LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 06-15-2011, 02:03 PM   #31
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582

Quote:
Originally Posted by softwarelabus View Post
It's been about a decade since I was an admin on Linux.
Some of the members that frequent this forum spend most of their time performing incident response. Those who did, and some have done that the past decade here at Linuxquestions.org, have found themselves confronted with a wide variety of breaches of security and a changing threat-scape. Based on their personal knowledge and practical experience with auditing and solving security whodunits those members may post advice or solutions that go well beyond what a member may ask for in his or her OP. And I trust win32sux and Hangdog42 to give quality security advice.

Now, because you keep focusing on one minor aspect could it be that (since you have been away for that long) you no longer possess a good view on Linux security (as in threats, hardening and auditing)? Sure checking hashes is a standard part of auditing server security but it is just one aspect (and some of the things you're talking about like servers-stored hash databases and binary, configuration file and database encryption are already done: see Samhain). Could it be you do not actually know what kind of threats you will be dealing with and their common solutions?
 
1 members found this post helpful.
Old 06-15-2011, 03:07 PM   #32
softwarelabus
LQ Newbie
 
Registered: Jun 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Some of the members that frequent this forum spend most of their time performing incident response. Those who did, and some have done that the past decade here at Linuxquestions.org, have found themselves confronted with a wide variety of breaches of security and a changing threat-scape. Based on their personal knowledge and practical experience with auditing and solving security whodunits those members may post advice or solutions that go well beyond what a member may ask for in his or her OP. And I trust win32sux and Hangdog42 to give quality security advice.

Now, because you keep focusing on one minor aspect could it be that (since you have been away for that long) you no longer possess a good view on Linux security (as in threats, hardening and auditing)? Sure checking hashes is a standard part of auditing server security but it is just one aspect (and some of the things you're talking about like servers-stored hash databases and binary, configuration file and database encryption are already done: see Samhain). Could it be you do not actually know what kind of threats you will be dealing with and their common solutions?
Of course. Again, I'm talking about *adding* security, not replacing it. That being said, win32sux and Hangdog42 have not pointed out any vulnerabilities in my method.
 
0 members found this post helpful.
Old 06-15-2011, 03:44 PM   #33
softwarelabus
LQ Newbie
 
Registered: Jun 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
[snip]
but it is just one aspect (and some of the things you're talking about like servers-stored hash databases and binary, configuration file and database encryption are already done: see Samhain).[snip]
No, it's entirely different concept. I keep pointing out that's open-source code, while the entire point of my script is that it would be custom and undisclosed code.



Quote:
Originally Posted by unSpawn View Post
Could it be you do not actually know what kind of threats you will be dealing with and their common solutions?
I probably know a lot more than you might think I know. It's been a long time since doing SA work, but as a software engineer, website developer and owner of numerous websites for over a decade I've dealt with Internet security. When two guys start telling people that adding a simple checksum script that merely checks for file changes is going to decrease my security is when I know something odd is happening.

I'm still waiting to see the vulnerabilities in my script idea.
 
0 members found this post helpful.
Old 06-15-2011, 04:23 PM   #34
Peufelon
Member
 
Registered: Jul 2005
Posts: 164
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
by all means point out the vulnerability in my script idea.
I don't know anything about cybersecurity except what I read in the IT news and a few books, so I'm perfectly suited to ask stupid questions.

Quote:
a simple script to scan the entire linux server to obtain some file checksums, perhaps a checksum for each major root folder
Tripwire (for example) does that and much more (agreed?), so your custom script will check up on what Tripwire finds? Is that the idea?

Quote:
Files that change a lot such as log files wouldn't be scanned.
You can configure tripwire to ignore log files. Everyone should tail their log files, and look over the suitably filtered entries, independently of running an IDS.

Quote:
which folders are best to scan? No answers yet
You could take a look at what Tripwire does; that should give you plenty of ideas.

Quote:
The reasoning behind (bipartite checksums) is just in case a hacker decides to add some useless bytes to a file so that the file checksum does not change.
Wouldn't a better idea be to use multiple "integrity hashes" such as SHA-256 and some others, for each file? It seems to me that this would be more likely to detect an attempt to change the file but not the checksum.

