Enviar pesquisa
Carregar
Linux Security
•
5 gostaram
•
2,190 visualizações
nayakslideshare
Seguir
Tecnologia
Notícias e política
Denunciar
Compartilhar
Denunciar
Compartilhar
1 de 43
Baixar agora
Baixar para ler offline
Recomendados
Linux Network Security
Linux Network Security
Amr Ali
Introduction To Linux Security
Introduction To Linux Security
Michael Boman
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
Basic Linux Security
Basic Linux Security
pankaj009
Security and Linux Security
Security and Linux Security
Rizky Ariestiyansyah
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
Shawn Wells
Linux Operating System Vulnerabilities
Linux Operating System Vulnerabilities
Information Technology
Linux security
Linux security
trilokchandra prakash
Mais conteúdo relacionado
Mais procurados
Essential security for linux servers
Essential security for linux servers
Juan Carlos Pérez Pardo
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
Michael Boelen
File System Implementation & Linux Security
File System Implementation & Linux Security
Geo Marian
Unix Security
Unix Security
replay21
Linux security introduction
Linux security introduction
Mohamed Gad
Linux Security Overview
Linux Security Overview
Kernel TLV
Linux security-fosster-09
Linux security-fosster-09
Dr. Jayaraj Poroor
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
Kaiwan Billimoria
SELinux Basic Usage
SELinux Basic Usage
Dmytro Minochkin
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Eric Vanderburg
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Security Session
Windows Security Crash Course
Windows Security Crash Course
UTD Computer Security Group
Ch 6: Enumeration
Ch 6: Enumeration
Sam Bowne
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
FFRI, Inc.
Inside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing Firewall
amiable_indian
Nessus v6 command_line_reference
Nessus v6 command_line_reference
Craig Cannon
BackTrack5 - Linux
BackTrack5 - Linux
mariuszantal
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
Gregory Hanis
SELinux for Everyday Users
SELinux for Everyday Users
PaulWay
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
Eliel Prado
Mais procurados
(20)
Essential security for linux servers
Essential security for linux servers
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
File System Implementation & Linux Security
File System Implementation & Linux Security
Unix Security
Unix Security
Linux security introduction
Linux security introduction
Linux Security Overview
Linux Security Overview
Linux security-fosster-09
Linux security-fosster-09
Security, Hack1ng and Hardening on Linux - an Overview
Security, Hack1ng and Hardening on Linux - an Overview
SELinux Basic Usage
SELinux Basic Usage
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Ethical hacking Chapter 7 - Enumeration - Eric Vanderburg
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
Windows Security Crash Course
Windows Security Crash Course
Ch 6: Enumeration
Ch 6: Enumeration
MR201406 A Re-introduction to SELinux
MR201406 A Re-introduction to SELinux
Inside Out Hacking - Bypassing Firewall
Inside Out Hacking - Bypassing Firewall
Nessus v6 command_line_reference
Nessus v6 command_line_reference
BackTrack5 - Linux
BackTrack5 - Linux
Telehack: May the Command Line Live Forever
Telehack: May the Command Line Live Forever
SELinux for Everyday Users
SELinux for Everyday Users
The SElinux Notebook :the foundations - Vol 1
The SElinux Notebook :the foundations - Vol 1
Destaque
linux security: interact with linux
linux security: interact with linux
Ammar WK
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
Linux Security Myth
Linux Security Myth
Mackenzie Morgan
Linux Security Scanning with Lynis
Linux Security Scanning with Lynis
Michael Boelen
Security of Linux containers in the cloud
Security of Linux containers in the cloud
Dobrica Pavlinušić
Linux Security for Developers
Linux Security for Developers
Michael Boelen
Linux Hardening
Linux Hardening
Michael Boelen
Linux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
Michael Boelen
Securing Your Linux System
Securing Your Linux System
Novell
What's New with Linux on System z
What's New with Linux on System z
Novell
WordPress Security Hardening
WordPress Security Hardening
Timothy Wood
Getting started with GrSecurity
Getting started with GrSecurity
Francesco Pira
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...
