This article is about computer security hackers. For other types of computer hackers, see Hacker (computing). For other uses, see Hacker.
In common usage, a hacker is a person who breaks into computers, usually by gaining access to administrative controls.[1] The subculture that has evolved around hackers is often referred to as the computer underground. Proponents claim to be motivated by artistic and political ends, and are often unconcerned about the use of illegal means to achieve them.[2]
Other uses of the word hacker exist that are not related to computer security (computer programmer and home computer hobbyists), but these are rarely used by the mainstream media. Some would argue that the people that are now considered hackers are not hackers, as before the media described the person who breaks into computers as a hacker there was a hacker community. This community was a community of people who had a large interest in computer programming, often sharing, without restrictions, the source code for the software they wrote. These people now refer to the cyber-criminal hackers as "crackers"
computer security (learn first)
computer security
This article is about computer security hackers. For other types of computer hackers, see Hacker (computing). For other uses, see Hacker.
In common usage, a hacker is a person who breaks into computers, usually by gaining access to administrative controls.[1] The subculture that has evolved around hackers is often referred to as the computer underground. Proponents claim to be motivated by artistic and political ends, and are often unconcerned about the use of illegal means to achieve them.[2]
Other uses of the word hacker exist that are not related to computer security (computer programmer and home computer hobbyists), but these are rarely used by the mainstream media. Some would argue that the people that are now considered hackers are not hackers, as before the media described the person who breaks into computers as a hacker there was a hacker community. This community was a community of people who had a large interest in computer programming, often sharing, without restrictions, the source code for the software they wrote. These people now refer to the cyber-criminal hackers as "crackers"
Top 13 Security/Hacking Tools & Utilities
1. Nmap
I think everyone has heard of this one, recently evolved into the 4.x series.
Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.
Can be used by beginners (-sT) or by pros alike (–packet_trace). A very versatile tool, once you fully understand the results.
Get Nmap Here
2. Nessus Remote Security Scanner
Recently went closed source, but is still essentially free. Works with a client-server framework.
Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.
Get Nessus here
3. John the Ripper
Get New Realese JTR
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.
4. Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is a good CGI scanner, there are some other tools that go well with Nikto (focus on http fingerprinting or Google hacking/info gathering etc, another article for just those).
Get Here
5. SuperScan
Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.
If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice
Get superscan Here
6. p0f
P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
– machines that connect to your box (SYN mode),
– machines you connect to (SYN+ACK mode),
– machine you cannot connect to (RST+ mode),
– machines whose communications you can observe.
Basically it can fingerprint anything, just by listening, it doesn’t make ANY active connections to the target machine.
Get p0f here
7. Wireshark (Formely Ethereal)
Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.
Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP Streams! Will do a tutorial on Wireshark later.
Get Here
8. Yersinia
Yersinia is a network tool designed to take advantage of some weakeness in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
The best Layer 2 kit there is.
Get Yersinia here
9. Eraser
Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.
An excellent tool for keeping your data really safe, if you’ve deleted it..make sure it’s really gone, you don’t want it hanging around to bite you in the ass.
get here
10. LCP
Main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. Accounts information import, Passwords recovery, Brute force session distribution, Hashes computing.
A good free alternative to L0phtcrack.
LCP was briefly mentioned in our well read Rainbow Tables and RainbowCrack article.
Get here LCP
11. Kismet
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
A good wireless tool as long as your card supports rfmon (look for an orinocco gold).
Get kismet here
12. NetStumbler
Yes a decent wireless tool for Windows! Sadly not as powerful as it’s Linux counterparts, but it’s easy to use and has a nice interface, good for the basics of war-driving.
NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:
Verify that your network is set up the way you intended.
Find locations with poor coverage in your WLAN.
Detect other networks that may be causing interference on your network.
Detect unauthorized “rogue” access points in your workplace.
Help aim directional antennas for long-haul WLAN links.
Use it recreationally for WarDriving
Get here
13. hping
To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
hping
Scanner with Nikto2
Download: Version 2.1.1 .gz or .bz2
Thanks to Edgeos & CIRT.net for sponsoring Nikto!
Deploy your branded security services quickly and easily, including a full web-based portal for your customers, unlimited external and internal vulnerability assessments, automated professional reporting, and centralized management. The Edgeos platform is your company's security services, for your customers, and completely private labeled for your business!
Edgeos - Target Your Customers' Security
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs, checks for outdated versions of over 950 servers, and version specific problems on over 260 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).
Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.
Here are some of the major features of Nikto. See the documentation for a full list of features and how to use them.
SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's
Perl/NetSSL)
Full HTTP proxy support
Checks for outdated server components
Save reports in plain text, XML, HTML or CSV
Template engine to easily customize reports
Scan multiple ports on a server, or multiple servers via input file (including nmap output)
LibWhisker's IDS evasion techniques
Easily updates via command line
Identifies installed software via headers, favicons and files
Host authentication with Basic and NTLM
Subdomain guessing
Apache and cgiwrap username enumeration
Mutation techniques to "fish" for content on web servers
Scan tuning to include or exclude entire classes of vulnerability
checks
Guess credentials for authorization realms (including many default id/pw combos)
Authorization guessing handles any directory, not just the root
directory
Enhanced false positive reduction via multiple methods: headers,
page content, and content hashing
A "single" scan mode that allows you to craft an HTTP request by
hand
Reports "unusual" headers seen
Thorough documentation
Exploit (computer security)
An exploit (from the same word in the French language, meaning "achievement", or "accomplishment") is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerised). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack.
Classification
There are several methods of classifying exploits. The most common is by how the exploit contacts the vulnerable software. A 'remote exploit' works over a network and exploits the security vulnerability without any prior access to the vulnerable system. A 'local exploit' requires prior access to the vulnerable system and usually increases the privileges of the person running the exploit past those granted by the system administrator. Exploits against client applications also exist, usually consisting of modified servers that send an exploit if accessed with client application. Exploits against client applications may also require some interaction with the user and thus may be used in combination with social engineering method. This is the hacker way of getting into computers and stealing data.
Another classification is by the action against vulnerable system: unauthorized data access, arbitrary code execution, denial of service.
Many exploits are designed to provide superuser-level access to a computer system. However, it is also possible to use several exploits, first to gain low-level access, then to escalate privileges repeatedly until one reaches root.
Normally a single exploit can only take advantage of a specific software vulnerability. Often, when an exploit is published, the vulnerability is fixed through a patch and the exploit becomes obsolete for newer versions of the software. This is the reason why some blackhat hackers do not publish their exploits but keep them private to themselves or other crackers. Such exploits are referred to as 'zero day exploits' and to obtain access to such exploits is the primary desire of unskilled attackers, often nicknamed script kiddies
Types
Exploits are commonly categorized and named by these criteria:
The type of vulnerability they exploit (See the article on vulnerabilities for a list)
Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote).
The result of running the exploit (EoP, DoS, Spoofing, etc...)
Penetration test
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution. The intent of a penetration test is to determine feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.
Black box vs. White box
Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that are available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. There are also several variations in between, often known as grey box tests. Penetration tests may also be described as "full disclosure", "partial disclosure" or "blind" tests based on the amount of information provided to the testing party.
The relative merits of these approaches are debated. Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.
The services offered by penetration testing firms span a similar range, from a simple scan of an organization's IP address space for open ports and identification banners to a full audit of source code for an application.
Methodologies
The Open Source Security Testing Methodology Manual is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.
The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. OSSTMM is also known for its Rules of Engagement which define for both the tester and the client how the test needs to properly run starting from denying false advertising from testers to how the client can expect to receive the report. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.
The National Institute of Standards and Technology (NIST) discusses penetration testing in SP800-115[1][2]. NIST's methodology is less comprehensive than the OSSTMM; however, it is more likely to be accepted by regulatory agencies. For this reason NIST refers to the OSSTMM.
The Information Systems Security Assessment Framework (ISSAF) is a peer reviewed structured framework from the Open Information Systems Security Group that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real life scenarios. The ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. It includes the crucial facet of security processes and, their assessment and hardening to get a complete picture of the vulnerabilities that might exist. The ISSAF however is still in its infancy.
Linux 2.6.30 exploit posted
Title says it all, exploit is at:
http://grsecurity.net/~spender/cheddar_bay.tgz
Everything is described and explained in the exploit.c file.
I exploit a bug that by looking at the source is unexploitable;
I defeat the null ptr dereference protection in the kernel on
both systems with SELinux and those without.
