260 likes | 492 Views
Linux Security. Linux is not secure. No computer system can ever be "completely secure". make it increasingly difficult for someone to compromise your system. The more secure your system, the more miserable you and your users will tend to be Security = 1/(1.072 * Convenience). Linux Security.
E N D
Linux is not secure • No computer system can ever be "completely secure". • make it increasingly difficult for someone to compromise your system. • The more secure your system, the more miserable you and your users will tend to be • Security = 1/(1.072 * Convenience)
Linux Security • What level of threat the system needs to be protected against? • Analyze the system • Packet Filtering • Turn off unnecessary services • Be aware of what is happening on your system • Keep track the vulnerabilities - Software patches • Backups • Recover effectively from a security incident • User accounts • Minimal amount of privilege they need • Remove inactive accounts • The use of the same user-ID on all computers and networks is desirable for the purpose of account maintenance • User account provides accountability
Linux Security • Root Security • Only become root to do single specific tasks • Never use the rlogin/rsh/rexec suite of tools (called the r- utilities) as root • Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!
Password security and encryption • Use shadow password • Password checking and selection • Pluggable Authentication Modules – PAM • man pam.d
Linux-PAM • Linux Pluggable Authentication Modules • Login, ftp, su, sudo, etc. • Modules: /lib/security • Configurations file: /etc/pam.d • Determine the method to authenticate • Contain a list (i.e., stack) of calls to the modules • Pluggable: it is easy to add/remove modules from an authentication stack
PAM example • auth requisite pam_securetty.so • To make sure the root user logs in from an allowed terminal • session required pam_limits.so • Set up user limits according to /etc/security/limits.conf
Restricting access • Control access to your system • /etc/hosts.deny • man hosts.deny • /etc/hosts.allow • man hosts.allow
Miscellaneous Security Issues • Remote event logging • hosts.equiv and ~/.rhosts • Rshd, rlogind should be disabled • fingerd • Security and NIS • /etc/group, /etc/passwd, /etc/hosts… • Security and NFS • Security and sendmail
Security of NFS • A client request will include the client user-id of the process making the request • The server must decide whether to believe the client's user-ids. • NFS provides a means to authenticate users and machines • Recommend the use of globally unique UID and the root_squash • Use /etc/hosts.deny and /etc/hosts.allow to grant access
Security Tools • nmap • nessus • tripwire • crack • Other powerful tools
Security Preparation • Make a full backup of your machine • Keep track of your system accounting data • Apply all new system updates • Subscribe to mailing lists to get information about potential problems
OpenSSH • OpenSSH: http://www.openssh.com/ • Secure Network Communication • A suite of secure tools that replaces telnet, rcp, ftp, etc. • SSH protocol version 2 (SSH2) • Not compatible with SSH protocol version 1 • When OpenSSH starts • Establish an encrypted connection • Authenticate the user • Client and server send information back and forth
SSH • Use two key pairs • Host key pair: a set of public/private keys that is established when you install openssh-server package • /etc/ssh • Session key pair: a set of public/private keys that change hourly • ./ssh
SSH • First time when SSH client connects with SSH server • After verification, the client makes a copy of the server’s public host key • The client then generates a random key, which is encrypted and sent to the server
Set up a Firewall under Ubuntu • firestarter: a sophisticated, graphical tool for building and maintaining a firewall • ufw • uncomplicated firewall • Command-line intrface to iptables • gufw (gufw.tuxfamily.org): a graphical interface to ufw • firestarter and gufw utilities are graphical front-ends for iptables • Iptables: Build and manipulate network packet filtering rules in the Linux kernel
Ufw: the uncomplicated firewall • sudo ufw allow ssh • sudo ufw enable • to turn on ufw • By default, ufw starts with a default policy that blocks all inbound traffic and allows outbound traffic • sudo ufw status verbose • gufw
iptables • Two components • Netfilter • Run in the kernel space • A set of tables that hold rules that the kernel uses to control network packet filtering • Iptables • Run in the user space • Set up, maintain, and display the rules by netfilter
iptables • First rule: test whether a packet destination is port 23 and drops the packet if it is • Second rule: tests whether a packet is received from the IP address 192.168.1.1 and alter the packet destination if it was
Useful Websites • http://www.cert.org • http://www.sans.org/ • http://www.sans.org/rr • http://www.securityfocus.com/ • http://www.phrack.org/