Sysadmin:Security
From UGCS
Revision as of 21:50, 27 November 2007
Known Problems
- Users could DoS our Kerberos admin server by using the newacct-creator keytab to create lots of new principals (minor severity)
- A symlink attack could be used to gain access to the Apache Kerberos service keytab for Poseidon
- If too much spam comes in, it can overload slapd on zeus, causing mail to soft-bounce and the load on zeus to go way up. The workaround is to temporarily set the LDAP database to read-only.
Probable Problems
- All the Python we wrote needs to be double-checked
- Machines need to be kept up to date at least once a week (every 3 days is preferable if time is available)
Possible problems
- Cfengine can be used to break into machines
Possible attack vectors
- Directly hack zeus or hera
  - How to detect: ??
  - Solution: Disaster
- Hack a login machine and steal the sysadmin's credentials
  - Part of this damage is mitigated by requiring passwords for sudo on core servers; however, it doesn't fix the AFS system:administrator problem
  - How to detect: check logs for root accesses on login machines; there shouldn't be many, because we don't use sudo on them that much
  - Solution: reboot the machine and change the sysadmin's password (this will invalidate any old credentials)
    - Also check logs to see what they were able to do on other machines
- AFS server gets hacked
  - Hack the AFS server and get system:administrator access to AFS
  - How to detect: ??
  - Solution: Disaster
- NFS image server gets hacked
  - Someone hacks the NFS image server and adds a rootkit to our login root image
  - How to detect: Tripwire
  - Solution: rebuild the image or restore from a known-good backup
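The "check logs for root accesses on login machines" step above is easy to do by hand for one host but worth scripting for a fleet. The following is an added example (not part of the original wiki page or any UGCS tooling) that parses standard Debian-style sudo, su and sshd syslog lines, counts root accesses per login host, and flags hosts that exceed a baseline. The log lines are constructed for the demonstration; the regexes, the hostnames and the threshold value are assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed sample syslog lines (not real UGCS logs). The format follows the
# usual sudo / su / sshd messages found in /var/log/auth.log on Debian.
SAMPLE_LOG = """\
Nov 27 20:01:12 login1 sudo:   alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Nov 27 20:05:40 login1 su[2231]: Successful su for root by bob
Nov 27 20:05:40 login1 su[2231]: + pts/5 bob:root
Nov 27 20:07:02 login2 sshd[3120]: Accepted publickey for root from 10.0.0.9 port 51234 ssh2
Nov 27 20:09:55 login2 sudo:   carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
Nov 27 20:12:31 login2 sudo:   carol : TTY=pts/1 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/ssh zeus
Nov 27 20:15:00 login1 sshd[3300]: Accepted password for dave from 10.0.0.12 port 40000 ssh2
"""

TS = r"\w{3}\s+\d+ [\d:]+"  # syslog timestamp, e.g. "Nov 27 20:01:12"
SUDO_RE = re.compile(rf"^{TS} (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*USER=root ;.*COMMAND=(?P<cmd>.*)$")
SU_RE = re.compile(rf"^{TS} (?P<host>\S+) su\[\d+\]: Successful su for root by (?P<user>\S+)$")
SSH_RE = re.compile(rf"^{TS} (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")


def root_access_events(lines):
    """Return one record per root access (sudo to root, su to root, direct root ssh login)."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        m = SUDO_RE.match(line)
        if m:
            events.append({"host": m["host"], "user": m["user"], "kind": "sudo", "detail": m["cmd"]})
            continue
        m = SU_RE.match(line)
        if m:
            events.append({"host": m["host"], "user": m["user"], "kind": "su", "detail": ""})
            continue
        m = SSH_RE.match(line)
        if m:
            # Direct root logins over ssh are always worth a look on a login machine.
            events.append({"host": m["host"], "user": "root", "kind": "ssh", "detail": m["src"]})
    return events


def review(events, max_per_host=2):
    """Summarise root accesses per host and flag hosts above the baseline (threshold is an assumption)."""
    per_host = defaultdict(int)
    direct_root_logins = []
    for e in events:
        per_host[e["host"]] += 1
        if e["kind"] == "ssh":
            direct_root_logins.append(e)
    flagged = sorted(h for h, n in per_host.items() if n > max_per_host)
    return {"per_host": dict(per_host), "flagged": flagged, "direct_root_logins": direct_root_logins}


if __name__ == "__main__":
    # Usage: python root_access_check.py [/var/log/auth.log]; with no argument the sample is used.
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    result = review(root_access_events(lines))
    for host, n in sorted(result["per_host"].items()):
        print(f"{host}: {n} root access(es){' <-- above baseline' if host in result['flagged'] else ''}")
    for e in result["direct_root_logins"]:
        print(f"direct root ssh login on {e['host']} from {e['detail']}")
```

The per-host baseline is the useful knob: on login machines where sudo is rarely used, a burst of root sessions, or any direct root ssh login at all, is the signal the wiki entry describes. When a host is flagged, the same events give you the user list and commands to pull when checking "what they were able to do on other machines".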
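For the NFS root image scenario, "How to detect: Tripwire" means a file-integrity baseline of the image compared against its current state. The following added example (not from the original page and not Tripwire itself) shows the core of that check in Python: build a manifest of hashes, modes and sizes for every regular file under an image root, then diff a later manifest against it to list added, removed and modified files. The demo builds a small constructed image tree in a temporary directory and tampers with it; the file names are invented.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Record sha256, permission bits and size of every regular file under root, keyed by relative path."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks explicitly: is_file() would follow them and hash the target instead.
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        manifest[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": oct(st.st_mode & 0o7777),  # includes setuid/setgid/sticky bits
            "size": st.st_size,
        }
    return manifest


def compare(baseline, current):
    """Diff two manifests. A changed hash, mode or size counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed demonstration: baseline a fake login root image, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        image = Path(d)
        (image / "bin").mkdir()
        (image / "bin" / "ls").write_bytes(b"original ls binary")
        (image / "etc").mkdir()
        (image / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        baseline = build_manifest(image)
        # The baseline must be stored off the image (read-only or signed); an attacker who can
        # rewrite the image can rewrite a manifest kept alongside it.
        baseline_json = json.dumps(baseline, sort_keys=True)

        # Tampering: trojaned ls, a new setuid helper, and a removed config file.
        (image / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (image / "bin" / ".helper").write_bytes(b"backdoor")
        os.chmod(image / "bin" / ".helper", 0o4755)
        (image / "etc" / "passwd").unlink()

        return compare(json.loads(baseline_json), build_manifest(image))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against a real image, the baseline would be taken right after the image is built from known-good packages and kept somewhere the image server cannot write; a non-empty `modified` or `added` list on the next run is the cue to rebuild or restore from backup, as the entry's "Solution" line says.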
Fixed problems
- Credit to sle from OCF: possible race condition in cgi-wrapper and php-wrapper; the chdir needs to be performed after dropping privileges
- Kerberos security holes that need to be patched urgently
  - krb5-admin-server: up to date on zeus and that's all we need to worry about in terms of major major exploits at the moment --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
  - linux-2.6: CVE-2007-4571 and CVE-2007-4573 - local privilege escalation vulnerabilities, extremely serious on amd64. Working on backporting a fix and getting it compiled by hephaestus. --Elizabeth@ugcs.caltech.edu 05:56, 26 September 2007 (PDT)
    - Fixed by installing the Debian linux-2.6.18-5-dpkg package (forget when). --Joshua
- CVE-2007-4995 OpenSSL vulnerability - need to upgrade all core servers
  - Note: Debian's automated install does NOT auto-restart impacted services, so an lsof is needed to check for 'path inode' values indicating use of the replaced library
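The cgi-wrapper/php-wrapper item above is about ordering: if a setuid wrapper changes into a user-supplied directory while still privileged and only then drops to the user's uid, the traversal of that path is checked with root's permissions rather than the user's, and a symlink swapped in between the two steps can point the privileged chdir somewhere the user could not otherwise reach. The following is an added illustration in Python (not the OCF wrappers, which are C programs, and not UGCS code) of the corrected order: drop supplementary groups, gid and uid first, verify the drop took effect, and only then chdir. The demo function calls it with the current user's own ids so that it runs unprivileged; that and the temporary directory are constructed for the demonstration.

```python
import os
import tempfile


def drop_privileges_then_chdir(uid, gid, directory):
    """Drop to uid/gid, confirm the drop, then chdir so the path is resolved with the user's rights.

    Returns the working directory after the change.
    """
    if os.geteuid() == 0:
        # Supplementary groups inherited from root must go too, or the process keeps group access.
        os.setgroups([])
    # setgid before setuid: once we are no longer root, setgid to another group would fail.
    os.setgid(gid)
    os.setuid(uid)
    # Never assume the calls worked; a partial drop is worse than an obvious failure.
    if os.getuid() != uid or os.geteuid() != uid or os.getgid() != gid or os.getegid() != gid:
        raise RuntimeError("privilege drop did not take effect")
    # Only now touch the user-controlled path. A symlink race here can at most lead the process
    # into a directory this user is already allowed to enter.
    os.chdir(directory)
    return os.getcwd()


def demo():
    """Run the safe sequence as the current (unprivileged) user and report whether cwd matches."""
    original = os.getcwd()
    with tempfile.TemporaryDirectory() as d:  # constructed target directory
        try:
            cwd = drop_privileges_then_chdir(os.getuid(), os.getgid(), d)
            return os.path.samefile(cwd, d)
        finally:
            os.chdir(original)


if __name__ == "__main__":
    print("chdir after privilege drop:", "ok" if demo() else "mismatch")
```

The same ordering applies to any other path-dependent call the wrapper makes (open, stat, exec of the script): do them after the drop, and if a check on the path is needed, do it on the already-open file descriptor rather than re-resolving the path name.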
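The OpenSSL note above says which check to run after the upgrade but not how to read its output. As an added example (not from the original page), the script below parses `lsof -n` output and lists every process still mapping a library whose on-disk file has since been replaced or deleted, so you know exactly which services to restart. The lsof lines are constructed for the demonstration; the exact annotation lsof prints (`(deleted)` or `(path inode=N)`) varies by lsof version and is an assumption here, as are the process names and paths.

```python
import re
import subprocess
import sys

# Constructed lsof -n output (not captured from a real host). Column order is
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME. A NAME annotated with
# "(path inode=N)" or "(deleted)" means the mapped file no longer matches what is on disk.
SAMPLE_LSOF = """\
COMMAND   PID     USER FD  TYPE DEVICE SIZE/OFF  NODE NAME
slapd    1234 openldap mem  REG    8,1   301056 65541 /usr/lib/libssl.so.0.9.8 (path inode=65998)
slapd    1234 openldap mem  REG    8,1  1200000 65542 /usr/lib/libcrypto.so.0.9.8 (path inode=65999)
apache2  2211 www-data mem  REG    8,1   301056 65998 /usr/lib/libssl.so.0.9.8
sshd      987     root mem  REG    8,1    45000 12345 /lib/libz.so.1 (deleted)
"""

STALE_RE = re.compile(r"\((deleted|path inode=\d+)\)\s*$")


def stale_library_users(lsof_text):
    """Map pid -> {command, libraries} for processes holding replaced or deleted files open."""
    stale = {}
    for line in lsof_text.splitlines():
        if line.startswith("COMMAND") or not STALE_RE.search(line):
            continue
        fields = line.split()
        command, pid = fields[0], int(fields[1])
        # NAME is the first whitespace-separated token that looks like an absolute path.
        path = next(f for f in fields if f.startswith("/"))
        entry = stale.setdefault(pid, {"command": command, "libraries": []})
        entry["libraries"].append(path)
    return stale


def restart_list(stale, pattern="libssl|libcrypto"):
    """Narrow the stale set to processes mapping libraries matching pattern (default: OpenSSL)."""
    lib_re = re.compile(pattern)
    return sorted(pid for pid, e in stale.items() if any(lib_re.search(p) for p in e["libraries"]))


if __name__ == "__main__":
    # With --live, run lsof on this host (needs root to see other users' processes); otherwise use the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["lsof", "-n"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_LSOF
    stale = stale_library_users(text)
    for pid in restart_list(stale):
        print(f"restart {stale[pid]['command']} (pid {pid}): {', '.join(stale[pid]['libraries'])}")
```

In the sample, apache2 already maps the new libssl (its NODE matches the inode the slapd lines point at) and needs nothing, while slapd is still running the vulnerable copy; sshd shows up as stale for an unrelated deleted library and is excluded by the default OpenSSL pattern. `restart_list` is what you would feed into the service restarts on each core server after the package upgrade.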
Policies
Password Resets
- If they have access to an email account that's in their mailAlternateAddress, send them a randomized password (md5sum'ing random stuff)
- If they have a phone number in LDAP, and we can call them on that, use it
- Use their ssh public key to encrypt the password if an ssh key is available
- If these fail, and their full name is listed on the UGCS account, confirm records with the Alumni Assoc.