4. Root Protection
▪ When performing tasks that require the root user
account, use the su - command to switch to the
root user and execute the command; then use the
exit command to revert back to the regular user
account.
▪ As a general rule, create a user account that gives
sufficient permissions to perform most daily tasks.
Use this account instead of the root user account
when logging in to the system.
5. Root-level Access Management
su -l user_name   switches to the specified user in a login shell (same as su - user_name)
su user_name      switches to the user but does not load that user's environment variables
su - user_name    switches to the user and loads the user's environment variables
su -              switches to the root user and loads the root user's environment variables
su                switches to the root user but does not load the root user's environment variables
su -c "command"   executes a single command as the root user (add user_name after the command to run it as another user)
7. Security Considerations
▪ Users should be trained to use strong passwords.
Strong passwords mix numbers and letters (both upper- and
lower-case) and are long; treat 8 characters as a floor rather
than a target, since length does more against guessing attacks
than character variety.
▪ Passwords should expire periodically. (Current NIST guidance in
SP 800-63B instead recommends forcing a change only when
compromise is suspected, so pair any expiry policy with a limit
on failed login attempts rather than relying on expiry alone.)
▪ Administrators can limit the resources that users
can access.
8. User Security Commands
chage Set or view password aging for an account: maximum and
minimum password age, warning period, and account expiry date.
ulimit Limit computer resources used for applications
launched from the shell. Limits can be hard or soft
limits. Soft limits can be raised or lowered by the user, up to
the hard limit setting. An unprivileged user can lower a hard
limit but never raise it again; only root can raise hard limits.
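The two commands above, as an added example that is not part of the original notes: a chage invocation that enforces a password-aging policy, and a probe that shows how the soft and hard open-file limits interact. The account name "alice" and the 90/1/14-day policy are assumed values; the limit probe runs in a subshell so the calling shell keeps its own limits.

```shell
#!/bin/sh
# Added example (not from the original notes): chage password aging and
# soft-vs-hard ulimit behaviour. "alice" and the 90/1/14-day policy are assumed.

# Password aging for one account: change required every 90 days, at least one
# day between changes, 14 days of warning before expiry. Needs root.
set_password_aging() {
    user="$1"
    chage -M 90 -m 1 -W 14 "$user" && chage -l "$user"
}

# Soft vs hard open-file limits, probed in a subshell so the caller is unaffected.
# Prints: soft=<n> hard=<n> raise_blocked=<yes|no>
limit_demo() (
    hard_cur=$(ulimit -H -n)
    case "$hard_cur" in
        ''|*[!0-9]*) hard_cur=1024 ;;   # "unlimited" or unparseable: assume 1024
    esac
    # Pick values that are always below the current hard limit.
    if [ "$hard_cur" -ge 1024 ]; then new_hard=512; else new_hard=$hard_cur; fi
    if [ "$new_hard" -ge 256 ]; then new_soft=256; else new_soft=$new_hard; fi

    ulimit -S -n "$new_soft"   # soft limit: any user may move it, up to the hard limit
    ulimit -H -n "$new_hard"   # hard limit: an unprivileged user can lower it, never raise it again

    # Raising the soft limit past the hard limit is refused for everyone, root included.
    if ulimit -S -n $(( new_hard + 1 )) 2>/dev/null; then blocked=no; else blocked=yes; fi
    printf 'soft=%s hard=%s raise_blocked=%s\n' "$(ulimit -S -n)" "$(ulimit -H -n)" "$blocked"
)
```

Because the hard limit was lowered inside the subshell, the parent shell still has its original limits; in a login shell the same lowering would be permanent for that session, which is why hard limits are normally set once by root in /etc/security/limits.conf rather than interactively.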
9. File Auditing
▪ Executable files owned by the root user that have the SUID (Set
User ID) permission. With the SUID permission, executables
run with the owner's permissions (here, root), not with the
permissions of the user who runs them.
▪ Executable files owned by the root group that have the SGID
(Set Group ID) permission. With the SGID permission,
executables run with the group's permissions, not with the
permissions of the user who runs them.
▪ Files that have the write and execute permissions for others
(everyone on the Linux system who is not a user or group owner
of the file). If the file is writable by others, anyone can insert
malicious commands into it, which then run with the privileges of
whoever executes it next; a world-writable directory without the
sticky bit additionally lets anyone replace the files inside it.
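The three checks above as a scan, added here as an example that is not part of the original notes. The audit functions run find over a tree; make_sample_tree builds a constructed directory with one file of each kind so the scan can be tried without touching a real system (run audit_permissions / against a host).

```shell
#!/bin/sh
# Added example, not from the original notes: find SUID, SGID and
# world-writable files. The sample tree below is constructed for the demo.

# Print "CLASS path" for every SUID, SGID or world-writable regular file under $1.
# -xdev keeps the scan on one filesystem; run it against / to audit a host.
audit_permissions() {
    dir="$1"
    find "$dir" -xdev -type f -perm -4000 -print 2>/dev/null | awk '{print "SUID", $0}'
    find "$dir" -xdev -type f -perm -2000 -print 2>/dev/null | awk '{print "SGID", $0}'
    find "$dir" -xdev -type f -perm -0002 -print 2>/dev/null | awk '{print "WORLD_WRITABLE", $0}'
}

# Narrow SUID/SGID findings to the case the notes care about: owned by root or
# the root group. Compare each hit against the package database before changing it.
audit_root_owned() {
    dir="$1"
    find "$dir" -xdev -type f -user root -perm -4000 -print 2>/dev/null | awk '{print "ROOT_SUID", $0}'
    find "$dir" -xdev -type f -group root -perm -2000 -print 2>/dev/null | awk '{print "ROOT_SGID", $0}'
}

# Constructed sample tree: one SUID file, one SGID file, one world-writable
# script and one clean file. Setting these bits on your own files needs no privilege.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/bin" "$root/scripts"
    : > "$root/bin/suid_tool";       chmod 4755 "$root/bin/suid_tool"
    : > "$root/bin/sgid_tool";       chmod 2755 "$root/bin/sgid_tool"
    : > "$root/scripts/cleanup.sh";  chmod 0777 "$root/scripts/cleanup.sh"
    : > "$root/bin/normal_tool";     chmod 0755 "$root/bin/normal_tool"
}
```

Save the output of a clean install as a baseline and diff later runs against it; a SUID binary that appears in a directory such as /tmp or a home directory is far more suspicious than one that ships with the passwd or sudo package.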
11. Pluggable Authentication Modules (PAM)
▪ Login blocking is enforced by the pam_nologin module, which is
listed in /etc/pam.d/login (and, on most distributions,
/etc/pam.d/sshd) and refuses non-root logins whenever the
/etc/nologin file exists. PAM:
– Is a set of modules that enables various authentication
systems on a Linux computer.
– Can employ modules concurrently. For example, one
PAM module can be used to enable biometric logins while
another enables standard user and password
authentication.
12. Configure Login Blocking
▪ Force all users to log out of the system:
1. Become root (log in as root on the console, or use su - or sudo -i).
2. Use the w command to view all logged-in users and what they are running.
3. For each active user, use pkill -TERM -u user to ask the user's
processes to exit, then pkill -KILL -u user for any that remain.
(On systemd distributions, loginctl terminate-user user ends every
session of that user.)
▪ Disable the ability to login to the system:
1. Create the /etc/nologin file.
2. Add a message to the file that will be displayed to users
when they attempt to log in.
Root can still log in while /etc/nologin exists; delete the file to
re-enable logins. Block first, then log users out, so nobody
reconnects between the two steps.
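The procedure above as a script, added here as an example and not part of the original notes. The path of the nologin file is taken from the NOLOGIN_FILE variable (default /etc/nologin) so the block/unblock functions can be exercised against a scratch file without root; the session-termination function needs root and is the one to be careful with.

```shell
#!/bin/sh
# Added example, not from the original notes: login blocking as a script.
# NOLOGIN_FILE defaults to /etc/nologin and is overridable for testing.
NOLOGIN_FILE="${NOLOGIN_FILE:-/etc/nologin}"

# Refuse new non-root logins and tell users why. pam_nologin prints the file's
# contents at the login prompt; root is exempt.
block_logins() {
    msg="${1:-System maintenance in progress; logins are disabled.}"
    printf '%s\n' "$msg" > "$NOLOGIN_FILE" && chmod 0644 "$NOLOGIN_FILE"
}

unblock_logins() {
    rm -f "$NOLOGIN_FILE"
}

logins_blocked() {
    [ -f "$NOLOGIN_FILE" ]
}

# Users with a session right now (the first column of w / who output).
active_users() {
    who | awk '{print $1}' | sort -u
}

# End every session of one user: TERM first so shells can clean up, KILL for
# anything that ignored it. Needs root; never aim it at root or your own account.
terminate_user_sessions() {
    user="$1"
    pkill -TERM -u "$user" 2>/dev/null
    sleep 2
    pkill -KILL -u "$user" 2>/dev/null
    return 0
}

# Block first, then evict, so nobody logs back in between the two steps.
lockdown() {
    block_logins "$1"
    for u in $(active_users); do
        [ "$u" = root ] && continue
        terminate_user_sessions "$u"
    done
}
```

Run lockdown "Maintenance until 18:00" from a root console session; when done, unblock_logins removes the file and normal logins resume.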
16. Encryption Types
▪ Symmetric
– also known as secret key encryption, pre-shared key or private key encryption
– Symmetric encryption is well suited for bulk encryption, because it is less CPU-
intensive and much faster than other encryption methods.
– Each pair of communicating entities requires a unique shared key
▪ Asymmetric
– also known as public key encryption
– The public key is made available to anyone; the private key is kept secret.
– The strength of an asymmetric encryption system lies in the security of its
private keys. If the private key is ever compromised, a new key pair must be
generated
18. OpenSSH
▪ Uses a Diffie-Hellman key exchange, signed with the server's host key pair so
the client can verify which host it is talking to, to agree on a symmetric session
key that both hosts then use to encrypt and decrypt transmissions for the rest of
the SSH session. (SSH1 had the client encrypt a session key with the server's
public key; SSH2 derives the key from the exchange, so it never travels on the wire.)
▪ Can use associated key management software and scripts, such as ssh-copy-id, to
automate the exchange of public keys.
▪ Can be used to create a secure tunnel through which other unsecure network
protocols, such as IMAP, POP3, SMTP, and X server traffic can be transmitted.
▪ Has existed in two protocol versions:
– SSH version 1 (SSH1) is an older, insecure version of SSH. SSH1 only supports RSA
keys. OpenSSH disabled SSH1 by default in release 7.0 (2015) and removed it entirely
in 7.6 (2017), so any host still offering it is running unmaintained software.
– SSH version 2 (SSH2) is the current standard SSH implementation. It can use RSA,
ECDSA, or Ed25519 keys. DSA keys (fixed at 1024 bits with SHA-1) are disabled by
default in current OpenSSH releases and should not be used.
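A check for the weak settings this section implies, added here as an example that is not part of the original notes: it parses an sshd_config and flags SSH1, DSA host keys, root login and password authentication. Both sample configs are constructed; the check is awk over the file, with OpenSSH's own "first occurrence of a directive wins" rule applied.

```shell
#!/bin/sh
# Added example, not from the original notes: flag weak sshd_config settings.
# The two sample configurations below are constructed for the demo.

# Emit one "WEAK: ..." line per finding. Like sshd, the first occurrence of a
# directive wins (HostKey may repeat); directives after a Match block apply
# conditionally, so the scan stops there; names are case-insensitive.
check_sshd_config() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        {
            key = tolower($1); val = $2
            if (key != "hostkey" && (key in seen)) next
            seen[key] = 1
            if (key == "protocol" && val ~ /1/)
                print "WEAK: Protocol " val " (SSH1 enabled; OpenSSH no longer supports it)"
            if (key == "hostkey" && val ~ /dsa/)
                print "WEAK: HostKey " val " (1024-bit DSA host key; use ed25519 or rsa)"
            if (key == "permitrootlogin" && tolower(val) == "yes")
                print "WEAK: PermitRootLogin yes (use su/sudo from a named account instead)"
            if (key == "passwordauthentication" && tolower(val) == "yes")
                print "WEAK: PasswordAuthentication yes (prefer public key authentication only)"
            if (key == "pubkeyauthentication" && tolower(val) == "no")
                print "WEAK: PubkeyAuthentication no"
        }
    ' "$1"
}

count_weak() { check_sshd_config "$1" | awk 'END { print NR }'; }

# Constructed: legacy settings still found on old hosts.
weak_config() {
    cat <<'EOF'
# legacy host
Protocol 2,1
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# Constructed: the same host after hardening.
hardened_config() {
    cat <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}
```

Run check_sshd_config /etc/ssh/sshd_config on a host; an empty result means none of these four problems is present, not that the configuration is otherwise sound (sshd -T prints the fully resolved effective configuration, including defaults, if you want to check more).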
19. Port Tunneling Process
(Local port forwarding, ssh -L; the client application never talks to
the network in the clear.)
1. The client application sends its non-secure protocol traffic to a
port on the local machine on which the SSH client is listening,
rather than to the remote server directly.
2. The SSH client encrypts that traffic and sends it over the
established SSH session to the SSH daemon on the server.
3. The SSH daemon decrypts the traffic and forwards it to the
real service port (for example, 143 for IMAP) on the server or on
another host reachable from the server.
4. Replies travel the same path in reverse, so the client application
receives the data on its usual local port as if it had spoken to the
service directly.
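The tunnel described above for IMAP, added here as an example that is not part of the original notes. The host name "mailhost", the account "alice" and the local port 1143 are assumed values; the part worth copying is the explicit 127.0.0.1 bind address, because the local end of the tunnel is plaintext.

```shell
#!/bin/sh
# Added example, not from the original notes: local port forward for IMAP.
# "mailhost", "alice" and port 1143 are assumed values.

# Validate a TCP port number (1-65535); returns 1 on anything else.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L argument. Binding 127.0.0.1 explicitly matters: the local end is
# plaintext, and binding 0.0.0.0 (or enabling GatewayPorts) would let every host
# on the LAN use your authenticated tunnel.
forward_spec() {
    lport="$1"; rhost="$2"; rport="$3"
    valid_port "$lport" && valid_port "$rport" || return 1
    printf '127.0.0.1:%s:%s:%s\n' "$lport" "$rhost" "$rport"
}

# Start the tunnel in the background: -N runs no remote command, -f forks after
# authentication, and ExitOnForwardFailure makes a local port that is already
# in use fail loudly instead of leaving a silent, useless session behind.
start_imap_tunnel() {
    spec=$(forward_spec 1143 localhost 143) || return 1
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" alice@mailhost
}
```

Afterwards point the mail client at 127.0.0.1 port 1143 with TLS off; sshd on mailhost connects to port 143 on its own localhost and relays the traffic, so the IMAP server sees a local connection and the network sees only SSH.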
22. Authentication Method
(This is the SSH1 challenge-response scheme. SSH2 public key
authentication, defined in RFC 4252, instead has the client sign the
session identifier with its private key and the server verify that
signature against the stored public key; nothing is decrypted and no
MD5 is involved.)
1. The client tells the server which public key it wants to authenticate with,
and the server checks that the key has previously been authorized
for that account (on OpenSSH, listed in ~/.ssh/authorized_keys).
2. If the key is known to the server, it chooses a random number, encrypts it
with the public key, and sends it to the client.
3. The client decrypts the number with its private key and uses it, together
with the session identifier, to create a hash (MD5 checksum). The client
sends the hash back to the server.
4. The server computes its own hash (MD5 checksum) from the same random
number and session identifier and then checks whether both hash values match.
5. If the hashes match, the server grants access to the user. If the hashes do
not match, the user is prompted to log in using a password (when password
authentication is enabled on the server).
The root user account is the Linux system superuser and can perform any task.
Some Linux commands cannot be run by anyone but the root user.
The root account is created during the installation process and receives user ID (UID) 0 (zero); it is the UID, not the name "root", that the kernel treats as privileged. Normal (standard) user accounts receive ascending UIDs beginning at 500 or 1000 depending on the distribution (the UID_MIN setting in /etc/login.defs).
exit
Return to account from which the su command was typed. When no su command has been typed, exit terminates the shell. When using a computer that uses a shell exclusively, exit logs the user out.
logout
Log out of the system, while leaving the system powered on.
To give standard user accounts the permissions to execute a limited set of commands as the root user, use the sudo command. The allowed users and commands are defined in /etc/sudoers and in files under /etc/sudoers.d, which should be edited only with visudo so that a syntax error cannot lock every administrator out of sudo.
There is a limited number of files on a Linux system owned by root or the root group that legitimately need the SUID or SGID permission set (passwd, su, sudo, and mount are typical). Before changing permissions, first verify whether they actually have been set appropriately, for example by comparing against the package database with rpm -V or dpkg --verify.
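A least-privilege sudoers fragment and the syntax check that should precede installing it, added here as an example that is not part of the original notes. The account "alice", the commands granted and the drop-in file name are assumed values.

```shell
#!/bin/sh
# Added example, not from the original notes: a narrow sudoers drop-in plus
# the visudo check. "alice", the commands and the file name are assumed.

# Write the fragment to the path given. Full paths, no wildcards, no NOPASSWD
# and no ALL: wildcards and writable paths are the usual routes from "limited
# sudo" to a root shell.
write_sudoers_fragment() {
    cat > "$1" <<'EOF'
# Let alice refresh packages and read the system journal, nothing else.
Cmnd_Alias PKG_UPDATE = /usr/bin/apt-get update, /usr/bin/apt-get upgrade
Cmnd_Alias LOGS = /usr/bin/journalctl
alice ALL=(root) PKG_UPDATE, LOGS
EOF
    chmod 0440 "$1"
}

# visudo -cf parses a file without installing it. Returns visudo's verdict;
# when visudo is not installed it says so and returns 0 so callers can decide.
check_sudoers_fragment() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not installed; syntax not checked" >&2
        return 0
    fi
    visudo -cf "$1"
}

# Install into /etc/sudoers.d only after the check passes (needs root).
install_sudoers_fragment() {
    tmp=$(mktemp) || return 1
    write_sudoers_fragment "$tmp"
    check_sudoers_fragment "$tmp" && install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/alice-ops
    rm -f "$tmp"
}
```

After installing, sudo -l -U alice (as root) shows exactly what the account may run; anything listed there that accepts a shell escape (editors, pagers, interpreters) effectively grants a root shell.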
Administrators can prevent users from logging in to a Linux system. This may be necessary while troubleshooting problems or while responding to a security event.
Remove unneeded software
Unneeded software takes disk space and could introduce security flaws. To remove unneeded software:
Run one of the following commands:
Use dnf list installed (or rpm -qa) to see installed RPM packages on the computer.
Use dpkg --get-selections (or dpkg -l) to see installed Debian packages on the computer.
Research the function of any unrecognized package to determine whether it is necessary.
Use dnf, yum, rpm, apt, or dpkg to uninstall unneeded packages.
Check for unneeded network services
Unneeded network services waste the computer's resources and might provide attackers with an entry point for an attack. To view a list of installed services, use one of the following commands:
For init-based systems, run chkconfig --list at the shell prompt.
For systemd-based systems, run systemctl list-unit-files --type=service at the shell prompt.
Review the output of these commands and look for unusual or unrecognized services. Then use the man command and the Internet to determine whether they can be safely removed or disabled. Use chkconfig, insserv, or update-rc.d to disable the service on init-based systems. On systemd distributions, use systemctl disable --now to stop a service and keep it from starting at boot, or systemctl mask to prevent it from being started at all, even by another unit that depends on it. Alternatively, you could use dnf, yum, zypper, rpm, apt, or dpkg to remove the package entirely.
Locate open ports
Open ports can provide information about what operating system a computer uses and can provide entry points for an attack. To locate open ports:
Install the nmap utility (if not already installed).
Use one of the following commands to scan for open ports:
nmap -sT host_IP_address scans for open TCP ports (a full connect scan; needs no special privileges)
nmap -sU host_IP_address scans for open UDP ports (requires root and is slow, because closed UDP ports are only inferred from ICMP unreachable replies)
From the results of the scan, determine which ports to close and which services use the ports.
Disable the services using those ports.
Consider running nmap on the local system as well as from a different network host. The local scan shows every listening port; the remote scan shows which of them are actually allowed through the host's firewall. Scan only hosts you own or have permission to test.
Check network connections
Open network connections (e.g., open sockets) on a computer also create a security risk. A socket is an endpoint of a bidirectional communication flow across a computer network. Use the following netstat options to identify the open network connections on the Linux system (netstat is deprecated on current distributions; ss from iproute2 accepts -a, -l, -s, -t, -u, -n and -p with the same meanings, so ss -tulpn is the usual replacement for netstat -tulpn):
-a lists both listening and non-listening sockets.
-l lists listening sockets.
-s displays statistics for each protocol.
-i displays a table of all network interfaces (netstat only; with ss, -i shows internal TCP information instead).
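The check that ties the port scan and the socket listing together, added here as an example that is not part of the original notes: which listening sockets are bound to every interface (0.0.0.0, [::] or *) rather than to loopback, since only those are reachable from the network at all. The parser reads ss -Hltunp output; the sample lines are constructed, and the process name is only available when ss runs as root.

```shell
#!/bin/sh
# Added example, not from the original notes: list listeners exposed on all
# interfaces from "ss -Hltunp" output. Sample output below is constructed.

# Read ss output on stdin; print "proto port process" for sockets bound to a
# wildcard address. Column 5 is Local Address:Port; the port is the text after
# the last colon, which also handles IPv6 forms such as [::]:3306.
exposed_listeners() {
    awk '
        NF < 5 || $1 == "Netid" { next }
        {
            n = split($5, a, ":"); port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
            proc = "?"   # ss prints users:(("name",pid=N,fd=M)) only when run as root
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            print $1, port, proc
        }'
}

# Live view on a host (needs root for process names).
live_exposed_listeners() {
    ss -Hltunp | exposed_listeners
}

# Constructed sample: two services correctly limited to loopback, three exposed.
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=1422,fd=6))
tcp   LISTEN 0      4096            [::]:3306         [::]:*    users:(("mariadbd",pid=1510,fd=21))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=455,fd=5))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=610,fd=6))
EOF
}
```

On the constructed sample the result is sshd on 22, mariadbd on 3306 and rpcbind on 111; redis and chronyd are bound to loopback and never appear. Compare this list with an nmap -sT run from another host: a port present here but closed there is being filtered by the host firewall, and a port open there but absent here deserves an explanation.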
OpenSSH is a tool that encrypts network traffic over a network connection.
OpenSSH is an open source implementation of the Secure Shell (SSH) protocol and implemented by default on most Linux distributions.
Symmetric
Data Encryption Standard (DES) is an old encryption standard, developed at IBM and adopted by the US government in 1977 with NSA involvement in its design. DES uses a 56-bit key, which has been brute-forced in practice since 1998, so it is considered broken.
Triple DES (3DES) is an enhanced version of DES. 3DES applies DES three times with a 168-bit key, but its effective strength is only about 112 bits; NIST deprecated it and disallows it for encryption after 2023.
Advanced Encryption Standard (AES) is a stronger encryption system that supports key lengths of 128, 192, and 256 bits. AES is based on the Rijndael cipher developed by Joan Daemen and Vincent Rijmen.
Blowfish is an older encryption system designed to replace DES. Blowfish uses 64-bit blocks and key lengths anywhere from 32 bits to 448 bits; its small block size makes it unsuitable for encrypting large volumes of data under one key.
Asymmetric
Rivest, Shamir, and Adleman (RSA) is based on the difficulty of factoring large numbers into their prime values. RSA keys in practice range from 2,048 to 4,096 bits; 1,024-bit keys are no longer considered adequate, and 2,048 bits is the minimum NIST recommends.
Digital Signature Algorithm (DSA) is a United States Government standard (FIPS 186) used only for digital signing, not for encryption. It pairs a key size with a hash function: the original 1,024-bit keys use SHA-1, and the larger 2,048- and 3,072-bit keys use SHA-2. Because most SSH implementations only ever supported 1,024-bit DSA keys with SHA-1, DSA keys are now deprecated.
Diffie-Hellman Key Exchange was developed by Whitfield Diffie and Martin Hellman. It is a key agreement protocol that generates the same symmetric key simultaneously at the sender and recipient sites over non-secure channels, without the key itself ever being transmitted. The Diffie-Hellman key exchange:
Provides for key agreement only and does not by itself provide confidentiality, integrity, or authentication.
Is based on the difficulty of calculating discrete logarithms in a finite field.
Is used in many algorithms and standards (including SSH, TLS, and IPsec).
Is subject to man-in-the-middle attacks and requires strong authentication to validate the endpoints.
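The exchange with both sides' messages, added here as an example that is not part of the original notes. Shell integer arithmetic is used so it runs anywhere; the parameters are toy-sized (real deployments use 2048-bit groups or elliptic curves), and the larger modulus is kept below 2^31 so every product fits in 64-bit arithmetic.

```shell
#!/bin/sh
# Added example, not from the original notes: Diffie-Hellman with toy parameters.
# Moduli stay below 2^31 so intermediate products fit in 64-bit shell arithmetic.

# base^exp mod m by square-and-multiply; all intermediates stay below 2^62.
modpow() {
    base=$(( $1 % $3 )); ex=$2; mod=$3; res=1
    while [ "$ex" -gt 0 ]; do
        [ $(( ex % 2 )) -eq 1 ] && res=$(( res * base % mod ))
        base=$(( base * base % mod ))
        ex=$(( ex / 2 ))
    done
    echo "$res"
}

# One exchange. p and g are public; a and b are each side's private exponent.
# Prints: A B Ka Kb (the two values sent over the wire, then each side's derived key).
dh_exchange() {
    p=$1; g=$2; a=$3; b=$4
    A=$(modpow "$g" "$a" "$p")    # Alice -> Bob:  A = g^a mod p
    B=$(modpow "$g" "$b" "$p")    # Bob -> Alice:  B = g^b mod p
    Ka=$(modpow "$B" "$a" "$p")   # Alice computes B^a = g^(ab) mod p
    Kb=$(modpow "$A" "$b" "$p")   # Bob computes   A^b = g^(ab) mod p
    echo "$A $B $Ka $Kb"
}

# The agreed key, or failure if the two sides disagree. An eavesdropper sees
# only p, g, A and B and would need a discrete logarithm to recover the key;
# an active attacker who replaces A and B with their own values runs two
# separate exchanges and reads everything, which is why the endpoints must be
# authenticated (in SSH, by the host key signature over the exchange).
dh_shared_key() {
    set -- $(dh_exchange "$@")
    [ "$3" = "$4" ] && echo "$3"
}
```

With the textbook parameters p=23, g=5, a=6, b=15 the wire carries A=8 and B=19 and both sides derive 2; with p=2147483647 (a Mersenne prime) and g=7 the same code runs on 31-bit values, which is still far too small to be secure but large enough to see that neither side ever needs the other's private exponent.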
Secure Shell (SSH) port tunneling encrypts data from non-secure protocols before sending the data over a network.
Non-secure protocols, such as email and X server traffic, can be tunneled through SSH.
Public key authentication uses a key pair instead of a password to authenticate an SSH connection: the username is still sent, but the client proves possession of its private key rather than presenting a secret the server could have stored.
Gnu Privacy Guard (GnuPG) is an encryption tool that encrypts and digitally signs email and also encrypts files.
GnuPG is a free implementation of the OpenPGP standard (RFC 4880), the format originally defined by Pretty Good Privacy (PGP).
It uses public/private key encryption to secure information: each message is encrypted with a fresh random symmetric session key, and that session key is encrypted to each recipient's public key.