anthony - shaieb.net


Linux Security



Anthony Albrecht – Services & Accounts
Praveen Bochetty – Filesystem security & Logging
Seth Guenther – PAM & Kernel Tuning
Linux Run Levels

When Linux starts, the kernel runs a program named init, which runs all
subsequent startup tasks.
The first services it executes are those located in the /etc/rc.d
directory tree.
The files in /etc/rc.d/rc*.d are symbolic links to the actual scripts
located in /etc/rc.d/init.d (also reachable as /etc/init.d).
A run level is the level of functionality at which the operating system
is running.
The levels range from 0 to 6, and each level has a different degree of
functionality.
The default run level, and what init runs at each level, are specified in
the /etc/inittab file.
This describes SysV init as Red Hat shipped it at the time; systemd-based
distributions replace run levels with targets (multi-user.target,
graphical.target) and manage services with systemctl.
Linux Run Levels







Run level 0 is halt.
Run level 1 is single user mode, comparable to safe mode: a root shell
with no network services.
Run level 2 is multiuser mode, but without NFS (networking is up, no
network file sharing).
Run level 3 is full multiuser mode, the standard run level for a server.
Run level 4 is typically unused.
Run level 5 is run level 3 plus X11, the X Window System (graphical login).
Run level 6 is reboot.
Never set 0 or 6 as the default run level in /etc/inittab: the system
would halt or reboot as soon as it came up.
Disabling services

Within each /etc/rc.d/rc*.d directory, the link names start with S or K,
followed by a two-digit number and the service name
– S means start the service when entering this run level
– K means kill (stop) the service
– the number sets the order in which the scripts run (lowest first)

The chkconfig command manages these links and can be used to disable
services
– Ex: chkconfig inetd off
– verify the result with chkconfig --list
– this only changes what starts at boot; stop the running daemon as well
(service inetd stop)

Alternatively, use serviceconf for graphical administration.
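The following script is an added example, not part of the slides: it builds a throwaway rc.d tree with constructed service names, prints what init would run when entering a run level (K links first, then S links, each in numeric order, as /etc/rc.d/rc does), and mimics the link change that "chkconfig <name> off" makes. The directory layout and the 100-minus-start-number rule for the K link are assumptions that match Red Hat's SysV layout of the era; real chkconfig reads the priorities from the script's "# chkconfig:" header.

```shell
#!/bin/sh
# Added example (not from the deck): inspect and edit rc.d start/kill links.

make_sample_rcd() {            # $1 = directory standing in for /etc/rc.d
    root=$1
    mkdir -p "$root/init.d" "$root/rc3.d"
    for svc in sshd inetd nfs portmap xfs; do     # constructed service names
        printf '#!/bin/sh\necho %s "$1"\n' "$svc" > "$root/init.d/$svc"
        chmod +x "$root/init.d/$svc"
    done
    ln -s ../init.d/portmap "$root/rc3.d/S13portmap"
    ln -s ../init.d/inetd   "$root/rc3.d/S50inetd"
    ln -s ../init.d/sshd    "$root/rc3.d/S55sshd"
    ln -s ../init.d/xfs     "$root/rc3.d/K10xfs"
    ln -s ../init.d/nfs     "$root/rc3.d/K20nfs"
}

# Print "KILL <svc> -> <script>" / "START <svc> -> <script>" lines in the
# order /etc/rc.d/rc processes them: all K links, then all S links, each
# sorted by the two-digit number (the shell's glob sort does that here).
runlevel_plan() {              # $1 = rc.d root, $2 = run level
    root=$1; level=$2
    for prefix in K S; do
        for link in "$root/rc$level.d/$prefix"[0-9][0-9]*; do
            [ -e "$link" ] || continue
            name=$(basename "$link")
            [ "$prefix" = K ] && action=KILL || action=START
            printf '%s %s -> %s\n' "$action" "${name#???}" "$(readlink "$link")"
        done
    done
}

# Mimic "chkconfig <svc> off" for one level: replace the S link with a K link
# numbered 100 minus the start number, so the service is stopped early.
# (Simplified: real chkconfig takes the numbers from the "# chkconfig:"
# header of the init script.)
disable_at_level() {           # $1 = rc.d root, $2 = run level, $3 = service
    root=$1; level=$2; svc=$3
    for link in "$root/rc$level.d/S"[0-9][0-9]"$svc"; do
        [ -e "$link" ] || { echo "$svc is not started at run level $level" >&2; return 1; }
        name=$(basename "$link")
        start=${name#S}; start=${start%"$svc"}; start=${start#0}
        target=$(readlink "$link")
        rm "$link"
        ln -s "$target" "$root/rc$level.d/K$(printf '%02d' $((100 - start)))$svc"
    done
}
```

Run it against a copy of a real /etc/rc.d tree (runlevel_plan /etc/rc.d 3) to see the actual boot order; the plan shows why a K link for a service that is also S-linked later in the same level is harmless (it is stopped first, then started).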
Root Account

The root account is the most privileged account on a Unix system.
It has no security restrictions.
Therefore it is easy, with a mistyped command, to wipe out crucial system
files.
Never log in on your server as root unless you absolutely have to; log in
as an ordinary user and use su for the commands that need root.
Root Account

- Set a login time out for the root account.
- Make the bash shell log out automatically after it has not been used for
a period of time.
- Bash does this when the special variable TMOUT is set to the number of
seconds of no input before logout.
Root Account

Edit your profile file /etc/profile and add the following line somewhere
after the line that reads HISTFILESIZE=: TMOUT=7200
Automatic logout after two hours of inactivity will then apply to all
users on the system.
To control which users are automatically logged out and which are not,
set the variable in their individual .bashrc files instead.
You must log out and log in again for the change to take effect.
Two caveats: TMOUT only fires while an interactive shell is waiting at its
prompt, so a long-running command or an editor keeps the session alive;
and unless the variable is also marked read-only (with the shell's
readonly builtin) any user can simply unset it in their own shell.
NFS-Network File System

NFS allows a machine to mount a disk partition (or directory) on a remote
machine as if it were on a local hard drive.
It allows fast, seamless sharing of files across a network.
Classic NFS (AUTH_SYS) trusts the user and group IDs the client presents,
so any host allowed to mount an export can act as any non-root user on
it; that is why both the host list and root squashing matter.
The “/etc/exports” file

If you export file systems using the NFS service, be sure to configure
this file with the most restrictive access possible.
The “/etc/exports” file

Edit the exports file (vi /etc/exports) and add, as an example:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where “/dir/to/export” is the directory you want to export and
host#.mydomain.com is the machine allowed to mount it; the <ro> option
means the export is mounted read-only, and <root_squash> maps requests
from the client's root user (uid 0) to the anonymous user, so root on the
client gets no root rights on the export.
root_squash is the default; the dangerous setting is no_root_squash, and
a client field of * (or no client at all) exports to every host.
For this change to take effect you need to run the following command on
your terminal:
[root@deep]# /usr/sbin/exportfs -a
(exportfs -ra re-reads the file and also drops entries you removed.)
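As an added example (not from the slides), this script audits an exports file for entries broader than "read-only, root-squashed, to named hosts". The sample exports file is constructed inline; the option semantics it assumes are those of exports(5), where root_squash is the default and no_root_squash has to be written explicitly.

```shell
#!/bin/sh
# Added example (not from the deck): flag over-broad /etc/exports entries.

write_sample_exports() {       # $1 = file to write (constructed sample)
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/srv/pub       host1.mydomain.com(ro,root_squash) host2.mydomain.com(ro,root_squash)
/srv/scratch   *(rw,no_root_squash)
/srv/build     192.168.1.0/24(rw)
/home          *.mydomain.com(ro)
/srv/legacy
EOF
}

# Print one line per finding: "<path> <client>: <problem>".
audit_exports() {              # $1 = exports file
    set -f                     # a '*' client field must not be globbed
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        path=$1; shift
        if [ $# -eq 0 ]; then
            echo "$path <none>: no client list, exported to every host"
            continue
        fi
        for spec in "$@"; do           # each spec is client(options)
            client=${spec%%\(*}
            opts=${spec#"$client"}; opts=${opts#\(}; opts=${opts%\)}
            case $client in
                '*'|'') echo "$path $client: exported to every host" ;;
                '*'*)   echo "$path $client: wildcard client, check the domain is the intended one" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client: no_root_squash, client root keeps uid 0 on the server" ;;
            esac
            case ",$opts," in
                *,rw,*) echo "$path $client: writable" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "$path $client: accepts requests from unprivileged source ports" ;;
            esac
        done
    done < "$1"
    set +f
}
```

Point it at the real file with audit_exports /etc/exports; an empty result means every export is restricted to named clients, read-only and root-squashed, which is the state the slide asks for.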
inetd/xinetd introduction

inetd is the program that manages incoming connections for a collection of
small network services; its configuration file is inetd.conf.
xinetd took the inetd design and modularized it, meaning that each service
can be in its own configuration file (under /etc/xinetd.d).
xinetd also added features such as built-in host access control
(only_from, no_access) comparable to TCP wrappers, and per-service
logging, making configuration easier.
The modular configuration means that you can distribute a service to
several machines by copying its file into the xinetd.d directory, and you
can remove it similarly.
The inetd-/etc/inetd.conf file

Also called the "super server", inetd loads a network program when a
request for it arrives from the network.
The “inetd.conf” file tells inetd which ports to listen on and what server
to start for each port.
Look at the “/etc/inetd.conf” file to see what services are being offered
by your inetd program.
Disable what you do not need by commenting the lines out (adding a # at
the beginning of the line), then send your inetd process a SIGHUP so it
re-reads the file:
– killall -HUP inetd
Disabling Steps

Change the permissions on this file to 600.
[root@deep /]# chmod 600 /etc/inetd.conf
Ensure that the owner is root.
[root@deep /]# chown root /etc/inetd.conf
Edit the inetd.conf file (vi /etc/inetd.conf) and disable services like:
ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger,
auth, etc.
Of these, telnet, ftp, pop-2, pop-3 and imap send passwords in the clear,
and shell, login and exec (the r-services) trust the client's host name.
If nothing is left enabled, stop inetd itself rather than leaving an empty
super server listening.
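The following script is an added example, not from the slides, showing the inspect-and-disable step without a live inetd: it lists the services an inetd.conf would enable, reports which of them are on the slide's disable list, and comments a service out the way the slide does by hand in vi. The inetd.conf contents are constructed; the line format assumed is the classic "service socktype proto wait user server args".

```shell
#!/bin/sh
# Added example (not from the deck): audit and edit an inetd.conf file.

write_sample_inetd_conf() {    # $1 = file to write (constructed sample)
    cat > "$1" <<'EOF'
# constructed sample /etc/inetd.conf: service socktype proto wait user server args
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3    stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
daytime  stream  tcp  nowait  root    internal
EOF
}

# The deck's list of services to switch off.
RISKY_SERVICES="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Names of the services inetd would listen for: field 1 of every line that
# is neither blank nor a comment.
enabled_inetd_services() {     # $1 = inetd.conf
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Enabled services that are on the disable list.
risky_inetd_services() {       # $1 = inetd.conf
    for svc in $(enabled_inetd_services "$1"); do
        case " $RISKY_SERVICES " in *" $svc "*) echo "$svc" ;; esac
    done
}

# Comment out every enabled line for one service.  The file is rewritten in
# place through cat so its 600/root ownership is kept; afterwards the admin
# still has to run "killall -HUP inetd" for the change to be picked up.
disable_inetd_service() {      # $1 = inetd.conf, $2 = service name
    conf=$1; svc=$2
    tmpf=$(mktemp) || return 1
    awk -v svc="$svc" \
        '!/^[[:space:]]*#/ && $1 == svc { print "#" $0; next } { print }' \
        "$conf" > "$tmpf" && cat "$tmpf" > "$conf"
    rm -f "$tmpf"
}
```

A reasonable use on a real host is risky_inetd_services /etc/inetd.conf followed by disable_inetd_service for each name it prints, then the SIGHUP from the previous slide.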
The “/etc/host.conf” file

Linux uses a resolver library to obtain the IP address corresponding to a
host name.
This file specifies how names are resolved.
The entries in the file tell the resolver library what services to use,
and in what order, to resolve names.
The “/etc/host.conf” file

Edit the host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
The “/etc/host.conf” file

The order option indicates the order in which the lookup services are
tried.
The multi option determines whether a host in the “/etc/hosts” file can
have multiple IP addresses.
The nospoof option tells the resolver to guard against spoofing: after an
address has been turned into a host name, it resolves that name forward
again and rejects it if the result does not match the original address.
IP spoofing is a security exploit that works by tricking computers in a
trust relationship (for example rsh/rlogin host-based trust) into
believing you are someone you really aren't.
Note that on glibc-based systems the lookup order is governed by the
hosts: line in /etc/nsswitch.conf rather than by host.conf, so this slide
applies to the older libc the deck was written for.
The “/etc/securetty” file

This file allows you to specify which TTY devices the “root” user is
allowed to log in on.
The file is read by the login program (usually “/bin/login”). Its format
is a list of the tty device names allowed.
Disable any tty that you do not need by commenting it out (# at the
beginning of the line).
It only governs console and serial logins handled by login (and by PAM's
pam_securetty); remote logins through sshd are controlled by sshd's own
PermitRootLogin setting instead.
The “/etc/securetty” file

tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
This means root is allowed to log in only on tty1. Allow “root” to log in
on a single tty device and use the “su” command to become root on any
other terminal where you need it.
Special Accounts
It is important to DISABLE ALL default vendor accounts that you don't use
on your system.
 To delete a user on your system, use the command:
[root@deep] /# userdel username
 To delete a group on your system, use the command:
[root@deep] /# groupdel groupname
Before deleting an account, check which files it owns (find / -user
username) so nothing is left owned by a dangling UID; userdel removes the
home directory only with -r. If a vendor account must stay because a
service runs as it, lock it and give it a non-login shell (/sbin/nologin)
instead of deleting it.
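To find the vendor accounts worth reviewing before reaching for userdel, here is an added example (not from the slides) that joins a passwd and a shadow file and reports the system accounts that still have an interactive shell, together with whether their password field is locked, set, or empty. Both files are constructed samples with made-up hashes; the uid < 500 cut-off for "system account" is the Red Hat convention of the era and is an assumption.

```shell
#!/bin/sh
# Added example (not from the deck): list system accounts that can log in.

write_sample_passwd_shadow() { # $1 = directory for constructed passwd/shadow
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
news:x:9:13:news:/var/spool/news:/bin/bash
games:x:12:100:games:/usr/games:/bin/bash
gopher:x:13:30:gopher:/var/gopher:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructedhash:12000:0:99999:7:::
bin:*:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
news:!!:12000:0:99999:7:::
games::12000:0:99999:7:::
gopher:*:12000:0:99999:7:::
uucp:$1$anotherhash:12000:0:99999:7:::
alice:$1$alicehash:12000:0:99999:7:::
EOF
}

# For every non-root account with uid < 500 whose shell is neither nologin
# nor false, print "<name> uid=<n> shell=<sh> <state>", where state is
# "locked" (field starts with ! or *), "EMPTY PASSWORD" (no password needed)
# or "password set".  Real or locked-but-shell-bearing accounts are the ones
# to delete or set to /sbin/nologin.
audit_vendor_accounts() {      # $1 = passwd file, $2 = shadow file
    awk -F: '
        NR == FNR { pw[$1] = $2; next }          # first file: shadow
        $3 < 500 && $1 != "root" && $7 !~ /(nologin|false)$/ {
            p = pw[$1]
            if (p == "")          state = "EMPTY PASSWORD"
            else if (p ~ /^[!*]/) state = "locked"
            else                  state = "password set"
            printf "%s uid=%s shell=%s %s\n", $1, $3, $7, state
        }' "$2" "$1"
}
```

On a real host run it as root (audit_vendor_accounts /etc/passwd /etc/shadow), since /etc/shadow is not world-readable; an account reported with "EMPTY PASSWORD" and a real shell deserves attention before anything else.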

TCP_WRAPPERS

By default Red Hat Linux allows all service requests (hosts.allow and
hosts.deny start out empty).
Deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny
file.
Then explicitly list the trusted hosts that are allowed to reach your
machine in the /etc/hosts.allow file.
TCP_WRAPPERS is controlled from these two files and the search stops at
the first match.
Two caveats: ALL: ALL already matches every daemon/client pair, and the
user@host form (ALL@ALL) additionally triggers an ident (RFC 1413)
username lookup on each connection; and the files only protect services
started through tcpd or daemons linked with libwrap, a standalone daemon
that is neither ignores them.
TCP_WRAPPERS

Access will be granted when a (daemon, client) pair matches an entry in
the /etc/hosts.allow file.
Otherwise, access will be denied when a (daemon, client) pair matches an
entry in the /etc/hosts.deny file.
Otherwise, access will be granted.
The PARANOID pattern matches any client whose host name (from the reverse
lookup of its address) does not resolve back to that address, which is
what a forged PTR record looks like.
Because tcpd looks up every client's name, if you intend to run telnet or
ftp services on your server you must add the client's machine name and IP
address to the /etc/hosts file on the server, or you can expect to wait
several minutes for the DNS lookup to time out before you get a login:
prompt.
TCP_WRAPPERS

The tcpdchk program is the tcpd wrapper configuration checker. It
examines your tcp wrapper configuration and reports all potential and
real problems it can find. After your configuration is done, run
tcpdchk.
[root@deep] /# tcpdchk
Its companion tcpdmatch predicts the decision for one daemon and client
(for example tcpdmatch in.telnetd host1.mydomain.com), which is the
quickest way to confirm that a rule does what you meant.
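To make the allow/deny order and the PARANOID check concrete, here is an added example, not part of the slides and not tcpd's own code: a simplified re-implementation of the tcpd decision in shell, with DNS replaced by two constructed lookup tables so it runs offline. The same forward-then-reverse consistency check is what the nospoof option on the host.conf slide performs inside the resolver. Supported client patterns are ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, a ".domain" suffix, a "1.2.3." prefix, an exact host or address, and user@host (matched on the host part only, with no ident lookup); EXCEPT, net/mask patterns and shell commands in the option field are not implemented. The host names and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the deck): simplified tcpd access decision.

forward_lookup() {             # name -> address (constructed table)
    case $1 in
        ws1.mydomain.com) echo 192.168.1.10 ;;
        ws2.mydomain.com) echo 192.168.1.11 ;;
        evil.example.net) echo 10.9.9.9 ;;
        *) echo "" ;;
    esac
}
reverse_lookup() {             # address -> name (constructed table)
    case $1 in
        192.168.1.10) echo ws1.mydomain.com ;;
        192.168.1.11) echo ws2.mydomain.com ;;
        203.0.113.7)  echo ws1.mydomain.com ;;  # forged PTR claiming a trusted name
        *) echo "" ;;
    esac
}

# Resolve a connecting address the way tcpd does: reverse lookup, then check
# that the forward lookup of that name gives the address back.
# Prints "<name> KNOWN|UNKNOWN|PARANOID".
resolve_client() {             # $1 = address
    name=$(reverse_lookup "$1")
    if [ -z "$name" ]; then echo "unknown UNKNOWN"
    elif [ "$(forward_lookup "$name")" = "$1" ]; then echo "$name KNOWN"
    else echo "$name PARANOID"
    fi
}

# Does one client pattern match?  Name-based patterns only match KNOWN
# clients, as in tcpd.
client_matches() {             # $1 pattern, $2 addr, $3 name, $4 state
    pat=${1##*@}; addr=$2; name=$3; state=$4
    case $pat in
        ALL)      return 0 ;;
        PARANOID) [ "$state" = PARANOID ] ;;
        UNKNOWN)  [ "$state" != KNOWN ] ;;
        KNOWN)    [ "$state" = KNOWN ] ;;
        LOCAL)    [ "$state" = KNOWN ] && case $name in *.*) false ;; *) true ;; esac ;;
        .*)       [ "$state" = KNOWN ] && case $name in *"$pat") true ;; *) false ;; esac ;;
        *.)       case $addr in "$pat"*) true ;; *) false ;; esac ;;
        *)        [ "$pat" = "$addr" ] || { [ "$state" = KNOWN ] && [ "$pat" = "$name" ]; } ;;
    esac
}

# Does any "daemons : clients [: options]" rule in the file match?
rule_file_matches() {          # $1 file, $2 daemon, $3 addr, $4 name, $5 state
    [ -f "$1" ] || return 1
    found=$(set -f; sed -e 's/#.*//' "$1" | while IFS=: read -r daemons clients _rest; do
        dmatch=1
        for d in $(echo "$daemons" | tr ',' ' '); do
            case $d in ALL|"$2") dmatch=0; break ;; esac
        done
        [ $dmatch -eq 0 ] || continue
        for c in $(echo "$clients" | tr ',' ' '); do
            if client_matches "$c" "$3" "$4" "$5"; then echo yes; exit 0; fi
        done
    done)
    [ "$found" = yes ]
}

# The tcpd algorithm: allow on a hosts.allow match, else deny on a
# hosts.deny match, else allow.  Prints ALLOW or DENY.
tcpd_decide() {                # $1 hosts.allow, $2 hosts.deny, $3 daemon, $4 addr
    set -- "$1" "$2" "$3" "$4" $(resolve_client "$4")
    if rule_file_matches "$1" "$3" "$4" "$5" "$6"; then echo ALLOW
    elif rule_file_matches "$2" "$3" "$4" "$5" "$6"; then echo DENY
    else echo ALLOW
    fi
}

write_sample_wrappers() {      # $1 = directory for constructed hosts.allow/deny
    printf 'sshd, in.ftpd: .mydomain.com\nin.telnetd: 192.168.1.\n' > "$1/hosts.allow"
    printf 'ALL: ALL@ALL, PARANOID\n' > "$1/hosts.deny"
}
```

With these files, sshd from 192.168.1.10 is allowed by the .mydomain.com rule, the same daemon from 203.0.113.7 is denied even though its PTR record says ws1.mydomain.com (the forward lookup disagrees, so the name-based rule cannot match and hosts.deny takes over), and removing hosts.deny makes every unmatched pair fall through to ALLOW, which is the default-open state the slide warns about. Use tcpdmatch for the same check against the real files.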
Lilo & Grub

GNU GRUB is a Multiboot boot loader. It was derived from the original
GRUB, the GRand Unified Bootloader, which was designed and implemented by
Erich Stefan Boleyn.
Briefly, a boot loader is the first software program that runs when a
computer starts.
It is responsible for loading and transferring control to the operating
system kernel, such as Linux.
The kernel, in turn, initializes the rest of the operating system (e.g.
GNU).
Lilo & Grub

LILO was, when this deck was written, the most commonly used boot loader
for Linux.
It manages the boot process and can boot Linux kernel images from floppy
disks or hard disks, or can even act as a boot manager for other
operating systems.
The most important configuration file of LILO is lilo.conf, which resides
under the /etc directory.
Lilo & Grub

Three important options to improve the security of LILO. Without them,
anyone at the console can boot with parameters such as "linux single" or
"linux init=/bin/sh" and obtain a root shell without a password.
Adding: timeout=00
Controls how long LILO waits for user input before booting the default
selection; the unit is tenths of a second, so 00 boots the default entry
immediately.
Adding: restricted
This option asks for a password only if parameters are specified on the
command line (e.g. linux single). restricted can only be used together
with the password option.
Adding: password=<password>
This option asks the user for a password when booting the image;
combined with restricted, only when boot parameters are given, which is
what lets normal boots proceed unattended while blocking single-user
mode. Passwords are always case-sensitive. The password is stored in
clear text, so make sure /etc/lilo.conf is no longer world readable
(chmod 600), or any user will be able to read it.
Changes to lilo.conf take effect only after you re-run /sbin/lilo to
write the new boot map.
GRUB (legacy) offers the same protection with the password directive in
grub.conf (password --md5 <hash>) and lock on the entries that must not
be booted without it.
None of this helps if the machine can be booted from removable media: set
the BIOS boot order and a BIOS password as well.