I proceed to disable SELinux/AppArmor/LSM/auditing
Exploit works on both 32bit and 64bit kernels.
Links to videos of the exploit in action are present in the exploit
code.
How To Reset Linux Root Forgotten Passwords Get Retrieve Root Password
he other day, i inherited a server which was admin by another company. Now i am expected to login into the linux server and make some changes and update some stuff, but the problem is that the previous admin person did not give me the root password for the server. So today, i found a way on how to retrieve the root password from a linus server.
DISCLAIMER: By you continuing to read this how to guide, you are in agreement that you have permission to access your linux server. Use this information at your own risk, I take no liability for any contents of this post. this information should only be used to recover passwords from machines you have legal access to. If you use this informationt obreak or hack into someone else's systems, then I am not responsible for it. Also, you are advised to make any backups of your system before continuiing.
please note that you cannot perform this remotely, you must be physically at the machine.
1. the first step is to reboot server.
2. Since the server i inherit has GRUB, wait until the grub splash screen comes on and hit the letter 'e' on your keyboard. this will stop grub.
3. hit 'e' again and this will take you to another screen
4. you should see one of the choices has "kernel" select the one with "kernel
5. hit 'e' on your keyboard
6. type ' single' (make sure to include a space before "single") and hit enter. then enter 'b' to boot.
7. your system should boot up in single mode as root
8. now that you are logged in single mode you can chage the root password by sending this command:
passwd
9. after you have changed the root password, reboot server and you should be able to login with the new password.
DONE
LILO ----------------------------
1. If you have LILO, its different, fist reboot server and when you see the LILO: prompt type "linux single" and hit enter. this will log you in as root in single user mode.
2. Once booting is complete, you can change your password with this command:
Code:
passwd
and reboot server.
DONE
Read more >>>
Cracking WPA/WPA2 on Linux
this article and all of my others can also be found at http://www.secusoft.be
I recently noticed a strange thing on this forum, everyone likes WEP-cracking tutorials a lot,
but it seems like a lot of people have questions about WPA/WPA2 cracking too. After these findings,
I noticed that there weren't any tutorials yet on HF.net, or I didn't check very well, that would be
option two :D.
Knowledge
If you look at the attacks closely, you'd think WPA was very easy to crack. Well, some people say it is,
some don't agree. The fact is, that if the password is in some sort of dictionary, the password can be cracked.
Just for the record: when it comes to cracking WPA(2), they are cracked the same way ;-).
you'll need a 4-way handshake from a client connecting to an AP.
The 4way handshake holds an encrypted algorithm which can be cracked by dictionary attack.
you'll need a huge list and some luck that the password is in the list,
or you can make a personal list created with a password tool of your choice (like john),
which will not be discussed in this tutorial ;-).For this tutorial, of course I'll be using the Aircrack-ng suite.
!Optional: "lazyness"
sudo su
you might need root access to run these applications. For example, if you are using Ubuntu and you
don't want to type "sudo" in front of every line, you could use this optional command.
Knowing what interface to use
first of all, you'll have to know what the name of your wireless interface is, thats why you type:
Code:
iwconfig
In my case, the interface was wlan0, as you can see that's the only one that can connect to anything..
Identifying your victim
Code:
airmon-ng start INTERFACE
you'd get a small message saying:
(monitor mode enabled on SPOOFEDINTERFACE ) //In my case, interface was "mon0"..
Code:
airodump-ng SPOOFEDINTERFACE
The next step would be choosing your victim. Obviously we would be looking for someone with wpa encryption now.
since you want to crack someone with wpa.
write down his BSSID and his CHANNEL.
rebooting the network card to fit in the right Channel
Code:
airmon-ng stop SPOOFEDINTERFACE
Code:
airmon-ng start INTERFACE CHANNEL
Start the dumping of the file
Code:
airodump-ng -c CHANNEL --bssid BSSID -w psk SPOOFEDINTERFACE
This will start airodump-ng on your specific channel (-c). It will search handshakes
of the specifief bssid and will write this all to a capture file named psk (-w).
Notice! You might ask yourself, but how do I know when I captured a handshake?
-> Well, aircrack thought of that, if you managed to capture a handshake, a message appears in the upper
right corner.
[Image: handshake.jpg]
!Optional, but very helpful when speeding up the process
So you need to capture a handshake, but the people who are connected of course won't be giving out the
handshake, since this event only takes place during authentication. If we could just boot them for a small second
off their network, so they could reconnect, that would be perfect!
Code:
aireplay-ng -0 10 -a BSSID -c CLIENTBSSID SPOOFEDINTERFACE
This would do 10 "deauthentication" attacks (-0) with the AP being BSSID and client being booted CLIENTBSSID.
You can check if a client is connected by looking at your Airodump-ng screen again. If you see on the bottom of that
screen that someone is connected to the ESSID of your victim, simply use the STATION BSSID as CLIENTBSSID in this example.
Code:
aircrack-ng -w /pentest/wordlist.lst -b BSSID psk*.cap
This would crack the actual capture file that was being created by airodump-ng.
notice! You can only try to crack when a handshake actually took place.
Don't forget, -w needs the path to your wordlist, so remember where you saved it!
[Image: aircrack-ng.jpg]
-> Aircrack-ng while attempting to crack a password
!Optional: "security"
As a scriptkiddy, you might want to remain a bit anonymous, so here's how you would change your mac..
Try to implement it yourself ;-)
Code:
sudo ifconfig SPOOFEDINTERFACE down && sudo macchanger -r INTERFACE && sudo macchanger -r SPOOFEDINTERFACE && ifconfig SPOOFEDINTERFACE up
Wordlists
If you ever needed some good wordlists, I suggest checking here first:
wordlists
Bye
thx for your time guys ;-)
this tutorial was also hosted here
[Image: logo%20header.png]
Read more >>>
Shell script
A shell script is a script written for the shell, or command line interpreter, of an operating system. It is often considered a simple domain-specific programming language. Typical operations performed by shell scripts include file manipulation, program execution, and printing text.
Many shell script interpreters double as command line interface, such as the various Unix shells, Windows PowerShell or the MS-DOS COMMAND.COM. Others, such as AppleScript or the graphical Windows Script Host (WScript.exe), add scripting capability to computing environments without requiring a command line interface. Other examples of programming languages primarily intended for shell scripting include DCL and JCL.
Shortcuts
In their most basic form, a shell script can provide a convenient variation of a system command where special environment settings, command options, or postprocessing is applied automatically, but in a way that allows the new script to still act as a fully normal Unix command.
One example would be to create a version of ls, the command to list files, giving it a shorter command name of l, which would be normal saved in a user's bin directory as /home/username/bin/l, and a default set of command options pre-supplied.
#!/bin/sh
LC_COLLATE=C ls -FCas "$@"
Here, The first line indicates what interpreter should be used to execute the rest of the script, and the second line makes a listing with options for file format indicators, columns, all files (none omitted), and a size in blocks. The LC_COLLATE=C set the default collation order to not fold upper and lower case together, and the "$@" causes any parameters given to l to be passed through as parameters to ls, so that all of the normal options and other syntax known to ls can still be used.
The user would then be able to simply use l for the most commonly used short listing.
Batch jobs
Shell scripts allow several commands that would be entered manually at a command line interface to be executed automatically, and without having to wait for a user to trigger each stage of the sequence. For example, in a directory with three C source code files, rather than manually running the four commands required to build the final program from them, one could instead create a C shell script, here named build and kept in the directory with them, which would compile them automatically:
#!/bin/csh
echo compiling...
cc -c foo.c
cc -c bar.c
cc -c qux.c
cc -o myprog foo.o bar.o qux.o
echo done.
The script would allow a user to save the file being edited, pause the editor, and then just run ./build to create the updated program, test it, and then return to the editor. Since the 1980s or so, however, scripts of this type have been replaced with utilities like make which are specialized for building programs.
Read more >>>
Wildcards
Consider the problem of writing a routine that prints out all the elements in a collection.
Here’s how you might write it in an older version of the language:
void printCollection(Collection c) {
Iterator i = c.iterator();
for (k = 0; k < c.size(); k++) {
System.out.println(i.next());
}}
And here is a naive attempt at writing it using generics (and the new for loop syntax):
void printCollection(Collection< Object > c) {
for (Object e : c) {
System.out.println(e);
}}
The problem is that this new version is much less useful than the old one. Whereas
the old code could be called with any kind of collection as a parameter, the new code
only takes Collection< Object >, which, as we’ve just demonstrated, is not a supertype
of all kinds of collections!
