Roy Schestowitz wrote:
> The short life and hard times of a Linux virus
Let's talk about "Fortress Linux" for a second. Linux is much like a
Medieval fort.
To begin with, there is the sockets library, much like a huge hill, with
lots of green grass, and no trees. It's nearly impossible to just
sneak up. The Linux firewall knows the IP address, can do reverse DNS
lookup, can log who came in and who came out, and the connections can
be quickly and easily logged. It's also very difficult to get secure
access rights because the ports that are available typically give you
no access rights unless you are authenticated. Anonymous FTP won't
even let you read the files you deposited.
ssh and ssl make it possible to mutually authenticate users and can
offer multiple tiers of authentication (mutually authenticated keys,
userid/password, and IP address or subnet).
route and netstat -r make it possible to explicitly set correct routes.
Since these are set in a file owned by root, it's very difficult to
spoof a route to create a bogus access. Netstat -r will let you know
immediately if someone has tried to tamper with the routing.
Furthermore, since the secure hosts can be stored in a /etc/hosts file,
which is checked BEFORE dns, it's much more difficult to "spoof" a
Linux device.
ipchains lets you decide which machines can talk to which applications
and which machines can talk to which other machines.
Xinetd lets you control exactly which hosts can access any service.
Even if the firewall did let you through, this puppy can still lock you
out.
PAM (pluggable authentication modules) makes it possible to lock down
accounts very tightly. The default is to create user accounts and
place encrypted and undecryptable passwords into a file. Even if you
know what the encrypted password is (you have to be root to get that
information) you can't use that information to get the "clear text"
password.
Password prompts in Linux usually display nothing. No stars or
giveaways to let people know how many characters are in the password, or
even when you have actually pressed a key and when you have
fake-pressed a key to mislead someone looking over your shoulder to get
the password.
Access rights exist at owner and group level. Even if you manage to get
logged into a legitimate user account, you can't just go browsing
anywhere you feel like. Directories and files all require read access
to view. To change into someone else's directory, you have to have
execute permissions. To execute a script, you need execute permissions
(but not read permissions, which means that others can't easily fake up
a "similar" program).
Setuid scripts let one user access files which are readable by another
user, but only if he is a member of the file's group. This is an
effective way to provide very limited functionality to someone, giving
them permission to execute specific programs, but not giving them all of
the rights of a "root" user or a manager. For example, if an employee
needs write access to a spreadsheet to post his time records, his
manager can give him "execute only" access using setuid so that only
employees in that manager's group can post their time to a file that
only the manager can read or write. Because setuid scripts also keep
track of real user ids, it's very easy to log and track would-be
perpetrators, and even prosecute them.
sudo is similar to a setuid script, but can give a group of users or a
single user access to a group of commands, and any attempt to execute
those commands will be recorded in a log which only the system
administrator (root) can actually read.
su almost lets you get full access to the machine, but your attempts to
upgrade are recorded, including failed attempts. In most cases,
attempts to su into a machine you are not authorized to access as root,
can get you fired and/or arrested instantly.
You can also log in as root, but you have to be at the physical console
to do this. The root account will terminate instantly if it sees that
you are attempting to log in as root through a remote connection.
Assuming that there are identification cards showing who is in the
building and who has physical access to the machine, there is a very
good chance that even these perpetrators will not escape justice.
Swiping your badge at 2 AM and trying to log in as root at a restricted
Linux machine is almost certain to result in severe consequences. In
some cases, a successful root login during certain times can result in
direct page (e-mail to cell phone) of the owner or administrator, and
possibly even the police.
If you DO manage to get a bogus command into the computer, and do
manage to get it particular access rights, you still have a problem.
The access times, and modification times of the file, the directories,
and the log of the permission setting will be recorded in various
places which can be easily examined by a forensic investigator.
There are logs of the e-mails and other incoming information which can
be audited, and can't easily be removed by anyone but the authorized
owner. If squid is enabled, it not only caches the requests, but keeps
a log of what has been visited and when.
Many Linux applications on very secure systems, such as servers, often
work only through proxies, which means that all inbound and outbound
traffic can be logged for critical information which can be linked to
other information on the machine.
Assuming you manage to make it in and out, and do ANYTHING other than
just peek at the public /tmp files, there is a pretty good chance that
you could find FBI agents knocking at your door, especially if you
attempt things like identity theft, wire fraud, or setting up "bots".
Unlike the Microsoft EULA which gives Microsoft the right to let anyone
access any of your information, the Linux license agreements make no
assumption that the customer has granted permission for any access not
otherwise accessed.
At minimum, you could be charged with criminal computer trespassing, a
felony punishable by up to 5 years in federal prison.
If you access it through radio, common carrier, or FCC regulated
networking media, you could face an additional violation for illegal
communications.
If you leave any files on the machine, you could be prosecuted for
computer vandalism.
If you attempt to use any information you have collected from the
computer, you can be charged with illegal wiretapping. If you wire-tap
a business, you can also be charged with industrial espionage.
And nothing in any of the Linux license agreements requires that you
waive ANY of those rights to take civil or criminal action, and they even
encourage you to disclose any information which might help the
investigation (no nondisclosure agreements).
If you even TRY to mess with a Linux machine, there WILL be
consequences.
Rex Ballard
http://www.open4success.org
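An added example, not from Rex Ballard's post or from any of the tools it names, of the kind of review the su, sudo and remote-root logging described above makes possible: a small Python script that walks auth-log lines and flags repeated failed su attempts, an su that succeeds right after failures, sudo denials (with the refused command), and root logins attempted or accepted over SSH (the thing a console-only root policy, on a real system /etc/securetty plus sshd's PermitRootLogin, is meant to rule out). The line shapes are approximations of what su, sudo and sshd write through syslog and vary by distribution; the excerpt, the host name "fort", the user names, commands and the IP address are constructed for the example.

```python
import re
import sys
from collections import defaultdict

# Constructed auth.log excerpt (host, users, commands and IP invented for this example).
# Line shapes approximate what su, sudo and sshd emit via syslog; they vary by distribution.
SAMPLE_AUTH_LOG = """\
Mar  3 02:04:11 fort su[2231]: FAILED SU (to root) alice on pts/1
Mar  3 02:04:19 fort su[2233]: FAILED SU (to root) alice on pts/1
Mar  3 02:04:40 fort su[2235]: Successful su for root by alice
Mar  3 02:05:02 fort sudo:    bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 02:05:30 fort sudo:    bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Mar  3 02:06:01 fort sshd[2240]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:06:09 fort sshd[2241]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:07:00 fort su[2250]: Successful su for root by carol
"""

FAILED_SU = re.compile(r" su\[\d+\]: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")
OK_SU = re.compile(r" su\[\d+\]: Successful su for (?P<target>\S+) by (?P<user>\S+)")
SUDO = re.compile(
    r" sudo:\s+(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SSH_AUTH = re.compile(
    r" sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def audit_auth_log(text, su_fail_threshold=2):
    """Scan auth-log text and return findings in log order.

    Each finding is a dict with at least 'kind' and 'user'. Kinds:
      su_bruteforce       - a user reached su_fail_threshold failed su attempts
      su_after_failures   - a user's su succeeded after earlier failures (guessed password?)
      su_success          - a clean su to another account
      sudo_allowed / sudo_denied - sudo ran or refused a command (COMMAND= is kept)
      remote_root_attempt / remote_root_login - sshd rejected or accepted root over the network
    """
    findings = []
    su_failures = defaultdict(int)  # user -> failed su attempts seen so far

    for line in text.splitlines():
        if m := FAILED_SU.search(line):
            su_failures[m["user"]] += 1
            if su_failures[m["user"]] == su_fail_threshold:
                findings.append({"kind": "su_bruteforce", "user": m["user"], "target": m["target"]})
        elif m := OK_SU.search(line):
            kind = "su_after_failures" if su_failures[m["user"]] else "su_success"
            findings.append({"kind": kind, "user": m["user"], "target": m["target"]})
        elif m := SUDO.search(line):
            kind = "sudo_denied" if m["denied"] else "sudo_allowed"
            findings.append({"kind": kind, "user": m["user"], "target": m["target"], "cmd": m["cmd"]})
        elif (m := SSH_AUTH.search(line)) and m["user"] == "root":
            # A root login accepted from the network is exactly what a console-only
            # root policy exists to prevent, so both the attempt and the success are reported.
            kind = "remote_root_login" if m["result"] == "Accepted" else "remote_root_attempt"
            findings.append({"kind": kind, "user": "root", "ip": m["ip"]})
    return findings


def format_findings(findings):
    """Render findings one per line, suitable for a pager or an alert mail."""
    lines = []
    for f in findings:
        extra = f.get("cmd") or f.get("ip") or f.get("target") or ""
        lines.append(f"{f['kind']:<22} {f['user']:<8} {extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 audit_auth.py [/var/log/auth.log]; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    print(format_findings(audit_auth_log(text)))
```

The threshold for "su_bruteforce" is deliberately low; the post's point is that the failed attempts are recorded at all, and on a real host you would tune it and key the count on the source tty or session as well as the user name, since a second user at the same terminal is not the same actor.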