Security for Administrators Presented by: Greg Smith Pacsec.jp 2004
Introduction • Who am I? • Who do I work for, and what is my job? • Why I am talking about this?
Who am I? • Greg Smith • Using UNIX based operating systems for 8 years • Administrator work for 5 years • Working with security off and on for 4 years.
Who Do I Work For, and What is My Job? • I work for Secured Infrastructure Design Corporation. • I am a Security Analyst, and Administrator for various BSD / Linux servers
Why I Am Talking About This? • I believe that administrators should be more concerned about the well being of their servers. • I want to try and share some of my basic views on security.
Overview • My Definition of security • Operating system level security • Security via log monitoring • Interactive security • Administrator security measures
My Definition of Security • Making intelligent choices • Being educated, and always learning • Perceptiveness • Adaptation • Care and attention
Operating System Level Security • Proper application management • Keeping proper tabs on users’ interactions with the operating system • Noticing inconsistencies between the administrator and the user logins • Noticing inconsistencies in the file systems
Keeping Proper Tabs On Users • Watch login times. If you know a user was not in the office at a particular time but appears to have been logged in, check the logs further to see what that account did. • Watch your own logins. An inconsistency in administrator logins also warrants digging further into the logs.
Noticing Inconsistencies In The File Systems • Is a file moved, deleted, or copied somewhere else on the system, and you don’t remember doing it? • Are there symlinks from logs to /dev/null? • Are there extra directories created with files in them you have never seen? • Watch for differences in the file system from the last time you logged in.
Security via Logging • Don’t be afraid to use tools like sed, awk, uniq, sort, to better navigate. • Interpret the logs, look for inconsistencies • Apache logs; look for file transfers from personal directories • FTP logs; look for suspicious transfers • Look for SSH authentication errors
Using Text Parsing Tools To Make Life Easier • Examples here are all based off FreeBSD 4.9’s default logging system.
Interpret The Logs, Look For Inconsistencies • Example: a cron log with 1000 entries. Masking every digit collapses lines that differ only in timestamps or PIDs into one pattern, so the unusual lines stand out: • sed 's/[0-9]/#/g' cron.ot | sort | uniq
Secure/Auth Log Analysis • There are similar lines, parse them out better using awk and grep.
Secure/Auth Log Analysis • cat auth.log | grep Failed | awk '{print $3" "$6" "$7" "$11" "$13}' • Simple grep/awk weeds out a lot of useless information (note that the field numbers assume one fixed line layout; lines such as "illegal user" shift the columns).
Messages Log Analysis • There are similar lines, parse them out better with grep.
Messages Log Analysis • Using grep to parse better • Going even further • cat messages | grep root | grep BAD • With those simple instructions, your viewing time can be cut substantially.
More Security via Logging • Watch the last log, using the last command • The httpd-access and httpd-error log can be handy in tracing a possible compromise. Use the same methods as in the other examples to better parse the httpd logs.
More Security Via Logging • Monitor logs on a regular basis • Learn the logging system for the particular operating system at hand • To save time, skim logs looking for said inconsistencies; if found then probe deeper. • Watch for inconsistencies in log file sizes
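The digit-masking trick from the cron slide and the failed-login filter from the auth log slide, as an added example that is not part of the original deck, run over constructed FreeBSD-style syslog lines embedded in the script (hostname, user names and addresses are invented). It goes one step beyond the slides by locating the "for" and "from" keywords instead of fixed field numbers, so "illegal user" lines do not shift the columns.

```shell
#!/bin/sh
# Added example, not from the original slides. Constructed sample lines in
# the FreeBSD 4.9 syslog layout; all names and addresses are made up.
SAMPLE_AUTH='Mar 10 02:14:22 bsdbox sshd[1201]: Failed password for root from 192.0.2.7 port 4321 ssh2
Mar 10 02:14:25 bsdbox sshd[1203]: Failed password for illegal user admin from 192.0.2.7 port 4322 ssh2
Mar 10 02:14:29 bsdbox sshd[1205]: Failed password for root from 192.0.2.7 port 4323 ssh2
Mar 10 02:15:01 bsdbox sshd[1207]: Accepted publickey for greg from 198.51.100.4 port 51022 ssh2
Mar 10 02:15:40 bsdbox sshd[1209]: Failed password for greg from 198.51.100.4 port 51023 ssh2'

# Mask every digit so timestamps, PIDs and ports collapse into one pattern,
# then count each pattern; the rare patterns are the ones worth reading in full.
mask_patterns() {
    printf '%s\n' "$SAMPLE_AUTH" | sed 's/[0-9]/#/g' | sort | uniq -c | sort -rn
}

# Print time, user and source for each failed login. The user is everything
# between "for" and "from"; the source is the field after "from".
failed_logins() {
    printf '%s\n' "$SAMPLE_AUTH" | grep 'Failed' | awk '{
        user = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for") {
                for (j = i + 1; j <= NF && $j != "from"; j++)
                    user = (user == "") ? $j : user " " $j
            }
            if ($i == "from") src = $(i + 1)
        }
        print $3, user, src
    }'
}

# Sources with at least N failures (default 2): count first, then address.
repeat_offenders() {
    failed_logins | awk -v min="${1:-2}" '{ n[$NF]++ }
        END { for (s in n) if (n[s] >= min) print n[s], s }'
}

# Number of distinct source addresses with two or more failures.
count_offenders() { repeat_offenders 2 | wc -l | tr -d ' '; }

mask_patterns
failed_logins
repeat_offenders 2
```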
Interactive Security • What do I consider interactive security? • Why would someone use this method?
What Do I Consider Interactive Security? • Perceptiveness. • Know your system. • Customize your server or workstation to better suit you. • Understand that proper mindset can increase security substantially.
Why Would Someone Use This Method? • Cut down on man-hours used maintaining systems; less time will have to be spent by administrators on tedious tasks. • Enhance knowledge about basic functions of the operating system. • Less stressful work environment.
Administrative Measures • If a server has been compromised, learn from this, and adapt accordingly. • Segregation • Common sense
Conclusions • Administrators work closest with the actual infrastructure that needs the most attention. • Better education of administrators could lead to less of a chance of being compromised.
Questions? Special Thanks to: Richard S. Keirstead Lars Maul Steve Manzuik