Unix security
Unix security refers to the means of securing a Unix or Unix-like operating system.
Design concepts
Permissions
A core security feature of these systems is the file system permission model. Every file and directory in a typical Unix filesystem carries a set of permission bits that grant read, write and execute access separately to the file's owner, to members of the file's group and to all other users, plus three further bits (setuid, setgid and sticky) that change how executables run and how shared directories behave.
Because different users and groups can be granted different access to the same file, the permission bits are the first line of defence against one user reading or altering another user's data. Mistakes in them, such as world-writable files or unnecessary setuid binaries, are a common source of local privilege escalation.
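As an added illustration (not part of the original article), the following POSIX shell script builds a small directory tree with deliberately mixed permission bits under a temporary directory and then audits it with find(1) for the three classic mistakes: world-writable files, setuid executables, and world-writable directories that lack the sticky bit. The file names and modes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): build a sample tree with mixed
# permission bits, then audit it with POSIX find(1). All paths are
# constructed under a temporary directory.

make_sample_tree() {
  dir=$(mktemp -d) || return 1
  umask 022                                   # new files rw-r--r--, new dirs rwxr-xr-x
  printf 'readable by all\n' > "$dir/normal"  # 0644 from the umask
  printf 'owner only\n'      > "$dir/private"
  chmod 0600 "$dir/private"                   # rw-------
  printf 'anyone may edit\n' > "$dir/shared"
  chmod 0666 "$dir/shared"                    # rw-rw-rw-: world-writable
  printf 'pretend binary\n'  > "$dir/tool"
  chmod 4755 "$dir/tool"                      # rwsr-xr-x: setuid
  mkdir "$dir/drop"
  chmod 1777 "$dir/drop"                      # rwxrwxrwt: sticky, like /tmp
  printf '%s\n' "$dir"
}

# Symbolic mode of one path, e.g. "-rwsr-xr-x", taken from ls -ld, which is
# portable (stat(1) takes different flags on GNU and BSD systems).
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Regular files any user can modify: a privilege-escalation foothold when
# the file is a script, configuration file or library read by a privileged process.
world_writable_files() {
  find "$1" -type f -perm -0002
}

# Files that execute with their owner's identity; each one is attack surface
# and should be a known, maintained binary.
setuid_files() {
  find "$1" -type f -perm -4000
}

# World-writable directories without the sticky bit let any user delete or
# rename other users' files; /tmp-style directories need mode 1777.
world_writable_dirs_without_sticky() {
  find "$1" -type d -perm -0002 ! -perm -1000
}

# Stand-alone run: "sh script.sh demo" prints the modes and the audit lists.
if [ "${1:-}" = demo ]; then
  d=$(make_sample_tree)
  for f in normal private shared tool drop; do
    printf '%s %s\n' "$(mode_of "$d/$f")" "$f"
  done
  echo "world-writable files:";          world_writable_files "$d"
  echo "setuid files:";                  setuid_files "$d"
  echo "world-writable dirs, no sticky:"; world_writable_dirs_without_sticky "$d"
  rm -rf "$d"
fi
```

On a real system the same find invocations are typically run against / (with -xdev to stay on one filesystem), and the setuid list is compared against the distribution's package manifests so that any binary not accounted for stands out.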
User groups
Many Unix implementations add an additional layer of security by requiring that a user be a member of the wheel group in order to use the su command to become root; FreeBSD enforces this by default, and on Linux the same restriction is provided by the pam_wheel PAM module.[1]
Root access

Most Unix and Unix-like systems have an account or group which enables a user to exert complete control over the system, commonly known as the root account. If an unauthorized user gains access to this account, the result is a complete compromise of the system. A root account is nevertheless necessary for administrative purposes, and for the above security reasons it is seldom used for day-to-day work (the sudo program, which grants individual commands and records who ran them, is more commonly used), so that any use of the root account can be more closely monitored. [citation needed]
User and administrative techniques
Passwords
Selecting strong passwords and guarding them properly are important for Unix security. [citation needed]
On many Unix systems, user and password information, if stored locally, is found in the /etc/passwd and /etc/shadow file pair. /etc/passwd is world-readable and holds account names, numeric user and group IDs, home directories and login shells; the password hashes are kept in /etc/shadow, which is readable only by root, so that ordinary users cannot copy the hashes for offline cracking.
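As an added example (not from the article), the script below parses constructed /etc/shadow-style entries and classifies the password-hash field. Each shadow line holds nine colon-separated fields (login name, hash, date of last change, minimum and maximum age, warning period, inactivity period, expiry date and a reserved field); the script only looks at the first two. The user names, salts and hashes are placeholders, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the article): classify the password-hash field of
# /etc/shadow entries. The sample entries below are constructed; the salts
# and hashes are placeholders.

SAMPLE_SHADOW='root:$6$Zx1saltQ$placeholderhash:19500:0:99999:7:::
alice:$y$j9T$saltsalt$placeholderhash:19600:0:99999:7:::
legacy:$1$oldsalt$placeholderhash:15000:0:99999:7:::
nopass::19600:0:99999:7:::
bob:!$6$Zx1saltQ$placeholderhash:19600:0:99999:7:::
daemon:*:18000:0:99999:7:::'

# Map one hash field to a label. The "$id$" prefix names the crypt(3)
# method; "!" or "*" means no password login is possible; an empty field
# means no password is required at all.
hash_kind() {
  case "$1" in
    '$6$'*)                  echo sha512crypt ;;
    '$5$'*)                  echo sha256crypt ;;
    '$y$'*)                  echo yescrypt ;;
    '$2b$'*|'$2a$'*|'$2y$'*) echo bcrypt ;;
    '$1$'*)                  echo md5crypt ;;
    '!'*|'*')                echo locked ;;
    '')                      echo empty ;;
    *)                       echo unknown ;;
  esac
}

# Print "user kind" for every entry that deserves attention: an empty field
# (passwordless login), md5crypt (obsolete and fast to brute-force) or a
# format the script does not recognise.
weak_hash_accounts() {
  printf '%s\n' "$SAMPLE_SHADOW" | while IFS=: read -r user hash _rest; do
    kind=$(hash_kind "$hash")
    case "$kind" in
      empty|md5crypt|unknown) printf '%s %s\n' "$user" "$kind" ;;
    esac
  done
}

weak_hash_accounts
```

The $6$ and $5$ prefixes denote the SHA-512 and SHA-256 crypt schemes, $y$ is yescrypt (the default on several recent Linux distributions), and $1$ is the obsolete MD5 scheme. On a real system the same loop would read /etc/shadow as root; the point of the audit is to surface accounts that can be logged into without a password or whose hashes are cheap to crack.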
Software maintenance
Patching
Operating systems, like all software, may contain bugs in need of fixing or may be enhanced with new features. Patching the operating system in a secure manner requires that the software come from a trustworthy source and not have been altered since it was packaged. Common methods for verifying that patches have not been altered are a digital signature over the package or over a list of cryptographic hashes (for example SHA-256 checksums), or distribution on read-only media. A checksum on its own only detects accidental corruption; it is the signature, checked against a publisher key obtained through a trusted channel, that ties the patch to its publisher, since anyone able to replace the file can also replace an unsigned checksum.[citation needed]
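As an added example (not from the article), the following script verifies a set of files against a SHA-256 checksum list and shows that altering one file afterwards makes the check fail. The files and the checksum list are constructed in a temporary directory in place of a real download, and sha256sum is assumed to be the GNU coreutils tool (the BSD equivalent is named differently).

```shell
#!/bin/sh
# Added example (not from the article): checksum-list verification with GNU
# sha256sum. The "release" is constructed in a temporary directory.

make_release() {
  dir=$(mktemp -d) || return 1
  printf 'patch contents v1\n' > "$dir/patch-1.tar"
  printf 'patch contents v2\n' > "$dir/patch-2.tar"
  # The list is written by the publisher and shipped alongside the files.
  ( cd "$dir" && sha256sum patch-1.tar patch-2.tar > SHA256SUMS )
  printf '%s\n' "$dir"
}

# Returns 0 only if every file named in SHA256SUMS exists and matches.
# --strict turns malformed lines into a failure instead of a warning;
# --quiet suppresses the per-file "OK" lines.
verify_checksums() {
  ( cd "$1" && sha256sum -c --strict --quiet SHA256SUMS ) >/dev/null 2>&1
}

# Simulate a file swapped in transit or on a compromised mirror.
tamper() {
  printf 'patch contents v2 plus a backdoor\n' > "$1/patch-2.tar"
}

# Stand-alone run: verify, tamper, verify again.
if [ "${1:-}" = demo ]; then
  d=$(make_release)
  verify_checksums "$d" && echo "clean release: OK"
  tamper "$d"
  verify_checksums "$d" || echo "tampered release: verification FAILED (expected)"
  rm -rf "$d"
fi
```

The checksum list proves only that the files are the ones the list describes. When the list is fetched from the same place as the files, an attacker who can replace one can replace both, so in practice the list (or the package itself) is signed and the signature is checked first, for example with gpg --verify SHA256SUMS.sig SHA256SUMS against a publisher key obtained through a separate, trusted channel.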
Viruses and virus scanners
Unix-like operating systems are not affected by most Microsoft Windows viruses, because binaries built for Windows generally will not run on other platforms. However, many Unix-like installations provide file storage to Windows clients, for example through Samba, and may unintentionally become a repository for viruses stored by users. Unix servers commonly act as mail transfer agents, so e-mail virus scanning is often installed on them. The ClamAV virus scanner is available in source form and can be used to scan Unix file systems for malware that targets other operating systems.
There are viruses and worms that target Unix-like operating systems. In fact, the first computer worm—the Morris worm—targeted Unix systems.
Firewalls
A network firewall protects systems and networks from threats on the other side of the firewall. Firewalls can block outside access to strictly internal services, exclude unwanted hosts and, in some cases, filter network traffic by content.[citation needed]
iptables
iptables is the traditional user-space tool for configuring the Linux kernel's netfilter packet filter. It replaced ipchains, and on current distributions it is itself being superseded by nftables, often with iptables commands translated by the iptables-nft compatibility layer. Other Unix-like operating systems provide their own native functionality (pf on the BSDs, for example) and other open source firewall products exist. More detailed information about iptables is contained elsewhere; a brief discussion is given here in order to describe how iptables may be used to configure a Linux firewall.
netfilter provides a stateful packet filter which can be configured according to network interface, protocol, source and/or destination address, source and/or destination port and the connection-tracking state of the packet. A network packet traverses one or more chains between the time it is received by a network interface and the time it is delivered to a local process or forwarded to another host. The common chains of the filter table are INPUT, OUTPUT and FORWARD. The INPUT chain is traversed by packets addressed to the host itself, after the routing decision has been made. The OUTPUT chain is traversed by packets generated by processes on the host. The FORWARD chain is traversed by packets that are being routed through the host from one network interface to another, as on a multi-homed system (a system with more than one network interface); such packets pass through FORWARD only, never through INPUT or OUTPUT. Two further built-in chains, PREROUTING and POSTROUTING, exist in the nat and mangle tables, see every packet entering or leaving the host, and are where address translation is configured.
Each of the built-in chains has a default policy which defines what is done with a packet that reaches the end of the chain without matching a terminating rule. Traversal of a chain ends when a rule matches the packet and has a target of ACCEPT, DROP or REJECT. A RETURN target ends traversal of a user-defined chain and resumes in the chain that called it; in a built-in chain it causes the chain's policy to be applied. Non-terminating targets such as LOG act on the packet and let it continue to the next rule.
The simplest iptables firewall consists of a rule for each desired service, followed by a rule that drops any packet which reaches it. A system that only permitted incoming e-mail, for example, would accept new connections to the SMTP port and drop everything else. One further rule is required, placed before the others, which accepts packets belonging to already established connections, so that connections initiated by the host itself receive their responses.
INPUT chain
The following example shows a simple packet filter for the INPUT chain for the above described example:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in   out  source    destination
    0     0 ACCEPT  all  --  any  any  anywhere  anywhere     state ESTABLISHED
    0     0 ACCEPT  tcp  --  any  any  anywhere  anywhere     tcp dpt:smtp
    0     0 LOG     all  --  any  any  anywhere  anywhere     LOG level warning
    0     0 DROP    all  --  any  any  anywhere  anywhere
The explicit DROP rule at the end ensures that packets are still discarded should the default policy of the INPUT chain accidentally be changed to ACCEPT. The LOG rule immediately before it records each packet that is about to be dropped, which helps both when debugging the ruleset and when looking for port scans.
OUTPUT chain
There is less need for an OUTPUT chain, and its default policy can safely be set to ACCEPT. In some instances it may be desirable for a firewall to limit certain outgoing connections to a set of approved systems. This is known as egress filtering and may be used to stop malware on an internal host from attacking other systems or from sending spam. For example, it may be the policy of a network to allow outgoing e-mail connections only to a single authorised mail server. This could be achieved by the following example:
Chain OUTPUT (policy ACCEPT)
 pkts bytes target  prot opt in   out  source    destination
    0     0 DROP    tcp  --  any  any  !server   anywhere     tcp dpt:smtp
There is no need to include any other rules in this example because the default policy for the OUTPUT chain is ACCEPT. Note that the OUTPUT chain only sees packets generated by the firewall host itself, so this rule restricts the firewall's own mail traffic to the authorised server. Traffic from hosts behind the firewall is routed and therefore traverses the FORWARD chain, where an equivalent rule is needed to enforce the policy for them. Since a firewall system typically contains only the minimum software needed to act as a firewall, it normally has little reason to send mail at all.
A more restrictive OUTPUT chain would contain permissive (ACCEPT) entries for those services which may be accessed outside the firewall and then a restrictive (DROP) policy for the chain itself.
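As an added example (not from the article), the script below issues the iptables commands that produce the INPUT and OUTPUT chains listed above, and adds a FORWARD variant of the egress rule for the case where the firewall routes for an internal network. By default IPT is set to echo so the script only prints the commands; run it as root with IPT=iptables to apply them. It assumes a placeholder mail relay address, 192.0.2.25 (from the TEST-NET-1 range), and goes slightly beyond the listing: it also accepts RELATED packets and loopback traffic, and rate-limits the LOG rule so a flood cannot fill the logs.

```shell
#!/bin/sh
# Added example (not from the article): iptables commands for the INPUT,
# OUTPUT and FORWARD chains discussed above. IPT defaults to "echo" (dry
# run); set IPT=iptables and run as root to apply. MAIL_SERVER is a
# placeholder address standing in for the site's authorised mail relay.

IPT=${IPT:-echo}
MAIL_SERVER=${MAIL_SERVER:-192.0.2.25}

configure_input_chain() {
  $IPT -F INPUT                                          # start from an empty chain
  $IPT -A INPUT -i lo -j ACCEPT                          # local processes talk over loopback
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections
  $IPT -A INPUT -p tcp --dport 25 -j ACCEPT              # the one offered service: SMTP
  $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT drop: "
  $IPT -A INPUT -j DROP                                  # explicit drop, independent of the policy
  $IPT -P INPUT DROP                                     # policy last: rules are already in place
}

configure_output_chain() {
  $IPT -F OUTPUT
  # Egress filter: this host may only speak SMTP to the authorised relay.
  $IPT -A OUTPUT -p tcp --dport 25 ! -d "$MAIL_SERVER" -j DROP
  $IPT -P OUTPUT ACCEPT
}

# For a firewall that routes for an internal network the egress rule must
# live in FORWARD, which routed packets traverse; OUTPUT only sees packets
# this host generates itself.
configure_forward_chain() {
  $IPT -F FORWARD
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -p tcp --dport 25 ! -d "$MAIL_SERVER" -j DROP
  $IPT -P FORWARD ACCEPT
}

configure_input_chain
configure_output_chain
configure_forward_chain
```

The INPUT policy is set last, after the ESTABLISHED rule exists, so that an administrator rebuilding the ruleset over an existing SSH session is not locked out by the brief window in which the chain is empty. In the listing above the match appears as "state ESTABLISHED"; the state match is still accepted by current iptables, and -m conntrack --ctstate is the newer equivalent.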
General
Secure network communication:
- Layer 7:
- Layers 4,5:
- Layer 3:
- Layer 2: PPTP
Packet sniffing:
Attacks:
- Man in the middle attack
- LAND, ping of death, Christmas tree packet, Denial of service et al.
- Theft of passwords, passphrases or keys from a running system with tracing tools, such as attacks based on strace, truss, tusc, dtrace or SystemTap.
Advanced
- rootkits, kernel modules, chkrootkit
- exploit details, buffer overflows, local vs remote
Service details
- banners
- SMTP - spam
- Sendmail - banners help header version etc.
- Domain Name System - reverse mapping dnssec
References
- ^ Levi, Bozidar (2002). UNIX Administration: A Comprehensive Sourcebook for Effective Systems and Network Management. CRC Press. p. 207. ISBN 0-8493-1351-1.
General
- Practical UNIX and Internet Security, Simson Garfinkel and Gene Spafford, O'Reilly & Associates, 2003.
External links
- The Unix Security Model for web server administration Archived 2006-10-04 at the Wayback Machine Robert K. Moniot 2000
- An Architectural Overview of UNIX Network Security Robert B. Reinhardt 1993
- Unix security papers