The Linux Foundation
Hardening Linux Server Security
Hardening Linux Server Security
Ilham Kurniawan
System hardening - OS and Application
System hardening - OS and Application
edavid2685
CentOS Linux Server Hardening
CentOS Linux Server Hardening
MyOwn Telco
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
Vincent Giersch
Destaque
(17)
linux security: interact with linux
linux security: interact with linux
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Linux Security Myth
Linux Security Myth
Linux Security Scanning with Lynis
Linux Security Scanning with Lynis
Security of Linux containers in the cloud
Security of Linux containers in the cloud
Linux Security for Developers
Linux Security for Developers
Linux Hardening
Linux Hardening
Linux Security, from Concept to Tooling
Linux Security, from Concept to Tooling
Securing Your Linux System
Securing Your Linux System
What's New with Linux on System z
What's New with Linux on System z
WordPress Security Hardening
WordPress Security Hardening
Getting started with GrSecurity
Getting started with GrSecurity
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...
LCNA14: Security in the Cloud: Containers, KVM, and Xen - George Dunlap, Citr...
Hardening Linux Server Security
Hardening Linux Server Security
System hardening - OS and Application
System hardening - OS and Application
CentOS Linux Server Hardening
CentOS Linux Server Hardening
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
Semelhante a Linux Security
linux
linux
Ajay Chawda
It04 roshan basnet
It04 roshan basnet
rosu555
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
Vi Tính Hoàng Nam
cibers
cibers
Luis Francisco López Urrea
Expo ciberseguridad
Expo ciberseguridad
LuisFranciscoLopez4
Presentation on linux
Presentation on linux
Veeral Bhateja
Automotive Grade Linux and systemd
Automotive Grade Linux and systemd
Alison Chaiken
Differences Between Operating Systems And Software And...
Differences Between Operating Systems And Software And...
Mary Gregory
Linux operating system ppt
Linux operating system ppt
Achyut Sinha
Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agency
sanchetanparmar
Software update for embedded systems
Software update for embedded systems
SZ Lin
outpass system
outpass system
Dhivakar K
Advance linux presentation_0702011
Advance linux presentation_0702011
Aravindan Arun
Basic orientation to Linux
Basic orientation to Linux
Vidyaratha Kissoon
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
Shawn Wells
Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
Filipe Miranda
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
Giuseppe Paterno'
IS3440 Unit 2 Discussion
IS3440 Unit 2 Discussion
Sharon Price
File System And Configuration File Essay
File System And Configuration File Essay
Kimberly Reyes
Linux sever building
Linux sever building
Edmond Yu
Semelhante a Linux Security
(20)
linux
linux
It04 roshan basnet
It04 roshan basnet
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
cibers
cibers
Expo ciberseguridad
Expo ciberseguridad
Presentation on linux
Presentation on linux
Automotive Grade Linux and systemd
Automotive Grade Linux and systemd
Differences Between Operating Systems And Software And...
Differences Between Operating Systems And Software And...
