Date post: 17-Jan-2016
Category: Documents
Upload: mitchell-franklin
Security
Linux is not secure
• No computer system can ever be "completely secure".
  – Make it increasingly difficult for someone to compromise your system.
• The more secure your system, the more miserable you and your users will tend to be
• Security = 1/(1.072 * Convenience)
Example of Attacks
• Program Level Security
  – Non-malicious Program Errors: Buffer Overflow, Format String…
  – Malicious Codes: Trojan Horse, Logic Bomb, Virus, Worm…
• Network Attacks
  – Threat Precursors: Port Scan, Social Engineering, Reconnaissance, OS and App. Fingerprinting
  – Protocol Flaws: Impersonation
  – Spoofing: Session Hijacking, Man-in-the-Middle
  – Message Confidentiality Threat
  – Message Integrity Threats
  – Denial of Service: Connection Flooding (Ping of Death, Smurf), Syn Flood, DNS attack
  – Distributed Denial of Service
Security Attacks
Security Mechanisms
[Figure labels: Intrusion Prevention (Encryption, Authentication, etc.): Not Enough; Weakest Point; Intrusion Detection; Layered Protection; Security Failure; Intrusion Tolerance; Access Control]
Linux Security
• What level of threat does the system need to be protected against?
  – Analyze the system
• Packet Filtering
• Turn off unnecessary services
  – Be aware of what is happening on your system
  – Keep track of the vulnerabilities - Software patches
• Backups
  – Recover effectively from a security incident
• User accounts
  – Minimal amount of privilege they need
  – Remove inactive accounts
  – The use of the same user-ID on all computers and networks is desirable for the purpose of account maintenance
  – User account provides accountability
Linux Security
• Root Security
  – Only become root to do single specific tasks
  – Never use the rlogin/rsh/rexec suite of tools (called the r-utilities) as root
  – Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!
Password security and encryption
• Use shadow password
• Password checking and selection
• Pluggable Authentication Modules – PAM
  – man pam.d
Restricting access
• Control access to your system
  – TCP wrappers allow you to restrict access to some services on your system
    • http://www.vtcif.telstra.com.au/pub/docs/security/tcp_wrapper.txt
  – /etc/hosts.deny
    • man hosts.deny
  – /etc/hosts.allow
    • man hosts.allow
Miscellaneous Security Issues
• Remote event logging
• hosts.equiv and ~/.rhosts
  – rshd, rlogind should be disabled
• fingerd
• Security and NIS
  – /etc/group, /etc/passwd, /etc/hosts…
• Security and NFS
• Security and sendmail
Security of NFS
• A client request will include the client user-id of the process making the request
• The server must decide whether to believe the client's user-ids.
• NFS provides a means to authenticate users and machines
• Recommend the use of globally unique UIDs and the root_squash export option
• Use /etc/hosts.deny and /etc/hosts.allow to grant access
Security Tools
• nmap
• nessus
• tripwire
• tcpd
• crack
• Other powerful tools
Security Preparation
• Make a full backup of your machine
• Keep track of your system accounting data
• Apply all new system updates
• Subscribe to mailing lists to get information about potential problems
Cryptographic Security Tools
• Kerberos
  – A secret key based service for providing authentication in a network
  – Improve traditional Linux password security:
    • Never transmit unencrypted passwords on the network
    • Users do not have to type passwords repeatedly
  – For more information:
    • http://web.mit.edu/kerberos/www/dialogue.html
• SSH
  – The secure shell to replace rlogin, rcp, and telnet
  – http://www.openssh.com/
  – Server side: sshd
  – Client side: ssh, scp
  – ssh-keygen
Firewall
• Filter-based
  – Should arriving packet be allowed in? Departing packet let out?
• Proxy-based
[Figure labels: External client; External HTTP/TCP connection; Firewall; Proxy; Internal HTTP/TCP connection; Local server]
How iptables work
One iptables Example
Useful Websites
• http://www.cert.org
• http://www.sans.org/
  – http://www.sans.org/rr
• http://www.securityfocus.com/
• http://www.phrack.org/