Linux Security
Linux is not secure
• No computer system can ever be "completely secure".
– Make it increasingly difficult for someone to compromise your system.
• The more secure your system, the more miserable you and your users will tend to be.
• Security = 1/(1.072 * Convenience)
Linux Security
• What level of threat does the system need to be protected against?
– Analyze the system
• Packet filtering
• Turn off unnecessary services
– Be aware of what is happening on your system
– Keep track of the vulnerabilities: software patches
• Backups
– Recover effectively from a security incident
• User accounts
– Minimal amount of privilege they need
– Remove inactive accounts
– The use of the same user-ID on all computers and networks is desirable for the purpose of account maintenance
– User accounts provide accountability
Linux Security
• Root security
– Only become root to do single specific tasks
– Never use the rlogin/rsh/rexec suite of tools (called the r-utilities) as root
– Always be slow and deliberate when running as root. Your actions could affect a lot of things. Think before you type!
Password security and encryption
• Use shadow passwords
• Password checking and selection
• Pluggable Authentication Modules (PAM)
– man pam.d
Linux-PAM
• Linux Pluggable Authentication Modules
– Used by login, ftp, su, sudo, etc.
• Modules: /lib/security
• Configuration files: /etc/pam.d
– Determine the method used to authenticate
– Contain a list (i.e., a stack) of calls to the modules
• Pluggable: it is easy to add/remove modules from an authentication stack
PAM example
• auth requisite pam_securetty.so
– To make sure the root user logs in from an allowed terminal
• session required pam_limits.so
– Set up user limits according to /etc/security/limits.conf
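As an added illustration (not from the slides), the Python below simulates how a stack such as the one above is evaluated, showing why a requisite failure of pam_securetty stops the stack before root is even asked for a password on a disallowed terminal, while a required failure is remembered but lets the rest of the stack run. The module functions, the securetty list and the shadow table are constructed stand-ins, not libpam code.

```python
from typing import Callable, Dict, List, Tuple

Module = Callable[[Dict], bool]            # returns True for PAM_SUCCESS
Stack = List[Tuple[str, Module]]           # (control flag, module) in file order


def evaluate_stack(stack: Stack, ctx: Dict) -> Tuple[bool, List[str]]:
    """Run one management group (e.g. 'auth'); return (success, trace).

    requisite  failure ends the stack at once with failure
    required   failure is remembered, but the rest of the stack still runs
    sufficient success ends the stack with success unless a required
               module already failed; its failure is ignored
    optional   result only counts if it is the only module in the stack
    """
    required_failed = False
    trace: List[str] = []
    for flag, module in stack:
        ok = module(ctx)
        trace.append(f"{flag:<10} {module.__name__:<14} {'ok' if ok else 'fail'}")
        if flag == "requisite" and not ok:
            return False, trace
        if flag == "required" and not ok:
            required_failed = True
        elif flag == "sufficient" and ok and not required_failed:
            return True, trace
        elif flag == "optional" and len(stack) == 1:
            return ok, trace
    return bool(stack) and not required_failed, trace


# Constructed stand-ins for the modules named on the slide (not libpam code).
def pam_securetty(ctx: Dict) -> bool:
    # root may only log in from a terminal listed in /etc/securetty
    return ctx["user"] != "root" or ctx["tty"] in ctx["securetty"]

def pam_unix(ctx: Dict) -> bool:
    # password check against a constructed shadow table
    return ctx["shadow"].get(ctx["user"]) == ctx["password"]

def pam_deny(ctx: Dict) -> bool:
    return False

AUTH_STACK: Stack = [("requisite", pam_securetty), ("required", pam_unix)]

def login(user: str, tty: str, password: str, stack: Stack = AUTH_STACK):
    ctx = {"user": user, "tty": tty, "password": password,
           "securetty": {"tty1", "tty2"},                       # constructed
           "shadow": {"root": "r00t-pw", "alice": "alice-pw"}}  # constructed
    return evaluate_stack(stack, ctx)
```

Calling login("root", "pts/0", "r00t-pw") is denied after one module in the trace, because requisite never reaches pam_unix; login("root", "tty1", "r00t-pw") runs both modules and is granted.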
Restricting access
• Control access to your system
– /etc/hosts.deny
• man hosts.deny
– /etc/hosts.allow
• man hosts.allow
Miscellaneous Security Issues
• Remote event logging
• hosts.equiv and ~/.rhosts
– rshd and rlogind should be disabled
• fingerd
• Security and NIS
– /etc/group, /etc/passwd, /etc/hosts…
• Security and NFS
• Security and sendmail
Security of NFS
• A client request will include the client user-id of the process making the request
• The server must decide whether to believe the client's user-ids.
• NFS provides a means to authenticate users and machines
• Recommended: use globally unique UIDs and the root_squash option
• Use /etc/hosts.deny and /etc/hosts.allow to grant access
Security Tools
• nmap
• nessus
• tripwire
• crack
• Other powerful tools
Security Preparation
• Make a full backup of your machine
• Keep track of your system accounting data
• Apply all new system updates
• Subscribe to mailing lists to get information about potential problems
OpenSSH
• OpenSSH: http://www.openssh.com/
– Secure network communication
– A suite of secure tools that replaces telnet, rcp, ftp, etc.
• SSH protocol version 2 (SSH2)
– Not compatible with SSH protocol version 1
• When OpenSSH starts
– Establish an encrypted connection
– Authenticate the user
– Client and server send information back and forth
SSH
• Use two key pairs
– Host key pair: a set of public/private keys that is established when you install the openssh-server package
• /etc/ssh
– Session key pair: a set of public/private keys that change hourly
• ~/.ssh
SSH
• The first time an SSH client connects to an SSH server
– After verification, the client makes a copy of the server's public host key
• The client then generates a random key, which is encrypted and sent to the server
Set up a Firewall under Ubuntu
• firestarter: a sophisticated, graphical tool for building and maintaining a firewall
• ufw
– Uncomplicated firewall
– Command-line interface to iptables
• gufw (gufw.tuxfamily.org): a graphical interface to ufw
• The firestarter and gufw utilities are graphical front-ends for iptables
• iptables: build and manipulate network packet filtering rules in the Linux kernel
A Typical Firewall Setup
Ufw: the uncomplicated firewall
• sudo ufw allow ssh
• sudo ufw enable
– To turn on ufw
– By default, ufw starts with a default policy that blocks all inbound traffic and allows outbound traffic
• sudo ufw status verbose
• gufw
iptables
• Two components
– Netfilter
• Runs in kernel space
• A set of tables that hold the rules the kernel uses to control network packet filtering
– iptables
• Runs in user space
• Sets up, maintains, and displays the rules used by netfilter
iptables
• First rule: tests whether a packet's destination is port 23 and drops the packet if it is
• Second rule: tests whether a packet was received from the IP address 192.168.1.1 and alters the packet's destination if it was
How iptables work
One iptables Example
Useful Websites
• http://www.cert.org
• http://www.sans.org/
– http://www.sans.org/rr
• http://www.securityfocus.com/
• http://www.phrack.org/