Quote:
another idea is to upload it every time before using it just to make sure it was not edited.
Yes, you don't want your database to be accessible in your server to the hypothetical cracker who gets into your server.

Another possibility would be to encrypt it, using a passphrase not stored on the server in any form, which you manually type in each time you run the script. (If your intent is the check the integrity checker, say Tripwire, you might as well let Tripwire run daily and only run your custom script when you feel squirrelly.)

Quote:
This is an attempt to know if the os is ever hacked.
You are not trying to detect loadable kernel module trojans, correct?

Strictly speaking, wouldn't it be more correct to say that you are trying to detect possible replacements of executable files with maliciously modified variants? And that the kind of intrusion you envision probably attacks vulnerable unpatched applications, rather than the Linux kernel?

Quote:
if I can find a bad academic scientist or one that made a single major mistake, then by your reasoning it means academic science itself is bad. Custom undisclosed code is a major advantage in that it prevents hackers from analyzing the code.
I think the point is that goofs in open source code are far more likely to be noticed and brought to the attention of the author. In the nicest possible way. Goofs in closed source code are likely to be noticed only long after the cracker has come in and exfiltrated the good stuff.

Quote:
this thread could be riddled with hackers.
Pet peeve: since when do we computer enthusiasts let the mass media get away with the incorrect substitution of "hacker" for "cracker"?

A hacker is someone who can quickly put together an elegant program which works as designed. (The term is ironic, because it refers to good work, not hack work.) A cracker is someone who cracks open servers. Analogous to a safecracker.

Quote:
I also think the *probability* of hackers trying to hit the forums to deter people from doing this is relatively high.
Yes, the already mentioned HBGary scandal confirmed what many had long suspected, that low level operatives of the Surveillance State (and probably, Microsoft and some other companies which can't decide whether they want to kill Linux or buy it) employ "astroturfing" software to skew discussion in places like LQ in the directions they prefer. Or to spread FUD in an attempt to disrupt innovations which threaten their interests. So wise LQ readers expect to see some "probable astroturfing", and try not to take offense if they are sometimes suspected of same.
 
Old 06-15-2011, 04:43 PM   #35
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 418Reputation: 418Reputation: 418Reputation: 418Reputation: 418
Quote:
Originally Posted by Peufelon
Yes, the already mentioned HBGary scandal confirmed what many had long suspected, that low level operatives of the Surveillance State (and probably, Microsoft and some other companies which can't decide whether they want to kill Linux or buy it) employ "astroturfing" software to skew discussion in places like LQ in the directions they prefer. Or to spread FUD in an attempt to disrupt innovations which threaten their interests. So wise LQ readers expect to see some "probable astroturfing", and try not to take offense if they are sometimes suspected of same.
Excuse me? Are you accusing LQ members of deliberately misinforming people about security practices?
 
1 members found this post helpful.
Old 06-15-2011, 04:50 PM   #36
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by softwarelabus View Post
I probably know a lot more than you might think I know.
Do realize that I don't deal with hearsay, assumptions or fiction: I only deal with facts. I can only determine what you know by what you show evidence of.

These days the majority of compromises no longer happens due to rootkits but through the web stack, as evidenced by the myriad of flaws in (commonly PHP-based) applications caused by RFI, LFI, database injections and such. These vectors of attack may lead to situations where you will not be able to generate hashes or where hashing makes no sense, where generating hashes lead to too many false positives or where there may be no actual hash mismatches. Before-the-fact ops like hardening and detection provide a smaller attack surface and early warning / mitigation capabilities and as such the main problem with checking hashes is it is an after-the-fact op which, if you do not question trustworthiness of the kernel or userland utilities you use for checking hashes, could lead to "interesting" results. Any (pseudo) code or anything showing you already paid attention to all of that and how you countered it could turn this discussion into something more meaningful slash interesting IMHO.
 
1 members found this post helpful.
Old 06-15-2011, 05:02 PM   #37
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by Peufelon View Post
Yes, the already mentioned HBGary scandal confirmed what many had long suspected, that low level operatives of the Surveillance State (and probably, Microsoft and some other companies which can't decide whether they want to kill Linux or buy it) employ "astroturfing" software to skew discussion in places like LQ in the directions they prefer. Or to spread FUD in an attempt to disrupt innovations which threaten their interests. So wise LQ readers expect to see some "probable astroturfing", and try not to take offense if they are sometimes suspected of same.
Unless you are able to back up anything with well-vetted references as moderator I strongly suggest you refrain from posting anything about "the Surveillance State" or any claims about "astroturfing software to skew discussion" in this forum. Feel free to discuss this with me via the use of email, TIA.
 