So what is the supertype of all kinds of collections? It’s written Collection
(pronounced “collection of unknown”) , that is, a collection whose element type matches
anything. It’s called a wildcard type for obvious reasons. We can write:
void printCollection(Collection c) {
for (Object e : c) {
System.out.println(e);
}}
and now, we can call it with any type of collection. Notice that inside printCollection(),
we can still read elements from c and give them type Object. This is always
safe, since whatever the actual type of the collection, it does contain objects. It isn’t
safe to add arbitrary objects to it however:
Collection c = new ArrayList
c.add(new Object()); // compile time error
Since we don’t know what the element type of c stands for, we cannot add objects
to it. The add() method takes arguments of type E, the element type of the collection.
When the actual type parameter is ?, it stands for some unknown type. Any parameter
we pass to add would have to be a subtype of this unknown type. Since we don’t know
what type that is, we cannot pass anything in. The sole exception is null, which is a
member of every type.
On the other hand, given a List, we can call get() and make use of the result.
The result type is an unknown type, but we always know that it is an object. It is
therefore safe to assign the result of get() to a variable of type Object or pass it as a
parameter where the type Object is expected.
Generics and Subtyping
Let’s test our understanding of generics. Is the following code snippet legal?
Listls = new ArrayList (); //1
List< Object > lo = ls; //2
Line 1 is certainly legal. The trickier part of the question is line 2. This boils down
to the question: is a List of String a List of Object. Most people’s instinct is to answer:
“sure!”.
Well, take a look at the next few lines:
lo.add(new Object()); // 3
String s = ls.get(0); // 4: attempts to assign an Object to a String!
Here we’ve aliased ls and lo. Accessing ls, a list of String, through the alias lo, we
can insert arbitrary objects into it. As a result ls does not hold just Strings anymore,
and when we try and get something out of it, we get a rude surprise.
The Java compiler will prevent this from happening of course. Line 2 will cause a
compile time error.
In general, if Foo is a subtype (subclass or subinterface) of Bar, and G is some
generic type declaration, it is not the case that G
This is probably the hardest thing you need to learn about generics, because it goes
against our deeply held intuitions.
The problem with that intuition is that it assumes that collections don’t change.
Our instinct takes these things to be immutable.
For example, if the department of motor vehicles supplies a list of drivers to the census
bureau, this seems reasonable. We think that a List
assuming that Driver is a subtype of Person. In fact, what is being passed is a copy
of the registry of drivers. Otherwise, the census bureau could add new people who are
not drivers into the list, corrupting the DMV’s records.
In order to cope with this sort of situation, it’s useful to consider more flexible
generic types. The rules we’ve seen so far are quite restrictive.
Defining Simple Generics
Here is a small excerpt from the definitions of the interfaces List and Iterator in package
java.util:
public interface List
void add(E x);
Iterator
}
public interface Iterator
E next();
boolean hasNext();
}
This should all be familiar, except for the stuff in angle brackets. Those are the
declarations of the formal type parameters of the interfaces List and Iterator.
Type parameters can be used throughout the generic declaration, pretty much where
you would use ordinary types (though there are some important restrictions; see section
7).
In the introduction, we saw invocations of the generic type declaration List, such
as List
of the formal type parameter (E in this case) are replaced by the actual type
argument (in this case, Integer).
You might imagine that List
been uniformly replaced by Integer:
public interface IntegerList {
void add(Integer x)
Iterator
}
This intuition can be helpful, but it’s also misleading.
It is helpful, because the parameterized type List
methods that look just like this expansion.
It is misleading, because the declaration of a generic is never actually expanded in
this way. There aren’t multiple copies of the code: not in source, not in binary, not on
disk and not in memory. If you are a C++ programmer, you’ll understand that this is
very different than a C++ template.
A generic type declaration is compiled once and for all, and turned into a single
class file, just like an ordinary class or interface declaration.
Type parameters are analogous to the ordinary parameters used in methods or constructors.
Much like a method has formal value parameters that describe the kinds of
values it operates on, a generic declaration has formal type parameters. When a method
is invoked, actual arguments are substituted for the formal parameters, and the method
body is evaluated. When a generic declaration is invoked, the actual type arguments
are substituted for the formal type parameters.
A note on naming conventions. We recommend that you use pithy (single character
if possible) yet evocative names for formal type parameters. It’s best to avoid lower
case characters in those names, making it easy to distinguish formal type parameters
from ordinary classes and interfaces. Many container types use E, for element, as in
the examples above. We’ll see some additional conventions in later examples.
Security
just see the link artikel this.. (:
Top 13 Security/Hacking Tools & Utilities
Programming All language
This is a List language Program..
Java
Java Programming
Defining Simple Generics
Generics and Subtyping
Wildcards
Programing Java
Introduction
JDK 1.5 introduces several extensions to the Java programming language. One of these
is the introduction of generics.
This tutorial is aimed at introducing you to generics. You may be familiar with
similar constructs from other languages, most notably C++ templates. If so, you’ll soon
see that there are both similarities and important differences. If you are not familiar
with look-a-alike constructs from elsewhere, all the better; you can start afresh, without
unlearning any misconceptions.
Generics allow you to abstract over types. The most common examples are container
types, such as those in the Collection hierarchy.
Here is a typical usage of that sort:
Generics allow you to abstract over types. The most common examples are container
types, such as those in the Collection hierarchy.
Here is a typical usage of that sort:
List myIntList = new LinkedList(); // 1
myIntList.add(new Integer(0)); // 2
Integer x = (Integer) myIntList.iterator().next(); // 3
The cast on line 3 is slightly annoying. Typically, the programmer knows what
kind of data has been placed into a particular list. However, the cast is essential. The
compiler can only guarantee that an Object will be returned by the iterator. To ensure
the assignment to a variable of type Integer is type safe, the cast is required.
Of course, the cast not only introduces clutter. It also introduces the possibility of
a run time error, since the programmer might be mistaken.
What if programmers could actually express their intent, and mark a list as being
restricted to contain a particular data type? This is the core idea behind generics. Here
is a version of the program fragment given above using generics:
List
myIntList.add(new Integer(0)); //2’
Integer x = myIntList.iterator().next(); // 3’
Notice the type declaration for the variable myIntList. It specifies that this is not
just an arbitrary List, but a List of Integer, written List
a generic interface that takes a type parameter - in this case, Integer. We also specify
a type parameter when creating the list object.
The other thing to pay attention to is that the cast is gone on line 3’.
Now, you might think that all we’ve accomplished is to move the clutter around.
Instead of a cast to Integer on line 3, we have Integer as a type parameter on line 1’.
However, there is a very big difference here. The compiler can now check the type
correctness of the program at compile-time. When we say that myIntList is declared
with type List
holds true wherever and whenever it is used, and the compiler will guarantee it. In
contrast, the cast tells us something the programmer thinks is true at a single point in
the code.
The net effect, especially in large programs, is improved readability and robustness.
Security Sources Linux
There are a LOT of good sites out there for Unix security in general and Linux security
specifically. It’s very important to subscribe to one (or more) of the security mailing
lists and keep current on security fixes. Most of these lists are very low volume, and
very informative.
LinuxSecurity.com References
The LinuxSecurity.com web site has numerous Linux and open source security references
written by the LinuxSecurity staff and people collectively around the world.
• Linux Advisory Watch95 -- A comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes pointers
to updated packages and descriptions of each vulnerability.
• Linux Security Week96 -- The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headlines.
• Linux Security Discussion List97 -- This mailing list is for general security-related
questions and comments.
• Linux Security Newsletters98 -- Subscription information for all newsletters.
• comp.os.linux.security FAQ99 -- Frequently Asked Questions with answers for the
comp.os.linux.security newsgroup.
• Linux Security Documentation100 -- A great starting point for information pertaining
to Linux and Open Source security.
FTP Sites
CERT is the Computer Emergency Response Team. They often send out alerts of current
attacks and fixes. See ftp://ftp.cert.org for more information.
ZEDZ (formerly Replay) (http://www.zedz.net) has archives of many security programs.
Since they are outside the US, they don’t need to obey US crypto restrictions.
