DOCSLIB.ORG

Securing Debian Manual

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Securing Debian Manual Javier Fernández-Sanguino Peña <[email protected]> ‘Authors’ on this page Version: 3.13, Sun, 30 Jan 2011 19:58:16 +0000 Abstract This document describes security in the Debian project and in the Debian operating system. Starting with the process of securing and hardening the default Debian GNU/Linux distribu- tion installation, it also covers some of the common tasks to set up a secure network environ- ment using Debian GNU/Linux, gives additional information on the security tools available and talks about how security is enforced in Debian by the security and audit team. Copyright Notice Copyright © 2002-2007 Javier Fernández-Sanguino Peña Copyright © 2001 Alexander Reelsen, Javier Fernández-Sanguino Peña Copyright © 2000 Alexander Reelsen Some sections are copyright © their respective authors, for details please refer to ‘Credits and thanks!’ on page 28. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 (http://www.gnu.org/licenses/ old-licenses/gpl-2.0.html) or any later version (http://www.gnu.org/copyleft/ gpl.html) published by the Free Software Foundation. It is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY. Permission is granted to make and distribute verbatim copies of this document provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this document under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this document into another lan- guage, under the above conditions for modified versions, except that this permission notice may be included in translations approved by the Free Software Foundation instead of in the original English. i Contents 1 Introduction 1 1.1 Authors...........................................1 1.2 Where to get the manual (and available formats)...................2 1.3 Organizational notes/feedback.............................3 1.4 Prior knowledge......................................3 1.5 Things that need to be written (FIXME/TODO)....................3 1.6 Changelog/History....................................6 1.6.1 Version 3.15 (December 2010)..........................6 1.6.2 Version 3.14 (March 2009)............................7 1.6.3 Version 3.13 (Februrary 2008)..........................7 1.6.4 Version 3.12 (August 2007)...........................7 1.6.5 Version 3.11 (January 2007)...........................7 1.6.6 Version 3.10 (November 2006)..........................9 1.6.7 Version 3.9 (October 2006)............................9 1.6.8 Version 3.8 (July 2006)..............................9 1.6.9 Version 3.7 (April 2006)............................. 10 1.6.10 Version 3.6 (March 2006)............................. 10 1.6.11 Version 3.5 (November 2005).......................... 11 1.6.12 Version 3.4 (August-September 2005)..................... 11 1.6.13 Version 3.3 (June 2005).............................. 11 1.6.14 Version 3.2 (March 2005)............................. 12 1.6.15 Version 3.1 (January 2005)............................ 12 1.6.16 Version 3.0 (December 2004)........................... 13 CONTENTS ii 1.6.17 Version 2.99 (March 2004)............................ 13 1.6.18 Version 2.98 (December 2003).......................... 14 1.6.19 Version 2.97 (September 2003).......................... 14 1.6.20 Version 2.96 (August 2003)........................... 14 1.6.21 Version 2.95 (June 2003)............................. 14 1.6.22 Version 2.94 (April 2003)............................. 15 1.6.23 Version 2.93 (March 2003)............................ 15 1.6.24 Version 2.92 (February 2003).......................... 15 1.6.25 Version 2.91 (January/February 2003)..................... 16 1.6.26 Version 2.9 (December 2002)........................... 16 1.6.27 Version 2.8 (November 2002).......................... 16 1.6.28 Version 2.7 (October 2002)............................ 17 1.6.29 Version 2.6 (September 2002).......................... 17 1.6.30 Version 2.5 (September 2002).......................... 17 1.6.31 Version 2.5 (August 2002)............................ 17 1.6.32 Version 2.4..................................... 21 1.6.33 Version 2.3..................................... 21 1.6.34 Version 2.3..................................... 21 1.6.35 Version 2.2..................................... 22 1.6.36 Version 2.1..................................... 22 1.6.37 Version 2.0..................................... 22 1.6.38 Version 1.99.................................... 24 1.6.39 Version 1.98.................................... 24 1.6.40 Version 1.97.................................... 24 1.6.41 Version 1.96.................................... 24 1.6.42 Version 1.95.................................... 25 1.6.43 Version 1.94.................................... 25 1.6.44 Version 1.93.................................... 25 1.6.45 Version 1.92.................................... 25 1.6.46 Version 1.91.................................... 25 1.6.47 Version 1.9..................................... 26 CONTENTS iii 1.6.48 Version 1.8..................................... 26 1.6.49 Version 1.7..................................... 26 1.6.50 Version 1.6..................................... 27 1.6.51 Version 1.5..................................... 27 1.6.52 Version 1.4..................................... 27 1.6.53 Version 1.3..................................... 28 1.6.54 Version 1.2..................................... 28 1.6.55 Version 1.1..................................... 28 1.6.56 Version 1.0..................................... 28 1.7 Credits and thanks!.................................... 28 2 Before you begin 31 2.1 What do you want this system for?........................... 31 2.2 Be aware of general security problems......................... 31 2.3 How does Debian handle security?........................... 34 3 Before and during the installation 35 3.1 Choose a BIOS password................................. 35 3.2 Partitioning the system.................................. 35 3.2.1 Choose an intelligent partition scheme.................... 35 3.3 Do not plug to the Internet until ready......................... 37 3.4 Set a root password.................................... 38 3.5 Activate shadow passwords and MD5 passwords.................. 38 3.6 Run the minimum number of services required.................... 38 3.6.1 Disabling daemon services........................... 39 3.6.2 Disabling inetd or its services......................... 41 3.7 Install the minimum amount of software required.................. 41 3.7.1 Removing Perl.................................. 43 3.8 Read the Debian security mailing lists......................... 45 CONTENTS iv 4 After installation 47 4.1 Subscribe to the Debian Security Announce mailing list............... 47 4.2 Execute a security update................................ 48 4.2.1 Security update of libraries........................... 49 4.2.2 Security update of the kernel.......................... 49 4.3 Change the BIOS (again)................................. 51 4.4 Set a LILO or GRUB password............................. 51 4.5 Disable root prompt on the initramfs.......................... 52 4.6 Remove root prompt on the kernel........................... 52 4.7 Restricting console login access............................. 53 4.8 Restricting system reboots through the console.................... 54 4.9 Mounting partitions the right way........................... 54 4.9.1 Setting /tmp noexec............................... 55 4.9.2 Setting /usr read-only.............................. 56 4.10 Providing secure user access............................... 56 4.10.1 User authentication: PAM............................ 56 4.10.2 Limiting resource usage: the limits.conf file............... 59 4.10.3 User login actions: edit /etc/login.defs ................. 61 4.10.4 Restricting ftp: editing /etc/ftpusers ................... 62 4.10.5 Using su...................................... 63 4.10.6 Using sudo.................................... 63 4.10.7 Disallow remote administrative access..................... 63 4.10.8 Restricting users’s access............................ 63 4.10.9 User auditing................................... 64 4.10.10 Reviewing user profiles............................. 66 4.10.11 Setting users umasks............................... 66 4.10.12 Limiting what users can see/access...................... 67 4.10.13 Generating user passwords........................... 69 4.10.14 Checking user passwords............................ 69 4.10.15 Logging off idle users.............................. 70 4.11 Using tcpwrappers.................................... 70 CONTENTS v 4.12 The importance of logs and alerts............................ 71 4.12.1 Using and customizing logcheck ....................... 72 4.12.2 Configuring where alerts are sent....................... 73 4.12.3 Using a loghost.................................. 73 4.12.4 Log file permissions............................... 74 4.13 Adding kernel patches.................................. 75 4.14 Protecting against buffer overflows........................... 77 4.14.1 Kernel patch protection for buffer overflows................. 77 4.14.2 Testing programs for overflows......................... 78 4.15 Secure
Recommended publications
  • BSD UNIX Toolbox 1000+ Commands for Freebsd, Openbsd

