXXXXXXXXXXXXXXXX
| with SMTP (IPAD 1.52/64) id 4950800 ; Sat, 27 Jun 1998 02:39:13 EST
This header is the germane one. It is my ISP receiving the mail from the spammer or a relay being used by the spammer. At this point we cannot conclude what it is. Notice that the ISP's timezone is wrong, reporting the correct time for EDT (verified by my clock), but calling it EST.
Alas, the ISP runs a DOG box (IPAD), so we cannot assure anyone we complain to of the exact time of receipt (IMPORTANT). /My/ clocks are synched to the national standard, but I know that the ISP's clocks are not. If I were going to make a big deal of this spam, I would find out how far the ISP's clocks are from the NIST, and report that in the complaint.
| Date: Sat, 27 Jun 1998 01:00:59
This Date may be bogus. It may not. It may have no relationship at all to the tracking of the spam. It probably comes from the spammer's own machine, and has no validity.
| Subject: Need A Loan?
| Message-Id: <199806270639.4950800@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>
| Apparently-To: XXXXXXXXXXXXXXXXXXXXXXX (me, correct email was here)
There was no To: header... this is a sign of bulk mailing, including
spam.
| Status: RO
|
| Are You in Debt?
|
| If you are then we can help!
| Qualifying is now at your fingertips and there are no
| long distance calls to make or travel plans to arrange.
|
| We are American Capital Corporation, and as you may have seen in our ad,
We note the name. I have also received paper mail spam from these creeps. It is a questionable mortgage scheme, but that is irrelevant to our discussion.
| you can be loaned up to 125% of the value of your home
| even if you have NO equity in your home!
| There are NO up-front or advanced fees of any kind!
| You can be approved WITHIN 24 hours and
| have your cash in one weeks time!
|
| We will provide you with a FREE loan evaluation, without obligation.
| All you need do is go to our website and answer a short questionnaire.
| One of our registered lenders will assess your information and give you
| a personal call within 48 hours telling you how we can help you!
|
| You are never under any obligation to use our services, but they are
| there for you!
|
| For complete information, please visit our website at:
| http://www.canus.net/amcap/129.html
We gird our loins for trouble, and go to this website later.
|
| Our business is helping people. May we help you?
Let us see where the spam came from. We /know/ that the machine sending
the spam used (rightly or not), the IPA of the last machine, 199.174.152.215
Pinging that number didn't work. Nslookup gives:
[djv@castor djv]$ fg -
nslookup
199.174.152.215
Server: localhost
Address: 127.0.0.1
Name: dd35-215.dub.compuserve.com
Address: 199.174.152.215
So the spammer looks like he is working through a compuserve "throwaway" account. This looks like dynamic IP dialin. Traceroute didn't reach it, but the spammer has probably gone away. Traceroute to a similar site, 199.174.152.1, gives:
[djv@castor djv]$ traceroute 199.174.152.1
traceroute to 199.174.152.1 (199.174.152.1), 30 hops max, 40 byte packets
3 bordercore4-hssi5-0-24.NorthRoyalton.mci.net (166.48.232.97) 159.816 ms 658.176 ms 730.623 ms
4 core2.WillowSprings.mci.net (204.70.4.177) 159.222 ms 158.668 ms 149.832 ms
5 borderx1-fddi-1.WillowSprings.mci.net (204.70.104.52) 239.834 ms 298.712 ms 330.386 ms
6 compuserve.WillowSprings.mci.net (204.70.104.102) 169.325 ms 148.648 ms 149.875 ms
7 core-fddi0.chi.compuserve.net (205.156.223.161) 239.890 ms 158.549 ms 149.933 ms
8 atm1-06-core.dub.compuserve.net (205.156.223.113) 159.801 ms 148.613 ms 149.868 ms
9 fddi0-ppp-2.dub.compuserve.net (205.156.223.72) 149.805 ms 148.702 ms 149.804 ms
10 dub-dial-10.compuserve.net (206.175.65.25) 149.789 ms 148.658 ms 149.977 ms
11 dd10-001.dub.compuserve.com (199.174.152.1) 399.829 ms 478.724 ms 400.485 ms
[djv@castor djv]$
This confirms the belief that this spammer spammed from a compuserve account. So abuse@compuserve.com should be the prime recipient of the complaint.
But what of the spammer's other identities?
Well, who is "canus.net"? Should we gripe to them, too?
Traceroute to "canus.net" gives:
| 3 bordercore4-hssi5-0-24.NorthRoyalton.mci.net (166.48.232.97) 169.821 ms 138.943 ms 149.408 ms
| 4 core3.Atlanta.mci.net (204.70.4.9) 279.872 ms 358.830 ms 369.607 ms
| 5 ast-uunet-nap.Atlanta.mci.net (206.157.77.114) 159.785 ms 138.895 ms 159.844 ms
| 6 104.ATM2-0-0.XR1.ATL1.ALTER.NET (146.188.232.50) 139.872 ms 158.687 ms 139.946 ms
| 7 195.ATM5-0-0.GW1.MIA1.ALTER.NET (146.188.232.137) 179.745 ms 188.757 ms 199.900 ms
| 8 bs-miami-gw.customer.alter.net (157.130.65.222) 199.871 ms 208.626 ms 199.989 ms
| 9 207.203.0.160 (207.203.0.160) 199.758 ms 188.954 ms 209.890 ms
| 10 172.25.80.90 (172.25.80.90) 199.859 ms 199.436 ms 199.321 ms
| 11 205.152.190.251 (205.152.190.251) 189.876 ms 218.826 ms 229.904 ms
These last lines are from hosts lacking reverse DNS entries, i.e. one cannot map from IPA to name. The last is the IPA of canus.net.
whois canus.net now gives:
| Registrant:
| CanUS Net (CANUS2-DOM)
| 1 First ST West
| Gander, NFL D3K J7P
| CA
They are located, according to this, in Gander, Newfoundland, in
Canada.
But their business is mortgages in the USA. Why do they locate in a remote part of Canada? This is not proof, of course, that they have ever even set foot in Canada. It will be clear later that the personal identities of the spammers are well-hidden. Registering a domain is simply a matter of paying for it; the identities are not proof of who the person is.
|
| Domain Name: CANUS.NET
|
| Administrative Contact:
| Franklin, Bob (BF3584) dehal@USA.NET
| 360-695-3850
| Technical Contact, Zone Contact:
| Franklin, Bob (BF3585) dontcomplaintome@USA.NET
I just love that email handle.
| 360-695-3850
| Billing Contact:
| Franklin, Bob (BF3584) dehal@USA.NET
| 360-695-3850
Notice that they use USA.NET maildrops, instead of the domain that
they have registered, or that of any "fixed place". Notice that
the phone numbers are not in Newfoundland, (Far Eastern Canada),
but in the USA, in the state of Washington, (Far Western USA).
This listing stinks of bogosity. "Bob Franklin" sounds like
an alias.
He is a spammer. He is not to be talked to, mailed to, or otherwise contacted. He has lamely indulged in typical spammer behavior:
|
| Record last updated on 19-Jun-98.
The domain for the spamming has been created /very recently/; only
a week ago. He expects to lose it soon, perhaps. This is typical
of ticket, large-scale, "serious" spammers.
| Record created on 19-Jun-98.
| Database last updated on 26-Jun-98 04:01:02 EDT.
|
| Domain servers in listed order:
|
| NS1.NAMESERVER1.NET 205.152.190.208
| NS2.NAMESERVER1.NET 205.152.190.209
Someone has provided him with name service. If this is a legitimate
network, it should be complained to: "You are providing DNS for
a spamming domain."
|
| The InterNIC Registration Services database contains ONLY
| non-military and non-US Government Domains and contacts.
| Other associated whois servers:
| American Registry for Internet Numbers - whois.arin.net
| European IP Address Allocations - whois.ripe.net
| Asia Pacific IP Address Allocations - whois.apnic.net
| US Military - whois.nic.mil
| US Government - whois.nic.gov
Well, who is giving this spammer DNS? We do a whois query on the partial IPA network:
whois 205.152.190.
| [No name] (MORR-HST) MORRISON.PHICOM.NET 205.152.190.130
| [No name] (DRAKE4-HST) DRAKE.PHICOM.NET 205.152.190.131
| [No name] (NS19481-HST) NS.DCSOUTHFLORIDA.COM 205.152.190.2
| [No name] (NS41802-HST) NS1.NAMESERVER1.NET 205.152.190.208
| [No name] (NS42268-HST) NS2.NAMESERVER1.NET 205.152.190.209
|
| To single out one record, look it up with "!xxx", where xxx is the
| handle, shown in parenthesis following the name, which comes first.
|
| The InterNIC Registration Services database contains ONLY
| non-military and non-US Government Domains and contacts.
| Other associated whois servers:
| American Registry for Internet Numbers - whois.arin.net
| European IP Address Allocations - whois.ripe.net
| Asia Pacific IP Address Allocations - whois.apnic.net
| US Military - whois.nic.mil
| US Government - whois.nic.gov
|
Looks like "Phicom.net" is servicing the spammer. Who are they?
whois phicom.net
| Registrant:
| Phicom, Inc (PHICOM-DOM)
| 1370 W. Flagler St Suite C
| Miami, Florida 33135
A "suite", i.e. rented offices. In Miami, Florida, a center of
financial scamming. Probably our spammer is /really/ in Florida.
Miami is a city with a very poor record for law enforcement; a
center of narcotics trafficking, illegal banking, and so on.
This doesn't say that phicom is engaged in this activity, but
that they are geographically convenient.
|
| Domain Name: PHICOM.NET
|
| Administrative Contact, Technical Contact, Zone Contact:
| Dominguez, Alvio (AD1820) Alvio124@PHICOM.NET
| 305-642-2638 (FAX) 305-541-0608
| Billing Contact:
| Baptista, Daniel (DB5797) Daniel34@PHICOM.NET
| 305-642-2638 (FAX) 305-541-0608
|
| Record last updated on 30-Apr-97.
| Record created on 02-Apr-97.
| Database last updated on 26-Jun-98 04:01:02 EDT.
This registration has been around for over a year. Probably not
a hit-and-run operation.
|
| Domain servers in listed order:
|
| MORRISON.PHICOM.NET 205.152.190.130
| DRAKE.PHICOM.NET 205.152.190.131
|
|
| The InterNIC Registration Services database contains ONLY
| non-military and non-US Government Domains and contacts.
| Other associated whois servers:
| American Registry for Internet Numbers - whois.arin.net
| European IP Address Allocations - whois.ripe.net
| Asia Pacific IP Address Allocations - whois.apnic.net
| US Military - whois.nic.mil
| US Government - whois.nic.gov
Is this a legitimate ISP? Well, I turn lynx to "www.phicom.net",
guessing that they might have a home page. They do:
|
| [INLINE] 1380 W. Flagler St. Miami, FL 33135 1(888) 642-2NET (305)
| 642-2638
This agrees with their NIC registration.
|
| You are the [INLINE] visitor to our site.
|
| * World Wide Internet/Access * U.S. Robotics X 2 technology * Local /
| Wide / Global Area Networks * Hardware / Software Sales * Web Site
| Hosting & Construction * Service Repair Center * IBM Business Partner
| * Hewlett Packard Warranty Service Center
|
|
|
Ok that looks like a legitimate ISP. They seem to be in the hardware business as well. If they're actually IBM and HP affiliates, they're probably not a spamming domain, and don't make their money from spamming. So we'll complain to them, too. ``You supply DNS service to a spammer.''
What about the web page mentioned in the spam????
It is given as http://www.canus.net/amcap/129.html
We go there:
| [INLINE]
| Mortgage Services
|
|
|
| Are you in debt?
|
| If you are then we can help. Qualifying is now at your fingertips and
| there are no long distance calls to make or travel plans to arrange.
|
| As you may have seen in our ad you can be loaned up to 125% of the
| value of your home or $100,000.00 even if you have NO equity in your
| home. There are no up-front or advanced fees of any kind. You can be
| approved within 24 hours and have your cash in one weeks time.
|
| In order for us to provide you with a FREE loan evaluation we must ask
| for the following so that a representative can contact you via the
| telephone within 24-48 hours.
| * indicates required fields
| *Name ____________________
| *Address ____________________
| ____________________
| *City ____________________ *State ___ *Zip __________
| *Home Phone ____________________
| Work Phone ____________________
| *Email Address ____________________
| Best Time to Call ____________________
| Type of Home [None Selected......]
| Estimated Value of Home ____________________
| Current Debt Against
| Home(Loan Balance): ____________________
| Type of Loan Requested [None Selected.....]
| Amt. of Loan Requested ____________________
| Total Household Income ____________________
| Credit Rating [None Selected]
|
| To send this information to American Capital, press the Submit button;
| To clear this form and start again, press the Reset button.
With this form they obtain detailed information about you, but
all the information about them is, well, questionable. BEWARE.
|
| SubmitReset
|
| About our company:
|
| We are a FREE national referral service for homeowners seeking to
| consolidate their bills. We have a network of affiliated companies
| that are regarded as the best and most respected mortgage banking
| companies in the country. You can rest assured that you are in good
| hands and will receive extraordinary service with our affiliated
| companies, for we only allow in our association and work with the
| absolute best companies in the nation.
|
| You may reach us at:
|
| American Capital Mortgage Services
| 1-212-796-6549
Although the registry thinks they're in Canada, their contact phone
numbers are 6000km away in Washington State, USA. Here is a phone
number in the US, New York City. They deal with an ISP in Florida,
NarcoCapital of the US. They use one business name when they register
their domain, and another on their web site. Right, sure, I'm going
to borrow money from these clowns. I sure want to meet their
partners. What kind of people have a lot of cash that they would
like to loan on real estate????
|
|
| We do not promote SPAM or UBE.
| Please be assured that we are doing everything we can
| to ensure that our users do not abuse this policy.
|
This is the funny part. They don't promote spam. :-/ Complaining
to these thugs won't work.
OK, so who supplies ISP services to their sucker-trap web site??
[djv@castor djv]$ traceroute www.canus.net
traceroute to www.canus.net (205.152.190.251), 30 hops max, 40 byte packets
4 core3.Atlanta.mci.net (204.70.4.9) 209.895 ms 158.635 ms 199.880 ms
5 ast-uunet-nap.Atlanta.mci.net (206.157.77.114) 199.820 ms 148.672 ms 139.873 ms
6 104.ATM2-0-0.XR1.ATL1.ALTER.NET (146.188.232.50) 189.844 ms 168.612 ms 149.935 ms
7 195.ATM5-0-0.GW1.MIA1.ALTER.NET (146.188.232.137) 209.791 ms 198.624 ms 199.881 ms
8 bs-miami-gw.customer.alter.net (157.130.65.222) 199.831 ms 198.651 ms 199.884 ms
9 207.203.0.160 (207.203.0.160) 209.834 ms 160.053 ms 199.343 ms
10 172.25.80.90 (172.25.80.90) 209.514 ms 209.896 ms 179.381 ms
11 205.152.190.251 (205.152.190.251) 209.781 ms 168.693 ms 199.847 ms
[djv@castor djv]$
We notice that 205.152.190.251 is part of the netblock issued to phicom.net, so besides DNS, this ISP is also providing connectivity.
OK, all done. We could look up 172.25... but I think we've hit enough pay dirt. (Hmm, isn't 172.25... an RFC-1918 domain?)
SOOOO:
We have a spammer pretty much nailed down. He's engaged in a [possibly fraudulent] mortgage scheme. He has maildrops at usa.net, and probably a paper mail drop in Canada, to avoid US law enforcement.
He's using compuserve.com as his "throwaway" account, and phicom.net as his connectivity and DNS supplier.
We would send complaints to:
*) abuse@compuserve.com
anticipated action: cancellation of the spammer's account; to do this, compuserve needs to know when the spammer was connected. The spammer may be relaying, too. But C$ should hear about it. If the spammer relayed through C$, C$ will conduct the investigation with the host from which the relay came. But this looks like a dial-in account. C$ disallows relaying, I believe.
*) abuse@phicom.net ``You provide connectivity to a spammer.''
anticipated action: cancellation of services.
Do NOT flame these people, until they tell you that ``there's nothing wrong with spam.'' There are /many/ clueless ISPs, who know nothing about spam, or are as much (or more) a victim than you are. (How would you like to come into work and see 8,000 emails in your in-box, complaining about spam from your domain?)
There's no point in complaining to a spammer, most of the time. Usually spammers themselves respond with streams of obscenity, and maybe a mailbomb. There is a small percentage of spammers, mostly newbies and innocent businesses, that are not aware of what spamming is, and have been misled by Spam Lords who sell them spamming services under false pretences, such as ``These are carefully selected addresses of people who have asked to receive news of products like yours.'' Their offers will be legitimate: ``$1500 computer available for $1200'' or something /believable/. But always beware.
Law enforcement? Don't bother in a case like this; these kinds of spams and frauds are well known already to the FBI, and the US Postal Service. Mostly law enforcement won't be interested except for
Spamming qua spamming is legal in the USA, AFAIK. Many politicians consider it "business", which is sacred.
[Need data for other countries here.]
The Internic? I don't know. I don't think they would take any action, unless the spammer were actually /convicted/ of a crime. The Internic is a blackhole for complaints of any kind, as far as I know.
When writing a complaint, send the /entire spam/, including all the headers and text, attachments, whatever the spammer sent you. I think some people @abuse use checksums and so on to track spam.
Actions other than complaining: I would block any email or connections of any kind from the spammer, and probably phicom.net, until phicom.net assures you that the spammer's website is down.
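The walkthrough above reads the Received: headers by hand, bottom-up, to find the hop where the spam entered a network it did not control. The script below does that mechanically. It is an added example, not part of D.J. Vanecek's contribution; the sample message is constructed from the headers quoted in the walkthrough (censored parts kept as XXXX), and the function names are my own.

```shell
#!/bin/sh
# Added example: extract the relay chain and origin IP from a mail's headers.

# Constructed sample, built from the headers quoted in the walkthrough above.
SAMPLE_MAIL='From sales@canus.net Sat Jun 27 02:42:41 1998
Return-Path: <sales@canus.net>
Received: from CENSORED by castor.loco.net (fetchmail-4.3.8 POP3)
    for <djv/castor.loco.net> (single-drop); Sat, 27 Jun 1998 02:42:41 EDT
Received: from server ([199.174.152.215]) by XXXX
    with SMTP (IPAD 1.52/64) id 4950800 ; Sat, 27 Jun 1998 02:39:13 EST
Date: Sat, 27 Jun 1998 01:00:59
Subject: Need A Loan?

Are You in Debt?'

# Unfold RFC 822 continuation lines (those starting with whitespace) and
# print only the header block, which ends at the first blank line.
unfold_headers() {
    awk '
        /^$/ { exit }
        /^[ \t]/ { cur = cur " " substr($0, 2); next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }
    '
}

# Received: headers in the order the mail actually travelled. Each relay
# prepends its own header, so the lowest one in the message is the earliest
# hop; sed '1!G;h;$!d' reverses the lines (a portable tac).
received_chain() {
    unfold_headers | grep -i '^Received:' | sed '1!G;h;$!d'
}

# The peer address recorded by the first relay: the [bracketed] IP on the
# earliest Received: line. That line was written by a host the sender does
# not control, unlike From:, Date: and Message-Id:. Prints nothing if the
# earliest hop recorded no address.
origin_ip() {
    received_chain | sed -n '1s/.*\[\([0-9][0-9.]*\)].*/\1/p'
}

# Timestamp the first relay attached to that hop (the text after the last
# ';'). This is the time an abuse desk needs; note that the relay's clock
# and timezone label may be wrong, as in the walkthrough.
origin_time() {
    received_chain | sed -n '1s/.*;[[:space:]]*//p'
}

# Usage: sh spamtrace.sh < message.eml   or   sh spamtrace.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MAIL" | received_chain
    printf 'origin ip:   %s\n' "$(printf '%s\n' "$SAMPLE_MAIL" | origin_ip)"
    printf 'origin time: %s\n' "$(printf '%s\n' "$SAMPLE_MAIL" | origin_time)"
elif [ ! -t 0 ] && [ "$#" -eq 0 ] && [ -n "${SPAMTRACE_STDIN:-}" ]; then
    received_chain
fi
```

Only the earliest Received: line that you trust is evidence; a spammer can add fake Received: lines below the real ones, so stop reading the chain at the first header written by a host you know.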
Doing such everyday activities as reading your mail (even mail sent to root), browsing the web, or going on IRC (!!) as root is generally a bad idea. Many clients of this kind were written with less attention to security and can be exploited (look at all those exploits for pine, lynx and IRC clients, not to speak of X-based environments). It is always bad when a bug allows arbitrary code to run on your system as an ordinary user, but it is much worse when it runs as root, because that means the whole system is compromised.
The basic answer is "NO". Several pieces of code can replicate under certain conditions, but since the Morris worm of 1988 there has been no viable one in the Unix world. There are several reasons why:
Back doors, i.e. programs which do more than they were intended to. Some examples are:
If the buffer is allocated on the stack, then a buffer overrun can overwrite the function's saved return address. By providing carefully crafted data as input, a user can store some machine code in the buffer and replace the return address with the address of that code. When the function returns, the supplied code is executed with whatever privileges the process has.
Typical code is `shellcode', i.e. something which performs the equivalent of execve("/bin/sh", ...). If the program is setuid root (and has not given up its privileges), the user is presented with an interactive shell running as root.
Programs which have suffered from this problem include xterm (the bug itself was in libXt), sperl (the setuid Perl binary), lpr, sendmail and many others. The problem is more serious for networking daemons (e.g. sendmail), as it can allow remote users to obtain the equivalent of a root login. Stack canaries, non-executable stacks and address-space randomization in current compilers and kernels make this particular exploit technique harder, but they do not make the underlying bug safe: every copy into a fixed-size buffer must be bounds-checked.
cmd="cat /www/cookies/$HTTP_COOKIE"
eval $cmd
If someone telnets to the HTTP port, and types:
GET /cgi-bin/bogus-script.sh HTTP/1.0
Cookie: hello ; rm -rf /
then `cmd' will be equal to `cat /www/cookies/hello ; rm -rf /', and
`eval $cmd' will be quite nasty (deleting anything which httpd has
permission to delete).
This is a contrived example, but it demonstrates the basic concept. More straightforward, although not as serious, is:
cat /www/cookies/$HTTP_COOKIE
Fortunately, the command line isn't re-parsed after variable substitution, so you can't construct arbitrary commands this way (that generally requires re-evaluation, as with eval), but if the user provides a cookie of the form:
Cookie: ../../etc/passwd
they can read any file which httpd has access to. The cure is the same in both cases: never paste untrusted input into a command line, and check the value against a whitelist of safe characters (letters, digits, '-' and '_') before using it as a file name.
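Here is the cookie-lookup CGI rewritten so that neither the "; rm -rf /" nor the "../../etc/passwd" input works. This is an added example, not code from the original page: the /www/cookies directory is the one assumed by the text, and the function names and the 64-character limit are my own choices.

```shell
#!/bin/sh
# Added example: a hardened version of the cookie-lookup CGI script.

# Directory of cookie files; /www/cookies is the location assumed in the text.
COOKIE_DIR=${COOKIE_DIR:-/www/cookies}

# Return 0 if $1 is a safe cookie token: 1 to 64 characters from [A-Za-z0-9_-].
# Rejecting everything else kills both attacks at once: no ';' or space
# means no second command, and no '/' or '.' means no directory traversal.
valid_cookie() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ ${#1} -le 64 ]
}

# Map a cookie to its file, or fail. No command string is ever built.
cookie_path() {
    valid_cookie "$1" || return 1
    printf '%s/%s\n' "$COOKIE_DIR" "$1"
}

# Emit a CGI response: the cookie file, or an error status if the cookie
# is malformed or unknown. The path is passed to cat as an argument,
# never through eval.
serve_cookie() {
    path=$(cookie_path "$1") || { printf 'Status: 400 Bad Request\r\n\r\n'; return 1; }
    [ -f "$path" ] || { printf 'Status: 404 Not Found\r\n\r\n'; return 1; }
    printf 'Content-Type: text/plain\r\n\r\n'
    cat -- "$path"
}

# For comparison only: the command string the original script would have
# handed to eval. With "hello ; rm -rf /" it is two commands.
unsafe_cookie_command() {
    printf 'cat /www/cookies/%s\n' "$1"
}

# CGI entry point: httpd passes the header value in $HTTP_COOKIE and sets
# GATEWAY_INTERFACE, so nothing runs when the file is sourced for testing.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    serve_cookie "${HTTP_COOKIE:-}"
fi
```

The same validate-then-use pattern applies to any CGI variable (QUERY_STRING, PATH_INFO, HTTP_*): decide what a legal value looks like and refuse everything else, rather than trying to strip out the characters you know are dangerous.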
They are not encrypted; instead, only a hash of the password is stored, computed with either the DES-based crypt(3) algorithm or the MD5-based one. The hash is salted, so two users with the same password get different entries. Later, when the user logs in, the login program computes the same hash from the password typed and compares it with the entry in the passwd or shadow file, letting the user in only if the two hashes match.
You can see the source for DES at ftp://security.dsi.unimi.it/pub/security/crypt/code/crypt3.c
Use something like this:
find / -type f -perm +6000 -ls
or its variations. The "+6000" form is obsolete in current GNU find, which uses -perm /6000 for "any of these bits"; the portable spelling is \( -perm -4000 -o -perm -2000 \).
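The checks listed at the top of this section (what is listening, what inetd still starts, which files are setuid) and the find command just above can be collected into one audit script. This is an added example, not from the original FAQ; the function names are my own, and it takes the directory to scan as an argument so it can be run against a scratch tree as well as against / on a live host.

```shell
#!/bin/sh
# Added example: audit helpers for the hardening steps in this section.

# Regular files with the setuid or setgid bit set under $1. The -o form is
# POSIX; GNU find also accepts -perm /6000 (the old -perm +6000 is obsolete).
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Strip setuid/setgid from one file. Refuses anything that is not a plain
# file, and refuses symlinks so an attacker cannot redirect the chmod.
drop_setuid() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    chmod ug-s "$1"
}

# Listening TCP/UDP sockets: ss on current systems, netstat on older ones.
list_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -tuln
    else
        netstat -tuln
    fi
}

# Service names still active (not commented out) in an inetd.conf given
# as $1. The service name is the first field of every uncommented line.
active_inetd_services() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_-][A-Za-z0-9_-]*\)[[:space:]].*/\1/p' "$1"
}

# Usage: sh audit.sh /    (scan the live system)
if [ -n "${1:-}" ]; then
    echo "== listening sockets"
    list_listeners
    echo "== setuid/setgid files under $1"
    find_setuid "$1"
    if [ -r /etc/inetd.conf ]; then
        echo "== active inetd services"
        active_inetd_services /etc/inetd.conf
    fi
fi
```

Keep the first find_setuid listing from a freshly installed box; diffing later runs against it is the quickest way to spot a setuid shell or copied binary left behind after a break-in.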