Need Linux Help ! (Looking for potential security issues)

Alien (Stalker). Joined: Oct 21, 2006. Posts: 2,166. Location: Cardiff > Wales > UK. Society: The Calypso Rescue Team.
Hey all!

I've never really used linux before, only started using it ~10 weeks ago @ university. I can do ls, cat, javac, java etc :D I'm no super user.

My problem is that now for one subject I've been given a linux system and told to find security flaws with it. Flaws that were intentionally added by the staff, so shouldn't be _too_ hard to find (I hope!). I've tried all I can think of, so far I have:
  • Attempted to look through the user's history files --> found someone setting their UID to 0 (root's?)
  • Run John the ripper, and found some insecure passwords/accounts with no password
  • Looking in the root bashrc file and it included a dot in the path (I know that's bad)

I know there's at least 10 issues, and I've found 5. Could anyone help me with some hints of what potential flaws could be in a system, and how to look for them?

I'll reward 500 EFD from my own stack to each person that helps me find a flaw !

A little more info (Don't know if it helps):
I'm logged into the system as root
There are many other users set up on the system
I have no idea what I'm doing with linux, so get lost pretty easily :rolleyes:

Thanks ! !
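The three findings listed above (a "." in PATH, someone becoming UID 0, accounts with no password) can each be turned into a repeatable check. This is an added example, not code from the thread; the passwd and history contents in demo() are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: three quick checks for the findings
# listed in the post above. All sample data in demo() is constructed.

# 1. PATH entries that make the shell search the current directory:
#    an explicit ".", an empty entry ("::", leading or trailing ":"), or any
#    relative entry. A planted ./ls in a directory root cds into then runs
#    as root.  Usage: path_risky_entries "$PATH"
path_risky_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            "")  printf 'EMPTY (current dir)\n' ;;
            .)   printf '. (current dir)\n' ;;
            /*)  ;;                              # absolute entry: fine
            *)   printf '%s (relative)\n' "$entry" ;;
        esac
    done
}

# 2. Accounts other than root with UID 0: the kernel only knows the number,
#    so every one of them IS root.  Usage: extra_uid0 /etc/passwd
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 3. History lines that create or re-number an account to UID 0.
#    Usage: history_uid0 /home/someone/.bash_history (and /root/.bash_history)
history_uid0() {
    grep -n -E '(useradd|usermod)[^#]*-u[[:space:]]*0([^0-9]|$)' "$1"
}

# Stand-alone demonstration on constructed data (not the real files):
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nalien:x:1000:1000::/home/alien:/bin/bash\ntoor:x:0:0:backup admin:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'ls -la\nsudo usermod -o -u 0 alien\nexit\n' > "$tmp/history"
    echo "== risky PATH entries =="; path_risky_entries "/usr/local/bin:.:/usr/bin::/bin:bin"
    echo "== extra UID-0 accounts =="; extra_uid0 "$tmp/passwd"
    echo "== history: UID-0 changes =="; history_uid0 "$tmp/history"
    rm -rf "$tmp"
}
demo
```

On the real box run `path_risky_entries "$PATH"` as root (and again after sourcing /root/.bashrc), `extra_uid0 /etc/passwd`, and `history_uid0` over every `.bash_history` you can find; the empty PATH entry is the one people miss, because it looks like nothing is there.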
 
grc.com

try grc.com and run some tests.
 
I'm a hoopy linux user.

But Linux never uses root except to install stuff, so a normal user can't ever access root files.

Maybe try www.ubuntuforums.org . It's a Debian-based Linux which has a bit more knowledge than us EU players lol.

Also grc only checks the firewall, not the system itself. Also (dunno if possible) check which files have been recently modified by TIME :) ... betting the teacher forgot those :)

Linux uses timestamps on all files (by default, btw; it could be deactivated).

Also use nmap to scan for open ports that allow access without a password. SSH on port 22 can be dangerous if the password is not properly set.
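The "recently modified by TIME" idea works, with one caveat worth knowing: the modification time can be forged, the inode change time cannot. This is an added example, not code from the thread; the directory and files it runs on are constructed by demo() and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: find files changed in the last N days,
# and why to look at ctime rather than mtime. The test directory is constructed.

# Files under $1 whose contents changed (mtime) within the last $2 days.
# mtime is easy to forge: "touch -t" sets it to anything.
recent_mtime() { find "$1" -xdev -type f -mtime "-$2"; }

# Files under $1 whose inode changed (ctime) within the last $2 days.
# ctime moves on every chmod/chown/rename/write AND on "touch -t" itself;
# touch(1) cannot set it, so a backdated plant still shows up here.
recent_ctime() { find "$1" -xdev -type f -ctime "-$2"; }

demo() {
    dir=$(mktemp -d)
    printf 'planted\n' > "$dir/planted"        # fresh file, honest timestamps
    printf 'old\n' > "$dir/backdated"
    touch -t 200601011200 "$dir/backdated"     # forge mtime back to 2006
    echo "== by mtime (forgeable) =="; recent_mtime "$dir" 7
    echo "== by ctime (not forgeable) =="; recent_ctime "$dir" 7
    rm -rf "$dir"
}
demo
# On the real box: recent_ctime / 30 2>/dev/null | grep -v -E '^/(proc|sys)/'
```

The demo prints only `planted` under mtime but both files under ctime; on a lab box that was set up weeks ago, running the ctime check for the period since the install and looking under /etc, /bin and /usr/bin is a fast way to find what the staff touched.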
 
Don't forget to use Nmap, the port scanner and security scanning and investigation tool.

nmap -v 127.0.0.1 (or your other NIC IP). Many other parameters work too. Check some examples at http://nmap.org/nmap_doc.html

You can also use netstat to see which services/ports are listening for traffic:

netstat -anp

Don't know which ports are (not) safe, eh? No problem. Kurt Seifried's Ports List knows: http://www.seifried.org/security/ports/

Also check if SSHD is running, and be sure to check its configuration (somewhere) in /etc. Root login should NOT be permitted. Also, only the SSH-2 protocol should be allowed. If port 22 is open, SSHD is most probably running. The fewer open ports, the safer the system.

Tip: type a command and --help (dash dash help) after it, like this:

netstat --help

.. to see the help page. It doesn't mean that it gets easier, but at least it's something.

Try to find out if the unneeded inetd is running. If so, disable it. You didn't type which Linux flavor you are running, so I can't give you examples of how to disable it. One way to semi-disable it is to edit the init.d config file in /etc and put a # char in front of every (command) line. Then the actual command will not run.

Make sure there is antivirus installed on your system. clamav is free and works just fine. Also make sure the system's packages are updated. Older versions of, e.g., some particular FTP servers include huge bugs (aaawww, poor good old Xplorer Linux System, which got smashed by a :censored: WUFTPD exploit).

You can also try a network sniffer, like DISCO, DSniff, IPTraf, TcpDump, KISMET, Yersinia or Wireshark.

Nessus is a remote security scanner. It can be useful as well.

... well, this was at least something to start with. There are about a gazillion other things you need to check/do to make sure your system is safe.

Also check out the HOW-TO for Linux Security here: http://tldp.org/HOWTO/Security-HOWTO/
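The raw `netstat -anp` listing is hard to read for a beginner, so here is a filter that reduces it to the question that matters: which TCP services are listening, and are they bound to every interface or only to localhost. This is an added example, not code from the thread; the netstat text in SAMPLE_NETSTAT is constructed in netstat's layout, not captured from the OP's system, and the function name and the list of warned-about ports are my own choice.

```shell
#!/bin/sh
# Added example, not from the thread: turn `netstat -antp` output into a short
# list of listening TCP services, marking which are reachable from other
# hosts. The netstat text below is constructed, not captured from a system.

# Reads netstat -antp (or -anp) output on stdin. Prints port, whether the
# socket is bound to all interfaces or only to localhost, the owning program,
# and a warning for a few services worth a second look.
listening_report() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "localhost" : "ALL-IFACES"
        prog = ($7 == "") ? "?" : $7
        note = ""
        if (port == "23")  note = " WARN: telnet, cleartext logins"
        if (port == "111") note = " WARN: portmap/sunrpc"
        if (port == "25" && scope == "ALL-IFACES") note = " WARN: MTA reachable from the network"
        printf "%s/tcp %s %s%s\n", port, scope, prog, note
    }'
}

# Constructed sample in netstat layout (the PID/Program column needs root):
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      450/inetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      300/portmap
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 812/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           300/portmap'

printf '%s\n' "$SAMPLE_NETSTAT" | listening_report
# On the real box (as root): netstat -antp | listening_report
```

Everything marked ALL-IFACES is what a port scan from another machine will see, so that list should match what you get from nmap run against the NIC address; a sendmail bound to 127.0.0.1 only is a lot less of a finding than one on 0.0.0.0. UDP has no LISTEN state, so check the udp lines of the raw output separately.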
 
Make sure there is antivirus installed on your system. clamav is free and works just fine. Also make sure the system's packages are updated. Older versions of, e.g., some particular FTP servers include huge bugs (aaawww, poor good old Xplorer Linux System, which got smashed by a :censored: WUFTPD exploit).

As his system is a test system at college he won't bother to update. But about antivirus: there are no viruses (yet) for Linux. The scanner is mainly used for e-mail scanning. Also clamav is not an active scanner like NOD32, AVG or Windows virus scanners. It can do it manually and is also available for Win btw; clamwin is great for USB sticks.

But I never saw a Linux virus yet .. maybe somebody can point me towards one?
 
Yes, that's true ranpha. A cron script that runs once a day/week is good to have. The main "viruses" for Linux systems are worms, malware and exploits, the latter mainly because of outdated/insecure packages.

But I think that Linux.Rst-B is classified as a virus. It also appears in -C versions.

Oh, I got some more:

If sendmail is activated, make sure to kill it. If it's still alive, kill it again (like French Frogs at rig, you know). It normally uses port 25 and (umm, the other one, ... I forgot it).

Also make sure that portmap is dead. Port 111 that one uses.

File/directory permissions are also good to look at. 777 is bad. 755 is better. Check out chmod --help for more info on that.

Speaking of viruses, when my Linux machine got some code it wasn't supposed to execute, it started to send a huge amount of spam mails to all and everyone. Another time, when directory permissions were 777, someone used an insecure PHP script to download and execute code on my server. Suddenly, my Linux machine was a phishing bank. The company DynDNS closed my domain temporarily, dunno why :scratch2: :laugh: (No, I am not a customer of DynDNS today, because I fixed the problem very quickly, but they deeeeelaaaaayeeeeed the reactivation of my domain... damn DynDNS suckers).

Oh well, I've been a Linux user for over 11 years so it has been a lot of "incidents" where everything went a direction it wasn't meant to :D
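"777 is bad" is the kind of thing you can search a whole filesystem for instead of eyeballing directory listings, and the setuid bit deserves the same search, because a setuid root binary left in a home directory is a favourite planted flaw. This is an added example, not code from the thread; the tree demo() builds is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: find the "777" files and the setuid
# binaries on a tree. The directory demo() runs on is constructed.

# World-writable files and directories under $1. Sticky-bit directories
# (/tmp-style, mode 1777) are world-writable by design and are skipped.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print
}

# Setuid/setgid regular files under $1: whoever runs them gets the owner's
# (or group's) rights. Compare the list against a freshly installed box.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

demo() {
    d=$(mktemp -d)
    # Stand-in for a planted setuid copy of /bin/sh (a real plant would be a
    # binary; the kernel ignores the setuid bit on scripts, but find does not).
    printf '#!/bin/sh\nexec /bin/sh\n' > "$d/planted-sh"; chmod 4755 "$d/planted-sh"
    : > "$d/open.txt";  chmod 666 "$d/open.txt"     # anyone can rewrite it
    : > "$d/fine.txt";  chmod 644 "$d/fine.txt"
    mkdir "$d/dropbox"; chmod 1777 "$d/dropbox"     # /tmp-style, skipped
    mkdir "$d/wide";    chmod 777 "$d/wide"         # anyone can add/replace files
    echo "== world-writable =="; world_writable "$d"
    echo "== setuid/setgid =="; setid_files "$d"
    rm -rf "$d"
}
demo
# On the real box: world_writable / 2>/dev/null ; setid_files / 2>/dev/null
```

The two that matter most on a lab box are a world-writable directory on root's PATH (combine with the "." in PATH finding) and a world-writable file in /etc; either lets a normal user change what root runs.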
 
/etc/passwd and /etc/shadow are the password files (unless the system depends on a distributed authentication system such as KerberosIV or NIS). Look for empty fields in the second column (which indicates an account without a password).

"netstat -t |grep LISTEN" will show what network TCP services are open. There should not be too many things, especially not TELNET.

If there is a webserver and database, there could be lots of other things allowing unauthorized access through there, too many to list. At the very least, look for hidden files (names starting with one or more ".") and make sure they belong.
 
+rep SnowLeopard (even tho I can't lol), I forgot to mention the web server in my replies above.
 
Just starting on these now!

How do I check sshd settings, and what should I be looking for? It is always running

Thanks in advance
 
Subscribing. I have a personal Linux server I use as a gateway and I know I don't know enough to be really secure. Once I get it working again I will be referring to this post for tips to try on it.
 
Accounts with no password are no problem (no login possible); even ones with empty passwords are fine as long as the configured login shell is not in the list of allowed shells.

Stuff to check for:

- Only needed services exposed to external network interfaces
- No unneeded services running
- Permissions on files (/etc and other locations)

Tussi
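Putting the two points together (SnowLeopard's "look for empty fields in the second column" and Tussi's "fine as long as the shell is not an allowed one"), here is a check that reads passwd, shadow and /etc/shells and only shouts about the dangerous combination: an empty password field on an account whose shell is a real login shell. This is an added example, not code from the thread; the three files demo() writes are constructed (the hashes are not real), and the function name is mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit passwd/shadow for empty password
# fields and cross-check each account's shell against the shells file.
# Sample files in demo() are constructed; run with the real paths as root.

# Usage: account_audit passwd_file shadow_file shells_file
# Prints: user uid=N <password state> <shell state>, flagging the dangerous
# combination of an empty password and a real login shell.
account_audit() {
    awk -F: -v shellsf="$3" '
    BEGIN { while ((getline l < shellsf) > 0) if (l != "" && l !~ /^#/) shells[l] = 1 }
    NR == FNR { shadow[$1] = $2; next }              # first file = shadow: user -> hash
    {
        h = ($1 in shadow) ? shadow[$1] : $2           # old-style: hash lives in passwd
        if (h == "")            state = "EMPTY-PASSWORD"
        else if (h ~ /^[!*]/)   state = "locked"
        else if (h == "x")      state = "no-shadow-entry"
        else                    state = "hashed"
        login = ($7 in shells) ? "login-shell" : "no-login-shell"
        flag = (state == "EMPTY-PASSWORD" && login == "login-shell") ? " <-- passwordless login" : ""
        printf "%s uid=%s %s %s%s\n", $1, $3, state, login, flag
    }' "$2" "$1"
}

demo() {
    t=$(mktemp -d)
    cat > "$t/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alien:x:1000:1000:Alien:/home/alien:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
legacy::1002:1002:no shadow entry:/home/legacy:/bin/sh
EOF
    cat > "$t/shadow" <<'EOF'
root:$6$saltsalt$FAKEHASHFAKEHASH:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alien:$6$othersalt$FAKEHASHFAKEHASH:17000:0:99999:7:::
guest::17000:0:99999:7:::
EOF
    printf '# valid login shells\n/bin/sh\n/bin/bash\n' > "$t/shells"
    account_audit "$t/passwd" "$t/shadow" "$t/shells"
    rm -rf "$t"
}
demo
# On the real box: account_audit /etc/passwd /etc/shadow /etc/shells
```

Two things the output makes visible that john does not: `legacy` has its empty password in /etc/passwd itself (second column empty, no shadow line at all, the exact case SnowLeopard describes), and `daemon` is harmless even though it has no usable password, because nologin is not in /etc/shells. Whether an empty field actually lets someone log in also depends on PAM's nullok and on sshd's PermitEmptyPasswords, so treat the flagged lines as things to try, not proof.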
 
Try the command sudo sh and enter your own password. If you are lucky, you are added as a "wheeler", which means that you are eligible to run applications as superuser; 'sudo sh' will open a new shell with root privileges.

Also, check for hidden files, ls -la, maybe someone placed a little application there that sudos you.

Also, try using local kernel exploits .. (if you successfully obtain root, you'll be a happy person) :)

Edit: hidden files are those with a . in front of the name; use the command type (type /bin/sh will, e.g., say it's an ELF binary or something like that).
 
How do I check sshd settings, and what should I be looking for? It is always running

check /etc/ssh/sshd_config
also a good idea is to check ~/.ssh/authorized_keys for stuff that doesn't belong there (esp. in /root/.ssh).

Try the command sudo sh and enter your own password. If you are lucky, you are added as a "wheeler", which means that you are eligible to run applications as superuser; 'sudo sh' will open a new shell with root privileges.

Also, check for hidden files, ls -la, maybe someone placed a little application there that sudos you.

Also, try using local kernel exploits .. (if you successfully obtain root, you'll be a happy person) :)

Edit: hidden files are those with a . in front of the name; use the command type (type /bin/sh will, e.g., say it's an ELF binary or something like that).
Best plan is to put alias l="ls -al" into ~/.bashrc and use l as default way to list directories.

To get root on a system where you have physical access: just set init=/bin/bash boot option. Very handy in case you forgot your root password...

Tussi
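To answer "how do I check sshd settings, and what should I be looking for": the settings named earlier in the thread are PermitRootLogin, Protocol (SSH-1 must not be offered) and, implicitly, password logins, plus the authorized_keys files. Below is an added example, not code from the thread, that reads those out of an sshd_config and lists every account's authorized_keys. The config text and the home directories in demo() are constructed; the function names and the exact wording of the findings are mine.

```shell
#!/bin/sh
# Added example, not from the thread: check the global settings in an
# sshd_config for the weaknesses named in the thread, and list every user's
# authorized_keys. The config text and home directories below are constructed.

# Usage: sshd_audit /etc/ssh/sshd_config
# Keywords are case-insensitive, the first occurrence of a keyword wins, and
# everything after the first "Match" line is conditional, so the global
# section ends there.
sshd_audit() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                       # comments, blank lines
    tolower($1) == "match" { exit }
    !(tolower($1) in v) { v[tolower($1)] = tolower($2) }
    END {
        prl = ("permitrootlogin" in v) ? v["permitrootlogin"] : "unset"
        if (prl == "unset" || prl == "yes")
            print "FINDING: PermitRootLogin should be no (is " prl "; OpenSSH before 7.0 defaults to yes)"
        pro = ("protocol" in v) ? v["protocol"] : "unset"
        if (pro != "2")
            print "FINDING: Protocol should be exactly 2 (is " pro "); SSH-1 must not be offered"
        if (("permitemptypasswords" in v) && v["permitemptypasswords"] == "yes")
            print "FINDING: PermitEmptyPasswords yes"
        pwa = ("passwordauthentication" in v) ? v["passwordauthentication"] : "yes"
        if (pwa == "yes")
            print "NOTE: password logins are on (the default), so weak passwords are reachable over the network"
    }' "$1"
}

# Usage: authorized_keys_report /etc/passwd
# For every account that has one, print its authorized_keys file, the key
# count, and each key type with its trailing comment. An unexpected key in
# /root/.ssh/authorized_keys is a planted backdoor.
authorized_keys_report() {
    awk -F: '{ print $1, $6 }' "$1" | while read -r user home; do
        f="$home/.ssh/authorized_keys"
        if [ -f "$f" ]; then
            n=$(grep -c -E '^(ssh-|ecdsa-|sk-)' "$f" || true)
            printf '%s: %s key(s) in %s\n' "$user" "$n" "$f"
            grep -E '^(ssh-|ecdsa-|sk-)' "$f" | awk '{ print "    " $1, (NF >= 3 ? $NF : "(no comment)") }'
        fi
    done
}

demo() {
    t=$(mktemp -d)
    cat > "$t/sshd_config" <<'EOF'
# constructed sshd_config with the weak settings the thread warns about
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
    mkdir -p "$t/root/.ssh" "$t/home/alien"
    printf 'root:x:0:0:root:%s/root:/bin/bash\nalien:x:1000:1000::%s/home/alien:/bin/bash\n' "$t" "$t" > "$t/passwd"
    printf 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYONE admin@laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEYTWO nobody-knows-this-one\n' > "$t/root/.ssh/authorized_keys"
    sshd_audit "$t/sshd_config"
    authorized_keys_report "$t/passwd"
    rm -rf "$t"
}
demo
# On the real box: sshd_audit /etc/ssh/sshd_config ; authorized_keys_report /etc/passwd
```

The commented-out `#PasswordAuthentication no` in the sample is deliberate: a commented line is not a setting, so the default (yes) applies, which is exactly the mistake to look for when the staff "hardened" a file. After editing the real file, `sshd -t` checks the syntax before you restart it, and the second key in root's authorized_keys (a comment nobody recognises) is the shape a planted key usually takes.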
 
Handed this in today, the only thing I found was sshd running and port22 was open with 'tcp'.

I'm sending 500EFD to Minken and SnowLeopard for their help. Thanks guys !
 
Handed this in today, the only thing I found was sshd running and port22 was open with 'tcp'.

I'm sending 500EFD to Minken and SnowLeopard for their help. Thanks guys !

Tyvm, but I'm worried you didn't find what you were supposed to.
Port 22 is the ssh port, so it's normal for it to be open... without it you wouldn't get remote access.
Hope it goes well!
 
Read this doc carefully; you should be able to find your security holes... most of them anyway.

GL!

PS Very nice topic.
 