Matt Blaze is the author of CFS and a great security advocate. Matt’s archive is available
at ftp://ftp.research.att.com/pub/mab
tue.nl is a great security FTP site in the Netherlands. ftp.win.tue.nl104
Web Sites
• The Hacker FAQ is a FAQ about hackers: The Hacker FAQ105
• The COAST archive has a large number of Unix security programs and information:
COAST106
• SuSe Security Page: http://www.suse.de/security/
• Rootshell.com is a great site for seeing what exploits are currently being used by
crackers: http://www.rootshell.com/
• BUGTRAQ puts out advisories on security issues: BUGTRAQ archives109
• CERT, the Computer Emergency Response Team, puts out advisories on common
attacks on Unix platforms: CERT home110
• Dan Farmer is the author of SATAN and many other security tools. His home
site has some interesting security survey information, as well as security tools:
http://www.trouble.org
• The Linux security WWW is a good site for Linux security information: Linux Security
WWW112
• Infilsec has a vulnerability engine that can tell you what vulnerabilities affect a
specific platform: http://www.infilsec.com/vulnerabilities/
• CIAC sends out periodic security bulletins on common exploits:
http://ciac.llnl.gov/cgi-bin/index/bulletins
• A good starting point for Linux Pluggable Authentication modules can be found
at http://www.kernel.org/pub/linux/libs/pam/.
• The Debian project has a web page for their security fixes and information. It is at
http://www.debian.com/security/.
• WWW Security FAQ, written by Lincoln Stein, is a great web security reference.
Find it at http://www.w3.org/Security/Faq/www-security-faq.html
Mailing Lists
Bugtraq: To subscribe to bugtraq, send mail to listserv@netspace.org containing the
message body subscribe bugtraq. (see links above for archives).
CIAC: Send e-mail to majordomo@tholia.llnl.gov. In the BODY (not subject) of the
message put (either or both): subscribe ciac-bulletin
Red Hat has a number of mailing lists, the most important of which is the redhatannounce
list. You can read about security (and other) fixes as soon as they come out.
Send email to redhat-announce-list-request@redhat.com with the Subject Subscribe
See https://listman.redhat.com/mailman/listinfo/ for more info and archives.
The Debian project has a security mailing list that covers their security fixes. See
http://www.debian.com/security/ for more information.
Books - Printed Reading Material
There are a number of good security books out there. This section lists a few of them.
In addition to the security specific books, security is covered in a number of other
books on system administration.
• Building Internet Firewalls By D. Brent Chapman & Elizabeth D. Zwicky, 1st Edition
September 1995, ISBN: 1-56592-124-0
• Practical UNIX & Internet Security, 2nd Edition By Simson Garfinkel & Gene Spafford,
2nd Edition April 1996, ISBN: 1-56592-148-8
• Computer Security Basics By Deborah Russell & G.T. Gangemi, Sr., 1st Edition July
1991, ISBN: 0-937175-71-4
• Linux Network Administrator’s Guide By Olaf Kirch, 1st Edition January 1995,
ISBN: 1-56592-087-2
• PGP: Pretty Good Privacy By Simson Garfinkel, 1st Edition December 1994, ISBN:
1-56592-098-8
• Computer Crime A Crimefighter’s Handbook By David Icove, Karl Seger &
William VonStorch (Consulting Editor Eugene H. Spafford), 1st Edition August
1995, ISBN: 1-56592-086-4
• Linux Security By John S. Flowers, New Riders; ISBN: 0735700354, March 1999
• Maximum Linux Security : A Hacker’s Guide to Protecting Your Linux Server and
Network, Anonymous, Paperback - 829 pages, Sams; ISBN: 0672313413, July 1999
• Intrusion Detection By Terry Escamilla, Paperback - 416 pages (September 1998),
John Wiley and Sons; ISBN: 0471290009
• Fighting Computer Crime, Donn Parker, Paperback - 526 pages (September 1998),
John Wiley and Sons; ISBN: 0471163783
Glossary
Included below are several of the most frequently used terms in computer security.
A comprehensive dictionary of computer security terms is available in the LinuxSecurity.
com Dictionary120
• authentication: The process of knowing that the data received is the same as the data
that was sent, and that the claimed sender is in fact the actual sender.
• bastion Host: A computer system that must be highly secured because it is vulnerable
to attack, usually because it is exposed to the Internet and is a main point of
contact for users of internal networks. It gets its name from the highly fortified
projects on the outer walls of medieval castles. Bastions overlook critical areas of
defense, usually having strong walls, room for extra troops, and the occasional
useful tub of boiling hot oil for discouraging attackers.
• buffer overflow: Common coding style is to never allocate large enough buffers, and
to not check for overflows. When such buffers overflow, the executing program
(daemon or set-uid program) can be tricked in doing some other things. Generally
this works by overwriting a function’s return address on the stack to point to
another location.
• denial of service: An attack that consumes the resources on your computer for things
it was not intended to be doing, thus preventing normal use of your network resources
for legitimate purposes.
• dual-homed Host: A general-purpose computer system that has at least two network
interfaces.
• firewall: A component or set of components that restricts access between a protected
network and the Internet, or between other sets of networks.
• host: A computer system attached to a network
• IP spoofing: IP Spoofing is a complex technical attack that is made up of several
components. It is a security exploit that works by tricking computers in a trust
relationship into thinking that you are someone that you really aren’t. There is an
extensive paper written by daemon9, route, and infinity in the Volume Seven, Issue
Forty-Eight issue of Phrack Magazine.
• non-repudiation: The property of a receiver being able to prove that the sender of
some data did in fact send the data even though the sender might later deny ever
having sent it.
• packet: The fundamental unit of communication on the Internet.
• packet filtering: The action a device takes to selectively control the flow of data to
and from a network. Packet filters allow or block packets, usually while routing
them from one network to another (most often from the Internet to an internal network,
and vice-versa). To accomplish packet filtering, you set up rules that specify
what types of packets (those to or from a particular IP address or port) are to be
allowed and what types are to be blocked.
• perimeter network: A network added between a protected network and an external
network, in order to provide an additional layer of security. A perimeter network
is sometimes called a DMZ.
• proxy server:Aprogram that deals with external servers on behalf of internal clients.
Proxy clients talk to proxy servers, which relay approved client requests to real
servers, and relay answers back to clients.
• superuser: An informal name for root.
IP Chains&Netfilter - Linux Kernel 2.2.x Firewalling
Linux IP Firewalling Chains is an update to the 2.0 Linux firewalling code for the 2.2
kernel. It has many more features than previous implementations, including:
• More flexible packet manipulations
• More complex accounting
• Simple policy changes possible atomically
• Fragments can be explicitly blocked, denied, etc.
• Logs suspicious packets.
• Can handle protocols other than ICMP/TCP/UDP.
If you are currently using ipfwadm on your 2.0 kernel, there are scripts available to
convert the ipfwadm command format to the format ipchains uses.
Be sure to read the IP Chains HOWTO for further information. It is available at
http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
Netfilter - Linux Kernel 2.4.x Firewalling
In yet another set of advancements to the kernel IP packet filtering code, netfilter
allows users to set up, maintain, and inspect the packet filtering rules in the new 2.4
kernel.
The netfilter subsystem is a complete rewrite of previous packet filtering implementations
including ipchains and ipfwadm. Netfilter provides a large number of improvements,
and it has now become an even more mature and robust solution for
protecting corporate networks.
iptables
is the command-line interface used to manipulate the firewall tables within the kernel.
Netfilter provides a raw framework for manipulating packets as they traverse
through various parts of the kernel. Part of this framework includes support for
masquerading, standard packet filtering, and now more complete network address
translation. It even includes improved support for load balancing requests for a
particular service among a group of servers behind the firewall.
The stateful inspection features are especially powerful. Stateful inspection provides
the ability to track and control the flow of communication passing through the filter.
The ability to keep track of state and context information about a session makes rules
simpler and tries to interpret higher-level protocols.
Additionally, small modules can be developed to perform additional specific functions,
such as passing packets to programs in userspace for processing then reinjecting
back into the normal packet flow. The ability to develop these programs in
userspace reduces the level of complexity that was previously associated with having
to make changes directly at the kernel level.
Other IP Tables references include:
• Oskar Andreasson IP Tables Tutorial80 -- Oskar Andreasson speaks with LinuxSecurity.
com about his comprehensive IP Tables tutorial and how this document can be
used to build a robust firewall for your organization.
• Hal Burgiss Introduces Linux Security Quick-Start Guides81 -- Hal Burgiss has written
two authoritative guides on securing Linux, including managing firewalling.