Linux operating system ppt
Linux operating system ppt
Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agency
Software update for embedded systems
Software update for embedded systems
outpass system
outpass system
Advance linux presentation_0702011
Advance linux presentation_0702011
Basic orientation to Linux
Basic orientation to Linux
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
IS3440 Unit 2 Discussion
IS3440 Unit 2 Discussion
File System And Configuration File Essay
File System And Configuration File Essay
Linux sever building
Linux sever building
Mais de nayakslideshare
Mips 64
Mips 64
nayakslideshare
Digital Signature
Digital Signature
nayakslideshare
Spyware
Spyware
nayakslideshare
Digital Signature
Digital Signature
nayakslideshare
Gis
Gis
nayakslideshare
Lcd
Lcd
nayakslideshare
Hyper Threading Technology
Hyper Threading Technology
nayakslideshare
Intro To Hacking
Intro To Hacking
nayakslideshare
Quantum Teleportation
Quantum Teleportation
nayakslideshare
Biochip 1
Biochip 1
nayakslideshare
Biochip
Biochip
nayakslideshare
Satellite Networks
Satellite Networks
nayakslideshare
Cybercrime
Cybercrime
nayakslideshare
Cybercrime 1
Cybercrime 1
nayakslideshare
Biochip 1
Biochip 1
nayakslideshare
Touch Screens
Touch Screens
nayakslideshare
Dna Fingerprinting
Dna Fingerprinting
nayakslideshare
Thinking Critically About WWW
Thinking Critically About WWW
nayakslideshare
Remote Sensing
Remote Sensing
nayakslideshare
Teleportation
Teleportation
nayakslideshare
Mais de nayakslideshare
(20)
Mips 64
Mips 64
Digital Signature
Digital Signature
Spyware
Spyware
Digital Signature
Digital Signature
Gis
Gis
Lcd
Lcd
Hyper Threading Technology
Hyper Threading Technology
Intro To Hacking
Intro To Hacking
Quantum Teleportation
Quantum Teleportation
Biochip 1
Biochip 1
Biochip
Biochip
Satellite Networks
Satellite Networks
Cybercrime
Cybercrime
Cybercrime 1
Cybercrime 1
Biochip 1
Biochip 1
Touch Screens
Touch Screens
Dna Fingerprinting
Dna Fingerprinting
Thinking Critically About WWW
Thinking Critically About WWW
Remote Sensing
Remote Sensing
Teleportation
Teleportation
Último
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
DianaGray10
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
UiPathCommunity
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
Brian Pichman
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
Liveplex
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
Bachir Benyammi
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
Eric D. Schabell
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
bruanjhuli
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
Jamie (Taka) Wang
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
Matsuo Lab
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
Christian Posta
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
Jamie (Taka) Wang
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
shyamraj55
201610817 - edge part1
201610817 - edge part1
Jamie (Taka) Wang
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
Precisely
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
DianaGray10
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
IES VE
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
Udaiappa Ramachandran
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
Adam Moalla
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
Aggregage
Último
(20)
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
201610817 - edge part1
201610817 - edge part1
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
Linux Security
1.
1 © Network Intelligence
India Pvt. Ltd. Linux Security & Auditing
2.
2 © Network Intelligence
India Pvt. Ltd. Agenda History of Linux Linux Distributions Business drivers for Linux Linux Architecture Physical Security Operating System Security Network Security File System Security User and Group Security Application Security Linux Security Tools
3.
3 © Network Intelligence
India Pvt. Ltd. History of Linux Linus Benedict Torvalds writes an open-source operating system in 1991 Primary purpose is as a research project At that time, no other open-source Unix flavors available. All are proprietary and costly. Linux became hugely popular among the student and research community Today it is a viable alternative for enterprise applications.
4.
4 © Network Intelligence
India Pvt. Ltd. Linux – Business Drivers IBM sold $759 million worth of Linux servers in 2001 (Dataquest) Total Linux server market estimated at $4billion and growing rapidly Oracle, Sun, HP, IBM, Novell, and other major vendors all actively support Linux Open-source – implies: Cheaper cost of acquisition Possibility of greater security More flexibility in choosing components and configuring them
5.
5 © Network Intelligence
India Pvt. Ltd. Linux – Distributions The Linux kernel and associated utilities are packaged and distributed by a number of firms: Red Hat Mandrake Debian SuSE Changes: Most free distributions are no longer ‘free’ Red Hat has stopped after Fedora Mandrake requires payment for security patches SUSE has been bought over by Novell Debian, Slackware still free
6.
6 © Network Intelligence
India Pvt. Ltd. Linux Attack Portscanner Identifies open ports Identifies running services Identifies Operating System Vulnerability Scanner Identifies versions and vendor of services Determines vulnerabilities in those Vulnerability Databases www.SecurityFocus.com/bid Feed in vendor, software and version number Check the vulnerabilities and see if any exploits available Portscan Report – Superscan Portscan Report - Nmap
7.
7 © Network Intelligence
India Pvt. Ltd. LINUX SECURITY
8.
8 © Network Intelligence
India Pvt. Ltd. Linux Architecture Linux Kernel – the actual code that interfaces between user applications and hardware resources Hardware controllers – used by the kernel to interact with hardware Operating System Services – software other than the kernel that are considered part of the OS: X Windows system, command shell User Applications – software other than kernel and services: text editors, browsers, etc.