    BSD UNIX Toolbox 1000+ Commands for Freebsd, Openbsd

    76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page i BSD UNIX® TOOLBOX 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page ii 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iii BSD UNIX® TOOLBOX 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®Power Users Christopher Negus François Caen 76034ffirs.qxd:Toolbox 4/2/08 12:50 PM Page iv BSD UNIX® Toolbox: 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD® Power Users Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-37603-4 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 Library of Congress Cataloging-in-Publication Data is available from the publisher. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permis- sion should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
  • 9 Caching Proxy Server

    9 Caching Proxy Server

    webXaccelerator: Owner's Guide by Luis Soltero, Ph.D., MCS Revision 1.06 February 10, 2010 (v1.2.3.10-RELEASE) Copyright © 2010 Global Marine Networks, LLC Table of Contents 1 Quick Start..............................................................................................................................................5 2 Introduction.............................................................................................................................................8 3 Initial Installation and Configuration......................................................................................................9 3.1 Connections.....................................................................................................................................9 3.2 Power-up..........................................................................................................................................9 3.3 Power-down...................................................................................................................................10 3.4 Web Administrator........................................................................................................................10 3.5 LAN Setup.....................................................................................................................................10 3.6 WAN Setup....................................................................................................................................11 3.7 WAN2 (Backup WAN) Setup........................................................................................................13
  • Configuracion De Un Servidor Proxy Para Filtrado De Contenidos Web En Ubuntu Linux