• Netfilter Homepage82 -- The netfilter/iptables homepage.
• Linux Kernel 2.4 Firewalling Matures: netfilter83 -- This LinuxSecurity.com article describes
the basics of packet filtering, how to get started using iptables, and a list of
the new features available in the latest generation of firewalling for Linux.
Firewalls Linux
Firewalls are ameans of controlling what information is allowed into and out of your
local network. Typically the firewall host is connected to the Internet and your local
LAN, and the only access from your LAN to the Internet is through the firewall. This
way the firewall can control what passes back and forth from the Internet and your
LAN.
There are a number of types of firewalls and methods of setting them up. Linux machines
make pretty good firewalls. Firewall code can be built right into 2.0 and higher
kernels. The user-space tools ipfwadm for 2.0 kernels and ipchains for 2.2 kernels,
allows you to change, on the fly, the types of network traffic you allow. You can also
log particular types of network traffic.
Firewalls are a very useful and important technique in securing your network.
However, never think that because you have a firewall, you don’t need to
secure the machines behind it. This is a fatal mistake. Check out the very good
Firewall-HOWTO at your latest metalab archive for more information on firewalls
and Linux. http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html
More information can also be found in the IP-Masquerade mini-howto:
http://metalab.unc.edu/mdw/HOWTO/mini/IP-Masquerade.html
More information on ipfwadm (the tool that lets you change settings on your firewall,
can be found at it’s home page: http://www.xos.nl/linux/ipfwadm/
If you have no experience with firewalls, and plan to set up one for more than just a
simple security policy, the Firewalls book by O’Reilly and Associates or other online
firewall document is mandatory reading. Check out http://www.ora.com for more
information. The National Institute of Standards and Technology have put together
an excellent document on firewalls. Although dated 1995, it is still quite good. You
can find it at http://csrc.nist.gov/nistpubs/800-10/main.html. Also of interest:
• The Freefire Project -- a list of freely-available firewall tools, available at
http://sites.inka.de/sites/lina/freefire-l/index_en.html
• SunWorld Firewall Design -- written by the authors of the O’Reilly book, this
provides a rough introduction to the different firewall types. It’s available at
http://www.sunworld.com/swol-01-1996/swol-01-firewall.html
• Mason - the automated firewall builder for Linux. This is a firewall script that
learns as you do the things you need to do on your network! More info at:
http://www.pobox.com/~wstearns/mason/
NIS (Network Information Service) (formerly YP).
Network Information service (formerly YP) is a means of distributing information
to a group of machines. The NIS master holds the information tables and converts
them into NIS map files. These maps are then served over the network, allowing NIS
client machines to get login, password, home directory and shell information (all
the information in a standard /etc/passwd file). This allows users to change their
password once and have it take effect on all the machines in the NIS domain.
NIS is not at all secure. It was never meant to be. It was meant to be handy and useful.
Anyone that can guess the name of your NIS domain (anywhere on the net) can get
a copy of your passwd file, and use "crack" and "John the Ripper" against your users’
passwords. Also, it is possible to spoof NIS and do all sorts of nasty tricks. If you
must use NIS, make sure you are aware of the dangers.
There is a much more secure replacement for NIS, called
NIS+. Check out the NIS HOWTO for more information:
http://metalab.unc.edu/mdw/HOWTO/NIS-HOWTO.html
NFS (Network File System) Security.
NFS is a very widely-used file sharing protocol. It allows servers running nfsd and
mountd to "export" entire file systems to other machines using NFS filesystem support
built in to their kernels (or some other client support if they are not Linux machines).
mountd keeps track of mounted file systems in /etc/mtab, and can display them with
showmount.
Many sites use NFS to serve home directories to users, so that no matter what machine
in the cluster they login to, they will have all their home files.
There is some small amount of security allowed in exporting file systems. You can
make your nfsd map the remote root user (uid=0) to the nobody user, denying them
total access to the files exported. However, since individual users have access to their
own (or at least the same uid) files, the remote root user can login or su to their account
and have total access to their files. This is only a small hindrance to an attacker
that has access to mount your remote file systems.
If you must use NFS, make sure you export to only those machines that you really
need to. Never export your entire root directory; export only directories you need to
export.
See the NFS HOWTO for more information on NFS, available at
http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
Denial of Service Attacks
A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource
too busy to answer legitimate requests, or to deny legitimate users access to
your machine.
Denial of service attacks have increased greatly in recent years. Some of the more
popular and recent ones are listed below. Note that new ones show up all the time,
so this is just a few examples. Read the Linux security lists and the bugtraq list and
archives for more current information.
• SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage
of a "loophole" in the way TCP connections are created. The newer Linux
kernels (2.0.30 and up) have several configurable options to prevent SYN flood
attacks from denying people access to your machine or services. See the Section
called Kernel Security for proper kernel protection options.
• Pentium "F00F" Bug - It was recently discovered that a series of assembly codes
sent to a genuine Intel Pentium processor would reboot the machine. This affects
every machine with a Pentium processor (not clones, not Pentium Pro or PII), no
matter what operating system it’s running. Linux kernels 2.0.32 and up contain a
work around for this bug, preventing it from locking your machine. Kernel 2.0.33
has an improved version of the kernel fix, and is suggested over 2.0.32. If you are
running on a Pentium, you should upgrade now!
• Ping Flooding - Ping flooding is a simple brute-force denial of service attack. The
attacker sends a "flood" of ICMP packets to your machine. If they are doing this
from a host with better bandwidth than yours, your machine will be unable to
send anything on the network. A variation on this attack, called "smurfing", sends
ICMP packets to a host with your machine’s return IP, allowing them to flood
you less detectably. You can find more information about the "smurf" attack at
http://www.quadrunner.com/~chuegen/smurf.txt67
If you are ever under a ping flood attack, use a tool like tcpdump to determine
where the packets are coming from (or appear to be coming from), then contact
your provider with this information. Ping floods can most easily be stopped at the
router level or by using a firewall.
• Ping o’ Death - The Ping o’ Death attack sends ICMP ECHO REQUEST packets that
are too large to fit in the kernel data structures intended to store them. Because
sending a single, large (65,510 bytes) "ping" packet to many systems will cause
them to hang or even crash, this problem was quickly dubbed the "Ping o’ Death."
This one has long been fixed, and is no longer anything to worry about.
• Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP
fragmentation code on Linux and Windows platforms. It is fixed in kernel version
2.0.33, and does not require selecting any kernel compile-time options to utilize the
fix. Linux is apparently not vulnerable to the "newtear" exploit.
You can find code for most exploits, and a more in-depth description of how they
work, at http://www.rootshell.com using their search engine.
Network Security
Network security is becoming more and more important as people spend more and
more time connected. Compromising network security is often much easier than
compromising physical or local security, and is much more common.
There are a number of good tools to assist with network security, and more and more
of them are shipping with Linux distributions.
Packet Sniffers
One of the most common ways intruders gain access to more systems on your network
is by employing a packet sniffer on a already compromised host. This "sniffer"
just listens on the Ethernet port for things like passwd and login and su in the
packet stream and then logs the traffic after that. This way, attackers gain passwords
for systems they are not even attempting to break into. Clear-text passwords are very
vulnerable to this attack.
Example: Host A has been compromised. Attacker installs a sniffer. Sniffer picks up
admin logging into Host B from Host C. It gets the admins personal password as
they login to B. Then, the admin does a su to fix a problem. They now have the root
password for Host B. Later the admin lets someone telnet from his account to Host
Z on another site. Now the attacker has a password/login on Host Z.
In this day and age, the attacker doesn’t even need to compromise a system to do
this: they could also bring a laptop or pc into a building and tap into your net.
Using ssh or other encrypted password methods thwarts this attack. Things like
APOP for POP accounts also prevents this attack. (Normal POP logins are very vulnerable
to this, as is anything that sends clear-text passwords over the network.)
System services and tcp_wrappers
Before you put your Linux system on ANY network the first thing to look at is what
services you need to offer. Services that you do not need to offer should be disabled
so that you have one less thing to worry about and attackers have one less place to
look for a hole.
There are a number of ways to disable services under Linux. You can look at your
/etc/inetd.conf file and see what services are being offered by your inetd. Disable
any that you do not need by commenting them out (# at the beginning of the line),
and then sending your inetd process a SIGHUP.