9.
9 © Network Intelligence
India Pvt. Ltd. Diagrammatically (GNU-LINUX) KERNEL – LINUX User Applications (GNU) OS Services (Apache, Sendmail, etc.) Hardware Controllers Hardware – CPU, HDD, Keyboard, Mouse, Monitor, RAM
10.
10 © Network Intelligence
India Pvt. Ltd. Key points about Linux Kernel It is separately distributed from user applications and other software Uses modules, which can be dynamically loaded For instance, support for FAT32 need not be fixed, but can be added dynamically Kernel can be completely recompiled and unnecessary components can be removed – unlike Windows Kernel has had buffer overflow vulnerabilities being discovered in it – very critical
11.
11 © Network Intelligence
India Pvt. Ltd. Kernel Security One of the most important ways to keep Linux secure is to ensure a patched kernel Check your kernel version uname –a Third-party kernel patches for enhanced security: Linux Intrusion Detection System – for ensuring integrity of critical files Secure Linux Patch – prevent common buffer overflows, and simple security measures International Kernel Patch – kernel-level strong encryption to be built-in
12.
12 © Network Intelligence
India Pvt. Ltd. Click and run Security Bastille Linux Available for popular Linux flavors www.Bastille-linux.org You’ll also need Perl-Tk Creates a set of security measures through a GUI Most of the implemented changes can be undone Must be first run on ‘test’ systems Demo
13.
13 © Network Intelligence
India Pvt. Ltd. Bastille-Linux snapshot
14.
14 © Network Intelligence
India Pvt. Ltd. Boot Security Boot configuration is decided by LILO (Linux Loader) or GRUB (Grand Unified Boot Loader) Check that only one OS is configured to load If required ensure there is an entry for password= in lilo.conf Also, ensure permissions are 600 Demo
15.
15 © Network Intelligence
India Pvt. Ltd. Operating System Security Check processes top –n 1 –b ps- aux Check installed software rpm –q –a RPM = Red Hat Package Manager = installer packages for software on RH systems Look out for unnecessary packages Also ensure latest versions of packages are installed – especially those that are used by lower-privileged users: httpd, openssh, kernel, sendmail, etc. rpm –q –a | grep kernel
16.
16 © Network Intelligence
India Pvt. Ltd. Cron and At Cron is used to schedule regular jobs. At is used to schedule one time job in the future Both can be misused to install time-bombs on the system, which may suddenly cause the system to malfunction Can be restricted using files /etc/cron.allow, cron.deny, at.allow and at.deny DEMO cron.allow contains root cron.deny contains ALL
17.
17 © Network Intelligence
India Pvt. Ltd. Linux Auditing Linux auditing is done using syslogd Configuration file is /etc/syslog.conf Format is: Facility.Priority Action to be taken Facility – the application/program that is generating the logs Priority – Emerg, alert, crit, err, warning, notice, info, debug, none Action – send it to a file, send it to console, send it via email, send it to another system (loghost) Segregation of responsibilities – send logs to another system, where the security administrator has control
18.
18 © Network Intelligence
India Pvt. Ltd. Linux Auditing – important commands Recent logins last Last login time for all users (dormant users) lastlog Last failed logins (requires to create /var/log/btmp file) lastb Security related events /var/log/secure Tools for Log Analysis Swatch – real-time monitoring of logs Logsentry Logwatch
19.
19 © Network Intelligence
India Pvt. Ltd. Tools for testing COPS Computer Oracle and Password System Outdated Checks for common mis-configurations, weak passwords, insecure permissions, etc. TIGER Similar to COPS, but more comprehensive Also not recently updated TARA Most updated and recent version of TIGER Runs using shell scripts or preferably Perl
20.
20 © Network Intelligence
India Pvt. Ltd. Network Security Services are started by /etc/rc.d scripts and xinetd chkconfig --list chkconfig levels {numbers} {service} on|off Xinetd services are configured by individual files in /etc/xinetd.d/ Open network connections netstat –antp Use the –p option to see which processes are responsible for which open ports Also lsof can be used
21.