    Configuracion De Un Servidor Proxy Para Filtrado De Contenidos Web En Ubuntu Linux

    Configuracion de un Servidor Proxy para Filtrado de Contenidos Web en Ubuntu Linux ¿Qué es un Proxy? «Proxy» tiene un significado muy general y al mismo tiempo ambiguo, sinónimo del concepto de «Intermediario». Se suele traducir como delegado o apoderado. Un Servidor Intermediario (Proxy) se define como una computadora o dispositivo que ofrece un servicio de red que consiste en permitir a los clientes realizar conexiones de red indirectas hacia otros servicios de red. Durante el proceso ocurre lo siguiente: -Cliente se conecta hacia un Servidor Intermediario (Proxy). -Cliente solicita una conexión, fichero u otro recurso disponible en un servidor distinto. -Servidor Intermediario (Proxy) proporciona el recurso ya sea conectándose hacia el servidor especificado o sirviendo éste desde un caché. -En algunos casos el Servidor Intermediario (Proxy) puede alterar la solicitud del cliente o bien la respuesta del servidor para diversos propósitos. Los Servidores Intermediarios (Proxies) generalmente se hacen trabajar simultáneamente como muro cortafuegos operando en el Nivel de Red, actuando como filtro de paquetes, como en el caso de IPTABLES, o bien operando en el Nivel de Aplicación, controlando diversos servicios, como es el caso de TCP Wrapper. Dependiendo del contexto, el muro cortafuegos también se conoce como BPD o Border Protection Device o simplemente filtro de paquetes. Tipos de Proxy ● Proxy de web / Proxy cache de web ● Proxies transparentes ● Reverse Proxy ● Proxy NAT (Network Address Translation) / Enmascaramiento ● Proxy Abierto ¿Que es Squid? Squid es un programa de software libre que implementa un servidor proxy y un demonio para caché de páginas web. Está especialmente diseñado para ejecutarse bajo entornos tipo Unix.
  • 6.4.0-0 Release of SIMP, Which Is Compatible with Centos and Red Hat Enterprise Linux (RHEL)

    6.4.0-0 Release of SIMP, Which Is Compatible with Centos and Red Hat Enterprise Linux (RHEL)

    SIMP Documentation THE SIMP TEAM Sep 16, 2020 Contents 1 Level of Knowledge 3 1.1 Quick Start................................................4 1.2 Changelogs................................................4 1.3 SIMP Getting Started Guide....................................... 64 1.4 SIMP User Guide............................................ 81 1.5 Contributing to SIMP.......................................... 228 1.6 SIMP Security Concepts......................................... 263 1.7 SIMP Security Control Mapping..................................... 282 1.8 Vulnerability Supplement........................................ 642 1.9 Help................................................... 644 1.10 License.................................................. 652 1.11 Contact.................................................. 652 1.12 Glossary of Terms............................................ 652 Index 669 i ii SIMP Documentation This is the documentation for the 6.4.0-0 release of SIMP, which is compatible with CentOS and Red Hat Enterprise Linux (RHEL). This guide will walk a user through the process of installing and managing a SIMP system. It also provides a mapping of security features to security requirements, which can be used to document a system’s security conformance. Warning: Be EXTREMELY CAREFUL when performing copy/paste operations from this document! Different web browsers and operating systems may substitute incompatible quotes and/or line endings in your files. The System Integrity Management Platform (SIMP) is an Open Source
  • Post-Hearing Comments on Exemption to Prohibition On

