firstname.lastname@example.org you would like more information on Linux World.
http://www.access.org.uk) in the UK. A few books are available detailing information from a hackers point of view, eg Computer Hacking: detection and protection by Imtiaz Malik. Then Steve listed the methods of attack hackers can use, such as trojan horses, logic bombs, time bombs and worms. Also a threat are UNIX viruses, although these are far less of a threat currently than DOS or Win viruses. The best known UNIX viruses are the X21, X23 (both shell scripts) and the snoopy virus (which modifies
/etc/passwd). He also briefly listed misuse of UNIX features, such as the rprotocols (eg
rloginetc), telnet, the subversion of email (eg fakemail by telneting to port 25 or sniffing) and IP spoofing. Also covered were Denial of Service attacks, such as spawning multiple processes or the recently much-publicised SYN-ACK attack.
identas an auditing tool, using
sshfor remote access to the system, and extensive system logging among others. The latter was stressed extensively, though care must be taken to ensure log files are resistant to tampering.
http://www.tis.comfor more information). There were several generations of firewalls: firstly with this set-up just described to a dialup account (uucp) to an ISP. This was a fairly secure set-up, but only allowed access to email services. The second generation ran with a faster modem and used a PPP connection to the ISP. This was, like the previous incarnation, cheap, and allowed access to a lot more Internet services (ie USENET, FTP and WWW), but still had low bandwidth and required close monitoring of all incoming connections. The final generation ran through a ISDN packet filtering router outside the firewall. This, though not as cheap as the previous systems, was cost effective and the firewall and router complement each other well to give a secure model. However, there are no incoming connections (FTP and WWW site is held at the ISP).
setguidfiles: most are unnecessarily set as such. The insecurity of passwords was once again pointed out. Unfortunately, due to a slightly late start and a restriction on the finishing time, Jim was unable to completely finish his presentation. However, an extensive synopsis is given in the documentation, including insecurity of X windows, problems with MIME, JAVA and the WWW, along with some security solutions such as firewalls, SSL and SSH. Finally, there is a complete breakdown of a security hole: the infamous BSD
lpdhole, which allows any file on the system to be overwritten.
sshhas opened up the opportunity of working from home without a client's confidential data being plastered all over the Internet. All that is needed is a secure shell installation and my home Linux machine becomes a fully functional and secure X terminal.
ssh1214.tazfrom the CD into your home directory.
tar xvzf ssh1214.taz. This will create a directory called
ssh-1.2.14. Read the
./configure, this will automatically work out the correct configuration for
makewill build the
sshhas been made correctly then type
su rootand run
make install. By default this will install
/usr/localarea and generate a unique key for your machine. It should also install
man sshand you should see the on-line documentation if the installation was successful.
/usr/local/sbin/sshdto start up the
sshdaemon process and then test that
sshis working on the local loop-back by typing
ssh localhost. If you want
sshdto run every time the machine is restarted, this command has to be put in the
/etc/rc.d/rc.localfile. You will be asked for your password and then
sshwill sign you into the local machine through an encrypted channel.
xtermsession from your secure shell. You can tell you are going through a re-directed X server as your
echo $DISPLAY) will end in
sshand run private X sessions between the two machines. It makes no difference to your privacy if the machines are on the same LAN or over the Internet on the other side of the world. An added bonus of the
sshX re-director is that the X traffic is compressed. This can boost X windows performance considerably if the network connection between them is slow.
xloadprocess over a 14.4Kbps modem connection.
sshso it acts as a replacement for
rcp. This will be covered briefly later in this article. Even in its simplest form
sshgives you two really great advantages:
gzipcompression of the encrypted data stream means that working with
sshis faster than a raw
telnetsession alone. You gain much and lose nothing from better privacy.
sshthe password is never transmitted across the network, except when strongly encrypted. However, it is sometimes better to set up the remote machine so that it has the trust of the local machine. This means that
sshcommand execution and
scpfile transfer can be worked into shell or Perl scripts.
sshand you have an account on it.
sshto log into the remote machine, although you will be required to give your system password each time.
ssh-keygencommand. This will generate you a public/private key pair and ask you for a pass phrase, so that your stored key is protected. As well as being able to remember this pass phrase, it is also very important that other people cannot guess it. The best pass phrases are pieces of nonsense that you find memorable, that cannot be connected with you. If you are a Bank Manager then Wibble flobble ploop would be a much better choice than I've got the cash.
ssh-keygenwill do on each machine is put files called
identity.pubin a sub directory called
.sshof your home directory. The actual contents of the private key are protected by the pass-phrase.
~/.ssh/identity.puband needs to be transferred by some means to a file called
identity.pubfile on your local system to
authorized_keyson the remote system.
sshand instead of asking you for your password it now wants you to give it the pass phrase for your local private key. The reason for this is to avoid the need for the remote machine to ask you for a password. The pass phrase is needed so that the copy of your local private key can be unlocked and used to encrypt communication to the remote system. The remote system then knows it must be you as the public key that you placed in
authorized_keyscan be used to decrypt the message.
ssh-agent. It is an in-memory process that you give your pass-phrase to, which then uses your private key to communicate with the remote system.
sshprocesses need to be secure,
ssh-agentmust be an ancestor process of
sshprocesses. The command
ssh-agent shwill start a sub-shell from which
sshcommands can be run. The first thing we need to do, however, is tell this
ssh-agentprocess what our pass phrase is:
$ ssh-agent sh
Need pass-phrase for /home/mhouston/.ssh/identity /email@example.com).
sshyou enter your pass-phrase just once. Now you will be able to enter
scpcommands on any system that trusts you, without being asked for any more passwords.
sshtrust on your Linux machine means that if security is breached on that machine, it is breached for your account on all machines that trust you. The machine that
sshoriginates from and that stores your private key should ideally be a personal system that only you use. A personal laptop computer that you can take with you, would be better than an account on a big system with a large (and inquisitive) user population.
Ssh-agentis not daft enough to leave your pass-phrase lying around in memory, but a determined hacker with
rootprivilege on your system might just be able to catch the input as it is typed. Such a hacker would then have the ability to become you and cause havoc!
sshhas found its way onto many thousands of computers in at least 40 countries. The basic
sshprotocol will remain free in the author's hope that it will become one of the main-stay standard protocols of the Internet.
ssh,and also enhancements to it, like a secure shell client for Microsoft Windows, then Data Fellows Ltd has a commercially licensed version called F-Secure SSH. More information can be found on Data Fellows web site:
Tel: 01763 273 475
Fax: 01763 273 255
Queries: Ask Here
|Join UKUUG Today!||
PO BOX 37