21 © Network Intelligence
India Pvt. Ltd. Network Services Possibly not required: NFS and related services: autofs, nfs, nfsserver, nfslock Unused networking services: routed, gated, ratvf, snmpd, named, dhcpd, dhclient, dhrelay, nscd, smb Mail Services: Sendmail, postfix Optional network and local services: atd, ldap, kudzu, rhnsd, ypbind, apache, quota, quotad, myself, etc. Printing services: lpr, cups, lprng
22.
22 © Network Intelligence
India Pvt. Ltd. Xinetd Logic change from earlier inetd.conf file Builds in controls similar to TCPWrappers and more: Access_control: which hosts are allowed to connect and at what times Logging: which data gets logged Resource utilization: limits on maximum connections supported, CPU usage, etc. Others
23.
23 © Network Intelligence
India Pvt. Ltd. Trusted Hosts Entries in /etc/hosts.equiv and /etc/hosts.lpd are critical They allow users from those hosts to connect without supplying a password! Also, users can create .rhosts and .netrc files in their home directories, which function similarly. Find these as well
24.
24 © Network Intelligence
India Pvt. Ltd. Telnet and FTP vs. SSH Telnet and FTP are plain-text protocols Should be replaced by SSH Any inside user can sniff the traffic, even on switched networks with relative ease SSH uses encryption to provide services equivalent to Telnet and FTP Configuration is in /etc/sshd/sshd_config SSH clients are available for free – putty for Windows
25.
25 © Network Intelligence
India Pvt. Ltd. User and Group Security User accounts are created in /etc/passwd Hashed passwords, password and account lockout policies are in /etc/shadow Password and account lockout policies can be set during account creation, or with the chage command: Minimum password age Maximum password age Expiry warning time Inactive time after which account is locked out Some future data when account will be locked out
26.
26 © Network Intelligence
India Pvt. Ltd. Checks for these files No dormant or generic accounts present Accounts of separated users not present All system (non-user) accounts have /bin/false for the shell All system accounts have *NP* or *LK* in their password fields in /etc/shadow SOP exists for verifying validity of accounts in these files Every account in passwd has a corresponding entry in shadow Only one line contains 0 in the uid field in the passwd file
27.
27 © Network Intelligence
India Pvt. Ltd. Password and Account Lockout Other stronger policies require use of PAM – Pluggable Authentication Modules PAM Allows the following to be set Minimum password length No dictionary words No part of username in the password Number of alphanumeric and punctuation characters to be present PAM is configured in the /etc/pam.d folder DEMO – change of password for user auditor
28.
28 © Network Intelligence
India Pvt. Ltd. Password Strength Verification Also known as Password Cracking Use ‘Crack’ from http://www.users.dircon.co.uk/~crypto/downl oad/c50-faq.html Works on almost all Unix platforms, and is very fast Also viable password cracker is John the Ripper Set these tools running for a day or two and ferret out all weak passwords
29.
29 © Network Intelligence
India Pvt. Ltd. Root Security No user must login directly as ‘root’ Administrators must login with their own accounts, and then use ‘su’ to become root. This ensures accountability Viable alternative is the ‘sudo’ utility, which allows: Listing of privileged accounts Actions that can be taken by these accounts Download from http://www.courtesan.com/sudo/intro.html Time out of logged in user, so he has to re-authenticate in order to use ‘sudo’
30.
30 © Network Intelligence
India Pvt. Ltd. File System Security Unix Permissions are applicable to three entities: Owner of the file (everything in Unix is a file) Group owner of file Everyone else Three main permissions apply, with numeric representations Read = 4 Write = 2 Execute = 1
31.
31 © Network Intelligence
India Pvt. Ltd. Unix Permissions Permissions are visible in the ls –l output: Example First character identified type of file D = directory - = file S = socket L = link (shortcut) P = pipe Next three identify read, write and execute for owner, next three identify for group, and last three for everyone else
32.
32 © Network Intelligence
India Pvt. Ltd. Unix Permissions These letters are added up: For instances: - rw- r-- r-- It’s a file Owner can Read (4) and Write (2) Group can Read (4) Everyone else can Read (4) So permissions on this file are 644 Conversely permissions, like 700 represent -rwx --- ---
33.
