Author: Benjamin D. Thomas
week, advisories were released for Xsco, OpenSSL, uudecode, samba, sox,
phpMyAdmin and wv. The distributors include SCO Group, Conectiva,
Gentoo, Mandrake, Red Hat.
Using Pam
Pluggable Authentication Modules is a method for authenticating
users. Using PAM, programmers can provide a more easy and
versatile means of performing authentication functions. The
ability to change from basic password authentication to the use of
smart cards or even biometrics can be changed without having to
recompile programs or require serious modifications.
Additionally, PAM can be used to modify the terms of access by users as
well as system resources.
Just a few of the things you can do with PAM
- Use
a different encryption method for passwords such as MD5, making them
harder to brute force decode; - Set
resource limits on all your users so they can’t perform denial of
service attacks (number of processes, amount of memory, etc) - Enable
shadow passwords on the fly - Allow
specific users to login only at specific times from specific places
Within
a few hours of installing and configuring your system, you can
prevent many attacks before they even occur. For example, use PAM to
disable the system-wide usage of .rhosts files in user’s home
directories by adding these lines to /etc/pam.d/login:
#
# Disable
rsh/rlogin/rexec for users
#
login auth required
pam_rhosts_auth.so no_rhosts
Set filesystem limits instead of allowing unlimited as is the
default. You can control the per-user limits using the resource-
limits PAM module and /etc/pam.d/limits.conf. For example, limits for
group ‘users’ might look like this:
@users hard core 0
@users hard nproc 50
@users hard rss
5000
This says to limit the creation of core files to zero bytes, restrict
the number of processes to 50, and restrict memory usage per user to 5
Meg.
The Linux-PAM System Administrators’ Guide is a “draft” document that
describes the usage of the default PAM modules.
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
Keep in mind that there is the potential to create a situation whereby
even root doesn’t have access to the system, creating all kinds of
configuration headaches. Use caution.
Security
Tip Written by Dave Wreski (dave@guardiandigital.com)
Additional
tips are available at the following URL:
http://www.linuxsecurity.com/tips/
—–
LinuxSecurity
Feature Extras:
An
Interview with Gary McGraw, Co-author of Exploiting Software: How to
Break Code – Gary McGraw is perhaps best known for his groundbreaking
work on securing software, having co-authored the classic Building
Secure Software (Addison-Wesley, 2002). More recently, he has
co-written with Greg Hoglund a companion volume, Exploiting Software,
which details software security from the vantage point of the other
side, the attacker. He has graciously agreed to share some of his
insights with all of us at LinuxSecurity.com.
Security
Expert Dave Wreski Discusses Open Source Security – Dave Wreski, CEO of
Guardian Digital, Inc. and respected author of various hardened
security and Linux publications, talks about how Guardian Digital is
changing the face of IT security today. Guardian Digital is perhaps
best known for their hardened Linux solution EnGarde Secure Linux,
touted as the premier secure, open-source platform for its
comprehensive array of general purpose services, such as web, FTP,
email, DNS, IDS, routing, VPN, firewalling, and much more.
[ Linux
Advisory Watch ] – [ Linux Security Week
] – [ PacketStorm
Archive ] – [ Linux
Security Documentation ]
Linux
Advisory
Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.[
Subscribe
]
| Distribution: | SCO Group | ||
| 7/30/2004 | Xsco | ||
| Buffer overflow vulnerability UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that |
|||
| 7/30/2004 | Xsco | ||
| Buffer overflow vulnerability OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow |
|||
| 7/30/2004 | OpenSSL | ||
| Multiple vulnerabilities
This patch addresses a large number of outstanding OpenSSL |
|||
| 7/30/2004 | uudecode | ||
| Insecure tempfile vulnerability If a user uses uudecode to extract data into open shared directories, |
|||
| Distribution: | Conectiva | ||
| 7/30/2004 | samba | ||
| Buffer overflow vulnerabilities Exploitation of these vulnerabilities could lead to execution of |
|||
| 7/30/2004 | sox | ||
| Buffer overflow vulnerabilities Ulf Härnhammar found two buffer overflow vulnerabilities[2] in |
|||
| Distribution: | Gentoo | ||
| 7/30/2004 | samba | ||
| Buffer overflow vulnerabilities Two buffer overflows vulnerabilities were found in Samba, potentially |
|||
| 7/30/2004 | phpMyAdmin | ||
| Multiple vulnerabilities
Multiple vulnerabilities in phpMyAdmin may allow a remote attacker with |
|||
| 7/30/2004 | SoX | ||
| Buffer overflow vulnerabilities By enticing a user to play or convert a specially crafted WAV file an |
|||
| Distribution: | Mandrake | ||
| 7/30/2004 | wv | ||
| Buffer overflow vulnerability iDefense discovered a buffer overflow vulnerability in the wv package |
|||
| 7/30/2004 | OpenOffice.org Multiple vulnerabilities |
||
| Buffer overflow vulnerability These updated packages contain fixes to libneon to correct the several |
|||
| Distribution: | Red Hat | ||
| 7/30/2004 | sox | ||
| Buffer overflow vulnerabilities A malicious WAV file could cause arbitrary code to be executed when the |
|||
| 7/30/2004 | ipsec-tools Key verification vulnerability |
||
| Buffer overflow vulnerabilities When configured to use X.509 certificates to authenticate remote hosts, |
|||
Category:
- Security