You can also remove (or comment out) services in your /etc/services file. This
will mean that local clients will also be unable to find the service (i.e., if you re
remove
ftp, and try and ftp to a remote site from that machine it will fail with an "unknown
service" message). It’s usually not worth the trouble to remove services from
/etc/services, since it provides no additional security. If a local person wanted to
use ftp even though you had commented it out, they would make their own client
that used the common FTP port and would still work fine.
Some of the services you might want to leave enabled are:
• ftp
• telnet (or ssh)
• mail, such as pop-3 or imap
• identd
If you know you are not going to use some particular package, you can also delete
it entirely. rpm -e packagename under the Red Hat distribution will erase an entire
package. Under Debian dpkg --remove does the same thing.
Additionally, you really want to disable the rsh/rlogin/rcp utilities, including login
(used by rlogin), shell (used by rcp), and exec (used by rsh) from being started in
/etc/inetd.conf. These protocols are extremely insecure and have been the cause
of exploits in the past.
You should check /etc/rc.d/rc[0-9].d (on Red Hat; /etc/rc[0-9].d on
Debian), and see if any of the servers started in those directories are not needed.
The files in those directories are actually symbolic links to files in the directory
/etc/rc.d/init.d (on Red Hat; /etc/init.d on Debian). Renaming the files in
the init.d directory disables all the symbolic links that point to that file. If you only
wish to disable a service for a particular run level, rename the appropriate symbolic
link by replacing the upper-case S with a lower-case s, like this:
root# cd /etc/rc6.d
root# mv S45dhcpd s45dhcpd
If you have BSD-style rc files, you will want to check /etc/rc* for programs you
don’t need.
Most Linux distributions ship with tcp_wrappers "wrapping" all your TCP services.
A tcp_wrapper (tcpd) is invoked from inetd instead of the real server. tcpd then
checks the host that is requesting the service, and either executes the real server, or
denies access from that host. tcpd allows you to restrict access to your TCP services.
You should make a /etc/hosts.allow and add in only those hosts that need to have
access to your machine’s services.
If you are a home dial up user, we suggest you deny ALL. tcpd also logs failed attempts
to access services, so this can alert you if you are under attack. If you add new
services, you should be sure to configure them to use tcp_wrappers if they are TCPbased.
For example, a normal dial-up user can prevent outsiders from connecting to
his machine, yet still have the ability to retrieve mail, and make network connections
to the Internet. To do this, you might add the following to your /etc/hosts.allow:
ALL: 127.
And of course /etc/hosts.deny would contain:
ALL: ALL
which will prevent external connections to your machine, yet still allow you from the
inside to connect to servers on the Internet.
Keep in mind that tcp_wrappers only protects services executed from inetd, and a
select few others. There very well may be other services running on your machine.
You can use netstat -ta to find a list of all the services your machine is offering.
X11, SVGA and display security
X11
It’s important for you to secure your graphical display to prevent attackers from grabbing
your passwords as you type them, reading documents or information you are
reading on your screen, or even using a hole to gain root access. Running remote X
applications over a network also can be fraught with peril, allowing sniffers to see all
your interaction with the remote system.
X has a number of access-control mechanisms. The simplest of them is host-based:
you use xhost to specify the hosts that are allowed access to your display. This is not
very secure at all, because if someone has access to your machine, they can xhost +
their machine and get in easily. Also, if you have to allow access from an untrusted
machine, anyone there can compromise your display.
When using xdm (X Display Manager) to log in, you get a much better access
method: MIT-MAGIC-COOKIE-1. A 128-bit "cookie" is generated and stored in your
.Xauthority file. If you need to allow a remote machine access to your display,
you can use the xauth command and the information in your .Xauthority file
to provide access to only that connection. See the Remote-X-Apps mini-howto,
available at http://metalab.unc.edu/LDP/HOWTO/mini/Remote-X-Apps.html.
You can also use ssh (see the Section called ssh (Secure Shell) and stelnet, above) to
allow secure X connections. This has the advantage of also being transparent to the
end user, and means that no unencrypted data flows across the network.
You can also disable any remote connections to your X server by using the ’-nolisten
tcp’ options to your X server. This will prevent any network connections to your
server over tcp sockets.
Take a look at the Xsecurity man page for more information on X security. The safe
bet is to use xdm to login to your console and then use ssh to go to remote sites on
which you wish to run X programs.
SVGA
SVGAlib programs are typically SUID-root in order to access all your Linux machine’s
video hardware. This makes them very dangerous. If they crash, you typically
need to reboot your machine to get a usable console back. Make sure any SVGA
programs you are running are authentic, and can at least be somewhat trusted. Even
better, don’t run them at all.
GGI (Generic Graphics Interface project)
The Linux GGI project is trying to solve several of the problems with video interfaces
on Linux. GGI will move a small piece of the video code into the Linux kernel, and
then control access to the video system. This means GGI will be able to restore your
console at any time to a known good state. They will also allow a secure attention
key, so you can be sure that there is no Trojan horse login program running on your
console. http://synergy.caltech.edu/~ggi/
"Crack" and "John the Ripper"
If for some reason your passwd program is not enforcing hard-to-guess passwords,
you might want to run a password-cracking program and make sure your users’
passwords are secure.
Password cracking programs work on a simple idea: they try every word in the dictionary,
and then variations on those words, encrypting each one and checking it
against your encrypted password. If they get a match they know what your password
is.
There are a number of programs out there...the two most notable of which are "Crack"
and "John the Ripper" (http://www.openwall.com/john/) . They will take up a lot of
your CPU time, but you should be able to tell if an attacker could get in using them by
running them first yourself and notifying users with weak passwords. Note that an
attacker would have to use some other hole first in order to read your /etc/passwd
file, but such holes are more common than you might think.
Because security is only as strong as the most insecure host, it is worth mentioning
that if you have any Windows machines on your network, you should check
out L0phtCrack, a Crack implementation for Windows. It’s available from
http://www.l0pht.com
CFS - Cryptographic File System and TCFS - Transparent
Cryptographic File System
CFS is a way of encrypting entire directory trees and allowing users to store encrypted
files on them. It uses an NFS server running on the local machine. RPMS
are available at http://www.zedz.net/redhat/, and more information on how it all
works is at ftp://ftp.research.att.com/dist/mab/.
TCFS improves on CFS by adding more integration with the file system, so that
it’s transparent to users that the file system that is encrypted. More information at:
http://www.tcfs.it/.
It also need not be used on entire file systems. It works on directory trees as well.
Cryptographic IP Encapsulation (CIPE)
The primary goal of this software is to provide a facility for secure (against eavesdropping,
including traffic analysis, and faked message injection) subnetwork interconnection
across an insecure packet network such as the Internet.
CIPE encrypts the data at the network level. Packets traveling between hosts on the
network are encrypted. The encryption engine is placed near the driver which sends
and receives packets.
This is unlike SSH, which encrypts the data by connection, at the socket level. A
logical connection between programs running on different hosts is encrypted.
CIPE can be used in tunnelling, in order to create a Virtual Private Network. Lowlevel
encryption has the advantage that it can be made to work transparently between
the two networks connected in the VPN, without any change to application software.
Summarized from the CIPE documentation:
“The IPSEC standards define a set of protocols which can be used (among other
things) to build encrypted VPNs. However, IPSEC is a rather heavyweight and complicated
protocol set with a lot of options, implementations of the full protocol set
are still rarely used and some issues (such as key management) are still not fully resolved.
CIPE uses a simpler approach, in which many things which can be parameterized
(such as the choice of the actual encryption algorithm used) are an install-time
fixed choice. This limits flexibility, but allows for a simple (and therefore efficient,
easy to debug...) implementation.”
Further information can be found at http://www.inka.de/~bigred/devel/cipe.html
As with other forms of cryptography, it is not distributed with the kernel by default
due to export restrictions.
Kerberos
Kerberos is an authentication system developed by the Athena Project at MIT. When
a user logs in, Kerberos authenticates that user (using a password), and provides the
user with a way to prove her identity to other servers and hosts scattered around the
network.
This authentication is then used by programs such as rlogin to allow the user to
login to other hosts without a password (in place of the .rhosts file). This authentication
method can also used by the mail system in order to guarantee that mail is
delivered to the correct person, as well as to guarantee that the sender is who he
claims to be.
Kerberos and the other programs that come with it, prevent users from "spoofing"
the system into believing they are someone else. Unfortunately, installing Kerberos
is very intrusive, requiring the modification or replacement of numerous standard
programs.