33 © Network Intelligence
India Pvt. Ltd. Other File Security Measures Permissions of a new files are determined by the value umask Advanced Windows-like Access Control Lists can also be created on Linux using the linux-acl package Disk usage can be periodically verified with the df- k command SUID and SGID files are executables that can be executed by anyone, but they execute with privileges of owner (usually root) or group – very critical checks! find / -perm –4000 find / -perm –2000
34.
34 © Network Intelligence
India Pvt. Ltd. File Integrity File Integrity can be verified: Size and timestamp – can be modified to fool the auditor MD5 hashes – secured method, but tedious File Integrity Software: Must be used immediately after the installation Create a database of MD5 hashes of all critical files Monitor changes to these files and send alerts Tripwire – commercial, scalable, central console AIDE – open-source, reasonably enterprise-level
35.
35 © Network Intelligence
India Pvt. Ltd. Application Security Linux systems can be used as File Servers – Samba – Windows-compatible file server Print Servers –lpd, cups, etc. Mail Server – Sendmail (historically insecure), Qmail, Postfix VPN Server – FreeS/WAN Databases – PostgreSQL, MySQL (free), Oracle, Sybase, DB2 (commercial) DNS Servers – BIND LDAP Servers Time Servers
36.
36 © Network Intelligence
India Pvt. Ltd. Application Security – Web Servers The Apache web server is an open-source, stable, robust and scalable solution with 64% market share Apache is usually configured to run with lower- privileged account ‘apache’ or ‘nobody’ Installation location is referred to as $ServerRoot, and web site contents are located at $DocumentRoot Configuration file is at $ServerRoot/httpd.conf Configuration is done with the help of ‘Directives’
37.
37 © Network Intelligence
India Pvt. Ltd. Important Directives Directory: access control based on source IP address or domain name for various files and folders of the website, using Allow and Deny keywords Also, within this directive, various options can be set. Recommended to set Options None Denial of Service and Buffer Overflow attacks can be prevented by LimitRequest* and Rlimit* directives CGI security is most important, to ensure scripts cannot be misused for compromising the server Apache uses various modules for added functionality. These must be reduced to a minimum Banner of Apache must be changed Apache must be run in ‘chroot’ environment
38.
38 © Network Intelligence
India Pvt. Ltd. Linux Security Software Linux Firewall: IPTables (new version of IPChains) Scalable Cost-effective Robust Linux IDS Snort Scalable Robust Slight learning curve – Demo IPCop – Bootable CD version of firewall and IDS
39.
39 © Network Intelligence
India Pvt. Ltd. Security Testing Software Nmap Most popular security tool Port scanner Detects Operating System also Can run in very stealth mode Demo Nessus Vulnerability Assessment software Client-Server mode, server only in Unix Uses Plugins for tests
40.
40 © Network Intelligence
India Pvt. Ltd. Conclusion Linux is not secure in default configuration Security can be added to a very high level, but must be balanced with functionality The correct Linux distribution must be chosen, and minimum installation done Patches must be diligently applied Syslog logs must be exported and analyzed periodically Network Services must be kept to a minimum User and groups must be periodically audited File/folder access control lists must be set File Integrity software may be used in high-security installations Application-specific security measures are also a must
41.
41 © Network Intelligence
India Pvt. Ltd. References The Unix Auditor’s Practical Handbook – K. K. Mookhey http://www.nii.co.in/research/papers.html Practical Unix and Internet Security – Simson Garfinkel and Gene Spafford Linux Security Benchmark - http://www.cisecurity.org/ Linux Security and Controls – ISACA & K. K. Mookhey – to be available at ISACA bookstore in 2nd quarter
42.
42 © Network Intelligence
India Pvt. Ltd. About NetIntel IT Security Consultancy Firm Penetration Testing Security Auditing Security Training – Unix, Windows, Databases, Ethical Hacking, Intrusion Detection, etc. BS7799 Consultancy Application Security Audit Business Continuity Management Security Implementation & Design
43.
43 © Network Intelligence
India Pvt. Ltd. THANK YOU
Baixar agora