Server security is as important as network security because servers can hold most or all of the organization's vital information. If a server is compromised, all of its contents may become available for the cracker to steal or manipulate at will. There are many ways that a server can be cracked. The following sections detail some of the main issues.
By default, most operating systems install several pieces of commonly used software. Red Hat Linux, for example, can install up to 1200 application and library packages in a single installation. While most server administrators will not opt to install every single package in the distribution, they will install a base installation of packages, including several server applications.
A common occurrence among system administrators is to install an operating system without knowing what is actually being installed. This can be troublesome, as most operating systems will not only install the applications, but also set up a base configuration and turn services on. This can leave unwanted services, such as telnet, DHCP, or DNS, running on a server or workstation without the administrator realizing it, leading to unwanted traffic to the server or even a path into the system for crackers. See Chapter 5 for information on closing ports and disabling unused services.
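The first step in finding services that were switched on without the administrator noticing is to list what is actually accepting connections. The following is an added example, not code from the Red Hat guide: it parses the /proc/net/tcp and /proc/net/udp tables that the kernel exposes (the same data netstat reads) and reports every listening port that is not on an explicit allow list. The sample table contents are constructed, and the address decoding assumes a little-endian host such as x86, where the kernel prints IPv4 addresses as hex in host byte order.

```python
"""Audit listening sockets by parsing /proc/net/tcp and /proc/net/udp.

Added example, not from the Red Hat guide. The sample text below is a
constructed excerpt in the real /proc format; on a live system the same
functions can be fed the contents of /proc/net/tcp and /proc/net/udp.
Assumes a little-endian host (x86), where /proc prints IPv4 addresses
as hex in host byte order."""
import socket
import struct

# Well-known ports for the services the text names (plus a few that often
# ride along with them); anything not listed is reported as "unknown".
SERVICE_NAMES = {21: "ftp", 23: "telnet", 53: "dns", 67: "dhcp",
                 111: "portmap", 2049: "nfs"}

TCP_LISTEN = "0A"   # 'st' column of /proc/net/tcp for a LISTEN socket
UDP_BOUND = "07"    # 'st' column of /proc/net/udp for a bound, unconnected socket


def _decode_addr(hexaddr):
    """'0100007F:0017' -> ('127.0.0.1', 23)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_text, proto):
    """Return sorted (ip, port) pairs from /proc/net/{tcp,udp} text that
    will accept traffic: LISTEN for TCP, bound for UDP. Established
    connections and everything else are ignored."""
    want = TCP_LISTEN if proto == "tcp" else UDP_BOUND
    found = set()
    for line in proc_text.splitlines()[1:]:     # line 0 is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == want:
            found.add(_decode_addr(local_addr))
    return sorted(found)


def unwanted_services(sockets, allowed_ports):
    """Everything listening that the administrator did not explicitly allow."""
    return [(port, SERVICE_NAMES.get(port, "unknown"), ip)
            for ip, port in sockets if port not in allowed_ports]


# Constructed sample: sshd on 22 (wanted), telnet on 23, a DNS server bound
# to localhost, one established ssh connection (state 01, must be skipped),
# and a DHCP server on UDP 67.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c0000000 300 0 0 2 -1
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 c0000000 300 0 0 2 -1
   2: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 c0000000 300 0 0 2 -1
   3: 0A00000A:0016 0B00000A:C000 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 c0000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   4: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1240 2 c0000000
"""


def audit(tcp_text, udp_text, allowed_ports):
    """Combine both tables and keep only the ports nobody asked for."""
    sockets = listening_sockets(tcp_text, "tcp") + listening_sockets(udp_text, "udp")
    return unwanted_services(sockets, allowed_ports)


if __name__ == "__main__":
    # Only sshd is meant to be reachable on this host.
    for port, name, ip in audit(SAMPLE_TCP, SAMPLE_UDP, allowed_ports={22}):
        print("unexpected %-8s on %s:%d" % (name, ip, port))
```

Run against the sample, the audit reports telnet, the DNS server on localhost, and DHCP; sshd on 22 is allowed and the established ssh connection is ignored because its state is not LISTEN. On a real host, replace the sample strings with the file contents and compare the result with the services you intended to run.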
Most server applications that are included in a default Red Hat Linux installation are solid, thoroughly tested pieces of software. Many of the server applications have been in use in production environments for many years, and their code has been thoroughly refined and many of the bugs have been found and fixed.
However, there is no such thing as perfect software, and there is always room for further refinement. Moreover, newer software is often not as rigorously tested as one might expect, either because it has only recently arrived in production environments or because it is not as widely used as other server software. Developers and system administrators often find exploitable bugs in server applications and publish the information on bug tracking and security-related forums such as the Bugtraq mailing list or the Computer Emergency Response Team (CERT) website. CERT and Bugtraq normally alert interested parties to the vulnerabilities. Even then, it is up to system administrators to patch these bugs as soon as they are made public, because crackers have access to the same vulnerability tracking services and use the information to crack unpatched systems wherever they can. Good system administration requires vigilance, constant tracking of bugs, and proper system maintenance to ensure a secure computing environment.
Related to server applications that languish unpatched by their developers are administrators who fail to patch their systems or do not know how to do so. According to the SANS Institute, the primary cause of computer security vulnerability is to "assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job."[1] This applies as much to inexperienced administrators as it does to overconfident or unmotivated ones.
Some administrators fail to patch their servers and workstations, while others fail to watch log messages from the system kernel or from network traffic. Another common error is to leave the default passwords or keys in services that have such authentication methods built into them. For example, some databases ship with default administration passwords under the assumption that the system administrator will change them immediately upon configuration. Even an inexperienced cracker can use the widely known default password to gain administrative privileges to the database. These are just a few examples of inattentive administration that can eventually lead to a compromised system.
Even the most vigilant organization that does its job well and keeps up with its daily responsibilities can fall victim to vulnerabilities if the services it chooses for its network are inherently insecure. Certain services were developed under the assumption that they would be used over trusted networks; that assumption falls short as soon as the service becomes available over the Internet.
Some examples of inherently insecure services include servers that require passwords or passphrases for authentication (in itself, a secure feature) but fail to encrypt the passwords as they are sent over the wire to the authenticating service. Telnet and FTP are two such services. A packet sniffer placed between a remote user and the telnet server can easily capture those passwords (especially if the telnet user switches to an administrative user with su during the session, since the root password is then typed in the clear as well).
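The following added example (not code from the Red Hat guide) shows why this is easy: it extracts the login credentials from a cleartext FTP session and from a telnet session, including the root password typed after su. The input is a list of (direction, payload) pairs standing in for the reassembled TCP segments of one session; both captures are constructed, and obtaining such segments from a live network (tcpdump, libpcap, stream reassembly) is assumed rather than shown.

```python
"""Credential sniffing against cleartext telnet and FTP sessions.

Added example, not from the Red Hat guide. Input is a list of
(direction, payload) pairs standing in for the reassembled TCP segments
of one session ("c2s" = client to server, "s2c" = server to client);
the two captures below are constructed. Getting such segments from a
real capture (tcpdump/libpcap, stream reassembly) is outside this example."""

IAC, SB, SE = 0xFF, 0xFA, 0xF0              # telnet protocol bytes (RFC 854)
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_options(data):
    """Drop telnet option negotiation so only the user's keystrokes remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at the end of the stream
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # other two-byte commands (NOP, AYT, ...)
    return bytes(out)


def client_bytes(segments):
    """Concatenate everything the client sent, in order."""
    return b"".join(payload for direction, payload in segments if direction == "c2s")


def ftp_credentials(segments):
    """FTP logs in with two plain commands: USER <name> and PASS <password>."""
    user = password = None
    for line in client_bytes(segments).split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() == b"USER":
            user = arg.decode("ascii", "replace")
        elif verb.upper() == b"PASS":
            password = arg.decode("ascii", "replace")
    return user, password


def telnet_credentials(segments):
    """Telnet has no login framing: the client just sends keystrokes, one per
    segment. After the option negotiation the first line typed is the user
    name and the second is the password; the server never echoes the latter,
    but the client-to-server stream carries it in the clear. A later
    'su' command is followed by the root password on the next line."""
    typed = strip_telnet_options(client_bytes(segments))
    typed = typed.replace(b"\r\0", b"\n").replace(b"\r\n", b"\n")   # both telnet newline forms
    lines = [l.decode("ascii", "replace") for l in typed.split(b"\n")]
    creds = {"user": lines[0] if lines else None,
             "password": lines[1] if len(lines) > 1 else None}
    for n, cmd in enumerate(lines[:-1]):
        if cmd == "su" or cmd.startswith("su "):
            creds["root_password"] = lines[n + 1]
    return creds


def _keystrokes(text):
    """Telnet clients send each character in its own segment."""
    return [("c2s", bytes([c])) for c in text]


# Constructed telnet login followed by an su to root.
TELNET_CAPTURE = (
    [("s2c", b"\xff\xfd\x18\xff\xfd\x20"),            # server: DO TERMINAL-TYPE, DO TSPEED
     ("c2s", b"\xff\xfb\x18\xff\xfc\x20"),            # client: WILL TERMINAL-TYPE, WONT TSPEED
     ("s2c", b"\xff\xfa\x18\x01\xff\xf0"),            # server: SB TERMINAL-TYPE SEND SE
     ("c2s", b"\xff\xfa\x18\x00xterm\xff\xf0"),       # client: SB TERMINAL-TYPE IS "xterm" SE
     ("s2c", b"login: ")] + _keystrokes(b"alice\r\n")
    + [("s2c", b"Password: ")] + _keystrokes(b"s3cret\r\n")
    + [("s2c", b"$ ")] + _keystrokes(b"su -\r\n")
    + [("s2c", b"Password: ")] + _keystrokes(b"r00tpw\r\n")
)

# Constructed FTP login.
FTP_CAPTURE = [
    ("s2c", b"220 ftp.example.com FTP server ready.\r\n"),
    ("c2s", b"USER bob\r\n"),
    ("s2c", b"331 Password required for bob.\r\n"),
    ("c2s", b"PASS hunter2\r\n"),
    ("s2c", b"230 User bob logged in.\r\n"),
    ("c2s", b"PWD\r\n"),
]

if __name__ == "__main__":
    print("telnet:", telnet_credentials(TELNET_CAPTURE))
    print("ftp:   ", ftp_credentials(FTP_CAPTURE))
```

Nothing here decrypts anything; the passwords are simply read off the wire. The telnet case needs only the option-stripping step because the protocol carries the password as ordinary keystrokes, and the su password is recovered the same way, which is why switching to root over telnet is singled out above.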
The services noted above are also more vulnerable to what the security industry terms the man-in-the-middle attack. In this type of attack, a cracker redirects network traffic by tricking a compromised name server on the network into resolving the server's name to the cracker's own machine instead of the intended server. Once someone opens a remote session to that name, the attacker's machine acts as an invisible conduit, sitting quietly between the remote service and the unsuspecting user and capturing information. This way a cracker can gather administrative passwords and raw data without either the server's or the user's knowledge.
Another example of insecure services are network file systems and information services such as NFS or NIS, which were developed explicitly for LAN usage but are, unfortunately, extended to include WANs (for remote users). NFS does not, by default, authenticate users; it restricts access only by the client host named in /etc/exports and trusts the user and group IDs the client presents, so an export that is not restricted to specific hosts lets a cracker simply mount the NFS share and access anything contained therein. NIS, likewise, distributes information that must be known by every computer on the network, including password hashes and group membership, as plain text ASCII or DBM (ASCII-derived) maps. A cracker who obtains these maps can crack the passwords of each and every user on the network, including the administrator, offline.
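Whether an NFS share is mountable by anyone comes down to how /etc/exports is written, and the mistakes are easy to make. The following added example (not code from the Red Hat guide) parses the exports(5) syntax and flags three weaknesses: an export with no client or with the client `*` (any host may mount it), `no_root_squash` (remote root is treated as local root), and `insecure` (mounts accepted from unprivileged source ports). Both files it checks are constructed; the weak one includes the classic space-before-the-parentheses slip, and the hardened one is the corrected version of it.

```python
"""Audit /etc/exports for NFS shares that any host can mount.

Added example, not from the Red Hat guide. Parses the exports(5) syntax
'/path client(options) client(options) ...' and reports three problems:
an export with no client or the client '*' (mountable by every host),
no_root_squash (remote root becomes local root), and insecure (mounts
accepted from unprivileged source ports). The two files below are
constructed; the option names are the real exports(5) ones."""
import re

_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # client, then optional (opt,opt,...)


def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...]; comments and blank lines skipped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for spec in parts[1:]:
            m = _SPEC.match(spec)
            if m is None:                # malformed token: keep it visible as a client
                clients.append((spec, []))
                continue
            client = m.group(1)
            opts = m.group(2).split(",") if m.group(2) else []
            clients.append((client, opts))
        if not clients:                  # bare '/path' is exported to everybody
            clients.append(("", []))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, client, problem) for every weak entry, in file order."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client in ("", "*"):
                findings.append((path, client, "world"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if "insecure" in opts:
                findings.append((path, client, "insecure"))
    return findings


# Constructed weak file. Note the third line: a space between the host and
# "(rw)" makes exportfs apply (rw) to every host and give the named host
# only the defaults, the opposite of what the administrator meant.
WEAK_EXPORTS = """\
# constructed: typical mistakes
/home        *(rw,no_root_squash)
/export/pub  192.168.1.0/24(ro,root_squash)
/export/data 192.168.1.10 (rw)    # space before (rw): it applies to everyone, not to the host
/export/iso  *.example.com(ro,insecure)
"""

# The same shares restricted to the hosts that need them.
HARDENED_EXPORTS = """\
/home        192.168.1.0/24(rw,root_squash)
/export/pub  192.168.1.0/24(ro,root_squash)
/export/data 192.168.1.10(rw,root_squash)
/export/iso  *.example.com(ro,secure)
"""

if __name__ == "__main__":
    for path, client, problem in audit_exports(WEAK_EXPORTS):
        print("%-13s %-16s %s" % (path, client or "<any host>", problem))
    print("hardened file findings:", audit_exports(HARDENED_EXPORTS))
```

Restricting clients in this way is necessary but not sufficient: NFS versions 2 and 3 still trust the user and group IDs the client supplies, so any host that is allowed to mount the share can read files as any user simply by presenting that user's ID. A host list limits who can reach the share; it does not authenticate the people using it.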
[1]