1 members found this post helpful.
Old 06-16-2011, 07:17 AM   #38
softwarelabus
LQ Newbie
 
Registered: Jun 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Peufelon View Post
I think the point is that goofs in open source code are far more likely to be noticed and brought to the attention of the author.
I've never seen a study on that. So it's unknown.

Regarding commercial software, it all depends on the hiring team, how picky they are in selecting their team, the software engineers, managers. Two identical software engineers, both who equally love the project they're on, where one gets paid handsomely, and other does it for free at his or her own schedule, logic dictates that the paid coder will produce higher quality code. That's just pure logic. Sure, some open source projects have a truckload of coders, but when given a good choice from both sides, I would take quality over quantity any day. More coders equates to more mistakes and crappier code.

I believe the future of open-source will be in improving the process of obtaining higher quality. They need to be far more selective in who pick to be on the team. If I owned a popular open-source project, I would be ridiculously selective. Maybe that's why FreeBSD does good work, e.g., quality over quantity. My open source project would be my way, or the highway. Then again, that's probably why my open-source project would be a ghost town, lol. So long as we live in a capitalistic society, I'm sorry to say that my preference / 1st-pick is commercial. Most of the products I use are commercial products. Don't get me wrong, I absolutely love the concept of open-source. Hey, if I ever become financially free, I'll try my best to support open-source. One requirement is that every coder must also be financially free. Doesn't hurt to dream.
 
0 members found this post helpful.
Old 06-16-2011, 08:03 AM   #39
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 418Reputation: 418Reputation: 418Reputation: 418Reputation: 418
Quote:
Originally Posted by softwarelabus
Regarding commercial software, it all depends on the hiring team, how picky they are in selecting their team, the software engineers, managers. Two identical software engineers, both who equally love the project they're on, where one gets paid handsomely, and other does it for free at his or her own schedule, logic dictates that the paid coder will produce higher quality code.
What makes you think that open source programmers aren't paid? Do a little googling and you'll find that there are legions of paid open source programmers. From companies like IBM, HP, Red Hat and many others. You keep asserting that paid = quality. Personally, I'd like to see some data on that because in my professional experience, that certainly has been far from a hard and fast rule. I've seen talented, paid programmers produce crap. Sometimes it is because they don't understand the target market, sometimes it is because they've become enamored of a truly bad idea. For example, Adobe has had a lengthy series of security headaches because some bozo decided that it was a good idea to allow a pdf reader to execute embedded code. And I'm sure ActiveX was well coded. Didn't stop it from being a security nightmare though.

Also, you seem to assume that money is the only driver. If you actually look at open source projects like Apache, you'll see that the participants realized very early on that the mechanism they used to serve web pages was simply not a competitive advantage. However, by joining an open source community, they got to greatly leverage their investment and ended up with a superior, and less expensive, product than they would have had access to otherwise. In other words, in many instances, open source make sound business sense in that it allows you to cut costs and focus on your true competitive advantages. Sounds like basic capitalism to me. And as the owner of a small business, I can say from personal experience that use of open source software has allowed us to explore areas that would have been prohibitively expensive with commercial software. This means we are a better, more productive business because we didn't buy into the idea that commercial is always better.

Quote:
More coders equates to more mistakes and crappier code.
Or perhaps a more likely explanation is that the management of said coders is incompetent.

But this is digressing to a huge degree from the point of this thread. You asked for advice on your security approach and you got it. However, your recent posts indicate that you don't seem to feel that way, so let me summarize my opinion on your approach:

In and of itself, it probably doesn't increase your security risk. However, it appears to me to be a flawed approach that will lead to a false sense of security, and therefore a higher likelihood that you will be compromised and not know it. In particular:

- Your approach relies on a single algorithm known to be flawed. Interestingly, this algorithm and its Linux implementation are open source, and by your own criteria are therefore completely unsecure.

