Unix Security, Day 3

Goals

• verify software from a public source
• see how SSL fits into the public key model
• lock down server daemons
• lock down inetd services

POST

1. import the keys of everyone in the room: gpg --import
2. when should you sign someone's key?
3. sign the keys of everyone in the room: gpg --sign-key
4. check the signatures on your keys: gpg --check-sigs

Now down to practical uses....

1. make two text files: crypto1.txt and crypto2.txt
2. clearsign crypto1.txt gpg --clearsign
3. make a detached signature for crypto2.txt gpg --detach-sign --armor
4. encrypt a note to yourself gpg --encrypt

be sure of your binaries

• roll your own when possible
• check detached signatures
• make a detached signature of a system file: gpg --detach-sign --armor --output here.asc /usr/sbin/sendmail

related: SSL

• the web of trust is replaced with a certifying (and commercial!) entity
• the process is automated

1. Browser asks for an https URL.
2. Server returns a signatory certificate (verisign, etc) and a public key.
3. Browser checks the certificate, may prompt the user.
4. Browser produces a session key, encrypts it to the server's public key and returns it to the server.
5. The socket continues on, using the session key and RSA (or other) encryption).

shut down unnecessary services

Safest to do from the terminal.

• start with inetd
• wrap inetd services with a wrapper like tcpd
  • /etc/hosts.allow
  • /etc/hosts.deny

enforce stronger services