
Securing your Investment with OpenSource or not … Simon Boardman


Presentation Transcript


  1. Securing your Investment with OpenSource or not … Simon Boardman

  2. Topics Covered • Security of my PC • Security of my server • Security of my data

  3. PC Security • Anti-Virus – Avast • A good Free One is called AVAST which is free for Home Users: • http://anti-virus-solution.com/avast4/index.asp • Firewalls • Use the Free One provided by Windows Service Pack 2/3 etc • SpyBot • Protect yourself against SpyWare with Free SpyBot • There are plenty of web sites that 'pretend' to be SpyBot so you end up installing SpyWare on your computer. This is the official site and it's free: • http://www.safer-networking.org/en/home/index.html

  4. PC Software • Disk Defragger • Disk fragmentation leads to system slowdowns, PC crashes, slow startups and shutdowns. Auslogics Disk Defrag is designed for fast optimization of modern hard disks. Disk Defrag is absolutely FREE. • http://www.auslogics.com/disk-defrag/index.php • Registry Defragger • Keeping the registry as compact as possible means better computer performance. Auslogics Registry Defrag is fast becoming a useful and essential tool in keeping your registry defragmented. As a result, the Registry becomes compact and small, greatly improving your computer performance • http://www.auslogics.com/en/software/registry-defrag • TCP/IP Optimiser • The TCP Optimizer is a free, easy Windows program that provides an intuitive interface for tuning and optimizing your Internet connection. There is no installation required, just download and run. • http://www.speedguide.net/downloads.php

  5. Server Security – What to Stop! • Typical Multi-User Mode start-up: (Unix / Linux or Windows) rc2 S85tcp S86rpc S87nfs P90apache S99cups S99smbd P86sendmail S90nis S95docview S99nmbd prngd snmpd sshd named pppd inetd aasd lpd ntpd

  6. Unix/Linux Network Security – inetd.conf • Services controlled by inetd(ADMN) • inetd is known as a Super Server • inetd is started by /etc/rc2.d/S85tcp (/etc/tcp) • inetd configures the services listed in /etc/inetd.conf • inetd reads /etc/services (and /etc/protocol) to get the name, aliases, port and protocol to use for each service

  7. Unix/Linux Network Security – inetd.conf • Services controlled by inetd(ADMN)
     • On a traditional install inetd configures services including:
         ftp stream tcp nowait root /etc/ftpd ftpd -a
         telnet stream tcp nowait NOLUID /etc/telnetd telnetd
         shell stream tcp nowait NOLUID /etc/rshd rshd
         login stream tcp nowait NOLUID /etc/rlogind rlogind
         exec stream tcp nowait NOLUID /etc/rexecd rexecd
         pop3 stream tcp nowait root /etc/popper popper
         imap stream tcp nowait root /etc/imapd imapd
         swat stream tcp nowait root /usr/sbin/swat swat
     • Can disable a service by commenting it out:
         # telnet stream tcp nowait NOLUID /etc/telnetd telnetd
     • And then restarting inetd with a SIGHUP:
         kill -1 `cat /etc/inetd.pid`

  8. Unix/Linux What about OpenSource? • Well OpenSource products have been included for some time … • Tcp wrappers • Ipfilter • Openssh • ipsec

  9. Unix/Linux inetd.conf - TCPWrappers • Tcpwrappers:
     • Can be used to log and control access to inetd services
     • To enable tcpwrappers on telnetd:
     • Edit /etc/inetd.conf
     • Comment out the entry:
         telnet stream tcp nowait NOLUID /etc/telnetd telnetd
     • Uncomment the entry:
         # telnet stream tcp nowait NOLUID /etc/tcpd telnetd
     • Save the file
     • Restart inetd using:
         kill -1 `cat /etc/inetd.pid`
     • Telnet to the server and check syslog:
         Jul 11 17:26:14 jrbt5 telnetd[2102]: connect from jrbhp1
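The inetd.conf steps on slides 7 and 9 (comment out a service, or route it through tcpd) can be checked with a small audit. This is an added example, not part of the presentation: it parses the entry format shown on the slides and reports every enabled service that is not started through tcpd. The sample file is constructed from the slide entries, and the `CLEARTEXT` set is this example's own assumption about which services to flag first.

```python
import os

# Assumption of this example: services whose protocols send credentials unencrypted.
CLEARTEXT = {"ftp", "telnet", "shell", "login", "exec", "pop3", "imap"}

# Constructed sample in the format shown on the slides (not a real server's file).
SAMPLE = """\
ftp     stream tcp nowait root   /etc/ftpd      ftpd -a
# telnet stream tcp nowait NOLUID /etc/telnetd  telnetd
telnet  stream tcp nowait NOLUID /etc/tcpd      telnetd
shell   stream tcp nowait NOLUID /etc/rshd      rshd
# a plain comment line
swat    stream tcp nowait root   /usr/sbin/swat swat
"""

def parse_inetd(text):
    """Yield one dict per service entry, whether enabled or commented out."""
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # service, socket type, protocol, wait flag, user, program [, argv...]
        if len(fields) < 6 or fields[1] not in ("stream", "dgram"):
            continue  # blank line, prose comment, or something this sketch skips
        yield {"service": fields[0], "enabled": enabled, "user": fields[4],
               "program": fields[5],
               "daemon": fields[6] if len(fields) > 6 else fields[5]}

def audit(text):
    """Return (service, finding) for each enabled entry not run through tcpd."""
    findings = []
    for e in parse_inetd(text):
        if not e["enabled"] or os.path.basename(e["program"]) == "tcpd":
            continue
        if e["service"] in CLEARTEXT:
            findings.append((e["service"], "cleartext service, not behind tcpd"))
        else:
            findings.append((e["service"], "not behind tcpd"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```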

  10. Unix/Linux inetd.conf - TCPWrappers • Controlling Access using tcpd(ADM) • hosts_access(SFF) control implemented using: /etc/hosts.allow and /etc/hosts.deny • These files contain no rules by default • Access is controlled as follows: • Grant access if you match an entry in the /etc/hosts.allow file • Deny access if you match an entry in the /etc/hosts.deny file • OpenSource: • WEBMIN

  11. Unix/Linux inetd.conf - TCPWrappers • Some hosts_access(SFF) examples:
      • To deny everything, in /etc/hosts.deny add:
          ALL: ALL
      • To allow everything leave /etc/hosts.allow empty
      • To allow exceptions in /etc/hosts.allow add:
          ftpd: .friendly.domain
          telnetd: ALL@192.168.124.1
          rlogind: 192.168.1.0/255.255.255.0
      • To report on blocked access:
          ALL :ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log |mail me@sco.com )
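To see how the hosts.allow and hosts.deny rules on slides 10 and 11 combine, the following added example (not part of the presentation) evaluates a connection against both files in the order the slides describe. It handles only the pattern forms shown on the slide (ALL, a leading-dot domain, user@host, net/mask); the rule text is constructed from the slide, and the user part of user@host is ignored because no ident lookup is done here.

```python
import ipaddress

# Constructed rule files using the patterns from the slide.
HOSTS_ALLOW = """\
ftpd: .friendly.domain
telnetd: ALL@192.168.124.1
rlogind: 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return a list of (daemon_list, client_list); options after a 2nd ':' are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = [part.strip() for part in line.split(":")[:2]]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, host, addr):
    pattern = pattern.split("@", 1)[-1]      # simplification: user part not checked
    if pattern == "ALL":
        return True
    if pattern.startswith("."):              # domain suffix, e.g. .friendly.domain
        return host.lower().endswith(pattern.lower())
    if "/" in pattern:                       # net/mask form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern in (host, addr)

def rule_matches(rules, daemon, host, addr):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(c, host, addr) for c in clients)
               for daemons, clients in rules)

def access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match in either grants access."""
    if rule_matches(parse_rules(allow), daemon, host, addr):
        return "allow"
    if rule_matches(parse_rules(deny), daemon, host, addr):
        return "deny"
    return "allow"

if __name__ == "__main__":
    print(access("ftpd", "pc1.friendly.domain", "10.0.0.5"))
    print(access("rlogind", "hostb", "192.168.2.77"))
```

With both files empty every connection is granted, which is why the deny-everything rule in /etc/hosts.deny has to be in place before the exceptions in /etc/hosts.allow restrict anything.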

  12. Unix/Linux Firewalls / Secure Shell / VPN’s • IP Filter Firewall Package for OS’s • http://www.linuxsecurity.com/content/view/124101/161/ • Openssh • http://www.openssl.org/ • Ipsec • http://support.real-time.com/open-source/ipsec/index.html

  13. Questions – Boardman’s Pass it On • What’s the Super Server controlling networking? • And what’s the services configuration file? • Which is the most secure: rcp, ftp or sftp? • To deny telnet all access, in which TCP Wrapper file would I put ALL: ALL? • What’s the ‘IP filter’ package called? • What tool would I use to set up a VPN?

  14. Unix/Linux Securing my data … • The unfortunate basics … • The backup … • The remote backup … • The failover …

  15. Stop being negative – what disaster? • FACT: Hardware Fails. • CHOICES: What can we do about that? • Accept the fact that one element of the infrastructure will go down at some point, usually sooner than we’d like. • The Sales Guy said these things last forever …

  16. Ok, I accept that hardware fails – so what? • Do you have an effective Disaster Recovery Plan? • Yes, we do – it’s all documented, it’s simple and it’s regularly tested as part of the yearly IT budget. • Yes, we do – The IT Dept produced a document and so it ‘should’ work ‘should’ a disaster occur. • Yes, we do – we backup nightly. • Not my problem – it’s the customer’s responsibility to do this. Whether you have one or not here’s the free stuff you can do …

  17. To think about … • Pre-Installation Work with the hardware: • Get to ‘know’ your hardware. • You need to ‘know’ your software too. • Build ‘Redundancy’ into your build with Power Supplies, CPUs, Network cards and, of course, disks. • RAID your operating system AND your data. • If I’m not using that piece of hardware should I leave it in, turn it off in the BIOS or remove it? • I’ve just bought the hardware, why does it need a Firmware upgrade? • Do I really need to look in the BIOS?

  18. What does the OS give me? • About the Installation … • The installation doesn’t know how your filesystems are going to be laid out, so does it make assumptions? • The installation doesn’t know what packages you may need, so does it install them all? • Once installed, the OS will need Maintenance applied.

  19. Unix/Linux Preventing Disaster? • Tricky to do but here are some useful things to do: • Add to /.profile the line: PS1="`uname -n` # "; export PS1 • Keep a record of the disk structure so you know how the disks were laid out. • Take copies of critical Operating System files. • Traditionally; create Emergency Server Floppies and a CD image or Tape to restore from. • Take a full ‘cpio’ backup.

  20. Unix/Linux Common Post Installation Faults … • The Server’s Slow … • - Have you checked, enabled, ‘sar’? • - Have you checked /etc/hosts ; DNS? • - Where’s the comparison? Can you thrash the server with performance benchmark tools? • http://sourceforge.net/projects/aimbench • Have you enabled NTP? • Have you pointed SendMail to your Exchange Server or OpenSource email solution? • A disk has failed – what do I do? • - Test disk failures prior to production.

  21. Can I configure redundant network cards? • Can I use Load Balancing on my Network Cards • Can I use Failover Network Cards? • Can I simply plug a spare card into the server?

  22. What tools are there to make backups? • How do I backup to tape? • - ‘cpio’ or ‘tar’ or ‘OpenSource’ gnu tools • More importantly, how do I restore files? • More likely, how do I get another server up and going quickly because the production server’s down? • Can I backup to a standby server?

  23. Unix/Linux Introducing ‘cpio’: • - Remote ‘cpio’ copies • Host Equivalence ie. ‘trust’ – /.rhosts • Can I copy over all the printers in /etc/lp to another server? • Can I copy over all the users in /etc/passwd to another server? • Can I copy over all the data on my server to another server?

  24. Unix/Linux Introducing ‘rdist’: • http://www.magnicomp.com/rdist/
      • Create a "distfile" in the form:
          HOSTS = ( root@serverb )
          FILES = ( /data )
          ${FILES} -> ${HOSTS}
                  install -R ;
      • Here, we are going to sync the files in /data from this server to "serverb" and run the command "rdist" in the form:
          # rdist -iR -f distfile

  25. Unix/Linux Introducing ‘rsync’: • http://samba.anu.edu.au/rsync/ • Now, let's start with some basic examples: • Run: # rsync -bazv /local/rsync <other server>:/tmp • This will recursively copy the directory /local/rsync from your Unixware system to the <other server>. • You will notice that by default 'ssl' transport is used and you will be prompted for a password.

  26. Windows • Windows also has ‘rcp’ built in for free … try it from your Windows XP command prompt • There are also plenty of OpenSource and commercial ‘sync’ software products available to achieve the same thing.

  27. Third Party Tools • Free or Paid For? = Supported or Not • Free: • http://www.roseindia.net/opensource/open-source-backup-software.shtml • Paid for Examples: • ArcServe • LoneTar • MicroLite • NetVault • etc

  28. Manual Failover Solutions • Here’s the common scenario: • Two Servers – One is in Production and One is the ‘Standby’ • How do I sync the servers? • I need to ensure the users and printers are sync’ed • I need to ensure the application and data are sync’ed • Ipalias (arp)

  29. Shared Storage … • If sync’ing the data’s not the ideal solution here then Shared Storage might be. • Put a Storage Cabinet between the servers and place the data there. • Can both servers mount the filesystems on the storage cabinet at the same time? • If the cabinet goes down then we need either more redundancy in the cabinet or a SAN … • I can do a similar solution with Virtualisation …, such as OpenSource Xen, VMware and Microsoft’s Hyper-V

  30. Automated or Manual? • How much control do you want? • You can automate everything with, say, Veritas Cluster or Sire Technologies – SavWare for mirroring disks … or OpenSource: • http://www.linux.com/feature/57073 • You ‘still’ need to be aware of: • Where’s my application actually running? • Sync’ing the users and printers • What went wrong that caused a switch over? • Can I switch back? • You can take manual control with your own script. • It may be simple but gives you great flexibility.

  31. Questions – Boardman’s Pass it On • Easy One – What do you need to ‘know’? • Can you name a performance monitoring tool? • What common tools can be used to copy files remotely? • Lastly, what’s the command to set a virtual IP alias?