- Your approach is completely redundant with known high-quality software that has been in active use for years. Which is more secure, newly written untested software or battle tested software?

- Your approach (namely the random file-splitting aspect) is overly complex and will be completely dependent on maintaining a large data set of known good values. In my opinion, the larger the reference data set needs to be, the more open it is to errors that could result in security breaches. Furthermore, there is no indication that you have a process to verify the integrity of any reference data set. In other words, you've got a referential problem here. In order for this approach (or any like it) to work, there has to be a known good state. And in your case, if the crackers fool the known good state, you have no other way of detecting it.

So there you have it, I think your approach is flawed. It might not open any new avenues of attack, but it certainly isn't increasing security.
 
1 members found this post helpful.
Old 06-16-2011, 09:31 AM   #40
softwarelabus
LQ Newbie
 
Registered: Jun 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Hangdog42 View Post
What makes you think that open source programmers aren't paid? Do a little googling and you'll find that there are legions of paid open source programmers. From companies like IBM, HP, Red Hat and many others. You keep asserting that paid = quality. Personally, I'd like to see some data on that because in my professional experience, that certainly has been far from a hard and fast rule. I've seen talented, paid programmers produce crap. Sometimes it is because they don't understand the target market, sometimes it is because they've become enamored of a truly bad idea.
You're twisting the truth. If you believe most open-source coders get paid money, then you're sadly mistaken.



Quote:
Originally Posted by Hangdog42 View Post
For example, Adobe has had a lengthy series of security headaches because some bozo decided that it was a good idea to allow a pdf reader to execute embedded code. And I'm sure ActiveX was well coded. Didn't stop it from being a security nightmare though.
There you go again with your biased cherry picking. If you're going to bring in specific examples, then be a bit unbiased, and scientific.



Quote:
Originally Posted by Hangdog42 View Post
However, your recent posts indicate that you don't seem to feel that way, so let me summarize my opinion on your approach:

In and of itself, it probably doesn't increase your security risk. However, it appears to me to be a flawed approach that will lead to a false sense of security, and therefore a higher likelihood that you will be compromised and not know it.
Incorrect. Don't pretend to know me. I've already stated you are wrong about me.


Quote:
Originally Posted by Hangdog42 View Post
In particular:

- Your approach relies on a single algorithm known to be flawed. Interestingly, this algorithm and its Linux implementation are open source, and by your own criteria are therefore completely unsecure.
Wrong. First, I never said I would or would not use cksum. It take me about 30 minutes >at most< to write my own cksum in c++. Even if I used cksum, I see no sufficient reasons to not trust it. Second, I said from the start of this thread that I'll randomly split the files in multiple checksums to overcome the possibility of a hacker trying to outsmart checksums.



Quote:
Originally Posted by Hangdog42 View Post
- Your approach is completely redundant with known high-quality software that has been in active use for years. Which is more secure, newly written untested software or battle tested software?
Again you refuse to acknowledge what I've said repeatedly, that the difference is my code is undisclosed.


Quote:
Originally Posted by Hangdog42 View Post
- Your approach (namely the random file-splitting aspect) is overly complex and will be completely dependent on maintaining a large data set of known good values.
Put your $ where your mouth is. I'll conduct a legal bet with anyone that I could write such effective code in one day. The code is extremely easy. I'll be writing it within a few weeks.



Quote:
Originally Posted by Hangdog42 View Post
Furthermore, there is no indication that you have a process to verify the integrity of any reference data set. In other words, you've got a referential problem here. In order for this approach (or any like it) to work, there has to be a known good state. And in your case, if the crackers fool the known good state, you have no other way of detecting it.
The known is to keep the OS in it's original state.



Quote:
Originally Posted by Hangdog42 View Post
So there you have it, I think your approach is flawed. It might not open any new avenues of attack, but it certainly isn't increasing security.
Ah, I see. You say it "certainly" isn't secure, lol. Says you.

Last edited by softwarelabus; 06-16-2011 at 09:36 AM.
 
