With advances in computing technology come the threats of malware and intruders. This paper explores mechanisms that can be used to prevent attacks on UNIX systems and to protect those systems when attacks occur. It looks at the kernel and the shell, and examines approaches such as OSSEC, UNIX policies that aid in monitoring and detecting malicious activity, permissions and user privileges on files and directories, SSH authentication, and other ways of keeping the kernel out of an attacker's reach. Finally, memory-layout randomization techniques that relocate kernel memory in order to frustrate attacks are discussed.
UNIX is a multi-user, multi-tasking operating system that runs on servers, personal computers and desktops, and it is made up of three parts: the kernel, the shell and programs. The kernel is the core of the system: it manages memory, processes and hardware, and it executes the system calls through which programs request those services (University of Leicester, 2018). The shell is the interface between the user and the kernel; it interprets the commands keyed in by the user. Despite its simple design, UNIX is one of the most powerful systems in use, with files and processes as its main units of operation (Wenzel & München, 2017). In UNIX, security issues often arise within the file system, because the file system stores the information that determines what operations users may perform on the system.
Like Windows, most UNIX systems offer a graphical user interface that makes the environment easy to use. In UNIX systems only the root user (the superuser), or a user who has been granted root privileges, is able to modify system files regardless of the permissions set on them (University of Leicester, 2018). Wenzel and München (2017) consider UNIX one of the most secure operating systems compared with Windows, but an intruder who gains root access through a security hole has the power to manipulate the system at will. According to Wenzel and München (2017), since 2000 most UNIX computers have run with minimal or no security measures on their file systems, which makes them vulnerable to attack. To prevent and protect against attacks on a UNIX system, it is therefore fundamental to prevent unauthorized access to root privileges first. The purpose of this paper is to outline approaches that can be put in place to protect UNIX systems from attacks.
Protection and prevention of attacks on UNIX
Without proper detection tools, malware and attackers will eventually find a way into UNIX systems, making it hard to prevent and contain attacks. One tool that suits this purpose is OSSEC. OSSEC is a host-based intrusion detection system that monitors the integrity of files and records every change made to a monitored file (Stanford University, 2018). It can be configured to respond automatically, for example by blocking a host that exhibits malicious behaviour such as connecting to many other computers within a short time span, or by disabling an account that accesses prohibited files on a server (Stanford University, 2018). A standard IDS UNIX baseline policy can also be applied to watch for exploitation of Bash vulnerabilities and to run checks such as system-hardening monitoring and detection of privileged commands (Symantec Corporation, 2015). Another prevention mechanism outlined by Symantec Corporation (2015) is configuring files as read-only so as to limit what programs can do with them. In UNIX systems, directories and files carry access permissions, and only users with the appropriate user or group permission can access them; the same applies to applications, because a process runs with the permissions of the user it belongs to and can only reach the files and directories those permissions allow (Symantec Corporation, 2015). For instance, running Apache as its own unprivileged user, with its configuration and document root readable but not writable by that user, means the web server can read only the files that belong to it and not those of any other application on the system. If an intruder introduces malware through the web server, that malware inherits the same restricted permissions and cannot read or write any directory it has no permission over (Symantec Corporation, 2015). This protection holds only as long as the intruder does not escalate to root, since root is not bound by these permission bits, which is why guarding access to root comes first.
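The file-integrity monitoring that OSSEC performs can be demonstrated in a few dozen lines. The following is an added example written for this paper, not OSSEC's own code: it takes a SHA-256 baseline of a directory tree, including each file's permission bits and owner, and then reports what changed. The directory tree, the tampering and the file names in demo() are constructed for the illustration.

```python
"""Minimal file-integrity monitor in the spirit of OSSEC's syscheck.

Added illustration, not OSSEC's own code. It records a SHA-256 baseline of
every regular file under a directory, together with its mode bits and owner,
and then reports files that were modified, added, removed, or whose
permissions changed. The directory tree built in demo() is constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def snapshot(root):
    """Map each regular file under root (relative path) to its digest,
    permission bits and owner uid. lstat() is used and non-regular entries
    are skipped, so a symlink cannot be used to hash a file outside the tree."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
            }
    return baseline


def diff(baseline, current):
    """Compare two snapshots; every list in the result is sorted."""
    report = {"added": [], "removed": [], "modified": [], "perm_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        else:
            if old["sha256"] != new["sha256"]:
                report["modified"].append(rel)
            if (old["mode"], old["uid"]) != (new["mode"], new["uid"]):
                report["perm_changed"].append(rel)
    return report


def save_baseline(baseline, path):
    """Persist the baseline. In practice keep it off the monitored host,
    as OSSEC does by holding its database on the OSSEC server."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Build a small constructed tree, baseline it, tamper with it and
    return what a check run would report."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(etc, "httpd.conf"), "w") as fh:
            fh.write("Listen 80\n")
        os.chmod(os.path.join(etc, "httpd.conf"), 0o644)
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(snapshot(etc), baseline_path)

        # Simulated tampering: a uid-0 account appended to passwd, the web
        # server config made world-writable, and a new script dropped in.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("eve:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(etc, "httpd.conf"), 0o666)
        with open(os.path.join(etc, "backdoor.sh"), "w") as fh:
            fh.write("#!/bin/sh\n")

        return diff(load_baseline(baseline_path), snapshot(etc))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two points that the paper's description of OSSEC glosses over show up here: the baseline is only trustworthy if the attacker cannot rewrite it, so it belongs on a separate host, and the permission bits and owner must be part of the record, since a chmod to 666 leaves the file's hash unchanged.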
Another approach is the application of access control lists (ACLs). An ACL enumerates the users who may access an object within the system and the modes (read, write, execute) in which they may access it. Whenever a user requests access to a particular object, the kernel checks whether the requesting user is covered by an entry in the object's list and whether the requested mode of access is permitted by that entry (CSSE, 2018). If a matching entry is found, access to the object is granted; otherwise it is denied (CSSE, 2018). Such a list makes an intruder's task harder, because to reach the object they must operate as an entity named in the list and use a mode of access that the list permits. Related mechanisms on Windows are access tokens and user rights, the discretionary access control list (DACL) and the system access control list (SACL).
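The decision the kernel makes when a request arrives can be written out as a function. The following is an added example, not kernel code and not part of the paper: it models the classic owner/group/other permission bits together with the named-user and named-group entries and mask of a POSIX.1e ACL, following the order of checks given in the acl(5) manual page. The uids and gids used in demo() (0 for root, 42 standing in for a shadow group, 33 for a web-server account) are constructed for the illustration.

```python
"""Access check modelled on the acl(5) algorithm for POSIX.1e ACLs.

Added illustration of how the kernel decides a request against a file's
permission bits and its optional extended ACL entries; not kernel code.
The Acl objects in demo() are constructed: uid 0 is root, gid 42 stands in
for a 'shadow' group and uid 33 for a 'www-data' service account.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # the rwx bits, as in a mode such as 0o640


@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: int                                        # bits for the owner
    group_obj: int                                       # bits for the owning group
    other: int                                           # bits for everyone else
    users: Dict[int, int] = field(default_factory=dict)  # named-user entries
    groups: Dict[int, int] = field(default_factory=dict) # named-group entries
    mask: Optional[int] = None                           # upper bound on the group class

    @classmethod
    def from_mode(cls, owner_uid, owner_gid, mode):
        """Plain permission bits, e.g. 0o640, with no extended entries."""
        return cls(owner_uid, owner_gid, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)


def check_access(acl: Acl, uid: int, gids: Set[int], requested: int) -> bool:
    """True if a process with this uid and group set may perform the
    requested access (a combination of R, W, X). Root bypasses the check,
    except that execute still requires an x bit somewhere on the file."""
    all_entries = [acl.user_obj, acl.group_obj, acl.other,
                   *acl.users.values(), *acl.groups.values()]
    if uid == 0:
        return not (requested & X) or any(e & X for e in all_entries)

    def masked(bits):
        return bits if acl.mask is None else bits & acl.mask

    if uid == acl.owner_uid:                      # ACL_USER_OBJ
        return requested & acl.user_obj == requested
    if uid in acl.users:                          # ACL_USER (named user)
        return requested & masked(acl.users[uid]) == requested
    group_entries = []
    if acl.owner_gid in gids:                     # ACL_GROUP_OBJ
        group_entries.append(acl.group_obj)
    group_entries += [bits for gid, bits in acl.groups.items() if gid in gids]
    if group_entries:                             # any matching group entry suffices
        return any(requested & masked(bits) == requested for bits in group_entries)
    return requested & acl.other == requested     # ACL_OTHER


def demo():
    # An /etc/shadow-style file: owner root, group 42, mode 0o640
    shadow = Acl.from_mode(0, 42, 0o640)
    # The same file after 'setfacl -m u:33:r': a named-user entry plus a mask
    shadow_with_acl = Acl.from_mode(0, 42, 0o640)
    shadow_with_acl.users[33] = R
    shadow_with_acl.mask = R
    return {
        "user_1000_reads_shadow": check_access(shadow, 1000, {1000}, R),
        "shadow_group_reads": check_access(shadow, 1000, {1000, 42}, R),
        "shadow_group_writes": check_access(shadow, 1000, {1000, 42}, W),
        "root_executes_shadow": check_access(shadow, 0, set(), X),
        "www_data_reads_via_acl": check_access(shadow_with_acl, 33, {33}, R),
        "www_data_writes_via_acl": check_access(shadow_with_acl, 33, {33}, W),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The order of the checks matters: the owner entry is consulted first and is final, so an owner with mode 0o040 is denied read even though the owning group is granted it. The mask is what makes an extended ACL safe to add, because it caps every named entry at once.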
For an exploit of the kernel to succeed, the attacker generally needs to know where the kernel's code and data live in memory, since those addresses are the targets of the attack (The kernel development community, 2018). Kernel address space layout randomization (KASLR) is therefore one of the most suitable defences against exploits that target kernel memory: it makes the location of kernel memory non-deterministic and so raises the difficulty of exploitation (The kernel development community, 2018). The Linux kernel documentation describes four kinds of memory-location randomization: text and module base, stack base, dynamic memory base and structure layout. Text and module base randomization changes the physical and virtual base address of the kernel code and of loaded modules at each boot, frustrating any attack that relies on known addresses of kernel code (The kernel development community, 2018). Stack base randomization changes the base address of the kernel stack between processes, or even between system calls, so that targets on or near the stack become harder to locate. Dynamic memory base randomization changes, at each boot, the base addresses of the kernel's dynamically allocated regions (such as the kmalloc and vmalloc areas), which would otherwise end up at fairly predictable addresses because of the fixed order of early-boot initialization (The kernel development community, 2018). Finally, structure layout randomization shuffles, per build, the layout of sensitive kernel structures, so an attack must either be tuned to a specific kernel build or first expose enough kernel memory to learn the layout before manipulating it. The caveat common to all four is that they only hide addresses: any information leak that reveals a kernel address, for example a kernel pointer printed to user space, undoes the randomization, which is why the kernel documentation treats preventing such exposures as part of the same defence.
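Whether the randomization described above is actually in force on a given Linux host is something an administrator can check rather than assume. The script below is an added example, not part of the paper or of the kernel documentation: it reads the `nokaslr` boot parameter from /proc/cmdline (which switches off kernel base randomization), the randomize_va_space and kptr_restrict sysctls, and looks at /proc/kallsyms to see whether kernel addresses are readable, which is the information leak that defeats KASLR. The functions take file contents as text so they can be run against the constructed samples in the test as well as on a live system.

```python
"""Check whether address randomization is actually in force on a Linux host.

Added example, not from the paper or the kernel documentation. The inputs:
  /proc/cmdline                      'nokaslr' disables kernel base randomization
  /proc/sys/kernel/randomize_va_space  0 disables userspace ASLR, 2 is full
  /proc/sys/kernel/kptr_restrict       0 prints real kernel pointers to user space,
                                       so unprivileged users can read the kernel
                                       layout from /proc/kallsyms
Each function takes the file text as a string, so it runs on constructed
samples as well as on the live files read in the __main__ block.
"""


def randomization_findings(cmdline, randomize_va_space, kptr_restrict):
    """Return a list of weaknesses found in the three inputs."""
    findings = []
    if "nokaslr" in cmdline.split():
        findings.append("kernel booted with nokaslr: text/module base is not randomized")
    va = randomize_va_space.strip()
    if va != "2":
        findings.append(f"randomize_va_space={va}: userspace ASLR is not fully enabled")
    if kptr_restrict.strip() == "0":
        findings.append("kptr_restrict=0: kernel pointers are printed unmasked to user space")
    return findings


def kallsyms_leaks(kallsyms_text):
    """True if any symbol line carries a non-zero address, i.e. the kernel
    layout is readable by whoever produced this text. With kptr_restrict set
    to 1 or 2 an unprivileged reader sees every address as zeros."""
    for line in kallsyms_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and int(parts[0], 16) != 0:
            return True
    return False


def _read(path, default=""):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return default


if __name__ == "__main__":
    for finding in randomization_findings(
            _read("/proc/cmdline"),
            _read("/proc/sys/kernel/randomize_va_space", "2"),
            _read("/proc/sys/kernel/kptr_restrict", "1")):
        print("WARN", finding)
    print("kallsyms leaks addresses:", kallsyms_leaks(_read("/proc/kallsyms")))
```

Running the kallsyms check as root will always report a leak, because root is allowed to see real addresses; the question it answers is what an unprivileged account on the host can learn.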
Other approaches include disabling root login for remote use. Commands that affect the whole system require root privileges; if root is not allowed to log in remotely, an attacker who reaches the system over the network must first compromise an ordinary account and then escalate, rather than attacking the root account directly. Passwords are the common means of accessing systems, but they are easily guessed or brute-forced (Anthony, 2012). For UNIX systems it is recommended to use SSH key authentication and to disable password authentication altogether. SSH is a secure protocol used to communicate with UNIX servers, and an SSH key is far longer and more random than any password a user would type, so it cannot practically be guessed or recovered by a dictionary attack (Anthony, 2012). SSH login can also be strengthened by moving the service away from its default port. By default this is port 22, which most automated attacks target; moving it reduces the noise from such scans, although it should be treated as a convenience rather than a security control, since a port scan will still locate the service (Anthony, 2012). Furthermore, limiting the set of computers that may reach the server over SSH is also crucial. This deliberately keeps the set of legitimate connections small so that a breach is easy to notice: when numerous computers connect to the server, an attacker's connection blends in unnoticed. Finally, the login can be configured to lock out an address after a specific number of failed attempts, or to delay the next attempt after a failure (Anthony, 2012). This reduces the odds of success for, and locks out, automated malware designed to try thousands of passwords within a short period.
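The SSH recommendations above all map to sshd_config directives, and whether a server actually follows them can be checked mechanically. The following is an added example, not part of the paper or of OpenSSH: it reads a configuration the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line is conditional) and reports remote root login, password authentication, missing source restrictions, a high MaxAuthTries and the default port. The two configurations at the bottom are constructed samples; the defaults assumed follow recent OpenSSH releases, and PermitRootLogin in particular defaulted to yes before OpenSSH 7.0.

```python
"""Audit the global section of an sshd_config for the weaknesses discussed.

Added example, not from the paper or from OpenSSH. WEAK and HARDENED below
are constructed sample configurations. DEFAULTS are the values sshd uses when
a keyword is absent, as in recent OpenSSH releases.
"""
import re

DEFAULTS = {
    "permitrootlogin": "prohibit-password",   # 'yes' before OpenSSH 7.0
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
    "maxauthtries": "6",
    "allowusers": None,
    "allowgroups": None,
}


def parse_global(text):
    """Effective global settings keyed by lower-cased keyword. As in sshd,
    the first occurrence of a keyword wins, '#' starts a comment, the
    separator may be whitespace or '=', and parsing stops at the first
    Match block because those settings apply only to matching sessions."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (severity, message) findings for the settings the text covers."""
    settings = parse_global(text)

    def get(key):
        return settings.get(key, DEFAULTS[key])

    findings = []
    if get("permitrootlogin").lower() == "yes":
        findings.append(("high", "PermitRootLogin yes: root can log in remotely; set it to no"))
    if get("passwordauthentication").lower() != "no":
        findings.append(("high", "PasswordAuthentication is enabled: disable it and use keys"))
    if get("pubkeyauthentication").lower() != "yes":
        findings.append(("high", "PubkeyAuthentication is off: key logins would fail"))
    if get("allowusers") is None and get("allowgroups") is None:
        findings.append(("high", "no AllowUsers/AllowGroups: every local account is reachable"))
    try:
        tries = int(get("maxauthtries"))
    except ValueError:
        tries = int(DEFAULTS["maxauthtries"])
    if tries > 3:
        findings.append(("medium", f"MaxAuthTries {tries}: lower it to slow down guessing"))
    if get("port") == "22":
        findings.append(("info", "Port 22: a non-default port only reduces scanner noise"))
    return findings


WEAK = """\
# constructed sample: a default-looking server that allows root over SSH
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED = """\
# constructed sample: the settings recommended above
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups sshusers
Match User backup            # conditional block, not a global setting
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for severity, message in audit(cfg):
            print(f"  [{severity}] {message}")
```

Apply changes with `sshd -t` first to validate the file, and keep an existing session open while the daemon reloads so a mistake does not lock you out. The failed-login lockout mentioned in the text is not an sshd setting; it is normally provided by a separate tool such as fail2ban watching the authentication log.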
In most cases attacks are launched remotely over networks, so securing information in transit is one of the essentials in protecting UNIX systems. Use of a VPN and private networking is an effective option for shielding UNIX systems from external attack (Ellingwood, 2017). VPNs and private networks let an administrator define which networks may reach specific servers, and the configuration is arranged so that only information that is public in nature is exposed to the public network. It is, however, important to note that this should complement, not replace, the measures described above. A VPN or private network does not prevent internal attacks; it only reduces the likelihood of being attacked from outside sources (Ellingwood, 2017).
In conclusion, it has been established that the kernel is the most fundamental component of a UNIX system and that it can easily be manipulated by users who hold root privilege. For this reason, preventing attackers from obtaining root privilege is fundamental to securing UNIX-based systems. To prevent internal attacks, IT specialists should ensure that ordinary users do not have root privilege and that they need specific permissions to access particular files and directories; this is achieved by listing users and assigning them only the privileges they need. Randomizing the location of kernel memory that is vulnerable to attack should also be undertaken so that those locations are unpredictable, thwarting attackers' efforts. Use of VPNs and private networks should be encouraged to lock out external attackers. Moreover, users should stop using password logins and adopt SSH key authentication instead. Finally, IT specialists should enable automatic lockouts that freeze the login, or shut down access altogether, after a specific number of failed login attempts.
- Anthony. (2012). How To Protect Your Server Against Dictionary Attacks – Linux Academy Blog.
- CSSE. (2018). OS Protection and Security (pp. 9-19).
- Ellingwood, J. (2017). 7 Security Measures to Protect Your Servers | DigitalOcean.
- Stanford University. (2018). File Integrity Monitoring (OSSEC) | University IT.
- Symantec Corporation. (2015). Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities (pp. 2-8).
- The kernel development community. (2018). Kernel Self-Protection — The Linux Kernel documentation.
- University of Leicester. (2018). What Is UNIX?.
- Wenzel, M., & München, T. (2017). Some aspects of Unix file-system security (pp. 4-9).