
Linux Security
1
Linux is not secure
• No computer system can ever be "completely
secure".
– make it increasingly difficult for someone to
compromise your system.
• The more secure your system, the more
miserable you and your users will tend to be
• Security = 1/(1.072 * Convenience)
2
Linux Security
• What level of threat does the system need to be protected against?
– Analyze the system
• Packet Filtering
• Turn off unnecessary services
– Be aware of what is happening on your system
– Keep track of the vulnerabilities - Software patches
• Backups
– Recover effectively from a security incident
• User accounts
– Minimal amount of privilege they need
– Remove inactive accounts
– The use of the same user-ID on all computers and networks is desirable
for the purpose of account maintenance
– User account provides accountability
3
Linux Security
• Root Security
– Only become root to do single specific tasks
– Never use the rlogin/rsh/rexec suite of tools (called
the r- utilities) as root
– Always be slow and deliberate running as root.
Your actions could affect a lot of things. Think
before you type!
4
Password security and encryption
• Use shadow password
• Password checking and selection
• Pluggable Authentication Modules – PAM
– man pam.d
5
Linux-PAM
• Linux Pluggable Authentication Modules
– Login, ftp, su, sudo, etc.
• Modules: /lib/security
• Configuration files: /etc/pam.d
– Determine the method to authenticate
– Contain a list (i.e., stack) of calls to the modules
• Pluggable: it is easy to add/remove modules
from an authentication stack
6
PAM example
• auth requisite pam_securetty.so
– To make sure the root user logs in from an allowed
terminal
• session required pam_limits.so
– Set up user limits according to
/etc/security/limits.conf
7
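The two module lines on this slide only have the intended effect when they sit in the right stack in the right order. Below is an added example (not from the slides) that stages a /etc/pam.d/login built around them, together with the limits.conf that pam_limits reads, and lints the result before anything is copied into /etc. The group name @students and the limit values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): stage a /etc/pam.d/login stack built
# around the two module lines on the slide, plus the limits.conf it refers to,
# and lint the stack before it is copied into /etc.  Group names and limit
# values are constructed for the example.
STAGE="${STAGE:-$(mktemp -d)}"

write_pam_login() {
    mkdir -p "$STAGE/pam.d" "$STAGE/security"
    cat > "$STAGE/pam.d/login" <<'EOF'
# auth stack: 'requisite' aborts the stack at once, so root on a terminal
# that is not listed in /etc/securetty never even reaches the password prompt
auth       requisite  pam_securetty.so
auth       required   pam_unix.so
account    required   pam_unix.so
password   required   pam_unix.so
# session stack: apply per-user resource limits from /etc/security/limits.conf
session    required   pam_limits.so
EOF
    cat > "$STAGE/security/limits.conf" <<'EOF'
# <domain>  <type>  <item>   <value>
@students   hard    nproc    200
@students   hard    core     0
*           soft    nofile   1024
EOF
}

# securetty_first FILE -> 0 if the first auth line is 'requisite pam_securetty.so'
# (placed after pam_unix it would run only after the password had been asked for)
securetty_first() {
    first=$(awk '$1 == "auth" { print $2, $3; exit }' "$1")
    [ "$first" = "requisite pam_securetty.so" ]
}

# limits_loaded FILE -> 0 if the session stack loads pam_limits.so
limits_loaded() {
    grep -Eq '^session[[:space:]]+required[[:space:]]+pam_limits\.so' "$1"
}

write_pam_login
securetty_first "$STAGE/pam.d/login" && echo "pam_securetty ordering: ok"
limits_loaded   "$STAGE/pam.d/login" && echo "pam_limits present: ok"
```

Run it as-is to produce the staged files under a temporary directory; diff them against the live /etc copies before installing. The ordering check matters because PAM evaluates a stack top to bottom: a pam_securetty line below pam_unix still denies root, but only after the password has been typed over the disallowed terminal.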
Restricting access
• Control access to your system
– /etc/hosts.deny
• man hosts.deny
– /etc/hosts.allow
• man hosts.allow
8
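What hosts.allow and hosts.deny actually decide depends on the order in which tcpd consults them: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and if neither matches access is granted. The added example below (not from the slides) stages a default-deny pair of files and replays that lookup order so the effect of a rule can be checked before it is deployed. All addresses are constructed, and only the hosts_access(5) patterns the sample files use (ALL, a full IPv4 address, a dotted prefix such as 192.168.1.) are handled.

```shell
#!/bin/sh
# Added example (not from the slides): stage a default-deny hosts.deny with an
# explicit hosts.allow grant, then replay tcpd's lookup order against them.
# Addresses are constructed; only the hosts_access(5) patterns used here
# (ALL, a full IPv4 address, a dotted prefix such as 192.168.1.) are handled.
STAGE="${STAGE:-$(mktemp -d)}"

write_access_files() {
    # hosts.allow is consulted first: a match here grants access
    printf '%s\n' '# ssh only from the lab subnet and one admin host' \
                  'sshd: 192.168.1., 10.0.0.5' > "$STAGE/hosts.allow"
    # hosts.deny is consulted second: the catch-all refuses everything else
    printf '%s\n' 'ALL: ALL' > "$STAGE/hosts.deny"
}

# match_file FILE DAEMON CLIENT -> 0 if some "daemons : clients" line matches
match_file() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            case "$d" in ALL|"$2") ;; *) continue ;; esac
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                case "$c" in
                    ALL) return 0 ;;
                    *.)  case "$3" in "$c"*) return 0 ;; esac ;;
                    *)   if [ "$c" = "$3" ]; then return 0; fi ;;
                esac
            done
        done
    done < "$1"
    return 1
}

# access DAEMON CLIENT -> prints allow or deny using tcpd's order:
# allow file first, then deny file, and access if neither matches
access() {
    if   match_file "$STAGE/hosts.allow" "$1" "$2"; then echo allow
    elif match_file "$STAGE/hosts.deny"  "$1" "$2"; then echo deny
    else echo allow
    fi
}

write_access_files
access sshd 192.168.1.42     # allow: prefix grant in hosts.allow
access sshd 203.0.113.9      # deny:  falls through to ALL: ALL
access in.ftpd 192.168.1.42  # deny:  the grant is for sshd only
```

The "neither file matches means allow" rule is why the ALL: ALL line in hosts.deny is the important half of the setup; without it every daemon not mentioned in hosts.allow stays reachable. Keep in mind that these files only govern services that are linked against libwrap or started through tcpd, and recent OpenSSH releases no longer link libwrap, so confirm what your sshd build honours before relying on them for ssh.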
Miscellaneous Security Issues
• Remote event logging
• hosts.equiv and ~/.rhosts
– rshd, rlogind should be disabled
• fingerd
• Security and NIS
– /etc/group, /etc/passwd, /etc/hosts…
• Security and NFS
• Security and sendmail
9
Security of NFS
• A client request will include the client user-id of the
process making the request
• The server must decide whether to believe the client's
user-ids.
• NFS provides a means to authenticate users and
machines
• Recommend the use of globally unique UID and the
root_squash
• Use /etc/hosts.deny and /etc/hosts.allow to grant
access
10
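Because the NFS server takes the client's word for the requesting user-id, the export options decide how much damage a compromised client can do. The added example below (not from the slides) stages an /etc/exports that follows the slide's advice, root_squash on every export and access limited to named hosts or a subnet, and lints it for the two mistakes that undo that advice: no_root_squash, and an export with no client list or a bare * client. Paths, hostnames and the subnet are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): stage an /etc/exports that follows the
# slide's advice (root_squash on every export, access limited to named hosts
# or a subnet) and lint it before installing.  Paths, hostnames and the
# subnet are constructed.
STAGE="${STAGE:-$(mktemp -d)}"

write_exports() {
    cat > "$STAGE/exports" <<'EOF'
# home directories: lab subnet only; a client's root maps to nobody
/srv/home   192.168.1.0/24(rw,sync,root_squash,no_subtree_check)
# read-only software mirror for two named hosts
/srv/sw     client1.lab(ro,sync,root_squash) client2.lab(ro,sync,root_squash)
EOF
}

# exports_safe FILE -> 0 if no export grants no_root_squash or is open to
# any host ('*' or no host before the option list); offenders are printed
exports_safe() {
    awk '
      /^[[:space:]]*#/ || NF == 0 { next }
      {
        path = $1
        if (NF == 1) { print path ": no client list, exported to everyone"; bad = 1; next }
        for (i = 2; i <= NF; i++) {
          host = $i; sub(/\(.*/, "", host)
          if (host == "" || host == "*") { print path ": exported to everyone"; bad = 1 }
          if ($i ~ /no_root_squash/) { print path ": no_root_squash for " host; bad = 1 }
        }
      }
      END { exit bad ? 1 : 0 }' "$1"
}

write_exports
exports_safe "$STAGE/exports" && echo "exports: ok"
```

Pair the export list with the hosts.allow/hosts.deny entries for the NFS daemons, as the slide recommends, so that a host which is not in the client list cannot even reach the mount protocol.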
Security Tools
• nmap
• nessus
• tripwire
• crack
• Other powerful tools
11
Security Preparation
• Make a full backup of your machine
• Keep track of your system accounting data
• Apply all new system updates
• Subscribe to mailing lists to get information
about potential problems
12
OpenSSH
• OpenSSH: http://www.openssh.com/
– Secure Network Communication
– A suite of secure tools that replaces telnet, rcp, ftp,
etc.
• SSH protocol version 2 (SSH2)
– Not compatible with SSH protocol version 1
• When OpenSSH starts
– Establish an encrypted connection
– Authenticate the user
– Client and server send information back and forth
13
SSH
• Use two key pairs
– Host key pair: a set of public/private keys that is
established when you install openssh-server
package
• /etc/ssh
– Session key pair: a set of public/private keys that
change hourly
• ./ssh
14
SSH
• First time when SSH client connects with SSH
server
– After verification, the client makes a copy of the
server’s public host key
• The client then generates a random key, which
is encrypted and sent to the server
15
Set up a Firewall under Ubuntu
• firestarter: a sophisticated, graphical tool for
building and maintaining a firewall
• ufw
– uncomplicated firewall
– Command-line interface to iptables
• gufw (gufw.tuxfamily.org): a graphical interface to
ufw
• firestarter and gufw utilities are graphical front-ends
for iptables
• Iptables: Build and manipulate network packet
filtering rules in the Linux kernel
16
A Typical Firewall Setup
17
Ufw: the uncomplicated firewall
• sudo ufw allow ssh
• sudo ufw enable
– to turn on ufw
– By default, ufw starts with a default policy that
blocks all inbound traffic and allows outbound
traffic
• sudo ufw status verbose
• gufw
18
iptables
• Two components
– Netfilter
• Run in the kernel space
• A set of tables that hold rules that the kernel
uses to control network packet filtering
– Iptables
• Run in the user space
• Set up, maintain, and display the rules used by
netfilter
19
iptables
• First rule: tests whether a packet's destination is port 23 and
drops the packet if it is
• Second rule: tests whether a packet was received from the IP
address 192.168.1.1 and alters the packet's destination if it was
20
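The two rules described on this slide, as an added example (not from the slides) written in iptables-restore format so the whole ruleset can be reviewed and loaded atomically instead of typed rule by rule. 192.168.1.1 is the address from the slide; the DNAT target 192.168.1.200, the default DROP policy on INPUT and the ssh allow are constructed assumptions. Since rules in a chain are tried first to last, the block also includes a small ordering check that shows why a DROP placed after a matching ACCEPT never fires.

```shell
#!/bin/sh
# Added example (not from the slides): the two rules slide 20 describes,
# written in iptables-restore format so the whole ruleset can be reviewed and
# loaded atomically (sudo iptables-restore < firewall.rules) instead of being
# typed rule by rule.  192.168.1.1 is the address on the slide; the DNAT
# target 192.168.1.200 and the default policies are constructed assumptions.
ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep loopback and already-established sessions working under the DROP policy
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# rule 1: anything addressed to the telnet port is dropped
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rule 2: packets arriving from 192.168.1.1 get a new destination address
-A PREROUTING -s 192.168.1.1 -j DNAT --to-destination 192.168.1.200
COMMIT
EOF
}

# A mis-ordered variant: the ACCEPT is reached first, so the DROP never fires
bad_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
COMMIT
EOF
}

# telnet_blocked (stdin: ruleset) -> 0 only if the INPUT chain drops port 23
# before any ACCEPT naming that port.  It only looks at rules that mention
# --dport 23; a broader ACCEPT (e.g. '-p tcp -j ACCEPT') would also shadow
# the DROP and is not caught by this simple check.
telnet_blocked() {
    awk '
      /^-A INPUT .*--dport 23 .*-j ACCEPT/ { exit 1 }
      /^-A INPUT .*--dport 23 .*-j DROP/   { found = 1; exit }
      END { exit found ? 0 : 1 }'
}

ruleset     | telnet_blocked && echo "ruleset: telnet dropped before any accept"
bad_ruleset | telnet_blocked || echo "bad_ruleset: accept shadows the drop"
```

Save the output of ruleset to a file, review it, and load it with iptables-restore; the ordering check is the kind of test worth running in a pre-deploy script, since a rule that is present but shadowed looks correct in iptables -L and still lets the traffic through.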
How iptables work
21
One iptables Example
22
Useful Websites
• http://www.cert.org
• http://www.sans.org/
– http://www.sans.org/rr
• http://www.securityfocus.com/
• http://www.phrack.org/
23