COLUMN
Headline: Unix Security: It Doesn't Have To Be So Insecure
August 23, 1999
By Robert J. Kohlhepp
Why does the word Unix strike fear into the minds of the security-conscious everywhere? Lab Director Rob Kohlhepp emphasizes the need for quick installations of solid, secure Unix systems in his latest Online Column.
Unix is probably the most prolific server platform in use on the Internet for e-mail, Web and other services. So why does the word Unix strike fear into the minds of the security-conscious everywhere? Why do most people immediately think "security hole" when they think of Unix? Because Unix ships with a comprehensive set of IP services, and those same services, enabled whether or not anyone needs them, are the source of its bad reputation.
My Unix servers are stable and flexible. I set them up and they run forever, unless someone mucks with them. However, because of them, I must read security bulletins, download, patch and reboot, and fret about break-ins. Unfortunately, the only way to avoid this is to use a server OS that has no (or very few) native IP services, such as MacOS or NetWare (before NetWare 5).
Not only does Unix security seem unattainable, so does Unix installation to a general audience. Many vendors have started to address this, but we are a long way from a quick installation of a solid, secure Unix system. Installing a Unix server in your environment doesn't have to be difficult. Vendors have just been slow to implement a simple install-and-configure process. Maybe that's why they have flourishing integration teams.
Most Unix systems deployed for Internet-accessible services need very few of the packages and services that are installed and enabled by default. For our server, we simply commented out almost every line in the /etc/inetd.conf file. Why isn't that the default? I would rather enable what I need (after researching the security risk of each service) than disable it after the fact.
Recently, I installed an Apple Mac OS X server and found that Apple has made a few steps toward closing default holes. During installation, the configuration program asked me if I wanted to enable remote logins. When I selected "no," my server installed without the remote services (telnet, rlogin, rexec and rsh, for example). This probably eliminated 90 percent of the vulnerabilities of my server.
However, there were still many other unnecessary services left running. So, Apple didn't go far enough.
By contrast, my recent installation of Solaris 2.6 didn't ask me a single security-related question. It installed every single service known to mankind. I should have been prompted for each and every service, with an adequate description of each. That would give me the information needed to judge the risk associated with each service.
Now, I am no Unix novice. I understand most of the services that are running on my Unix machines. However, sifting through the /etc/inetd.conf file and figuring out what each entry means is somewhat time-consuming. Am I supposed to know that "rpc.cmsd" is related to Solaris' calendar program? How about this entry for clarity:
# Sun Font Server
Does every Solaris administrator know what a font server is? Does everyone have X terminals or other dependent machines? Does that need to be enabled by default? I think not. In a perfect world, the install script would have prompted me, and I would have been able to pre-empt the extensive research. Ideally, I would see:
Would you like to enable the font server? This allows remote (usually diskless) clients, such as X terminals, to load fonts from this machine. (default "no") ->
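The hand-editing of /etc/inetd.conf described earlier, applied to the kind of entries just discussed (a font server, an rpc.cmsd line that only its program name identifies), as an added shell example. It is not from the column or from any vendor's install script, and the sample inetd.conf it works on is constructed in the Solaris 2.6 seven-field layout rather than copied from a real host. Everything not on an explicit allowlist is commented out, which is the "enable what I need" policy rather than "disable after the fact":

```shell
#!/bin/sh
# Added example (not from the column): comment out every active
# /etc/inetd.conf entry that is not on an explicit allowlist.
# Assumes the Solaris/BSD layout: service socktype proto wait user server args.
# An entry is kept if its service name (field 1) or the basename of its
# server program (field 6) is on the list; when the server is tcpd
# (Red Hat style), the field after it names the real program.
set -e

# active_services FILE -> one line of service names still enabled
active_services() {
    awk 'NF > 0 && $1 !~ /^#/ { s = s (s == "" ? "" : " ") $1 } END { print s }' "$1"
}

# harden_inetd_conf INPUT OUTPUT "name name ..." -> writes OUTPUT
harden_inetd_conf() {
    awk -v keep="$3" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
    NF == 0 || $1 ~ /^#/ { print; next }            # comments and blanks pass through
    {
        prog = $6; sub(/.*\//, "", prog)             # basename of the server program
        if (prog == "tcpd") { prog = $7; sub(/.*\//, "", prog) }
        if (($1 in allow) || (prog in allow)) print
        else print "#" $0                            # disabled, trivially re-enabled
    }' "$1" > "$2"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample in Solaris 2.6 layout (not copied from a real host)
cat > "$tmp/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#
# Sun Font Server
fs      stream  tcp     wait    nobody  /usr/openwin/lib/fs.auto        fs
#
# Calendar manager: only the program name says what this rpc entry is
100068/2-5      dgram   rpc/udp wait    root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
EOF

# Keep ftp only; everything else (telnet, the r-services, finger, fs, rpc.cmsd) goes
harden_inetd_conf "$tmp/inetd.conf" "$tmp/inetd.conf.new" "ftp"
echo "before: $(active_services "$tmp/inetd.conf")"
echo "after:  $(active_services "$tmp/inetd.conf.new")"
```

On a live system you would write the result over /etc/inetd.conf and send inetd a HUP; the disabled lines stay in the file as comments, so re-enabling a service later is a one-character change.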
Linux distributions such as Red Hat 6 install most inetd services behind a TCP wrapper (tcpd). This lets you control which hosts and networks may reach each service. But, again, by default the wrapper only logs connections; it does not restrict them, because /etc/hosts.allow and /etc/hosts.deny ship essentially empty and tcpd grants access whenever no rule matches. So you will have to dig into the hosts_access(5) manual page and set up the proper rules yourself.
For the time being, Unix security is relegated to those who want to revolve their lives around security bulletins and patches, not to mention putting up with some downtime and rebooting to activate some of the patches. Network Computing's Security Express newsletter can help. This weekly e-mail newsletter delivers practical security solutions. Subscribers to Security Express receive security alerts, product updates and software patches, as well as instructions on how to counter threats. Learn more about this service and/or sign up at http://www.networkcomputing.com/express/
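To make the "log only" default concrete, here is an added shell example (not from the column, and not tcpd's own code) that reproduces tcpd's documented decision order over a pair of constructed hosts.allow/hosts.deny files: a matching hosts.allow line grants, otherwise a matching hosts.deny line refuses, otherwise access is granted. It handles the client patterns ALL, an exact address, a trailing-dot prefix and net/mask with a contiguous mask; hostname patterns, EXCEPT and the KNOWN/LOCAL/PARANOID keywords are assumed out of scope, and the daemon names and addresses in the rules are made up for the demonstration:

```shell
#!/bin/sh
# Added example (not from the column): how tcpd decides access from
# /etc/hosts.allow and /etc/hosts.deny, and why empty files restrict nothing.
# Callers pass the client's IP address; names are not resolved here.
set -e

# wrapper_match DAEMON CLIENT_IP FILE -> exit 0 if some rule in FILE matches
wrapper_match() {
    [ -f "$3" ] || return 1
    awk -v d="$1" -v c="$2" '
    function ip2n(s,   p) {
        split(s, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    function client_ok(pat,   nm, blk) {
        if (pat == "ALL") return 1
        if (pat ~ /\.$/) return index(c, pat) == 1   # "192.168.1." is a prefix
        if (index(pat, "/") > 0) {                   # net/mask, contiguous mask assumed
            split(pat, nm, "/")
            blk = 4294967296 - ip2n(nm[2])           # block size of the mask
            return int(ip2n(c) / blk) == int(ip2n(nm[1]) / blk)
        }
        return pat == c
    }
    function daemon_ok(pat) { return pat == "ALL" || pat == d }
    NF == 0 || $1 ~ /^#/ { next }
    {
        split($0, f, ":")                            # daemon_list : client_list [: cmd]
        nd = split(f[1], dl, /[ \t,]+/)
        nc = split(f[2], cl, /[ \t,]+/)
        dm = 0; cm = 0
        for (i = 1; i <= nd; i++) if (dl[i] != "" && daemon_ok(dl[i])) dm = 1
        for (i = 1; i <= nc; i++) if (cl[i] != "" && client_ok(cl[i])) cm = 1
        if (dm && cm) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }' "$3"
}

# tcpd_decision DAEMON CLIENT_IP ALLOWFILE DENYFILE -> prints allow or deny
tcpd_decision() {
    if wrapper_match "$1" "$2" "$3"; then echo allow
    elif wrapper_match "$1" "$2" "$4"; then echo deny
    else echo allow                                   # no rule matched: tcpd lets it in
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed rule sets: what a stock install amounts to (comments only) ...
printf '# stock install: no rules\n' > "$tmp/stock.allow"
printf '# stock install: no rules\n' > "$tmp/stock.deny"
# ... and a restrictive pair: deny everything, then open specific holes
cat > "$tmp/hardened.allow" <<'EOF'
in.ftpd, in.telnetd : 192.168.1.0/255.255.255.0
in.rlogind : 192.168.2.
ALL : 192.168.1.10
EOF
printf 'ALL : ALL\n' > "$tmp/hardened.deny"

for case in "in.telnetd 1.2.3.4" "in.ftpd 192.168.1.77" "in.fingerd 192.168.1.77"; do
    set -- $case
    printf '%-12s from %-14s stock=%s hardened=%s\n' "$1" "$2" \
        "$(tcpd_decision "$1" "$2" "$tmp/stock.allow" "$tmp/stock.deny")" \
        "$(tcpd_decision "$1" "$2" "$tmp/hardened.allow" "$tmp/hardened.deny")"
done
```

The point the loop makes is that the stock files allow every connection to every wrapped daemon; the single line ALL : ALL in hosts.deny is what turns the wrapper from a logger into a filter, after which hosts.allow has to list each service and the networks permitted to reach it.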
For the record, other platforms are implementing more IP-related services as well. This is evident from the increasing number of exploits on Windows NT and NetWare servers.
Send your comments on this column to Rob Kohlhepp at firstname.lastname@example.org.