BEST DEFENSE
by Paul Russell
Building on last month's column on host security, I'm going to meander into an area that has bugged me for some time: those damned eight-character Unix passwords. Linux is burdened with this unsightly legacy, but it's fairly simple to fix, and I describe the problem and the solutions in this column.
by Paul Russell
Last issue we covered the packet filtering schemes Linux uses at the moment, and will use in the near future. In keeping with my effort to defy any kind of road map of these articles, I will devote this column to some basic issues involved in increasing the security of a Linux box. The art of implementing a security policy is very much one of balancing ease of use with security.
by Paul Russell
In my first column last spring I described how Linux's ipchains subsystem was used for IP packet filtering in Linux 2.2. "Packet filtering" involves discarding selected network packets based on the contents of their header. You arrange your network so that all packets pass through your Linux box, and then control from there what types of traffic can flow in and out of your network.
by Paul Russell
Welcome back, gentle reader. I'm going to take a little sidestep this month and trace the finding and the fixing of a Linux 2.2 networking bug that was discovered back in early June. If you're an administrator running a version of the 2.2 kernel that came out before 2.2.10, you should know about this exploit anyway. But even if you're not, the story makes an interesting case study of how security issues get solved in the Linux community. I'll trace the bug from its initial discovery, right through to the article on the popular Web site, Slashdot, which is where I first heard about it.
by Paul Russell
In my June column, I gave an overview of IPv4 (Internet Protocol, version 4), and described some common problems with its implementation. This month, I'm going to give you the same kind of information for TCP, the Transmission Control Protocol, which makes up well over 95% of unencrypted traffic on the Internet.
by Simson L. Garfinkel
The attack reached its peak at approximately 4:30pm. I was sitting in my office at Vineyard.NET, an Internet service provider on Martha's Vineyard, typing at a shell window connected to my ISP's primary Web and mail server. Suddenly, the computer printed something on my screen that was tremendously disturbing. I had asked the computer to list the files in the current directory. The computer had told me that it was unable to do so:
by Paul Russell
Welcome back, gentle reader. Last month I provided a brief introduction to packet filtering under Linux -- how to get your Linux box to drop specific network packets which pass through it. This month I'm going to do something I wouldn't ordinarily, but hey, I was busy working on the next-generation packet filtering stuff when the deadline for this column hit me; just don't tell the editors and maybe we can get away with it :).
by Paul Russell
When Linus released the 2.1.102 development kernel last May, people were surprised that the old packet filtering control program, Jos Vos's ipfwadm, no longer worked. Documentation of the change followed in 2.1.103.