0 members found this post helpful.
Old 06-16-2011, 09:47 AM   #41
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651
Quote:
Originally Posted by softwarelabus View Post
Hi,

Sorry if this is a trivial question. It's been about a decade since I was an admin on Linux. I wanted to write a simple script to scan the entire linux server to obtain some file checksums, perhaps a checksum for each major root folder. This will be a web & email server. This is an attempt to know if the os is ever hacked. Any recommendations as to which folders and file types should be included in the checksum scans?

One possibility is to double the checksums. For example, checksum #1 would consist of checksums for the 1st half of each file, while checksum #2 would consist of checksums for the 2nd half of the files. IOW, checksum #1 would sum the total bytes for the first half a each file. The reasoning behind this is just in case a hacker decides to add some useless bytes to a file so that the file checksum does not change. Thus, splitting the checksum per file would detect such attempts. That's just a basic outline. I would not do an exact 50% - 50% split. One day it might 30% - 70%, the next day it could be 51% - 49%, etc.

Thanks for any input and help.
Really, you should have IDP/IDS in place to know that someone has accessed your system. Use auditing, traffic monitoring, firewalls, logging, alerting etc...

The "scan it every so often" idea might work... but at what cost? If you scan it every hour, then someone could have already been in your system for 59 minutes. If you scan every 5 minutes you will kill your performance.

To me, its better to watch the gates and doors than spend time to count the money every 5 minutes.
 
1 members found this post helpful.
Old 06-16-2011, 09:49 AM   #42
softwarelabus
LQ Newbie
 
Registered: Jun 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Hangdog42 View Post
What makes you think that open source programmers aren't paid? Do a little googling and you'll find that there are legions of paid open source programmers.
Seems like a contradiction since the very definition of open-source means it must be free:

http://www.opensource.org/docs/osd

BTW, this forum uses vbulletin, correct? Vbulletin is not open-sourced, and is a commercial product. If true, then why are you here? ;-) ... Just playing with you.

Interesting discussion on the topic:
https://www.vbulletin.com/forum/arch...p/t-65504.html


http://en.wikipedia.org/wiki/VBulletin
Quote, first line of the wiki page, "vBulletin (vB) is a commercial Internet forum software produced by Jelsoft Enterprises and vBulletin Solutions, both subsidiaries of Internet Brands."
 
0 members found this post helpful.
Old 06-16-2011, 09:54 AM   #43
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651
Quote:
Originally Posted by softwarelabus View Post
Seems like a contradiction since the very definition of open-source means it must be free.
I generally stay out of arguments that are of little help to anyone. But I must point out that this quote is a false statement.

If you don't understand what you are talking about, then you shouldn't be talking about it. It can be misleading for someone else looking for correct answers.

Last edited by szboardstretcher; 06-16-2011 at 09:55 AM.
 
Old 06-16-2011, 10:01 AM   #44
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864Reputation: 4864
Quote:
Originally Posted by softwarelabus View Post
Seems like a contradiction since the very definition of open-source means it must be free:

http://www.opensource.org/docs/osd
And who says that companies that pay people to work on open source software can't release that software as open source? MySQL is developed by a company, but open source, AMD has paid programmers for the radeon-drivers, also open source. And there are many more. No contradiction here.
 
Old 06-16-2011, 10:12 AM   #45
softwarelabus
LQ Newbie
 
Registered: Jun 2011
Posts: 27

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TobiSGD View Post
And who says that companies that pay people to work on open source software can't release that software as open source? MySQL is developed by a company, but open source, AMD has paid programmers for the radeon-drivers, also open source. And there are many more. No contradiction here.
An individual can define a word, e.g., open source, as they wish, but that doesn't change the standard definition. It appears that the standard definition of open-source is that it must be free. Sounds silly to me, but I'm just saying.

I just checked another source, dictionary.com. The first & top most definition is,

"o·pen-source"
"Computers . pertaining to or denoting software whose source code is available free of charge to the public to use, copy, modify, sublicense, or distribute"
http://dictionary.reference.com/browse/open-source
 
0 members found this post helpful.
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Checksum 4 Slackware download - what type of checksum is this. Earnest Lux Linux - Newbie 1 02-02-2008 08:02 PM
checksum juanb Linux - Newbie 1 08-12-2004 03:40 AM
Checksum wonderpun Linux - General 1 08-28-2002 05:04 PM
Checksum? frkstein Linux - General 1 05-04-2002 02:03 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:31 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration