By Gabriel Py Ng

Testing the logical security of Unix servers.

This area covers the technical security assessment of Unix and Linux servers (the commands are similar, but some differ; please check the respective man pages).

Stage 1: Scan with Nessus to check for vulnerabilities and with Nmap for open ports. Highlight the open ports and refer to the IANA port registry for details. Print the report.

Scan using Nessus (ensure the latest updates have been applied).

Stage 2: Dump /etc/passwd and /etc/shadow to password.txt and shadow.txt in your home directory. Check the security of these files, then review the IDs and /etc/group.

1. This is the most basic security measure that any server MUST take: control of IDs and groups.

2. What to check: the contents of /etc/passwd and /etc/shadow.

3. Look out for normal user IDs: are they all still active, and do any belong to users who have resigned?

4. Look out for system IDs: are they active, and are they required? They may be powerful.

5. Test IDs, developer IDs, root-equivalent IDs: are they active? Why?

6. Intruders often use finger or rusers to discover account names and then try simple passwords. Please let your users know that complex passwords are a must. Simple passwords just make the hacker’s job easier.

7. If intruders can get a password file, they usually move or copy it to another machine and run password guessing programs on it. These programs involve large dictionary searches and run quickly even on slow machines. Most systems that do not put any controls on the types of passwords used probably have at least one password that can be easily guessed.

8. It is good practice to change all your passwords. For extremely critical servers, passwords should be changed every time root-equivalent or developer IDs are used. If this is not practical, perhaps at a 3-month or 6-month interval.

9. Intruders exploit system default passwords that have not been changed since installation, including accounts with vendor-supplied default passwords. Be sure to change all default passwords when the software is installed. Some software upgrades reset account passwords to a new default in the background. Review and change passwords after updates are done.

cat /etc/passwd > /home/Gabriel/password.csv

cat /etc/shadow > /home/Gabriel/shadow.csv
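As an added example (not part of the original article), the following script runs the Stage 2 account checks over constructed /etc/passwd and /etc/shadow content: root-equivalent (UID 0) IDs other than root, duplicate UIDs, IDs with an empty password field, and IDs that can still log in interactively and so need to be matched against the current staff list. All account names and hashes are constructed; to run it over a real host the two SAMPLE_ strings are replaced with the contents of the password.csv and shadow.csv exports above, which must be made as root.

```shell
#!/bin/sh
# Added example, not from the original article: Stage 2 account review over
# constructed passwd/shadow content. Replace the two SAMPLE_* strings with
# $(cat /home/Gabriel/password.csv) and $(cat /home/Gabriel/shadow.csv) to
# run it over real exports (the shadow copy must be made as root).

# Constructed sample: "toor" is a second UID-0 account, "test1" has no
# password at all, "oracle" is locked ("!"), "daemon" has no login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test1:x:1001:1001:test account:/home/test1:/bin/sh
jdoe:x:1002:1002:John Doe:/home/jdoe:/bin/sh
oracle:x:1003:1003:oracle:/opt/oracle:/bin/sh'

SAMPLE_SHADOW='root:$6$constructedhash:19000:0:99999:7:::
toor:$6$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
test1::19000:0:99999:7:::
jdoe:$6$constructedhash:18000:0:99999:7:::
oracle:!:19000:0:99999:7:::'

# UID-0 accounts other than root: each one is root-equivalent.
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# UIDs shared by more than one account, with the account names.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '
        { n[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in n) if (n[u] > 1) print u ":" names[u] }'
}

# Accounts whose shadow password field is empty (login with no password).
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts that can still log in interactively: a shell that is not
# nologin/false in passwd and a shadow entry not locked with "!" or "*".
# Each line is tagged S: (shadow) or P: (passwd) so one awk pass sees both.
active_accounts() {
    {
        printf '%s\n' "$2" | sed 's/^/S:/'
        printf '%s\n' "$1" | sed 's/^/P:/'
    } | awk -F: '
        $1 == "S" { locked[$2] = ($3 ~ /^[!*]/); next }
        $1 == "P" && $8 !~ /(nologin|false)$/ && !locked[$2] { print $2 }'
}

# Print the whole review for a pair of passwd/shadow contents.
account_review() {
    echo "== UID-0 accounts other than root ==";  uid0_accounts "$1"
    echo "== Duplicate UIDs ==";                  duplicate_uids "$1"
    echo "== Accounts with empty password ==";    empty_password_accounts "$2"
    echo "== Accounts that can still log in ==";  active_accounts "$1" "$2"
}

account_review "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

The review prints toor as a second root, UID 0 shared by root and toor, test1 with no password, and root, toor, test1 and jdoe as the IDs that can still log in; daemon (no login shell) and oracle (locked) drop out, which is exactly the list to reconcile against who should still have access.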

Stage 3: Check for world-writable files and directories. This is also a must. Imagine your most critical business files being accessible to everybody. Find them and take the necessary steps to restrict their permissions.

find / -type f -perm -0002 -exec ls -l {} + > /home/Gabriel/worldfiles.csv

find / -type d -perm -0002 -exec ls -ld {} + > /home/Gabriel/worlddirectory.csv

Stage 4: Search for SUID and SGID files

* SUID and SGID programs can allow normal users to become root-equivalent when these programs are owned by root.

* To mitigate this risk, it is prudent to ensure these files are not world-readable, as power users may find ways to run these programs, or to remove them if they are not necessary.

* SUID and SGID programs are normally found in /bin, /etc, /usr/bin, /usr/ucb and /usr/etc; pay attention if they are found in other directories.

* Look for SUID files (especially SUID root files) everywhere on your system. Intruders often leave SUID copies of /bin/sh around to allow them root access at a later time. The UNIX find program can be used to search for setuid files.

find / -user root -type f -perm -4000 -exec ls -l {} + > /home/Gabriel_ng/rootsuid.csv

Find SUID and SGID files on the root filesystem (-xdev keeps find on that one filesystem).

find / -xdev -type f -perm -4000 -exec ls -l {} + > /home/Gabriel_ng/suid.csv

find / -xdev -type f -perm -2000 -exec ls -l {} + > /home/Gabriel_ng/guid.csv
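The Stage 3 and Stage 4 find checks are easy to get subtly wrong (a missing {} placeholder, or a -perm test that requires more bits than intended), so as an added example (not from the original article) the script below builds a constructed scratch tree with one file of each kind and runs the same predicates over it, which lets the predicates be verified before they are run from / on a live server. The scratch directory, file names and modes are constructed; the real run uses / as the start path and the CSV paths given above.

```shell
#!/bin/sh
# Added example, not from the original article: Stage 3 and Stage 4 find
# checks exercised on a constructed scratch tree with known permission
# problems, so the predicates are verified before they are run from "/".

# Build the scratch tree (constructed; on a real audit the start path is /).
make_scratch_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/bin" "$dir/dropbox"
    : > "$dir/bin/ok";      chmod 0755 "$dir/bin/ok"       # normal binary
    : > "$dir/bin/setuid";  chmod 4755 "$dir/bin/setuid"   # SUID
    : > "$dir/bin/setgid";  chmod 2755 "$dir/bin/setgid"   # SGID
    : > "$dir/ww_file";     chmod 0666 "$dir/ww_file"      # world writable
    : > "$dir/gw_file";     chmod 0664 "$dir/gw_file"      # group writable only
    chmod 0777 "$dir/dropbox"                              # world-writable dir
    printf '%s\n' "$dir"
}

# Stage 3: anything writable by "other". -perm -0002 tests only the
# world-write bit; -perm -22 (group and other write) would require both
# bits to be set and miss a file such as mode 0606.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print | sort
}

# Stage 4: SUID and SGID regular files. -xdev keeps find on one filesystem.
suid_files() { find "$1" -xdev -type f -perm -4000 -print | sort; }
sgid_files() { find "$1" -xdev -type f -perm -2000 -print | sort; }

# Strip the scratch root so the findings read as relative paths.
relative_paths() { sed "s|^$1/||"; }

# Demonstration run: build the tree, audit it, clean up.
tree=$(make_scratch_tree)
echo "World-writable:";  world_writable "$tree" | relative_paths "$tree"
echo "SUID files:";      suid_files "$tree"     | relative_paths "$tree"
echo "SGID files:";      sgid_files "$tree"     | relative_paths "$tree"
rm -rf "$tree"

# On a real host (as root), keep owner and mode in the CSV as the article does:
#   find / -xdev -type f -perm -4000 -exec ls -l {} + > /home/Gabriel_ng/suid.csv
```

The run reports dropbox and ww_file as world-writable (gw_file, writable only by its group, is correctly left out), bin/setuid as the SUID file and bin/setgid as the SGID file. Swapping -perm -0002 for -perm -22 in world_writable and re-running is a quick way to see why the narrower test matters.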

Stage 5: Check the network trust files: /etc/hosts.equiv, .rhosts, /etc/hosts.allow and /etc/hosts.deny

* An important factor in network security is controlling network access. The /etc/hosts.equiv, .rhosts and /etc/passwd files control whether access is given to rlogin, rcp and rsh. /etc/hosts.equiv contains a list of hosts that are trusted, or considered equivalent to, that machine. Some systems use /etc/hosts.allow and /etc/hosts.deny rather than a single /etc/hosts.equiv. A .rhosts file holds a list of hosts that are permitted access to a specific user.

* Because .rhosts files allow access to the system without using a password, it is recommended that users do not create them in their home directories.

Check for /etc/hosts.equiv, .rhosts, /etc/hosts.deny and /etc/hosts.allow.

find /home -name .rhosts -print
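Finding the trust files is only the first half of Stage 5; the entries inside them decide the exposure. The most dangerous entry in hosts.equiv or .rhosts is the "+" wildcard in the host or user column, which trusts every host or every user, and a hosts.deny without a catch-all "ALL: ALL" rule leaves every service not named in hosts.allow reachable. As an added example (not from the original article), the script below checks constructed file contents for those two conditions and walks a constructed home tree the way the find above walks /home. All hostnames, user names and file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: Stage 5 review of the
# network trust files. The file contents below are constructed.

# Constructed hosts.equiv: line 2 ("+ +") trusts every user on every host.
SAMPLE_HOSTS_EQUIV='db01.example.internal
+ +
app02.example.internal admin'

# Constructed ~/.rhosts: a lone "+" lets any host log in as this user.
SAMPLE_RHOSTS='+
backup.example.internal root'

# Constructed hosts.deny with no default deny rule.
SAMPLE_HOSTS_DENY='# nothing denied yet'

# Lines whose host or user field is the "+" wildcard, as lineno:line.
# Comment lines are skipped.
wildcard_trust_lines() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "+" || $2 == "+" { print NR ":" $0 }'
}

# Succeeds when hosts.deny carries a catch-all "ALL: ALL" rule, so only
# services explicitly listed in hosts.allow are reachable.
has_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# Locate per-user .rhosts files under a home root (the article's Stage 5
# find) and report the number of wildcard entries in each.
audit_rhosts_files() {
    find "$1" -name .rhosts -type f -print | sort | while read -r f; do
        hits=$(wildcard_trust_lines "$(cat "$f")" | wc -l | tr -d ' ')
        printf '%s %s\n' "$f" "$hits"
    done
}

# Demonstration on a constructed home tree.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/alice" "$demo_home/bob"
printf '%s\n' "$SAMPLE_RHOSTS" > "$demo_home/alice/.rhosts"
printf '%s\n' 'backup.example.internal bob' > "$demo_home/bob/.rhosts"

echo "hosts.equiv wildcard entries:"; wildcard_trust_lines "$SAMPLE_HOSTS_EQUIV"
echo ".rhosts wildcard entries per file:"; audit_rhosts_files "$demo_home"
has_default_deny "$SAMPLE_HOSTS_DENY" || echo "hosts.deny has no ALL: ALL default deny"
rm -rf "$demo_home"
```

On a real host the same functions take /etc/hosts.equiv and /etc/hosts.deny contents and /home as the start path; a .rhosts file with zero wildcard entries is still worth reviewing, since every host it names gets password-less access to that account.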

Stage 6: Check system monitoring and logs.

Check /etc/sudoers: it controls which users can run commands as “root” with sudo.

cat /etc/sudoers > /home/Gabriel/sudoers.csv

Other logs include /var/adm/acct, /var/adm/wtmp, /var/adm/btmp and /var/adm/syslog/syslog.log.

Check /var/adm/sulog

1. A line such as “SU 10/19 14:15 + tty q3 root-test1” lists the date and time; + indicates a successful su and – a failure, followed by the terminal and the from-user to to-user pair. Repeated failures could indicate that someone is trying to break in using su.
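Reading sulog by eye works for a handful of lines; for an export of any size the pattern the article describes (the same source user failing su again and again) is better pulled out with a small parser, and the sudoers export deserves the same treatment for entries that grant any command, or grant it without a password. As an added example (not from the original article), the script below does both over constructed data. The first sulog line mirrors the one quoted above; every other log line, user name and sudoers entry is constructed. The parser keys on the fourth field (+ or -) and the last field (from-to), so the shape of the tty column does not matter.

```shell
#!/bin/sh
# Added example, not from the original article: Stage 6 review of su
# activity (sulog) and of sudoers grants. All log lines and sudoers entries
# below are constructed; the first sulog line mirrors the one in the article.

# Constructed sulog extract. Field 4 is + (success) or - (failure); the last
# field is "fromuser-touser". Keying on those two fields keeps the parser
# independent of how the tty column is written.
SAMPLE_SULOG='SU 10/19 14:15 + tty q3 root-test1
SU 10/19 14:20 - ttyp1 test1-root
SU 10/19 14:21 - ttyp1 test1-root
SU 10/19 14:22 - ttyp1 test1-root
SU 10/19 14:30 + ttyp2 jdoe-oracle
SU 10/19 15:02 - ttyp4 oracle-root
SU 10/19 15:10 + ttyp1 jdoe-root'

# Constructed sudoers content.
SAMPLE_SUDOERS='# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
jdoe    ALL=(ALL) NOPASSWD: ALL
oracle  ALL=(root) /usr/bin/systemctl restart oracle'

# Source users with at least $2 failed su attempts, as "user count".
# A repeat offender is the break-in pattern the article describes.
repeated_su_failures() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $1 == "SU" && $4 == "-" { split($NF, p, "-"); fail[p[1]]++ }
        END { for (u in fail) if (fail[u] >= min) print u, fail[u] }' | sort
}

# Users who successfully switched to root, one per line (sorted, unique).
successful_su_to_root() {
    printf '%s\n' "$1" | awk '
        $1 == "SU" && $4 == "+" { split($NF, p, "-"); if (p[2] == "root") print p[1] }' |
        sort -u
}

# Sudoers entries whose command list is the bare "ALL": any command as the
# target user. Comments, Defaults and blank lines are skipped.
sudoers_any_command() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^Defaults/ || NF == 0 { next }
        $NF == "ALL" { print $1 }'
}

# Sudoers entries that also waive the password prompt.
sudoers_nopasswd() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && /NOPASSWD:/ { print $1 }'
}

echo "Users with 3+ failed su attempts:";    repeated_su_failures "$SAMPLE_SULOG" 3
echo "Users who became root via su:";        successful_su_to_root "$SAMPLE_SULOG"
echo "Sudoers entries allowing any command:"; sudoers_any_command "$SAMPLE_SUDOERS"
echo "Sudoers entries without password:";    sudoers_nopasswd "$SAMPLE_SUDOERS"
```

Over the sample, test1 is flagged with three failed su attempts, jdoe is the one user who actually became root, and the sudoers review lists root, %admin and jdoe as able to run any command, with jdoe additionally exempt from the password prompt. On a real host the two SAMPLE_ strings become the contents of /var/adm/sulog and the sudoers.csv export above.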

Stage 7: By redirecting all output into CSV or text files, it is easier to analyze the details and work with the relevant parties to tighten security.

Gabriel Ng is the author of [] This site is set up to provide information and recommendations on hacking prevention and on controls to minimise security threats from viruses, trojans, spyware and hacking, based on real-life experience conducting security assessments and penetration tests. This video touches a bit on Unix security.

[] Enjoy!