Security Portal: Creating and Preventing Backdoors in UNIX SystemsJun 29, 2000, 20:31 (1 Talkback[s])
(Other stories by Kurt Seifried)
" Backdoors are by far one of the worst nightmares of many system and network administrators. We all know our networks and hosts will at some point be penetrated, and if we've done our job right we should be able to detect that penetration. However, one problem always rears it's ugly head; do we format the drive, reinstall from trusted media, then patch the system, configure it, and restore data from backups; or do we just try to patch the system up and remove any surprises the attacker may have left. In some cases it is clear cut, for a users workstation with most data stored centrally, rebuilding the system is far faster then trying to fix it. On the other hand what if you have a production email server handling incoming email for 10,000 people and no backup machine to switch to?"
"Like any security problem it's best to understand it completely, which means learning how an attacker can place backdoors on a system. Working from this point it's relatively simple to devise defenses. Because of the complexity in most UNIX systems (network daemons, hundreds of installed programs, etc.) there are many methods and places to squirrel away backdoors. Basically the attacker needs to have some form of network access to the machine, i.e. a telnet account or the ability to send ICMP packets, and compromised software on the machine, i.e. a setuid shell hidden in their home directory, or a trojaned login binary...."
"In UNIX....there are hundreds of hiding places to put your backdoors and trojans in. The best way to defend against them is to reduce the complexity of the system. For example each server should have one primary function, i.e. DNS, SMTP, POP, WWW, and so on. Remove any unneeded software, especially anything that uses setuid or setgid binaries. If possible disable things such as kernel modules, and compile a static kernel. The chance to save 50k of memory by having the tape drive support compiled in as a module generally isn't worth the bother. Use multiple layers of security, for example have a firewall that blocks all outgoing packets except for certain kinds, and possibly logs all the packets during off hours. This way if an attacker installs software that "dials" home (for example by sending out an xterm) the firewall might block it, or at least log it. Install and use software like Tripwire properly, have a set of valid checksums on trusted removable media. Make sure you have emergency boot media for your system, and preferably a set of recovery tools to go with it."