Security
CPTR422 System Administration II
Overview
▪ Root Usage
▪ User Security and Restriction
▪ Login Blocking
▪ Network Security
▪ OpenSSH
▪ SSH Port Tunneling
▪ Public Key Authentication
▪ GNU Privacy Guard (GnuPG)
Root Usage
Root Protection
▪ When performing tasks that require the root user
account, use the su - command to switch to the
root user and execute the command; then use the
exit command to revert back to the regular user
account.
▪ As a general rule, create a user account that gives
sufficient permissions to perform most daily tasks.
Use this account instead of the root user account
when logging in to the system.
Root-level Access Management
su
    su -l user_name    switches to the specified user in a login shell
    su user_name       switches to the user but does not load that user's
                       environment variables
    su - user_name     switches to the user and loads the user's
                       environmental variables
    su -               switches to the root user and loads the root user's
                       environmental variables
    su                 switches to the root user but does not load the root
                       user's environmental variables
    -c "command"       executes a single command as the root user
User Security
Security Considerations
▪ Users should be trained to use strong passwords.
Strong passwords use a mixture of numbers and
letters (both upper- and lower-case) and are more
than 8 characters in length.
▪ Passwords should expire periodically.
▪ Administrators can limit the resources that users
can access.
User Security Commands
chage     Set user passwords to expire
ulimit    Limit computer resources used for applications launched from the
          shell. Limits can be hard or soft limits. Soft limits can be
          temporarily exceeded up to the hard limit setting. Users can modify
          soft limits, but only root can modify hard limits.
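An added example (not from the original slides) that exercises soft and hard limits on open file descriptors with `ulimit -n`. The function name `limit_demo` and the numeric values are assumptions of this example, and it assumes the inherited hard limit is at least 128.

```shell
#!/bin/sh
# Added example, not from the original slides.

# limit_demo: change the soft and hard limits on open file descriptors (-n)
# and report which changes the kernel accepted.
# Everything runs in a subshell, so the caller's own limits are untouched.
# Assumption: the inherited hard limit is at least 128.
limit_demo() {
    (
        report=
        # try LABEL ULIMIT-ARGS...: record whether the change was accepted
        try() {
            label=$1
            shift
            if ulimit "$@" 2>/dev/null; then
                report="$report $label=ok"
            else
                report="$report $label=refused"
            fi
        }
        try lower_soft -S -n 64        # any user may lower a soft limit
        try lower_hard -H -n 128       # lowering a hard limit needs no privilege
        try raise_soft -S -n 100       # soft may go back up, as far as the hard limit
        try soft_over_hard -S -n 200   # soft above hard is refused, even for root
        try raise_hard -H -n 256       # raising hard is refused unless privileged (root)
        echo "${report# } soft=$(ulimit -S -n) hard=$(ulimit -H -n)"
    )
}
```

Calling `limit_demo` prints one line of `label=ok` or `label=refused` results followed by the final soft and hard values.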
File Auditing
▪ Executable files owned by the root user that have the SUID (Set
User ID) permission. With the SUID permission, executables will
run with the owner permissions, not with the permissions of the
user who runs them.
▪ Executable files owned by the root group that have the SGID
(Set Group ID) permission. With the SGID permission,
executables will run with the group permissions, not with the
permissions of the user who runs them.
▪ Files that have the write and execute permissions for others
(everyone on the Linux system who is not a user or group owner
of the file). If the file is writable by others, anyone can replace
the file with a malicious script to create a security risk.
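An added example (not from the original slides): a POSIX shell audit for the three file classes listed above, with a baseline comparison so that a periodic run reports only new findings. The function names and the OWNER/GROUP parameters are assumptions of this example; they default to root, as on the slide.

```shell
#!/bin/sh
# Added example, not from the original slides.

# audit_files DIR [OWNER] [GROUP]
# Prints one finding per line, tagged with the class it belongs to.
# OWNER and GROUP default to root; they are parameters (an assumption of this
# example) so the audit can be tried on a scratch directory without root.
audit_files() {
    dir=${1:?usage: audit_files DIR [OWNER] [GROUP]}
    owner=${2:-root}
    group=${3:-root}
    # -xdev stays on one filesystem, so /proc, /sys and network mounts are skipped.
    # -perm -MODE matches files that have at least all of the bits in MODE set.
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null |
        sed 's/^/SUID /'
    find "$dir" -xdev -type f -group "$group" -perm -2000 -print 2>/dev/null |
        sed 's/^/SGID /'
    # 0003 = write (2) + execute (1) for "others".
    find "$dir" -xdev -type f -perm -0003 -print 2>/dev/null |
        sed 's/^/OTHER-WX /'
}

# audit_new BASELINE DIR [OWNER] [GROUP]
# Prints findings that are present now but absent from the saved BASELINE file
# (a BASELINE is simply the stored output of an earlier audit_files run).
audit_new() {
    baseline=${1:?usage: audit_new BASELINE DIR [OWNER] [GROUP]}
    shift
    current=$(mktemp) || return 1
    audit_files "$@" | LC_ALL=C sort > "$current"
    LC_ALL=C sort "$baseline" | LC_ALL=C comm -13 - "$current"
    rm -f "$current"
}

# Constructed demo: a scratch directory with one file of each class, owned by
# the invoking user, so the audit can be seen working without root.
audit_demo() {
    t=$(mktemp -d) || return 1
    me=$(id -u)
    mygrp=$(id -g)
    : > "$t/plain";       chmod 0755 "$t/plain"
    : > "$t/suid_tool";   chmod 4755 "$t/suid_tool"
    : > "$t/sgid_tool";   chgrp "$mygrp" "$t/sgid_tool"; chmod 2755 "$t/sgid_tool"
    : > "$t/open_script"; chmod 0757 "$t/open_script"
    audit_files "$t" "$me" "$mygrp" | sed "s|$t/||"
    rm -rf "$t"
}
```

On a real system, store `audit_files /` as the baseline after installation and run `audit_new` against it from a scheduled job.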
Login Blocking
Pluggable Authentication Modules (PAM)
▪ Login blocking is enabled using the Pluggable
Authentication Modules (PAM) module configured
in the /etc/pam.d/login file. PAM:
– Is a set of modules that enables various authentication
systems on a Linux computer.
– Can employ modules concurrently. For example, one
PAM module can be used to enable biometric logins while
another enables standard user and password
authentication.
Configure Login Blocking
▪ Force all users to log out of the system:
1. Log in directly as the root user.
2. Use the w command to view all active user accounts.
3. Use pkill -KILL -u user to force the user to log
out for each active user.
▪ Disable the ability to login to the system:
1. Create the /etc/nologin file.
2. Add a message to the file that will be displayed to users
when they attempt to log in.
Network Security
General Procedures
OpenSSH
Encryption Types
▪ Symmetric
– also known as secret key encryption, pre-shared key or private key encryption
– Symmetric encryption is well suited for bulk encryption, because it is less CPU-
intensive and much faster than other encryption methods.
– Each pair of communicating entities requires a unique shared key
▪ Asymmetric
– also known as public key encryption
– The public key is made available to anyone; the private key is kept secret.
– The strength of an asymmetric encryption system lies in the security of its
private keys. If the private key is ever compromised, a new key pair must be
generated
Encryption Standards
Symmetric
▪ DES
▪ 3DES
▪ AES
▪ Blowfish
Asymmetric
▪ RSA
▪ DSA
▪ Diffie-Hellman Key Exchange
OpenSSH
▪ Uses a public and private key pair to encrypt and transfer a symmetric key
that is then used by both hosts to encrypt and decrypt transmissions during
the SSH session.
▪ Can use associated key management software and scripts to automate the
exchange of public keys.
▪ Can be used to create a secure tunnel through which other unsecure network
protocols, such as IMAP, POP3, SMTP, and X server traffic can be transmitted.
▪ Is available in two versions:
– SSH version 1 (SSH1) is an older, less secure version of SSH. SSH1 only supports RSA
encryption.
– SSH version 2 (SSH2) is the current standard SSH implementation. It can use either DSA
or RSA encryption.
Port Tunneling Process
1. The client sends the non-secure protocol
information to the port on the server running the
SSH daemon.
2. The SSH daemon intercepts all traffic sent to that
port, encrypts it, and sends it to the SSH client.
3. The SSH client receives the encrypted traffic,
decrypts it, and forwards it to the default port for
the client.
4. The client receives the data on its usual port.
Public Key Authentication
Authentication Method
1. The client specifies which public key the server uses for authentication,
and the server checks to ensure the key has previously been
authenticated to the server.
2. If the key is known to the server, it chooses a random number, encrypts it
with the public key, and sends it to the client.
3. The client decrypts the number with a private key and uses its own public
key and random number to create a hash (MD5 checksum). The client
sends the hash back to the server.
4. The server uses the public key and the random number to create its own
hash (MD5 checksum) and then checks whether both hash values match.
5. If the hashes match, the server grants access to the user. If the hashes do
not match, the user is prompted to log in using a password.
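The five steps above, carried out with the openssl command-line tool as an added example (not from the original slides, and not OpenSSH's own code). The function names, the alice/mallory key pairs and the result strings are assumptions of this example; MD5 appears only because the slide names it.

```shell
#!/bin/sh
# Added example, not from the original slides. Requires the openssl CLI.
# It follows the slide's challenge-response steps; SSH protocol 2 proves key
# possession with a signature over session data instead.

# pubkey_auth AUTHORIZED_PUB OFFERED_PUB CLIENT_KEY
#   AUTHORIZED_PUB  public key the server already trusts (PEM)
#   OFFERED_PUB     public key the client names in step 1 (PEM)
#   CLIENT_KEY      private key the client actually holds (PEM)
# Prints "granted", or the reason the server falls back to a password prompt.
pubkey_auth() {
    authorized=$1 offered=$2 client_key=$3
    # Step 1: the server checks that the offered key is one it knows.
    if ! cmp -s "$authorized" "$offered"; then
        echo "password:unknown-key"
        return 0
    fi
    w=$(mktemp -d) || return 1
    # Step 2: the server picks a random number and encrypts it to the public key.
    openssl rand -hex 16 > "$w/number"
    openssl pkeyutl -encrypt -pubin -inkey "$authorized" \
        -in "$w/number" -out "$w/number.enc"
    # Step 3: the client decrypts with its private key, then hashes its public
    # key together with the number. A wrong key gives an error or garbage.
    openssl pkeyutl -decrypt -inkey "$client_key" \
        -in "$w/number.enc" -out "$w/answer" 2>/dev/null || :
    client_hash=$(cat "$offered" "$w/answer" 2>/dev/null |
        openssl dgst -md5 -r | cut -d' ' -f1)
    # Step 4: the server computes the same hash from its own copies.
    server_hash=$(cat "$authorized" "$w/number" |
        openssl dgst -md5 -r | cut -d' ' -f1)
    rm -rf "$w"
    # Step 5: matching hashes grant access; otherwise fall back to a password.
    if [ "$client_hash" = "$server_hash" ]; then
        echo "granted"
    else
        echo "password:hash-mismatch"
    fi
}

# Constructed demo: two throwaway key pairs and three login attempts against
# a server that trusts only alice's public key.
pubkey_auth_demo() {
    d=$(mktemp -d) || return 1
    for who in alice mallory; do
        openssl genrsa -out "$d/$who.key" 2048 2>/dev/null
        openssl pkey -in "$d/$who.key" -pubout -out "$d/$who.pub"
    done
    # The key holder: known key, matching private key.
    pubkey_auth "$d/alice.pub" "$d/alice.pub" "$d/alice.key"
    # A key the server has never seen.
    pubkey_auth "$d/alice.pub" "$d/mallory.pub" "$d/mallory.key"
    # A known public key named by a client that lacks its private key.
    pubkey_auth "$d/alice.pub" "$d/alice.pub" "$d/mallory.key"
    rm -rf "$d"
}
```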
GNU Privacy Guard
Security

Security Concepts - Linux

  • 2. Overview ▪ Root Usage ▪ User Security and Restriction ▪ Login Blocking ▪ Network Security ▪ OpenSSH ▪ SSH PortTunneling ▪ Public KeyAuthentication ▪ Gnu Privacy Guard (GnuPG)
  • 4. Root Protection ▪ When performing tasks that require the root user account, use the su - command to switch to the root user and execute the command; then use the exit command to revert back to the regular user account. ▪ As a general rule, create a user account that gives sufficient permissions to perform most daily tasks. Use this account instead of the root user account when logging in to the system.
  • 5. Root-level Access Management su su –l user_name switches to the specified user in a login shell su user_name switches to the user but does not load that user's environment variables su – user_name switches to the user and loads the user's environmental variables su - switches to the root user and loads the root user's environmental variables su switches to the root user but does not load the root user's environmental variables. -c “command” executes a single command as the root user
  • 7. Security Considerations ▪ Users should be trained to use strong passwords. Strong passwords use a mixture of numbers and letters (both upper- and lower-case) and are more than 8 characters in length. ▪ Passwords should expire periodically. ▪ Administrators can limit the resources that users can access.
  • 8. User Security Commands chage Set user passwords to expire ulimit Limit computer resources used for applications launched from the shell. Limits can be hard or soft limits. Soft limits can be temporarily exceeded up to the hard limit setting. Users can modify soft limits, but only root can modify hard limits.
  • 9. File Auditing ▪ Executable files owned by the root user that have the SUID (Set User ID) permission.With the SUID permission, executables will run with the owner permissions, not with the permissions of the user who runs them. ▪ Executable files owned by the root group that have the SGID (Set Group ID) permission.With the SGID permission, executables will run with the group permissions, not with the permissions of the user who runs them. ▪ Files that have the write and execute permissions for others (everyone on the Linux system who is not a user or group owner of the file). If the file is writable by others, anyone can replace the file with a malicious script to create a security risk.
  • 11. Pluggable Authentication Modules (PAM) ▪ Login blocking is enabled using the Pluggable Authentication Modules (PAM) module configured in the /etc/pam.d/login file. PAM: – Is a set of modules that enables various authentication systems on a Linux computer. – Can employ modules concurrently. For example, one PAM module can be used to enable biometric logins while another enables standard user and password authentication.
  • 12. Configure Login Blocking ▪ Force all users to log out of the system: 1. Log in directly as the root user. 2. Use the w command to view all active user accounts. 3. Use pkill -KILL -u user to force the user to log out for each active user. ▪ Disable the ability to login to the system: 1. Create the /etc/nologin file. 2. Add a message to the file that will be displayed to users when they attempt to log in.
  • 16. Encryption Types ▪ Symmetric – also known as secret key encryption, pre-shared key or private key encryption – Symmetric encryption is well suited for bulk encryption, because it is less CPU- intensive and much faster than other encryption methods. – Each pair of communicating entities requires a unique shared key ▪ Asymmetric – also known as public key encryption – The public key is made available to anyone; the private key is kept secret. – The strength of an asymmetric encryption system lies in the security of its private keys. If the private key is ever compromised, a new key pair must be generated
  • 17. Encryption Standards
    Symmetric
    ▪ DES
    ▪ 3DES
    ▪ AES
    ▪ Blowfish
    Asymmetric
    ▪ RSA
    ▪ DSA
    ▪ Diffie-Hellman Key Exchange
  • 18. OpenSSH
    ▪ Uses a public and private key pair to encrypt and transfer a symmetric key that is then used by both hosts to encrypt and decrypt transmissions during the SSH session.
    ▪ Can use associated key management software and scripts to automate the exchange of public keys.
    ▪ Can be used to create a secure tunnel through which other unsecure network protocols, such as IMAP, POP3, SMTP, and X server traffic, can be transmitted.
    ▪ Is available in two versions:
      – SSH version 1 (SSH1) is an older, less secure version of SSH. SSH1 only supports RSA encryption.
      – SSH version 2 (SSH2) is the current standard SSH implementation. It can use either DSA or RSA encryption.
  • 19. Port Tunneling Process
    1. The client sends the non-secure protocol information to the port on the server running the SSH daemon.
    2. The SSH daemon intercepts all traffic sent to that port, encrypts it, and sends it to the SSH client.
    3. The SSH client receives the encrypted traffic, decrypts it, and forwards it to the default port for the client.
    4. The client receives the data on its usual port.
  • 22. Authentication Method
    1. The client specifies which public key the server uses for authentication, and the server checks to ensure the key has previously been authenticated to the server.
    2. If the key is known to the server, it chooses a random number, encrypts it with the public key, and sends it to the client.
    3. The client decrypts the number with a private key and uses its own public key and random number to create a hash (MD5 checksum). The client sends the hash back to the server.
    4. The server uses the public key and the random number to create its own hash (MD5 checksum) and then checks whether both hash values match.
    5. If the hashes match, the server grants access to the user. If the hashes do not match, the user is prompted to log in using a password.
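
The three file classes from the File Auditing slide can be searched for with find. The following is an added example, not part of the original slides; the function names, the allowlist file (one path per line) and the optional owner/group arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the three file classes named on the File Auditing slide.
# Function names and the allowlist format are assumptions of this example.

# SUID regular files owned by OWNER (default: root).
find_suid() {       # find_suid DIR [OWNER]
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 2>/dev/null
}

# SGID regular files owned by GROUP (default: root).
find_sgid() {       # find_sgid DIR [GROUP]
    find "$1" -xdev -type f -group "${2:-root}" -perm -2000 2>/dev/null
}

# Regular files that "others" can both write and execute.
find_other_wx() {   # find_other_wx DIR
    find "$1" -xdev -type f -perm -0003 2>/dev/null
}

# Print every finding whose path is not listed in ALLOWLIST, so that the
# files that legitimately need SUID/SGID do not drown out new ones.
audit_report() {    # audit_report DIR ALLOWLIST [OWNER] [GROUP]
    dir=$1 allow=$2 owner=${3:-root} group=${4:-root}
    {
        find_suid "$dir" "$owner" | sed 's/^/SUID /'
        find_sgid "$dir" "$group" | sed 's/^/SGID /'
        find_other_wx "$dir"      | sed 's/^/OTHER-WX /'
    } | while read -r kind path; do
        # -x whole line, -F fixed string, -q quiet
        grep -qxF -- "$path" "$allow" 2>/dev/null ||
            printf '%s %s\n' "$kind" "$path"
    done | sort
}

# Typical run as root (the allowlist path is a placeholder):
#   audit_report / /root/suid-sgid.allow
```

Review each reported file before changing its permissions; only paths that are confirmed as legitimate belong in the allowlist.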
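
The two procedures on the Configure Login Blocking slide, combined into one maintenance script as an added example (not part of the original slides). It creates the nologin file before logging users out so they cannot reconnect; the function names, the DRY_RUN switch and the NOLOGIN_FILE override are assumptions of this example.

```shell
#!/bin/sh
# Added example: block new logins, then log out the users who are still on.
# NOLOGIN_FILE and DRY_RUN are assumptions of this example, not system settings.

NOLOGIN_FILE=${NOLOGIN_FILE:-/etc/nologin}
DRY_RUN=${DRY_RUN:-1}           # 1 = only print what would be done

# Create the nologin file with the message shown to users who try to log in.
block_logins() {                # block_logins "message"
    printf '%s\n' "$1" > "$NOLOGIN_FILE" && chmod 0644 "$NOLOGIN_FILE"
}

# Read `w -h` style lines on stdin (user name in column 1) and print each
# non-root user once, so root's own session is never killed.
active_users() {
    awk '$1 != "root" && !seen[$1]++ { print $1 }'
}

# Force every user named on stdin to log out.
logout_users() {
    while read -r user; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: pkill -KILL -u $user"
        else
            pkill -KILL -u "$user" || echo "no processes for $user" >&2
        fi
    done
}

# Re-enable logins once maintenance is finished.
unblock_logins() {
    rm -f "$NOLOGIN_FILE"
}

# Typical run as root:
#   block_logins "System maintenance in progress. Logins are disabled."
#   DRY_RUN=0
#   w -h | active_users | logout_users
#   ... maintenance ...
#   unblock_logins
```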
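
The five steps of the Authentication Method slide, acted out with the openssl command line as an added example. It is not part of the original slides and is not OpenSSH's own code or wire format; the function and file names are assumptions, and RSA with MD5 appears only because the slide names them.

```shell
#!/bin/sh
# Added example: the slide's challenge-response steps using the openssl CLI.
# Function and file names are assumptions of this example.

# Hash of public key + random number (steps 3 and 4).
response_hash() {   # response_hash PUBKEY_FILE NUMBER
    { cat "$1"; printf '%s' "$2"; } | openssl dgst -md5 | awk '{ print $NF }'
}

new_keypair() {     # new_keypair PRIVATE_OUT PUBLIC_OUT
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

# authenticate AUTHORIZED_PUB CLIENT_PRIV CLIENT_PUB WORKDIR
# Prints "granted" or "denied"; returns 0 only when access is granted.
authenticate() {
    auth_pub=$1 priv=$2 pub=$3 work=$4
    # Step 1: the server checks that the offered key is one it already knows.
    cmp -s "$auth_pub" "$pub" || { echo denied; return 1; }
    # Step 2: the server picks a random number and encrypts it to that key.
    number=$(openssl rand -hex 16)
    printf '%s' "$number" |
        openssl pkeyutl -encrypt -pubin -inkey "$auth_pub" -out "$work/chal.bin"
    # Step 3: the client decrypts with its private key and hashes key + number.
    # A wrong private key yields an error or garbage, never the real number.
    got=$(openssl pkeyutl -decrypt -inkey "$priv" -in "$work/chal.bin" \
          2>/dev/null | tr -cd '0-9a-f')
    client_hash=$(response_hash "$pub" "$got")
    # Step 4: the server computes the same hash from its own copy.
    server_hash=$(response_hash "$auth_pub" "$number")
    # Step 5: access is granted only if both hashes match.
    if [ "$client_hash" = "$server_hash" ]; then echo granted; return 0; fi
    echo denied; return 1
}
```

Presenting someone else's public key without the matching private key fails at step 5, which is why the private key is the only secret that has to be protected.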

Editor's Notes

  1. The root user account is the Linux system superuser and can perform any task. Some Linux commands cannot be run by anyone but the root user. The root account is created during the installation process, and it receives the account number 0 (zero); in contrast, normal (standard) user accounts receive ascending numbers beginning at 500 or 1000 depending on the distribution.
  2. exit: Return to the account from which the su command was typed. When no su command has been typed, exit terminates the shell. When using a computer that uses a shell exclusively, exit logs the user out.
     logout: Log out of the system, while leaving the system powered on.
     To give standard user accounts the permissions to execute a limited set of commands as the root user, use the sudo command.
  3. There is a limited number of files on a Linux system owned by root or the root group that legitimately need the SUID or SGID permission set. Before changing permissions, first verify whether they actually have been set appropriately.
  4. Administrators can prevent users from logging in to a Linux system. This may be necessary while troubleshooting problems or while responding to a security event.
  5. Remove unneeded software
     Unneeded software takes disk space and could introduce security flaws. To remove unneeded software:
     – Run one of the following commands:
       ▪ Use dnf list installed to see installed RPM packages on the computer.
       ▪ Use dpkg --get-selections to see installed Debian packages on the computer.
     – Research the function of any unrecognized package to determine whether it is necessary.
     – Use yum, rpm, or dpkg to uninstall unneeded packages.

     Check for unneeded network services
     Unneeded network services waste the computer's resources and might provide attackers with an entry point for an attack. To view a list of installed services, use one of the following commands:
     – For init-based systems, run chkconfig at the shell prompt.
     – For systemd-based systems, run systemctl list-unit-files at the shell prompt.
     Review the output of these commands and look for unusual or unrecognized services. Then use the man command and the Internet to determine whether they can be safely removed or disabled.
     – Use chkconfig, insserv, or init to disable the service on init-based systems.
     – On systemd distributions, you can use the systemctl disable or the systemctl mask command to disable a service.
     – Alternatively, you could use yum, zypper, rpm, or dpkg to remove the package entirely.

     Locate open ports
     Open ports can provide information about what operating system a computer uses and can provide entry points for an attack. To locate open ports:
     – Install the nmap utility (if not already installed).
     – Use one of the following commands to scan for open ports:
       ▪ nmap -sT host_IP_address scans for open TCP ports
       ▪ nmap -sU host_IP_address scans for open UDP ports
     – From the results of the scan, determine which ports to close and which services use the ports. Disable the services using those ports.
     Consider running nmap on the local system as well as from a different network host. This will reveal what ports are open and which services are actually allowed through the host's firewall.

     Check network connections
     Open network connections (e.g., open sockets) on a computer also create a security risk. A socket is an endpoint of a bidirectional communication flow across a computer network. Use the following netstat options to identify the open network connections on the Linux system:
     – -a lists both listening and non-listening sockets.
     – -l lists listening sockets.
     – -s displays statistics for each protocol.
     – -i displays a table of all network interfaces.
  6. OpenSSH is a tool that encrypts network traffic over a network connection. OpenSSH is an open source implementation of the Secure Shell (SSH) protocol and is implemented by default on most Linux distributions.
  7. Symmetric
     – Data Encryption Standard (DES) is an old encryption standard created by the National Security Agency in the 1970s. DES uses weak encryption and can be easily broken.
     – Triple DES (3DES) is an enhanced version of DES. 3DES applies DES three times and uses a 168-bit key.
     – Advanced Encryption Standard (AES) is a stronger encryption system that supports encryption key lengths up to 256 bits. AES is based on the Rijndael cipher developed by Joan Daemen and Vincent Rijmen.
     – Blowfish is an older encryption system designed to replace DES. Blowfish uses 64-bit blocks and key lengths anywhere from 32 bits to 448 bits.

     Asymmetric
     – Rivest, Shamir, and Adleman (RSA) is based on factoring large numbers into their prime values. RSA supports key lengths from 1,024 to 4,096 bits.
     – Digital Signature Algorithm (DSA) is a United States Government encryption standard often used for digital signing. DSA currently supports Secure Hashing Algorithm-1 (SHA-1), which uses key lengths between 160 and 256 bits, or SHA-2, which uses key lengths between 256 and 1024 bits.
     – Diffie-Hellman Key Exchange was developed by Whitfield Diffie and Martin Hellman. It is a key agreement protocol that generates symmetric keys simultaneously at sender and recipient sites over non-secure channels. The Diffie-Hellman key exchange:
       ▪ Provides for key distribution and does not provide any cryptographic services.
       ▪ Is based on calculating discrete logarithms in a finite field.
       ▪ Is used in many algorithms and standards.
       ▪ Is subject to man-in-the-middle attacks and requires strong authentication to validate the endpoints.
  8. Secure Shell (SSH) port tunneling encrypts data from non-secure protocols before sending the data over a network. Non-secure protocols, such as email and X server traffic, can be tunneled through SSH.
  9. Public key authentication uses a public key instead of a username and password to authenticate an SSH connection.
  10. Gnu Privacy Guard (GnuPG) is an encryption tool that encrypts and digitally signs email and also encrypts files. GnuPG is an implementation of the Pretty Good Privacy (PGP) protocol. It uses public/private key encryption to secure information.