    Post-Hearing Comments on Exemption to Prohibition On

    1 UNITED STATES COPYRIGHT OFFICE Rulemaking on Exemptions from Prohibition on Circumvention of Technological Measures that Control Access to Copyrighted Works Docket No. RM 2002-4 RESPONSE TO WRITTEN QUESTIONS OF JUNE 5, 2003 of N2H2, INC., 8e6 Technologies, Bsafe Online Submitted by: David Burt June 30, 2003 N2H2, Inc. 900 4th Avenue, Suite 3600 Seattle, WA 98164 Tel: (206) 982-1130; Fax: (509) 271-4226 Email: [email protected] 2 The Question Posed by the Copyright Office 3 Problems with Narrowing the Exemption to Exclude "Security Suites" 5 First Amendment Concerns Expressed by Proponents are Misplaced 8 Concerns that CIPA Requires Schools and Libraries to Use "Closed Lists" are Misplaced 9 Opponents Do Not Believe the Record Justifies an Exemption 11 The Threats Posed by the Exemption are Real 18 Conclusion 19 Footnotes 20 3 The Question Posed by the Copyright Office On June 5th, 2003, the Copyright Office asked the opponents of the proposed exemption for "Compilations consisting of lists of websites blocked by filtering software applications" for our response to the following: Please clarify, as specifically as possible, the types of applications you believe should or should not be subject to an exception for the circumvention of access controls on filtering software lists, if such an exception is recommended. Please provide any documentation and/or citations that will support any of the factual assertions you make in answering these questions. The opponents of the exemption do not believe any exemption is justified because there is no supporting record to justify it. The opponents further believe that a narrowed exemption designed to exclude "security suite" applications that include lists of blocked websites would unfairly render the databases of some vendors of lists of blocked websites with protection and others without on an arbitrary basis.
  • Ipcop Linux Release 1.4.X Zum Kennenlernen

    Ipcop Linux Release 1.4.X Zum Kennenlernen

    IPcop Linux release 1.4.x zum Kennenlernen Bruno Hopp Jan. 2006 Linuxuser der Universität zu Köln: www.uni-koeln.de/themen/linux Warum ausgerechnet IPcop ?? Vorteile: recycling eines ausgedienten PC möglich. Bislang IPcop auf i386-i686 etabliert, IPcop für Alpha gibt es schon, für Sparc|Ultrasparc nicht geplant. Standardhardware (NIC) wird unterstützt: alle NIC-driver sind als Module ausgelegt. Interfaces: Modem: JA ISDN: JA Ethernet: JA GB-Ethernet: ist in Arbeit, z.Zt. nur einige wenige Adapter unterstützt. Dedizierter HW-router kann besser spezialisierte Auf- gaben (package filtering) erledigen als eine workstation, auf der "nebenher" noch nameserver (bind9), Samba und ein grafisches Interface laufen. Software ● bis release 1.3 auf RedHat Linux basierend, Installation ncurses-basiert ● Grundlegende Überarbeitung ab release 1.4.x LSB conform, Linux from Scratch, angepasste Smoothwall-Skripte ● aktuelle IPcop releases 1.4.9/1.4.10 mit Kernel 2.4.31, kernel 2.6.x in Planung ● iptables 1.4.1; OpenSSH 3.9p1; OpenSSL 0.9.7e-fips; Apache 1.3.33 (build oct.2005) Perl 5.8.5; GRUB 0.9.5; vim 6.3 IPcop basics ● unterliegt der GNU/GPL ● Routing: forwarding & NAT ● Was kann/soll ein Router neben dem reinen ¹Routingª noch tun? ● Package filtering: iptables ● Web traffic: Proxy Squid ± SquidGuard ± DansGuardian ± URL-filter ● Pop3/Imap: Copfilter u.a. ● Logging lokal oder via Log-server Voraussetzungen zur Installation Download des ca. 42 MB groûen iso-images von CD booten oder Startdiskette+ image von Webserver hda wird kpl neu formatiert mit ext3 (egal ob 500 MB oder 10 GB - Partitionierung nicht beeinflussbar) 486/DX2 mit 16 MB mindestens, 586 (Pentium1)+ 64 MB erlaubt normales Arbeiten - abhängig von Zahl der Requests, der Clients, der Addons etc.
  • Nelson Murilo

