Linux Security Overview
Pattara Kiatisevi
Research Assistant
Network Technology Laboratory (NTL)
National Electronics and Computer Technology Center (NECTEC)
ott@nectec.or.th
Jan 16, 2000
About this presentation
• Based on various freely available documents
  • Linux System Administrator Security Guide (http://www.securityportal.com/lasg)
  • Linux Security HOWTO
  • Linux Firewall HOWTO
• Provides an “overview” of Linux security
Introduction
• Why do we need security?
• Examples of intrusions
  • Putting your system out of service
  • Making your system do jobs it was never meant to do
  • Deleting, modifying or stealing your data
• Hacker vs. Cracker
Levels of Security
• Physical Security
• Host Security
• Network Security
Security Policy
• First thing to do!
• List your resources and users
• Specify rights and an appropriate use policy (AUP) for each user
• Make it clear and easy to understand
• Site Security Handbook, RFC 2196
Physical Security
• Only authorized users/admins have physical access to the system
• Never leave a root console unattended; use screen-locking software
• Set a BIOS password
• Disable drive A: and the CD-ROM in the BIOS if necessary
• Never leave the password on a note at the monitor/console!
• Check for unexpected reboots
Host Security
• User Account Security
  • Give users only what they need
  • Passwords longer than 8 characters are mandatory
  • Never allow telnet; consider SSH instead
  • No new accounts with a blank password
  • Delete the account when a staff member resigns
  • Use “root” only when necessary
  • Only staff can use “su” to become root
Service Security
• Open only the necessary services
File & File System Security
• Make sure you understand UNIX permissions thoroughly
• Beware of SUID and SGID files; check your system files regularly
• Back up regularly
Password and Encryption
• Consider One-Time Passwords if telnet is allowed
• Crack your own users’ passwords regularly
• Use shadow passwords, if you still don’t!
• Consider using these if they help:
  • PGP to encrypt mail and files (S/MIME may be another alternative for e-mail)
  • Web server with SSL/TLS
  • SSH
Kernel Security
• Regularly check kernel security notes
• Basic security options in the kernel:
  • Drop source-routed frames
  • SYN cookies
  • Source address verification (/proc/sys/net/ipv4/conf/all/rp_filter = 1)
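An added audit script (not from the original slides) that reads the three kernel knobs this slide names from /proc/sys and grades each one. The expected values (rp_filter = 1, tcp_syncookies = 1, accept_source_route = 0) and the choice to report rather than change anything are assumptions of this example; the /proc paths are the standard Linux ones.

```shell
#!/bin/sh
# Added example, not part of the original presentation.
# Audits the kernel settings from the "Kernel Security" slide:
#   rp_filter            = 1  (source address verification)
#   tcp_syncookies       = 1  (SYN cookies)
#   accept_source_route  = 0  (drop source-routed packets)
# The expected values above are this example's assumptions.

# grade_knob NAME ACTUAL EXPECTED -> prints OK/WEAK, returns 0 when OK, 1 when WEAK
grade_knob() {
    name=$1; actual=$2; expected=$3
    if [ "$actual" = "$expected" ]; then
        printf 'OK    %-50s = %s\n' "$name" "$actual"
        return 0
    fi
    printf 'WEAK  %-50s = %s (want %s)\n' "$name" "$actual" "$expected"
    return 1
}

# read_knob PATH -> prints the file's value with whitespace stripped,
# or "missing" when the file is absent (older kernel, module not loaded, non-Linux)
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'missing'
    fi
}

# audit_kernel -> runs all three checks; returns the number of WEAK settings
audit_kernel() {
    weak=0
    base=/proc/sys/net/ipv4
    for spec in conf/all/rp_filter:1 tcp_syncookies:1 conf/all/accept_source_route:0; do
        knob=${spec%:*}       # path relative to $base
        want=${spec#*:}       # expected value
        grade_knob "$base/$knob" "$(read_knob "$base/$knob")" "$want" || weak=$((weak + 1))
    done
    return $weak
}

# Run the audit when executed directly; the exit status is the WEAK count.
audit_kernel || printf '%s weak kernel setting(s); fix with e.g. "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" as root\n' "$?"
```

The grading and the file reading are separate functions so the report logic can be checked without a live /proc; on a real host, run it from cron and alert when the exit status is non-zero.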
Network Security
• Packet Sniffer
  • Check whether one is running on your machine!
  • Check whether one is running in your network
  • Use a switch instead of a hub
  • Use One-Time Passwords or Secure Shell
• Restrict network services to legitimate users only
  • TCP Wrapper, filter rules
• Consider using a firewall
Linux Physical Access
• Computer BIOS
  • Disable A:
  • Disable serial ports
• LILO
  • delay = 0
  • restricted
  • password =
  • chattr +i /etc/lilo.conf
Authentication
• PAM
  • Pluggable Authentication Modules
  • PAM smartcard module
• Password
  • Use MD5
  • Shadow passwords
  • Crack them regularly
• Password storage
File & File System Security
• SUID, SGID
  • find / -perm +4000
  • find / -perm +2000
• Secure file deletion
  • wipe
• Access Control Lists on Linux
  • POSIX ACL for Linux, http://major.rithus.co.at/acl
  • The Linux Trustees Project, http://www.braysystems.com/linux/trustees.html
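An added example (not from the original slides) that turns the two find commands into the "regular check" the earlier slide asks for: it records a baseline of every SUID/SGID file under a directory and, on later runs, reports files that appeared or disappeared. The baseline path, the use of `comm` for the diff, and the exit-status convention are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original presentation.
# Baseline-and-diff check for setuid/setgid files.
# "-perm -4000" (all bits of the mask set) is the portable spelling; the slide's
# "-perm +4000" is old GNU find syntax, written "-perm /4000" in current GNU find.

# list_setid ROOT -> sorted list of regular files under ROOT with SUID or SGID set
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# check_setid ROOT BASELINE
#   first run : writes BASELINE, returns 0
#   later runs: prints "+ file" for new and "- file" for removed setid files;
#               returns 0 when nothing changed, 1 when something did
check_setid() {
    root=$1; baseline=$2
    current=$(mktemp) || return 2
    list_setid "$root" > "$current"
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        rm -f "$current"
        printf 'baseline written: %s entries\n' "$(wc -l < "$baseline" | tr -d ' ')"
        return 0
    fi
    # comm needs sorted input; -23 keeps lines only in the baseline (removed),
    # -13 keeps lines only in the current scan (new)
    removed=$(comm -23 "$baseline" "$current")
    added=$(comm -13 "$baseline" "$current")
    rm -f "$current"
    if [ -z "$removed" ] && [ -z "$added" ]; then
        printf 'no change\n'
        return 0
    fi
    printf '%s\n' "$added"   | sed '/^$/d; s/^/+ /'
    printf '%s\n' "$removed" | sed '/^$/d; s/^/- /'
    return 1
}

# Usage on a real host (assumed baseline path; a full scan of / takes a while):
#   check_setid / /var/lib/setid.baseline
# Re-create the baseline deliberately after every package upgrade you trust.
```

A new "+" entry that no package you installed accounts for is exactly the kind of change the slide warns about; the baseline file itself should be kept somewhere an intruder cannot rewrite it (read-only media, or chattr +i as on the Log Files slide).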
System Files
• /etc/passwd
• /etc/shadow
• /etc/groups
• /etc/gshadow
• /etc/login.defs
• /etc/shells
• /etc/securetty
Encrypting Services/Data
• PGP (Pretty Good Privacy), http://www.pgp.com/, http://www.pgpi.com/
• GnuPG (Gnu Privacy Guard)
• PGP4PINE
• S/MIME
Encrypting your hard drive
• CFS (Cryptographic Filesystem), http://www.cryptography.org/
• TCFS, http://tcfs.dia.unisa.it/
• PPDD, http://linux01.gwdg.de/~alatham
• StegFS, http://ban.joh.cam.ac.thk/~adm36/StegFS/
• Best Crypt, http://www.jetico.com/
Network Encryption
• IPSec
• SSL/TLS, http://www2.psy.uq.edu.au/~ftp/Crypto/, http://www.openssl.org/
• Source of random data
Network Security
• PPP Security
  • PAP, CHAP
• TCP/IP Security
  • TCP/IP is robust but has no real provisions for security
  • Don’t use hostname-based authentication
  • IPSec
  • IPv6
  • HUNT, http://www.cri.cz/kra/
Basic Config Files and Utilities
• /etc/inetd.conf
• /etc/services
• TCP Wrapper
  • /etc/hosts.deny, /etc/hosts.allow
• Useful commands
  • ps aux
  • netstat
  • lsof
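An added example (not from the original slides) showing what "useful commands" buys you in practice: it parses `netstat -tln` output, lists the TCP ports the host is listening on, and flags any port that is not on an allowlist of services you intended to open (the "open only necessary services" rule from the Service Security slide). The netstat sample embedded below is constructed for the example, and the allowlist format is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original presentation.
# Compare listening TCP ports (netstat -tln) against an allowlist.

# Constructed sample of "netstat -tln" output: sshd, a local-only MTA,
# plus telnet and portmapper that nobody asked for.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN'

# listening_ports < NETSTAT_OUTPUT -> "PORT LOCAL_ADDRESS" per listener, by port.
# The port is the text after the last ":" in column 4, which also handles
# IPv6 entries such as ":::22" from netstat -tln on a tcp6 socket.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); print a[n], $4
         }' | sort -n | uniq
}

# unexpected_ports "22 25" < NETSTAT_OUTPUT -> listeners whose port is not
# in the space-separated allowlist (one "PORT LOCAL_ADDRESS" line each)
unexpected_ports() {
    allow=" $1 "
    listening_ports | while read -r port addr; do
        case "$allow" in
            *" $port "*) ;;                       # expected service
            *) printf '%s %s\n' "$port" "$addr" ;;
        esac
    done
}

# audit_listeners "22 25" < NETSTAT_OUTPUT -> prints a report; returns 1 if
# any unexpected listener was found, 0 otherwise
audit_listeners() {
    out=$(unexpected_ports "$1")
    if [ -z "$out" ]; then
        printf 'all listeners are on the allowlist\n'
        return 0
    fi
    printf '%s\n' "$out" | sed 's/^/UNEXPECTED listener: port /'
    return 1
}

# Demo against the constructed sample (expect ports 23 and 111 to be flagged):
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "22 25" || true

# On a real host (assumed allowlist), uncomment:
#   netstat -tln | audit_listeners "22 25 80 443"
```

Each unexpected port then gets the usual treatment from these slides: find the owning process with `lsof -i :PORT` or `ps aux`, comment the service out of /etc/inetd.conf or stop the daemon, and restrict whatever must stay open with TCP Wrapper or filter rules.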
Network-based Authentication
• NIS/NIS+
• NIS/NIS+ HOWTO
• Can a VPN replace NIS/NIS+?
• Kerberos, http://web.mit.edu/kerberos/www
Certificate Authority Software for Linux
• OpenCA, http://www.openca.org/, based on OpenSSL, http://www.openssl.org/
• pyCA, http://sites.inka.de/ms/python/pyca/
Internet Server Software
• Chroot them?
• Keep them up to date
• Filter their ports appropriately
DHCP
• Firewall to filter DHCP traffic, both incoming and outgoing
SMTP
• Sendmail
  • Formerly a security nightmare for admins
  • Keep it up to date!
  • If it only sends mail out, run it in queue mode: “sendmail -q1h”
  • /etc/mail/*
    • access
    • domaintable
    • virtusertable
• Postfix
• Sendmail Pro, Qmail, Zmailer, Dmail, nullmailer
POP/IMAP Server
• Consider using them with SSL
• STunnel
Virus
• Does UNIX have viruses?
• Virus scanner & cleaner software
  • McAfee (shareware)
  • Dr.Solomon (commercial)
  • AntiVir/X (free for noncommercial use)
  • InterScan VirusWall
• Scan incoming e-mail for viruses
  • AMaViS (use with McAfee and Sendmail or Postfix)
WWW Server
• Apache (http://www.apache.org)
  • Controlling access (.htaccess)
  • Apache with SSL
    • Apache-SSL
    • Apache with mod_ssl
    • Red Hat Secure Server (Apache + RSA cryptographic modules, USA and Canada only)
• Roxen (from Sweden), SSL 40/128-bit support
• AOL, Zeus, Webfs, Flash Web Server
Accessing your Web Server
• FTP
  • Replace Wu-FTPD with ProFTPD?
• Samba, http://www.samba.org/
• Frontpage Access, http://www.rtr.com/
• Rear Site, http://listes.cru.fr/rs/fd
• Fast Webpage Exchanger, http://www.enjoy.ne.jp/~gm/program/iwe_en.html
Proxy/Cache Server
• Squid
  • Good ACL support in the configuration file already
  • Is it legal to keep log files??
  • SquidGuard: external program to handle ACLs, filtering and redirection
• SOCKS
Telnet
• Are you still using Telnet?
• TCP Wrapper, One-Time Passwords or SSH might help
Secure Shell (SSH)
• Server
  • SSH 1, 2
  • OpenSSH
  • LSH
• Client
  • SSH
  • SecureCRT, F-Secure
  • PuTTY, Mindterm, TeraTerm
X Window System
• Firewall ports 6000-6010
• SSH, http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding
Firewalling
• Linux supports firewalling
  • IP filtering
  • IP masquerade
  • Port forwarding
  • Quality of Service
• IPFWADM (Linux 2.0.x)
• IPCHAINS (Linux 2.2.x)
IPCHAINS
• Powerful packet filter for Linux
• Many tools help generate IPCHAINS scripts
  • pmfirewall
  • fwconfig
  • FCT
  • kfirewall
  • many more...
Other firewall software
• TIS
• IPF
• SINUS
• Phoenix Adaptive Firewall (commercial, ICSA Certified), http://www.progressive-systems.com/products/phoenix/
Virtual Private Networks
• IPSec (Free S/WAN Project for Linux, http://www.freeswan.org/)
• PPTP (http://www.moretonbay.com/vpn/pptp.html)
• SSH (with many helper scripts & GUIs)
• Virtual Tunnel (VTUN), http://vtun.netpedia.net/
• Zebedee, http://www.winton.org/uk/zebedee/
• Stunnel, SSL-based, http://mike.daewoo.com/pl/computer/stunnel/
Administrative tools
• Local tools
  • super, super, runas
• WWW-based tools
  • Webmin
  • Linuxconf
  • COAS
• Remote
  • VNC, http://www.uk.research.att.com/vnc/
Limiting and Monitoring Users
• PAM
• Bash startup script (with the ulimit command)
• Quota
• ttysnoop (legal problems, be warned!!), http://uscan.cjb.net/
• UserIPAcct, http://zaheer.grid9.net/useripacct
Log Files
• General log security
  • Append-only mode: chattr +a <filename>
  • Immutable: chattr +i <filename>
• More secure systems than syslog
  • syslog-ng
  • secure-syslog
  • Msyslogd
Intrusion Detection
• Baselines
• Audits
  • Tripwire (not free anymore)
  • AIDE, http://www.cs.tut.fi/~rammer/aide.html
  • L5, ftp://avian.org/src/hacks
  • Gog&Magog, http://www.multimania.com/cparisel/gog
  • ViperDB, http://www.resentment.org/projects/viperdb
  • Sxid, ftp://marcus.seva.net/pub/sxid
  • Nannie, ftp://tools.tradeservices.com/pub/nannie
  • confcollect, http://www.skagelund.com/confcollect
  • Pikt, http://pikt.uchicago.edu/pikt
  • Linux Intrusion Detection System, http://www.soaring-bird.com.cn/oss_proj/lids/
• Scanning
  • COPS, Tiger (obsolete)
  • Strobe, nmap (port scanner), http://www.insecure.org/nmap/
  • Nessus, http://www.nessus.org/
  • Satan, Saint, http://www.wwdsi.com/saint
Sniffer
• tcpdump
• sniffit, http://sniffit.rug.ac.be/~coder/sniffit/sniffit.html
• Ethereal, http://etheral.zing.org/
• SPY (commercial)
• AntiSniff, http://www.l0pht.com/antisniff/
Read More
• LASG, http://www.securityportal.com/lasg
• Linux Security, Firewall, VPN and IP-CHAINS HOWTOs
• CERT
• http://www.rootshell.com/
• http://www.securityportal.com/