Linux > More on USER ID, Password, and Group management

In order to log in to a Linux system (over ssh or other services) you need a username and password.
Usernames are stored in /etc/passwd and password hashes in /etc/shadow. When you supply a password, it is hashed (often loosely called "encrypted") and compared with the hash stored in /etc/shadow, which was written when you or the system administrator registered or updated the password. If the two match, you are in. Once logged in, you are just a number to the Linux kernel. You can obtain your user id and other information using the id command:

$ id
uid=1002(vivek) gid=1002(vivek) groups=1002(vivek), 0(wheel)

Where,
=> Username = vivek
=> User numeric id (uid) = 1002

Numbers are used to represent users and groups in the Linux kernel because:
1) User and group management is simplified
2) Security management is easier
3) Your UID is applied to all files you create

It is always a good idea to use UIDs above 1000 for all regular users, for security reasons.
Zero UID

The UID number 0 is special and is used by the root user. UID 0 has unrestricted access to the Linux system. Note that UID 0 is assigned to the name root; if you wish, you can change this and assign a different name (poorly written programs may fail).

Similarly, you have a group id (GID). It is used by Linux to refer to group names. A single user can be a member of multiple groups, which gives a lot of flexibility in accessing the system and sharing files. Many UNIX systems use the wheel group as the power-user group. Like the UID value, a GID of zero enjoys unrestricted access to the Linux system.

Sometimes Linux and other UNIX-like systems (FreeBSD, Solaris, etc.) use the EUID, RUID, and SUID concepts.
The Effective User ID (EUID)

It is used to determine what level of access the current process has. When the EUID is zero, the process has unrestricted access. The following commands print the Effective User ID under Linux:
$ whoami
$ id -un
The Real User ID (RUID):

It is used to identify who you actually are. Once it is set up by the system (usually the login program) it cannot be changed until your session terminates. You cannot change your RUID; only root (or a user with UID zero) can change it. Use the id command as follows to obtain the Real User ID:
$ id -ru
The Saved User ID (SUID):

When a new process or executable file such as passwd starts, the effective user id in force at that time is copied to the saved user id. Because of this feature, you are able to update your own password stored in the /etc/shadow file. Of course, the executable file must have the set-user-id bit on for setuid (the system call) to take effect. Before the process ends, it switches back to the SUID.

In short,

* RUID: identifies the real user; a normal user cannot change it.
* EUID: decides the access level; a normal user can change it.
* SUID: saves the EUID; a normal user cannot change it.
* Real Group ID: identifies the real group.
* Effective Group ID and Supplementary Group IDs: decide the access level.

Note that access level means the kernel can determine whether you have access to devices, files, etc.
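As an added example (not from the original article), the following Python script shows the three IDs described above as the kernel tracks them, and the set-user-id program pattern of dropping privilege to the real user and regaining it through the saved UID. It uses only standard-library wrappers for getresuid(2), seteuid(2) and setresuid(2); run it as an ordinary user.

```python
"""Added example: read and change the real, effective and saved UIDs of the
current process on Linux (getresuid/seteuid/setresuid via the os module)."""
import os


def get_ids():
    """Return (RUID, EUID, SUID) exactly as the kernel tracks them."""
    return os.getresuid()


def can_set_euid(target):
    """Try to make `target` the effective UID, then restore the previous EUID.

    The kernel lets an unprivileged process set its EUID only to its current
    RUID or SUID; a process whose EUID is 0 may pick any UID. Returns True if
    the kernel allowed the change.
    """
    _ruid, euid, _suid = os.getresuid()
    try:
        os.seteuid(target)
    except OSError:
        # EPERM (or EINVAL for a UID not mapped in this user namespace)
        return False
    # The old EUID was the RUID, the SUID, or 0, so restoring it always works.
    os.seteuid(euid)
    return True


def drop_privileges_temporarily():
    """Set-user-id program pattern (e.g. passwd): work as the real, invoking
    user but leave the SUID untouched so privilege can be regained later."""
    ruid, _euid, _suid = os.getresuid()
    os.seteuid(ruid)
    return os.getresuid()


def regain_privileges():
    """Switch the EUID back to the saved UID (the file owner's UID for a
    set-user-id binary). Only possible because the SUID was never discarded."""
    _ruid, _euid, suid = os.getresuid()
    os.seteuid(suid)
    return os.getresuid()


def drop_privileges_permanently():
    """Set all three IDs to the real UID. The privileged identity is gone from
    the SUID, so a later regain attempt fails with EPERM; do this before a
    set-user-id program runs anything untrusted."""
    ruid, _euid, _suid = os.getresuid()
    os.setresuid(ruid, ruid, ruid)
    return os.getresuid()


if __name__ == "__main__":
    ruid, euid, suid = get_ids()
    print(f"ruid={ruid} euid={euid} suid={suid}")
    print("can switch EUID to RUID:", can_set_euid(ruid))
    # A UID that is neither RUID nor SUID: refused unless the EUID is 0.
    print("can switch EUID to RUID+12345:", can_set_euid(ruid + 12345))
    print("after permanent drop:", drop_privileges_permanently())
```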

reference: http://www.cyberciti.biz/

Source Address Spoofing

by Rik Farrow

Network Magazine

Networks rely on the truth. Without accurate information, networks work poorly, if at all. However, there are those who use lies to deceive networks and the systems attached to them. These lies can take many forms, such as source address spoofing, but lie detectors exist to help you spot falsehoods and keep your network secure.

Source address spoofing alters a packet's return address so that the packet appears to have come from a source other than the sender. An attacker uses source address spoofing for two reasons: to gain access to resources that only accept requests from specific source addresses, or to hide the source of an attack.

Attackers have used this technique for many years. In fact, the Distributed Denial of Service (DDoS) attacks launched against commercial sites in February 2000 used source address spoofing. Other forms of attack also employ this technique, but most of them would prove unsuccessful today—except for those involving SNMP.

Source address spoofing is often misunderstood, and therefore a cause for concern. Without preventative measures in place, you could become a victim of source address spoofing. (A more likely scenario would turn you into an unknowing source of a source-address-spoofing attack.)
Local And Remote

While relying on source addresses to protect services is not a good idea, software that is oriented toward the source of requests is still common. For example, SNMP—a security disaster—often attempts to protect agents on network devices or systems by only accepting requests from specific source addresses. Also, UNIX r commands, the Network File System (NFS), Server Message Block (SMB), and TCP wrappers all include the source address (or system name, in the case of NFS) as part of the access control checks.

These services are especially vulnerable to local attacks in unswitched networks. This is because it is easy for an attacker to sniff packets in an unswitched network, and sniffing contributes to the success of most attacks. On the other hand, switched networks make it difficult (if not impossible) to sniff packets.

SNMP is a good example. Suppose SNMP agents have been configured to only respond to requests for information or changing variables from a server at the address 10.2.2.98. Using netcat, a tool for sending or receiving IP packets, an attacker can easily spoof a request from 10.2.2.98 and send it to the agent of his or her choice.

When the agent responds, it will send the response back to 10.2.2.98. The real manager will ignore the response, as it won't correspond to any outstanding request. The attacker, however, will need to sniff the response off the network for the attack to succeed, as the response was routed back to the real SNMP manager.

Even if the attacker cannot sniff the response, the attack might still succeed, as variables can be successfully changed (via an SNMP set command) without seeing the response. If the attacker shares the same subnet with the manager, the attacker might use Reverse Address Resolution Protocol (RARP) to masquerade as the manager's IP address.

Remote attacks that seek access via source address spoofing must also have some way of seeing the return packets. Keep in mind that when a remote attacker spoofs some other network's source address, the responses will be routed to that other network, and the attacker will not receive those packets. Of course, the attacker might be able to sniff along the route to the other network. This type of attack, which requires breaking into systems located within ISPs or other intermediate networks, has been successfully carried out.
Source Route

Another old trick that may still work involves source routing. Source routing is an IP option used today mainly by network managers to check connectivity. Normally, when an IP packet leaves a system, its path is controlled by the routers and their current configuration. Source routing provides a means to override the control of the routers.

Source routing can be strict or loose. Strict source routing lets a manager specify the path through all the routers to the destination. Return responses use the same path in reverse. Loose source routing lets managers specify an address that the packet must pass through on its way to the destination. It is loose source routing that aids an attacker.

A remote attacker might seek to access a UNIX system protected with TCP wrappers, or a Windows NT Internet Information Server (IIS) protected by an access list based on source addresses. If the attacker simply spoofs one of the permitted source addresses, the attacker may never get a response. However, if the attacker both spoofs an address and sets the loose-source-routing option to force the response to return to the attacker's network, the attack can succeed.

The simplest defense against loose source routing is to not permit these packets to enter (or leave) the network. Just about any firewall will block any packet that has source routing enabled by default. You can also configure routers to block packets with source routing. TCP wrappers and many UNIX OSs can also block source-routed packets.

An attacker might also attempt "blind spoofing" to gain access to a system that "protects" itself by checking source addresses. In blind spoofing, the attacker may not need to see the responses for the attack to be successful. The first known version of this attack was launched against security specialist Tsutomu Shimomura in 1994. Shimomura was using TCP wrappers to protect his UNIX system from unauthorized access. However, the attacker succeeded by guessing the sequence numbers used in the response packets during the attack, which enabled the attack to change the configuration of the targeted system.

Sequence number attacks have become much less likely because OS vendors have changed the way initial sequence numbers are generated. The old way was to add a constant value to the next initial sequence number; newer mechanisms use a randomized value for the initial sequence number. (There are some constraints on this "random" value, however, to keep it from working incorrectly.)

Using the source address to authorize a network request is not safe. To improve your security, replace r commands with Secure Shell (SSH), and only use NFS and SMB with improved authentication (SMB has stronger authentication in all versions beyond Windows for Workgroups).

SNMP 1 and SNMP 2 still rely on source addresses for security. While you can block SNMP at the borders of your networks, you will remain vulnerable to SNMP-based scanning and attacks on your internal networks until SNMP 3 has been implemented and installed.
Hiding The Source

Besides spoofing source addresses for phony authentication, attackers can also spoof their own source addresses in attacks where reply packets are not important. Any network-based Denial of Service (DoS) attack fits this description because the point of the attack is not to get a response but instead to flood the target with requests.

In DoS attacks, it actually makes more sense for the attacker to spoof the source address, otherwise the attacker might wind up blocking his or her own access to the network. Spoofing source addresses also makes tracking the attack much more difficult, as the packets themselves must be traced on each network and subnet, back to the source.

Source address spoofing requires root access on UNIX systems. The attacker must have root access so that the attack software can open a "raw" network socket. Most applications use "cooked" sockets, in which the IP stack provides the necessary packet headers. A raw socket means that the application must prepare the necessary headers itself—that is, do its own cooking. This permits the attacker to put any information he or she wants in the headers, including spoofed source addresses. Note that Windows NT also supports raw sockets, so this is not just a UNIX issue.
How To Get Spoof-Proof

DoS attacks that use source address spoofing became popular in 1997. RFC 2267 was written in response to this type of attack. It suggests that ISPs practice ingress filtering (see Distributed Denial of Service Attacks, March 2000). In general terms, this means that ISPs should filter traffic and drop any packets with spoofed source addresses. In practical terms, this has proven difficult.

One problem is that many ISPs do not have the technical ability to arrange packet filtering to block packets with spoofed source addresses. Also, many complain that packet filtering reduces equipment performance. While this was true in the past, it is not so today. In the early 1990s, adding packet filtering to a Cisco Systems router could cut throughput by as much as 70 percent. Today, routers have better designs, and it is possible on some routers to block packets with spoofed source addresses with no effect on throughput at all.

For example, Cisco Express Forwarding (CEF) is an advanced IP switching technology, designed for high-performance layer-3 IP backbone switching. You can configure this by executing the following command while in configuration mode:

ip verify unicast reverse-path

A router (or a layer-3 switch) bases routing decisions on the destination address and the routing information. Using the same mechanism, a router can examine the source address and determine if it came from the correct interface. (The route to the source leads back the way it arrived.)

If the route is not the same, the source address must be spoofed, unless asymmetric routes are being used. Asymmetric routes mean that there is more than one way to reach the destination. If asymmetric routing is not in use, enabling this facility will block all packets with spoofed source addresses.

Linux and Berkeley Software Distribution (BSD) system kernels also support a similar facility. If you are using a Linux or BSD system as a router or terminal server, either can be configured to block packets with spoofed source addresses (merely by setting a kernel parameter). In Linux systems, you can enable this mechanism by echoing "2" to each rp_filter name found in the /proc file system (/proc/sys/net/ipv4/conf/*/rp_filter).

Terminal servers can also block packets with spoofed source addresses. Some terminal servers do this by default. Others can do this by applying an access control list to the Ethernet connection coming from the terminal server (rather than on each incoming modem port). Reports posted to SecurityFocus.com's Bugtraq archives indicated no performance loss at all: CPU usage did increase, but it remained well below 50 percent utilization.
Tell Me No Lies

The simple solution is to block packets with obviously spoofed source addresses from entering your network. Most firewalls do this by default. If you use packet filters, block packets as they enter the external interface if they have internal source addresses, private network addresses, or the local host address (127/8).
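The two spoof-blocking checks described in this article, the reverse-path test behind `ip verify unicast reverse-path` and rp_filter and the border packet-filter rule just above, as an added example that is not from the article, worked on a constructed routing table (interface names and networks are made up). Strict mode also catches an internal host emitting a packet with an outside source address, the "unknowing source" case; on current Linux kernels rp_filter=1 is strict and rp_filter=2 is loose.

```python
"""Added example: reverse-path (uRPF) check and border ingress filter
against spoofed source addresses, on a constructed routing table."""
import ipaddress

EXTERNAL_IF = "eth0"

# Constructed routing table: destination network -> outgoing interface.
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): "eth1",  # our public allocation
    ipaddress.ip_network("192.168.10.0/24"): "eth2",  # internal private LAN
    ipaddress.ip_network("0.0.0.0/0"): EXTERNAL_IF,   # default route: Internet
}
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_NETS = [net for net, ifname in ROUTES.items() if ifname != EXTERNAL_IF]

# Sources that must never arrive from outside: RFC 1918 space and 127/8.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def route_lookup(addr, ignore_default=False):
    """Longest-prefix match: the interface a packet *to* addr would leave on."""
    best = None
    for net, ifname in ROUTES.items():
        if ignore_default and net == DEFAULT_ROUTE:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def urpf_check(src, in_if, strict=True):
    """Reverse-path check on the *source* address of an arriving packet.

    strict: the route back to src must leave via the interface the packet
            arrived on; fails with asymmetric routing, as the article warns.
    loose:  src only needs a route other than the default route, which
            tolerates asymmetric paths.
    Returns True if the packet passes.
    """
    src = ipaddress.ip_address(src)
    if strict:
        return route_lookup(src) == in_if
    return route_lookup(src, ignore_default=True) is not None


def border_ingress_filter(src, in_if):
    """Drop packets entering on the external interface whose source address
    is one of ours, RFC 1918 private, or loopback. Returns 'accept' or a
    'drop: ...' reason."""
    src = ipaddress.ip_address(src)
    if in_if != EXTERNAL_IF:
        return "accept"
    if any(src in net for net in INTERNAL_NETS):
        return "drop: internal source address arriving from outside"
    if any(src in net for net in BOGON_SOURCES):
        return "drop: private or loopback source address"
    return "accept"
```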

Source address spoofing does not need to be a problem—mechanisms for thwarting it abound. Take the time to be a good Netizen and block these packets at the border of your network. Stop lying packets at the source.

Rik Farrow is an independent security consultant. His Web site, http://www.spirit.com, contains security links and information about network and computer security courses. He can be reached at rik@spirit.com.
Resources

Computer security expert Wietse Venema's Web site includes information about TCP wrappers. Go to http://www.porcupine.org.

Reports about configuring terminal servers and routers to block spoofed source addresses are available from SecurityFocus.com's Bugtraq archives.

RFC 2267, entitled "Defeating Denial of Service Attacks which Employ IP Source Address Spoofing," is available at http://www.faqs.org/rfcs/rfc2267.html.

reference: http://technet.microsoft.com/en-us/library/cc723706.aspx

WP-Cumulus updated to address yet another security issue



A few weeks ago I rushed out an update to fix a potentially dangerous Cross-Site Scripting (XSS) vulnerability in WP-Cumulus. With the PHP part of the plugin shielded from ‘outside use’, I was hoping no more issues would pop up. Still, I’m glad MustLive alerted me to another issue that uses the Flash movie itself. The exploit worked by calling the SWF file directly, and supplying a link with javascript. I’m not quite sure how dangerous this is, but I’ve modified the movie so it only executes regular links.

Please update your copy of WP-Cumulus to 1.23 asap. For most users it should only take two clicks.

This should not affect how WP-Cumulus works on WordPress blogs. But there have been a number of ports and other projects that use the Flash movie. I urge the authors of those projects to examine the new Flash movie, and see if it still works in/with their product. The exploit is not unique to WordPress, and they may need to modify the security check to fit their project.
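A check of the kind the fix describes ("only execute regular links"), as an added example in Python that is not WP-Cumulus code: a server-side allowlist applied to a link before it is handed to a component that will navigate to it. The function names are hypothetical; the normalization step matters because browsers strip leading control characters and embedded tabs and newlines before reading the scheme.

```python
"""Added example: let only relative and http(s) links through, rejecting
javascript:, data:, vbscript: and any other scheme, with browser-style
normalization so disguised schemes are still recognised."""
import re

ALLOWED_SCHEMES = {"http", "https"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))  # C0 controls and space


def normalize_link(link):
    """Return (scheme or None, cleaned link), reading the scheme the way a
    browser would: leading C0 controls and spaces dropped, embedded tabs and
    newlines removed, case ignored, so 'jAva\\tscript:' is seen as 'javascript'."""
    link = link.lstrip(_LEADING_JUNK)
    link = link.replace("\t", "").replace("\r", "").replace("\n", "")
    m = _SCHEME_RE.match(link.lower())
    return (m.group(1) if m else None), link


def is_regular_link(link):
    """True only for relative links (no scheme) and http(s) URLs; every other
    scheme is refused rather than listed, so new pseudo-schemes stay blocked."""
    scheme, _ = normalize_link(link)
    if scheme is None:
        return True  # e.g. /tag/linux/ or ../archive/
    return scheme in ALLOWED_SCHEMES
```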

reference: http://www.roytanck.com/

10 Really Useful Server Monitoring Tools

1. Pingdom

Pingdom, which is also available as an iPhone application, makes sure that your website is reachable and responding properly at all times, providing you with email and SMS alerts if it’s not. It monitors uptime and overall performance, creating charts and tables that are easy to understand, enabling you to spot trends and accurately pinpoint problems.

2. Dotcom-Monitor

Dotcom-Monitor is an advanced website monitoring service which maximises your uptime so that you can increase sales and provide a continuous service to customers worldwide, protecting the reputation of your business. It provides real-time and email reports and charts, and sends alerts to exactly the right people when problems arise. It even lets you create multiple logins for numerous users, each of which has permission to access different parts of the tool.

3. McAfee Secure

McAfee Secure monitors your servers for potential security breaches, protecting end-users of your website from identity theft, credit card fraud, spyware, spam, viruses and online scams. Your site is tested and certified daily, and awarded the “live” McAfee Secure mark to show that it has passed its daily test, which greatly increases shopper confidence. McAfee currently certifies over 80,000 websites, all of which are listed in the McAfee Secure database.

4. Webmetrics GlobalWatch

GlobalWatch monitors a diverse range of websites, internet applications and services. It identifies and diagnoses downtime, errors and poorly performing transactions, providing performance measurements, detailed reports and flexible alerts. This powerful tool, which supports Web 2.0, AJAX and plugin-based applications like Flash and Java, gives you a truly global perspective on how end-users see your site with monitoring agents stationed in the USA, Asia, Africa and Europe.

5. Nimsoft Monitoring Solutions (NMS)

NMS monitors your servers and their configured server applications. All core server resources, from CPU to memory, event logs, print jobs and queues are accounted for. NMS is not only quick and easy to install, but lightweight (you only install the bits that you really need) and scalable (you can monitor hundreds and even thousands of servers at a time). The NMS dashboard is simple and clear with views showing all your servers interconnected, colour-coded status indicators and server-to-server response times.

6. Solarwinds Orion Network Performance Monitor (NPM)

Orion NPM makes sure that every one of your servers is working 100% efficiently, but it doesn’t stop there: it monitors all routers, switches and wireless access points in your network too. It’s quick to set up, very attractive (a rarity in server monitoring) and supported by hundreds of expert network engineers. What’s more, you don’t have to be an expert yourself to use it: anyone can get it up and running in under an hour, straight out of the box.

7. Nagios

Nagios is a comprehensive IT infrastructure monitoring system that provides a snapshot of your entire operations network while keeping tabs on the health and status of all your applications, services, operating systems, network protocols and system metrics. Instant alerts are sent to your IT staff by email and SMS as soon as problems arise and failed servers, applications and devices can be restarted automatically. Nagios is highly compatible with almost all in-house and third party applications.

8. ENVIROMUX Server Environment Monitoring System

This powerful tool, which is perfect for use in data centers, web hosting facilities, telecom switching sites and server closets, monitors temperature, humidity, liquid presence, motion, intrusion and vibration, to ensure that your servers are operating in ideal physical conditions. You can integrate up to eight video cameras into the system to get a live view from anywhere in the world. Nagios users get 5% off the list price.

9. Jacarta interSeptor Pro

The interSeptor Pro records and charts temperature and humidity conditions surrounding your server. It alerts you (via email or SMS) when air conditioning settings should be adjusted to maximise energy savings. Three different models are available: the big 8-port (8 different temperature and humidity sensors), the huge 16-port and the massive 24-port. Additional alarm sensors can be added to detect water leaks, smoke and power failures.

10. Simple Server Monitor

Simple Server Monitor provides a substantial monitoring service for those on a tight budget. It costs just $69.95, following a 30-day free trial. Despite its tiny price tag, it’s packed full of useful features including up-to-the-minute monitoring of uptime and accessible performance charts. It uses popup messages, desktop alarms, email and SMS to alert you to any network uptime losses.

reference: http://www.webdesignbooth.com/10-really-useful-server-monitoring-tools/

Good bye str0ke... Rest In Peace

Many of us have wondered where str0ke has been and why milw0rm has not been updated in a good while. I recently was informed that str0ke has been hospitalized due to a strange condition with his heart, which he has had since he was a child.

Sadly....

I've just received information that str0ke @ milw0rm has passed away due to cardiac arrest early this morning at 9:23 AM. We @ blacksecurity are deeply saddened by the loss of a good hearted friend.

We wish nothing but blessing to his wife and 4 children.

RIP str0ke 1974-04-29 - 2009-11-03 09:23

good bye str0ke... you're elite... thanks for your official website....