You can find more information about kerberos by looking at the kerberos FAQ42, and
the code can be found at http://nii.isi.edu/info/kerberos/.
[From: Stein, Jennifer G., Clifford Neuman, and Jeffrey L. Schiller. "Kerberos: An Authentication
Service for Open Network Systems." USENIX Conference Proceedings,
Dallas, Texas, Winter 1998.]
Kerberos should not be your first step in improving security of your host. It is quite
involved, and not as widely used as, say, SSH.
Shadow Passwords.
Shadow passwords are a means of keeping your encrypted password information
secret from normal users. Recent versions of both Red Hat and Debian Linux use
shadow passwords by default, but on other systems, encrypted passwords are stored
in /etc/passwd file for all to read. Anyone can then run password-guesser programs
on them and attempt to determine what they are. Shadow passwords, by contrast,
are saved in /etc/shadow, which only privileged users can read. In order to use
shadow passwords, you need to make sure all your utilities that need access to password
information are recompiled to support them. PAM (above) also allows you
to just plug in a shadow module; it doesn’t require re-compilation of executables.
You can refer to the Shadow-Password HOWTO for further information if necessary.
It is available at http://metalab.unc.edu/LDP/HOWTO/Shadow-Password-
HOWTO.html It is rather dated now, and will not be required for distributions supporting
PAM.
ssh (Secure Shell) and stelnet
ssh and stelnet are suites of programs that allow you to login to remote systems
and have a encrypted connection.
openssh is a suite of programs used as a secure replacement for rlogin, rsh and rcp.
It uses public-key cryptography to encrypt communications between two hosts, as
well as to authenticate users. It can be used to securely login to a remote host or copy
data between hosts, while preventing man-in-the-middle attacks (session hijacking)
and DNS spoofing. It will perform data compression on your connections, and secure
X11 communications between hosts.
There are several ssh implementiations now. The original commercial
implementation by Data Fellows can be found at The ssh home page can be found
at http://www.datafellows.com.
The excellent Openssh implementation is based on a early version of the datafellows
ssh and has been totally reworked to not include any patented or proprietary pieces.
It is free and under a BSD license. It can be found at: http://www.openssh.com.
There is also a open source project to re-implement ssh from the ground up called
"psst...". For more information see: http://www.net.lut.ac.uk/psst/
You can also use ssh from your Windows workstation to your Linux ssh server.
There are several freely available Windows client implementations, including the
one at http://guardian.htu.tuwien.ac.at/therapy/ssh/ as well as a commercial implementation
from DataFellows, at http://www.datafellows.com.
SSLeay is a free implementation of Netscape’s Secure Sockets Layer protocol, developed
by Eric Young. It includes several applications, such as Secure telnet, a module
for Apache, several databases, as well as several algorithms including DES, IDEA
and Blowfish.
Using this library, a secure telnet replacement has been created that does encryption
over a telnet connection. Unlike SSH, stelnet uses SSL, the Secure Sockets Layer protocol
developed by Netscape. You can find Secure telnet and Secure FTP by starting
with the SSLeay FAQ, available at http://www.psy.uq.oz.au/~ftp/Crypto/.
SRP is another secure telnet/ftp implementation. From their web page:
“"The SRP project is developing secure Internet software for free worldwide use.
Starting with a fully-secure Telnet and FTP distribution, we hope to supplant weak
networked authentication systems with strong replacements that do not sacrifice
user-friendliness for security. Security should be the default, not an option!" ”
For more information, go to http://www-cs-students.stanford.edu/~tjw/srp/
SSL, S-HTTP and S/MIME
Often users ask about the differences between the various security and encryption
protocols, and how to use them. While this isn’t an encryption document, it is a good
idea to explain briefly what each protocol is, and where to find more information.
• SSL: - SSL, or Secure Sockets Layer, is an encryption method developed by
Netscape to provide security over the Internet. It supports several different
encryption protocols, and provides client and server authentication. SSL operates
at the transport layer, creates a secure encrypted channel of data, and thus can
seamlessly encrypt data of many types. This is most commonly seen when going
to a secure site to view a secure online document with Communicator, and serves
as the basis for secure communications with Communicator, as well as many
other Netscape Communications data encryption. More information can be
found at http://www.consensus.com/security/ssl-talk-faq.html. Information
on Netscape’s other security implementations, and a good starting point for
these protocols is available at http://home.netscape.com/info/security-doc.html.
It’s also worth noting that the SSL protocol can be used to pass
many other common protocols, "wrapping" them for security. See
http://www.quiltaholic.com/rickk/sslwrap/
• S-HTTP: - S-HTTP is another protocol that provides security services across the
Internet. It was designed to provide confidentiality, authentication, integrity, and
non-repudiability [cannot be mistaken for someone else] while supporting multiple
key-management mechanisms and cryptographic algorithms via option negotiation
between the parties involved in each transaction. S-HTTP is limited to the
specific software that is implementing it, and encrypts each message individually.
[ From RSA Cryptography FAQ, page 138]
• S/MIME: - S/MIME, or Secure Multipurpose Internet Mail Extension, is an encryption
standard used to encrypt electronic mail and other types of messages
on the Internet. It is an open standard developed by RSA, so it is likely we will
see it on Linux one day soon. More information on S/MIME can be found at
http://home.netscape.com/assist/security/smime/overview.html.
Password Security and Encryption
One of the most important security features used today are passwords. It is important
for both you and all your users to have secure, unguessable passwords. Most of the
more recent Linux distributions include passwd programs that do not allow you to
set a easily guessable password. Make sure your passwd program is up to date and
has these features.
In-depth discussion of encryption is beyond the scope of this document, but an introduction
is in order. Encryption is very useful, possibly even necessary in this day
and age. There are all sorts of methods of encrypting data, each with its own set of
characteristics.
Most Unicies (and Linux is no exception) primarily use a one-way encryption algorithm,
called DES (Data Encryption Standard) to encrypt your passwords. This
encrypted password is then stored in (typically) /etc/passwd (or less commonly)
/etc/shadow. When you attempt to login, the password you type in is encrypted
again and compared with the entry in the file that stores your passwords. If they
match, it must be the same password, and you are allowed access. Although DES is a
two-way encryption algorithm (you can code and then decode a message, given the
right keys), the variant that most Unixes use is one-way. This means that it should
not be possible to reverse the encryption to get the password from the contents of
/etc/passwd (or /etc/shadow).
Brute force attacks, such as "Crack" or "John the Ripper" (see section the Section called
"Crack" and "John the Ripper") can often guess passwords unless your password is
sufficiently random. PAM modules (see below) allow you to use a different encryption
routine with your passwords (MD5 or the like). You can use Crack to your advantage,
as well. Consider periodically running Crack against your own password
database, to find insecure passwords. Then contact the offending user, and instruct
him to change his password.
You can go to http://consult.cern.ch/writeup/security/security_3.html for information
on how to choose a good password.
PGP and Public-Key Cryptography
Public-key cryptography, such as that used for PGP, uses one key for encryption,
and one key for decryption. Traditional cryptography, however, uses the same key
for encryption and decryption; this key must be known to both parties, and thus
somehow transferred from one to the other securely.
To alleviate the need to securely transmit the encryption key, public-key encryption
uses two separate keys: a public key and a private key. Each person’s public key is
available by anyone to do the encryption, while at the same time each person keeps
his or her private key to decrypt messages encrypted with the correct public key.
There are advantages to both public key and private key cryptography, and you can
read about those differences in the RSA Cryptography FAQ19, listed at the end of this
section.
PGP (Pretty Good Privacy) is well-supported on Linux. Versions 2.6.2 and 5.0 are
known to work well. For a good primer on PGP and how to use it, take a look at the
PGP FAQ: http://www.pgp.com/service/export/faq/55faq.cgi
Be sure to use the version that is applicable to your country. Due to export restrictions
by the US Government, strong-encryption is prohibited from being transferred in
electronic form outside the country.
US export controls are now managed by EAR (Export Administration Regulations).
They are no longer governed by ITAR.
There is also a step-by-step guide for configuring PGP on Linux available at
http://mercury.chem.pitt.edu/~angel/LinuxFocus/English/November1997/article7.html.
It was written for the international version of PGP, but is easily adaptable to the
United States version. You may also need a patch for some of the latest versions of
Linux; the patch is available at ftp://metalab.unc.edu/pub/Linux/apps/crypto.
