1 / 23

Linux Security

Linux Security. Linux is not secure. No computer system can ever be "completely secure". make it increasingly difficult for someone to compromise your system. The more secure your system, the more miserable you and your users will tend to be Security = 1/(1.072 * Convenience). Linux Security.

mimir
Download Presentation

Linux Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Linux Security

  2. Linux is not secure • No computer system can ever be "completely secure". • make it increasingly difficult for someone to compromise your system. • The more secure your system, the more miserable you and your users will tend to be • Security = 1/(1.072 * Convenience)

  3. Linux Security • What level of threat the system needs to be protected against? • Analyze the system • Packet Filtering • Turn off unnecessary services • Be aware of what is happening on your system • Keep track the vulnerabilities - Software patches • Backups • Recover effectively from a security incident • User accounts • Minimal amount of privilege they need • Remove inactive accounts • The use of the same user-ID on all computers and networks is desirable for the purpose of account maintenance • User account provides accountability

  4. Linux Security • Root Security • Only become root to do single specific tasks • Never use the rlogin/rsh/rexec suite of tools (called the r- utilities) as root • Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!

  5. Password security and encryption • Use shadow password • Password checking and selection • Pluggable Authentication Modules – PAM • man pam.d

  6. Linux-PAM • Linux Pluggable Authentication Modules • Login, ftp, su, sudo, etc. • Modules: /lib/security • Configurations file: /etc/pam.d • Determine the method to authenticate • Contain a list (i.e., stack) of calls to the modules • Pluggable: it is easy to add/remove modules from an authentication stack

  7. PAM example • auth requisite pam_securetty.so • To make sure the root user logs in from an allowed terminal • session required pam_limits.so • Set up user limits according to /etc/security/limits.conf

  8. Restricting access • Control access to your system • /etc/hosts.deny • man hosts.deny • /etc/hosts.allow • man hosts.allow

  9. Miscellaneous Security Issues • Remote event logging • hosts.equiv and ~/.rhosts • Rshd, rlogind should be disabled • fingerd • Security and NIS • /etc/group, /etc/passwd, /etc/hosts… • Security and NFS • Security and sendmail

  10. Security of NFS • A client request will include the client user-id of the process making the request • The server must decide whether to believe the client's user-ids. • NFS provides a means to authenticate users and machines • Recommend the use of globally unique UID and the root_squash • Use /etc/hosts.deny and /etc/hosts.allow to grant access

  11. Security Tools • nmap • nessus • tripwire • crack • Other powerful tools

  12. Security Preparation • Make a full backup of your machine • Keep track of your system accounting data • Apply all new system updates • Subscribe to mailing lists to get information about potential problems

  13. OpenSSH • OpenSSH: http://www.openssh.com/ • Secure Network Communication • A suite of secure tools that replaces telnet, rcp, ftp, etc. • SSH protocol version 2 (SSH2) • Not compatible with SSH protocol version 1 • When OpenSSH starts • Establish an encrypted connection • Authenticate the user • Client and server send information back and forth

  14. SSH • Use two key pairs • Host key pair: a set of public/private keys that is established when you install openssh-server package • /etc/ssh • Session key pair: a set of public/private keys that change hourly • ./ssh

  15. SSH • First time when SSH client connects with SSH server • After verification, the client makes a copy of the server’s public host key • The client then generates a random key, which is encrypted and sent to the server

  16. Set up a Firewall under Ubuntu • firestarter: a sophisticated, graphical tool for building and maintaining a firewall • ufw • uncomplicated firewall • Command-line intrface to iptables • gufw (gufw.tuxfamily.org): a graphical interface to ufw • firestarter and gufw utilities are graphical front-ends for iptables • Iptables: Build and manipulate network packet filtering rules in the Linux kernel

  17. A Typical Firewall Setup

  18. Ufw: the uncomplicated firewall • sudo ufw allow ssh • sudo ufw enable • to turn on ufw • By default, ufw starts with a default policy that blocks all inbound traffic and allows outbound traffic • sudo ufw status verbose • gufw

  19. iptables • Two components • Netfilter • Run in the kernel space • A set of tables that hold rules that the kernel uses to control network packet filtering • Iptables • Run in the user space • Set up, maintain, and display the rules by netfilter

  20. iptables • First rule: test whether a packet destination is port 23 and drops the packet if it is • Second rule: tests whether a packet is received from the IP address 192.168.1.1 and alter the packet destination if it was

  21. How iptables work

  22. One iptables Example

  23. Useful Websites • http://www.cert.org • http://www.sans.org/ • http://www.sans.org/rr • http://www.securityfocus.com/ • http://www.phrack.org/

More Related