    Nelson Murilo

    #! /bin/sh # -*- Shell-script -*- # $Id: chkrootkit, v 0.44 2004/09/01 CHKROOTKIT_VERSION='0.44' # Authors: Nelson Murilo <nelson@pa ngeia.com.br> (main author) and # Klaus Steding-Jessen <[email protected]> # # (C)1997-2004 Nelson Murilo, Pangeia Informatica, AMS Foun dation and others. # All rights reserved ### workaround for some Bourne shell implementations unalias login > /dev/null 2>&1 unalias ls > /dev/null 2>&1 unalias netstat > /dev/null 2>&1 unalias ps > /dev/null 2>&1 unalias dirname > /dev/null 2>&1 # Native commands TROJAN="amd basename biff chfn chsh cron date du dirname echo egrep env find \ fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall \ ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 \ ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \ tcpdump top telnetd timed traceroute vdir w write" # Tools TOOLS="aliens asp bindshell lkm r exedcs sniffer w55808 wted scalper slapper z2" # Return Codes INFECTED=0 NOT_INFECTED=1 NOT_TESTED=2 NOT_FOUND=3 INFECTED_BUT_DISABL ED=4 # Many trojaned commands have this label GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark" ######################### ############################################# # tools functions # # 55808.A Worm # w55808 (){ W55808_FILES="${ROOTDIR}tmp/.../a ${RO OTDIR}tmp/.../r" STATUS=0 for i in ${W55808_FILES}; do if [ -f ${i} ]; then STATUS=1 fi done if [ ${STATUS} -eq 1 ] ;then echo "Warn ing: Possible 55808 Worm installed" else if [ "${QUIET}" != "t" ]; then echo "not infected"; fi return
  • Hack Proofing Sun Solaris 8.Pdf

    Hack Proofing Sun Solaris 8.Pdf

    158_hack_sun_FC 11/11/01 2:46 PM Page 1 1 YEAR UPGRADE BUYER PROTECTION PLAN ™ Protect Your Solaris Network from Attack • Complete Coverage of Solaris 8 C2 and Trusted Solaris 8 • Hundreds of Damage & Defense,Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs • Step-by-Step Instructions for Making the Most of Solaris 8 Security Enhancements Wyman Miles Ed Mitchell F. William Lynch Randy Cook Technical Editor From the authors of the bestsellingbes-selling HACK PROOFING™ YOUR NETWORK 158_HPsun_FM 10/5/01 5:07 PM Page i [email protected] With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based ser- vice that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. [email protected] is an interactive treasure trove of useful infor- mation focusing on our book topics and related technologies. The site offers the following features: I One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. I “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors. I Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
  • Configurando Um Servidor Proxy Com O Squid

    Configurando Um Servidor Proxy Com O Squid

    Configurando um servidor proxy com o Squid Capítulo 2: Compartilhamento, DHCP e Proxy • Configurando um servidor proxy com o Squid o Instalando o Squid o Criando uma configuração básica o Configurando o cache de páginas e arquivos o Adicionando restrições de acesso . Bloqueando por domínios ou palavras . Bloqueando por horário o Gerenciando o uso da banda o Proxy com autenticação o Configurando um proxy transparente o Configuração automática de proxy nos clientes o Mais detalhes sobre a configuração dos caches • Usando o Sarg para monitorar o acesso • Monitorando com o ntop • Usando o SquidGuard para bloquear páginas impróprias • Usando o DansGuardian o Atualizando as blacklists o Proxy transparente com o DansGuardian • Obtendo um endereço fixo, usando um DNS dinâmico Configurando um servidor proxy com o Squid O Squid permite compartilhar a conexão entre vários micros, servindo como um intermediário entre eles e a internet. Usar um proxy é diferente de simplesmente compartilhar a conexão diretamente, via NAT. Ao compartilhar via NAT, os micros da rede acessam a internet diretamente, sem restrições. O servidor apenas repassa as requisições recebidas, como um garoto de recados. O proxy é como um burocrata que não se limita a repassar as requisições: ele analisa todo o tráfego de dados, separando o que pode ou não pode passar e guardando informações para uso posterior. Compartilhar a conexão via NAT é mais simples do que usar um proxy como o Squid sob vários aspectos. Você compartilha a conexão no servidor, configura os clientes para o utilizarem como gateway e pronto. Ao usar um proxy, além da configuração da rede, é necessário configurar o navegador e cada outro programa que for acessar a Internet (em cada um dos clientes da rede) para usar o proxy.
  • Debug Register Rootkits a Study of Malicious Use of the IA-32 Debug Registers

