
6. Security and NFS

I am by no means an expert on computer security. But I can give a few small pieces of advice to those who are concerned about security. With one caveat, though: what follows is in no way a complete list of the problems related to NFS, and if you think you are secure once you have read and implemented everything here, I have a bridge to sell you. (Translator's note: he means a network "bridge".)

This section is obviously of no interest to you if you have a closed network in which you trust all the users and no untrusted person can get access to the machines on the network. That is, there is no way to dial in to your network, and there is no connection to other networks where you do not trust every user, or the security of the network. Do you think I am paranoid? Not at all. The above is just basic security advice. And remember, what I write here is only the beginning of that advice. A secure network needs a careful and knowledgeable sysadmin who knows where to find information on dealing with current and potential problems.

NFS has one basic problem: the client (unless told to behave otherwise) trusts the NFS server, and vice versa. This can turn out badly: it means that if the server's root account is compromised, it is fairly easy to compromise the client's root account as well, and vice versa. There are a couple of ways to counter this, which we will come back to.

Something you should read is the CERT advisories (translator's note: a site about Internet security, www.cert.org) on NFS. Most of the text below deals with issues on which CERT has written advisories. See ftp.cert.org:/01-README for an up-to-date list of CERT advisories. Here are a few of those advisories that relate to NFS:


CA-91:21.SunOS.NFS.Jumbo.and.fsirand                            12/06/91
     Vulnerabilities concerning Sun Microsystems, Inc. (Sun) Network
     File System (NFS) and the fsirand program.  These vulnerabilities
     affect SunOS versions 4.1.1, 4.1, and 4.0.3 on all architectures.
     Patches are available for SunOS 4.1.1.  An initial patch for SunOS
     4.1 NFS is also available. Sun will be providing complete patches
     for SunOS 4.1 and SunOS 4.0.3 at a later date.

CA-94:15.NFS.Vulnerabilities                                    12/19/94
     This advisory describes security measures to guard against several
     vulnerabilities in the Network File System (NFS). The advisory was
     prompted by an increase in root compromises by intruders using tools
     to exploit the vulnerabilities.

CA-96.08.pcnfsd                                                 04/18/96
     This advisory describes a vulnerability in the pcnfsd program (also
     known as rpc.pcnfsd). A patch is included.

6.1 Client security

On the client, we can decide in a couple of ways (and with the corresponding mount options) that we do not trust the server very much. For example, we can forbid suid programs from working off the NFS filesystem with the nosuid option. (This is a good idea, and you should do the same with all disks mounted over NFS.) It means that the server's root user cannot place a suid-root program on the filesystem, log in to the client as an ordinary user, and then use that suid-root program to become root on the client as well. We could also forbid the execution of files on the mounted filesystem altogether with the noexec option. But this is probably not practical, since a filesystem most likely contains at least a few scripts or programs that need to run. These options go in the options column together with rsize and wsize, separated by commas.

6.2 Server security: nfsd

On the server, we can decide that we do not trust the client's root account. Consequently, we can use the root_squash option in exports:


/mn/eris/local apollon(rw,root_squash)

Now, if a user with user ID 0 on the client tries to access (read, write, delete) the filesystem, the server substitutes the user's UID with that of the server's "nobody" account. This means the client's root user cannot see or change files that only the server's root can. This is good, and you should probably use root_squash on all the filesystems you export. "But the root user on the client can still use the su command to become any other user, and so can see and change their files!" you say. To which the answer is: yes, that is exactly how it is, and how it has to be with Unix and NFS. This does, however, have one important consequence: all important binaries and files in general must be owned by root, not by bin or any other non-root account, since the only account the client's root user cannot get at is the server's root account. The nfsd man page lists many other squash options, so you can decide for yourself which (not) to trust on the clients. You are also given options to squash any set of UIDs and GIDs you wish. All of this is described in the Linux nfsd man page.

In fact, root_squash is the default with the Linux nfsd. To give root access to a filesystem, use no_root_squash.

Another important thing is to make sure that nfsd checks that all of its requests come only from a privileged port. If it accepts requests from any port, any user without special privileges can run a program, found somewhere on the Internet, that speaks the nfs protocol and claims the user is whoever they wish to be. Scary! The Linux nfsd does this check by default, but on other operating systems you have to enable the check yourself. How to do so should be described in the nfsd man page of the operating system in question.

One more thing: never export a filesystem to localhost or to 127.0.0.1. Trust me!

6.3 Server security: the portmapper

The basic portmapper, in combination with nfsd, has a design flaw that makes it possible to get at the files on NFS servers without having any privileges. Fortunately, the portmapper used by most Linux distributions is relatively secure against such attacks, and it can be made more secure by setting up access lists in two specific files.

Not all Linux distributions were created equal! Some apparently modern ones do not include a secure portmapper even today, many years after this security hole became common knowledge. At least one other distribution contains the man page for a secure portmapper, but the portmapper itself is not secure. The easy way to check whether your portmapper is secure or not is to run strings(1) and see whether it reads the relevant files /etc/hosts.deny and /etc/hosts.allow. Assuming your portmapper is /usr/sbin/portmap, you can check it with the command: strings /usr/sbin/portmap | grep hosts. On my machine it answers something like this:


/etc/hosts.allow
/etc/hosts.deny
@(#) hosts_ctl.c 1.4 94/12/28 17:42:27
@(#) hosts_access.c 1.20 96/02/11 17:01:27

First we edit the /etc/hosts.deny file. It should contain the line:


portmap: ALL

which will deny access to everyone. While access is closed off in this way, we run rpcinfo -p to check that the portmapper really reads and obeys this file. (rpcinfo should give no output, or possibly an error message.) It should not be necessary to restart the portmapper.

Closing the portmapper to everyone is a very drastic measure. So we open it again by editing the /etc/hosts.allow file. But first we have to work out what to put in it. Basically, it should contain all the machines that should have access to our portmapper. On a typical Linux machine, very few other machines will need access for any reason. The portmapper administers nfsd, mountd, ypbind/ypserv, pcnfsd, and the "r" services such as ruptime and rusers. Of these, only nfsd, mountd, ypbind/ypserv, and perhaps pcnfsd, are of any importance. All the machines that need access to yours should be able to get it. Let's say your machine's address is 129.240.223.254 and that it is connected to the subnet 129.240.223.0, in case some other machine wants access to it. (These terms were introduced in the Networking HOWTO. Go back to it if you need to refresh your memory.) Then we insert the line:


portmap: 129.240.223.0/255.255.255.0

into the hosts.allow file. It is the same as the network address you give to route and the subnet mask you give to ifconfig. For the eth0 device on our machine, ifconfig should show:


...
eth0      Link encap:10Mbps Ethernet  HWaddr 00:60:8C:96:D5:56
          inet addr:129.240.223.254  Bcast:129.240.223.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:360315 errors:0 dropped:0 overruns:0
          TX packets:179274 errors:0 dropped:0 overruns:0
          Interrupt:10 Base address:0x320 
...

and the netstat -rn command should show:


Kernel routing table
Destination     Gateway         Genmask         Flags Metric Ref Use    Iface
...
129.240.223.0   0.0.0.0         255.255.255.0   U     0      0   174412 eth0
...

(The network address is in the first column.)

The hosts.deny and hosts.allow files are described in the man pages of the same names.

IMPORTANT: Do not put anything but IP numbers in the portmap lines of these files. Host name lookups can indirectly cause portmap activity, which will trigger host name lookups, which can indirectly cause portmap activity, which...

The above should make your server more secure. The only (yes, sure!) remaining problem is someone getting in as root on a "trusted" machine (or booting MS-DOS) and using that privilege to send requests from a secure port as whatever user they wish to appear as.
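As an added example (not part of the HOWTO), the following POSIX shell functions carry out the two steps above: they derive the hosts.allow portmap line from the interface address and mask that ifconfig reports (the same network address that route and netstat -rn show), and they check that a portmap line contains nothing but IP numbers, as the warning requires. The address 129.240.223.254 with mask 255.255.255.0 is the one used in the text; the function names are this example's own.

```shell
#!/bin/sh
# Example code, not from the HOWTO: build and check the "portmap:" line
# for /etc/hosts.allow and /etc/hosts.deny.

# network_address IP MASK -> dotted network address (IP AND MASK, per octet),
# i.e. the value ifconfig/route/netstat -rn show as the network of the interface.
network_address() {
    ip=$1 mask=$2
    old_ifs=$IFS
    IFS=.
    set -- $ip
    i1=$1 i2=$2 i3=$3 i4=$4
    set -- $mask
    m1=$1 m2=$2 m3=$3 m4=$4
    IFS=$old_ifs
    echo "$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).$((i4 & m4))"
}

# portmap_allow_line IP MASK -> the NET/MASK line to put in /etc/hosts.allow
portmap_allow_line() {
    echo "portmap: $(network_address "$1" "$2")/$2"
}

# portmap_line_is_numeric LINE -> exit 0 if every client pattern on a
# "portmap:" line is an IP number, a NET/MASK pair or the keyword ALL;
# exit 1 if anything else (e.g. a host name, which would need a lookup) is present.
portmap_line_is_numeric() {
    case $1 in portmap:*) ;; *) return 1 ;; esac
    clients=$(printf '%s' "${1#portmap:}" | tr ',' ' ')
    for c in $clients; do
        case $c in
            ALL) ;;
            *[!0-9./]*) return 1 ;;   # a letter means a host name lookup
        esac
    done
    return 0
}

# Usage as in the text: our machine is 129.240.223.254 on a /24 subnet.
portmap_allow_line 129.240.223.254 255.255.255.0   # portmap: 129.240.223.0/255.255.255.0
```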

6.4 NFS and firewalls

It is a very good idea to firewall the nfs and portmap ports on your router or firewall. nfsd operates on port 2049, over both udp and tcp. The portmapper operates on port 111 (tcp and udp), and mountd on ports 745 and 747 (tcp and udp). Normally. Of course, you should check the ports with the rpcinfo -p command.

If, on the other hand, you want NFS to pass through a firewall, there are options in newer nfsds and mountds that make them use a specific (though non-standard) port, which can be left open in the firewall.

6.5 Summary

If you use hosts.allow/deny, root_squash, nosuid, and the various privileged port features of the portmapper/nfs software, you will avoid many of the currently known bugs in nfs and can feel almost secure about at least those. But even after all this: once an intruder has access to your network, they can make strange commands appear in your .forward, or read your mail, when /home or /var/spool/mail is exported over NFS. For the same reason, you should never give access to your private PGP key over nfs. Or, at least, you should be aware of the risk such an act entails. And now you already know one side of that risk!

NFS and the portmapper make up a complex subsystem, and so it is not entirely unlikely that new bugs will be discovered, either in the basic design or in the implementation of the system we use. There may even be security holes that are already known today and that someone is exploiting with ill intent. But that's life! To keep yourself at a safe distance from such things, you should at least read the newsgroups comp.os.linux.announce and comp.security.announce, as the very least you can do.