There is a project maintaining a free re-implementation of pgp with open source.
GnuPG is a complete and free replacement for PGP. Because it does not use
IDEA or RSA it can be used without any restrictions. GnuPG is in compliance
with OpenPGP23. See the GNU Privacy Guard web page for more information:
http://www.gnupg.org/24.
More information on cryptography can be found in the RSA cryptography FAQ,
available at http://www.rsa.com/rsalabs/newfaq/. Here you will find information
on such terms as "Diffie-Hellman", "public-key cryptography", "digital certificates",
etc.
Files and File system Security
and File system Security
A few minutes of preparation and planning ahead before putting your systems online
can help to protect them and the data stored on them.
• There should never be a reason for users’ home directories to allow SUID/SGID
programs to be run from there. Use the nosuid option in /etc/fstab for partitions
that are writable by others than root. You may also wish to use nodev and noexec
on users’ home partitions, as well as /var, thus prohibiting execution of programs,
and creation of character or block devices, which should never be necessary anyway.
• If you are exporting file-systems using NFS, be sure to configure /etc/exports
with the most restrictive access possible. This means not using wild cards, not allowing
root write access, and exporting read-only wherever possible.
• Configure your users’ file-creation umask to be as restrictive as possible. See the
Section called Umask Settings.
• If you are mounting file systems using a network file system such as NFS, be sure
to configure /etc/exports with suitable restrictions. Typically, using ‘nodev’, ‘nosuid’,
and perhaps ‘noexec’, are desirable.
• Set file system limits instead of allowing unlimited as is the default. You
can control the per-user limits using the resource-limits PAM module and
/etc/pam.d/limits.conf. For example, limits for group users might look like
this:
@users hard core 0
@users hard nproc 50
@users hard rss 5000
This says to prohibit the creation of core files, restrict the number of processes to
50, and restrict memory usage per user to 5M.
You can also use the /etc/login.defs configuration file to set the same limits.
• The /var/log/wtmp and /var/run/utmp files contain the login records for all users
on your system. Their integrity must be maintained because they can be used to
determine when and from where a user (or potential intruder) has entered your
system. These files should also have 644 permissions, without affecting normal
system operation.
• The immutable bit can be used to prevent accidentally deleting or overwriting a
file that must be protected. It also prevents someone from creating a hard link to
the file. See the chattr(1) man page for information on the immutable bit.
• SUID and SGID files on your system are a potential security risk, and should be
monitored closely. Because these programs grant special privileges to the user who
is executing them, it is necessary to ensure that insecure programs are not installed.
A favorite trick of crackers is to exploit SUID-root programs, then leave a SUID
program as a back door to get in the next time, even if the original hole is plugged.
Find all SUID/SGID programs on your system, and keep track of what they are,
so you are aware of any changes which could indicate a potential intruder. Use the
following command to find all SUID/SGID programs on your system:
root# find / -type f \( -perm -04000 -o -perm -02000 \)
The Debian distribution runs a job each night to determine what SUID files exist. It
then compares this to the previous night’s run. You can look in /var/log/setuid*
for this log.
You can remove the SUID or SGID permissions on a suspicious program with
chmod, then restore them back if you absolutely feel it is necessary.
• World-writable files, particularly system files, can be a security hole if a cracker
gains access to your system and modifies them. Additionally, world-writable directories
are dangerous, since they allow a cracker to add or delete files as he wishes.
To locate all world-writable files on your system, use the following command:
root# find / -perm -2 ! -type l -ls
and be sure you know why those files are writable. In the normal course of operation,
several files will be world-writable, including some from /dev, and symbolic
links, thus the ! -type l which excludes these from the previous find command.
•
Unowned files may also be an indication an intruder has accessed your system.
You can locate files on your system that have no owner, or belong to no group with
the command:
root# find / \( -nouser -o -nogroup \) -print
• Finding .rhosts files should be a part of your regular system administration duties,
as these files should not be permitted on your system. Remember, a cracker
only needs one insecure account to potentially gain access to your entire network.
You can locate all .rhosts files on your system with the following command:
root# find /home -name .rhosts -print
•
Finally, before changing permissions on any system files, make sure you understand
what you are doing. Never change permissions on a file because it seems
like the easy way to get things working. Always determine why the file has that
permission before changing it.
Local Security
The next thing to take a look at is the security in your system against attacks from
local users. Did we just say local users? Yes!
Getting access to a local user account is one of the first things that system intruders
attempt while on their way to exploiting the root account. With lax local security,
they can then "upgrade" their normal user access to root access using a variety of
bugs and poorly setup local services. If you make sure your local security is tight,
then the intruder will have another hurdle to jump.
Local users can also cause a lot of havoc with your system even (especially) if they
really are who they say they are. Providing accounts to people you don’t know or for
whom you have no contact information is a very bad idea.
Creating New Accounts
You should make sure you provide user accounts with only the minimal requirements
for the task they need to do. If you provide your son (age 10) with an account,
you might want him to only have access to a word processor or drawing program,
but be unable to delete data that is not his.
Several good rules of thumb when allowing other people legitimate access to your
Linux machine:
• Give them the minimal amount of privileges they need.
• Be aware when/where they login from, or should be logging in from.
• Make sure you remove inactive accounts, which you can determine by using the
’last’ command and/or checking log files for any activity by the user.
• The use of the same userid on all computers and networks is advisable to ease
account maintenance, and permits easier analysis of log data.
• The creation of group user-id’s should be absolutely prohibited. User accounts also
provide accountability, and this is not possible with group accounts.
Many local user accounts that are used in security compromises have not been used
in months or years. Since no one is using them they, provide the ideal attack vehicle.
Root Security
The most sought-after account on your machine is the root (superuser) account. This
account has authority over the entire machine, which may also include authority
over other machines on the network. Remember that you should only use the root
account for very short, specific tasks, and should mostly run as a normal user. Even
small mistakes made while logged in as the root user can cause problems. The less
time you are on with root privileges, the safer you will be.
Several tricks to avoid messing up your own box as root:
• When doing some complex command, try running it first in a non-destructive
way...especially commands that use globing: e.g., if you want to do rm foo*.bak,
first do ls foo*.bak and make sure you are going to delete the files you think you
are. Using echo in place of destructive commands also sometimes works.
• Provide your users with a default alias to the rm command to ask for confirmation
for deletion of files.
• Only become root to do single specific tasks. If you find yourself trying to figure
out how to do something, go back to a normal user shell until you are sure what
needs to be done by root.
• The command path for the root user is very important. The command path (that is,
the PATH environment variable) specifies the directories in which the shell searches
for programs. Try to limit the command path for the root user as much as possible,
and never include . (which means "the current directory") in your PATH. Additionally,
never have writable directories in your search path, as this can allow attackers
to modify or place new binaries in your search path, allowing them to run as root
the next time you run that command.
• Never use the rlogin/rsh/rexec suite of tools (called the r-utilities) as root. They
are subject to many sorts of attacks, and are downright dangerous when run as
root. Never create a .rhosts file for root.
• The /etc/securetty file contains a list of terminals that root can login from. By
default (on Red Hat Linux) this is set to only the local virtual consoles(vtys). Be
very wary of adding anything else to this file. You should be able to login remotely
as your regular user account and then su if you need to (hopefully over the Section
called ssh (Secure Shell) and stelnet or other encrypted channel), so there is no
need to be able to login directly as root.
• Always be slow and deliberate running as root. Your actions could affect a lot of
things. Think before you type!
If you absolutely positively need to allow someone (hopefully very trusted) to have
root access to your machine, there are a few tools that can help. sudo allows users to
use their password to access a limited set of commands as root. This would allow you
to, for instance, let a user be able to eject and mount removable media on your Linux
box, but have no other root privileges. sudo also keeps a log of all successful and
unsuccessful sudo attempts, allowing you to track down who used what command
to do what. For this reason sudo works well even in places where a number of people
have root access, because it helps you keep track of changes made.
Although sudo can be used to give specific users specific privileges for specific tasks,
it does have several shortcomings. It should be used only for a limited set of tasks,
like restarting a server, or adding new users. Any program that offers a shell escape
will give root access to a user invoking it via sudo. This includes most editors, for
example. Also, a program as innocuous as /bin/cat can be used to overwrite files,
which could allow root to be exploited. Consider sudo as a means for accountability,
and don’t expect it to replace the root user and still be secure.