    Debug Register Rootkits a Study of Malicious Use of the IA-32 Debug Registers

    DV1446 – Kandidatarbete i Datavetenskap Bachelor Thesis in Computer Science – Security Engineering Debug register rootkits A study of malicious use of the IA-32 debug registers May 2012 Authors: Emil Persson, Joel Mattsson Supervisor: Ewa Osekowska School of Computing Blekinge Institute of Technology This thesis is submitted to the School of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Bachelor of Science in Computer Science. The thesis is equivalent to 20 weeks of half time studies. Contact Information: Authors: Emil Persson E-mail: [email protected] Joel Mattsson E-mail: [email protected] University advisor: Ewa Osekowska E-mail: [email protected] School of Computing Blekinge Institute of Technology Internet : www.bth.se/com SE–371 79 Karlskrona Phone : +46 455 38 50 00 Sweden Fax : +46 455 38 50 57 Abstract The debug register rootkit is a special type of rootkit that has existed for over a decade, and is told to be undetectable by any scanning tools. It exploits the debug registers in Intel’s IA-32 processor architecture. This paper investigates the debug register rootkit to find out why it is considered a threat, and which malware removal tools have implemented detection algorithms against this threat. By implementing and running a debug register rootkit against the most popular Linux tools, new conclusions about the protection of the Linux system can be reached. Recently, debug register rootkits were found on Windows as well. This project intends to bring knowledge about the problem and investigate if there are any threats.
  • A Freebsd 4.8-RELEASE Operating System Security Checklist

    A Freebsd 4.8-RELEASE Operating System Security Checklist

    A FreeBSD 4.8-RELEASE Security Checklist 页码,1/14 A FreeBSD 4.8-RELEASE Operating System Security Checklist Support the BSD projects by getting a subscription to one or more of the family: FreeBSD, OpenBSD, NetBSD and Darwin Updated: June 12, 2003 Location: http://www.sddi.net/FBSDSecCheckList.html Location of the checklist version: http://www.sddi.net/FBSDSecCheckListaslist.html This document is also available in Portuguese, translated by someone or something that didn't notify me, but is still much appreciated. Assuming it's accurate, of course. If you are part of an institution or business, and you found this document useful, consider paying a fee to assist us in producing more documents and keeping this one up-to-date. You can use Paypal and send to the account of [email protected]. Location: http://www.traduzweb.com.br/scripts/tws.dll/ingport?p=kounen&lg=in_pt&url=http%3A% 2F%2Fwww.sddi.net%2FFBSDSecCheckList.html%23Installation Please note that I haven't spent much time recently on the document, but I do plan to expand and revise. As 5.0 is not meant for production, I will at least wait for 5.1 to be out for a while before I approach locking down FreeBSD 5.x. This document is intended to be a working checklist of security settings implemented on FreeBSD servers version 4.8-RELEASE. There are a number of well-written and often brilliant documents providing overviews, how-to's and faqs on FreeBSD security for the practical systems administrator, but there is no to-the-point, checklist that can be a tool for each time a server is built.
  • Métodos Para Detecção Local De Rootkits E Módulos De Kernel Maliciosos Em Sistemas Unix

    Métodos Para Detecção Local De Rootkits E Módulos De Kernel Maliciosos Em Sistemas Unix

    MÉTODOS PARA DETECÇÃO LOCAL DE ROOTKITS E MÓDULOS DE KERNEL MALICIOSOS EM SISTEMAS UNIX Nelson Murilo Klaus Steding-Jessen Pangéia Informática NIC BR Security Office SRTS 701, 70 cj E, sala 304 Rua Hum, 45 Caixa Postal 6146 70340-902 Brasília-DF 13083-970 Campinas-SP [email protected] [email protected] RESUMO Rootkits são ferramentas utilizadas com freqüência por invasores para ocultar sua presença em máquinas comprometidas, fazendo parte inclusive de alguns Worms e ferramentas de DDoS. Uma invasão pode passar meses sem ser descoberta graças a essas ferramentas. Além das versões tradicionais, rootkits vem sendo imple- mentados também sob a forma de módulos de kernel (LKMs), dificultando a sua detecção. Este artigo descreve o funcionamento desses dois tipos de rootkit, alguns métodos para sua detecção em sistemas Unix e uma ferramenta de código aberto, implementada pelos autores, para detecção automatizada de rootkits. ABSTRACT Rootkits are a very popular technique among intruders to hide themselves in compromised machines. Some rootkits are also used by Worms and DDoS tools. An intrusion can remain undetected for months when such a tool is used by an attacker. Rootkits are also being implemented as Loadable Kernel Modules (LKMs), making them much harder to detect. This paper describes the traditional as well as the LKM-based rootkit and presents some rootkit detection methods for Unix machines. This paper also presents an open source tool, developed by the authors, to detect rootkits. 1 INTRODUÇÃO evolução dos rootkits, seguido da descrição dos com- ponentes e funcionamento dos rootkits tradicionais e Com a popularização de ferramentas de ataque au- também dos implementados sob a forma de LKMs.