Unix Security, Day 2

Goals

• lock down your own machine first
• use public key cryptosystems
• then worry about the network

POST

• What are some technical threats to your security?
• What are some human threats to your security?
• What are some natural/environmental threats to your security? In the following /etc/passwd fragment, what is the default group (by name or number) of the user "paco"? paco:x:345:712::/home/paco:/bin/bash peter:x:346:712::/home/paco:/bin/sh
• What can you tell about both users (or the system, or the admin) from their entries here?

pass policies

• must have a password!
• passphrases, not passwords
• shadowing
• start out with good passphrases
  • assign the first good, remember-able,unguessable, force-resistant passphrases
  • talk to your users: no writing, no telling, no same passes
  • dongles
  • distributions forcing root upon installation
• maintain good passphrases
• nothing Guess-able: "nothing on the desk"
• password uniqueness with no re-use
• expiration p. 259
• don't ask your users for their passes
• change passwords for known entities: (face to face, pubkey, + caller ID, etc)
• crack your own passwords
• aging
• lockouts
• set to fake pass before telling
• scan for missing passes

controlling wayward users

• "that's what I always use"
• "save password" options
• lock screens
• log out of unused apps/boxes
• guest user philosophy
• restricted shells
• process-limited shells
• no setuid/setgid shells; only executables

use cryptosystems to your advantage

concepts

• symmetric systems
• asymmetric systems
• generating and using keypairs: public, private
• web of trust
• signing keys
• clearsigning documents
• encrypting to a pubkey

the players

• PGP, from PRZ
• GnuPGP
• CKT (cyber knights templar)

using gpg

• generate a keypair: gpg --gen-key
• view your pubkeys: gpg --list-keys
• view your secret keys: gpg --list-keys
• export your pubkey: gpg --export --armor --output filename id
• import your pubkey: gpg --export --armor identifier
• clearsign a document: gpg --clearsign document
• import a key: gpg --import filename
• sign a key: gpg --sign-key id, export back to them
• encrypt a document: gpg --encrypt

be sure of your binaries

• roll your own when possible
• check detached signatures

enforce stronger services

• use ssh2 instead of telnet, ftp, rlogin

admin specific

• only one root (you!)
• age your own pass
• unable to telnet/ftp as root
• root from console? p243
• only root when necessary: LOGOUT!
• no . in path
• be aware of typing on kb in public
• be aware of overtyping

Keeping track

• watch your logs
• use cron to email important stuff
• grep for interesting keywords

Homework

Remember, your login is based on your machine's hostname, not on any other number.
~/[initials] refers to the subdirectory under your homedir, named after your initials. Everything except for .dotfiles will be stored in your ~/[initials] directory.