Linux Security

Date post: 25-Jan-2016
Upload: mimir
Transcript
Page 1: Linux Security

Linux Security

Page 2: Linux Security

Linux is not secure

• No computer system can ever be "completely secure".
  – Make it increasingly difficult for someone to compromise your system.
• The more secure your system, the more miserable you and your users will tend to be
• Security = 1/(1.072 * Convenience)

Page 3: Linux Security

Linux Security

• What level of threat does the system need to be protected against?
  – Analyze the system
    • Packet filtering
    • Turn off unnecessary services
  – Be aware of what is happening on your system
  – Keep track of vulnerabilities - software patches
• Backups
  – Recover effectively from a security incident
• User accounts
  – Minimal amount of privilege they need
  – Remove inactive accounts
  – The use of the same user-ID on all computers and networks is desirable for the purpose of account maintenance
  – User account provides accountability

Page 4: Linux Security

Linux Security

• Root Security
  – Only become root to do single specific tasks
  – Never use the rlogin/rsh/rexec suite of tools (called the r-utilities) as root
  – Always be slow and deliberate running as root. Your actions could affect a lot of things. Think before you type!

Page 5: Linux Security

Password security and encryption

• Use shadow passwords
• Password checking and selection
• Pluggable Authentication Modules – PAM
  – man pam.d

Page 6: Linux Security

Linux-PAM

• Linux Pluggable Authentication Modules
  – Login, ftp, su, sudo, etc.
• Modules: /lib/security
• Configuration files: /etc/pam.d
  – Determine the method to authenticate
  – Contain a list (i.e., stack) of calls to the modules
• Pluggable: it is easy to add/remove modules from an authentication stack

Page 7: Linux Security

PAM example

• auth requisite pam_securetty.so
  – To make sure the root user logs in from an allowed terminal
• session required pam_limits.so
  – Set up user limits according to /etc/security/limits.conf
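Because a PAM stack is evaluated in order, the position of the pam_securetty.so line matters as much as its presence: a "sufficient" module listed before it can end the auth stack before the terminal check runs. The script below is an added example, not part of the original slides; it checks a service file for that ordering, and the two sample stacks are constructed.

```shell
#!/bin/sh
# Added example: check where pam_securetty.so sits in a service's auth stack.
# Simplification: only keyword controls (required, requisite, sufficient, ...)
# are understood, not the bracketed [value=action] form or @include lines.

# check_securetty FILE -> ok | missing | weak-control | after-sufficient
check_securetty() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        { type = $1; sub(/^-/, "", type) }       # "-auth" is still an auth line
        type != "auth" { next }
        $3 ~ /pam_securetty\.so$/ {
            if ($2 != "requisite" && $2 != "required") verdict = "weak-control"
            else if (sufficient_seen) verdict = "after-sufficient"
            else verdict = "ok"
            exit
        }
        # a sufficient module that succeeds ends the stack before later checks
        $2 == "sufficient" { sufficient_seen = 1 }
        END { print (verdict == "" ? "missing" : verdict) }
    ' "$1"
}

# write_sample_stack good|bad FILE: constructed stacks, not a distro default
write_sample_stack() {
    if [ "$1" = good ]; then
        printf '%s\n' 'auth    requisite  pam_securetty.so' \
                      'auth    required   pam_unix.so' \
                      'session required   pam_limits.so' > "$2"
    else
        printf '%s\n' 'auth    sufficient pam_unix.so' \
                      'auth    requisite  pam_securetty.so' \
                      'session required   pam_limits.so' > "$2"
    fi
}

f=$(mktemp)
for kind in good bad; do
    write_sample_stack "$kind" "$f"
    echo "$kind: $(check_securetty "$f")"
done
rm -f "$f"
```

Point check_securetty at a file under /etc/pam.d (for example the login service) to run the same check on a real stack.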

Page 8: Linux Security

Restricting access

• Control access to your system
  – /etc/hosts.deny
    • man hosts.deny
  – /etc/hosts.allow
    • man hosts.allow

Page 9: Linux Security

Miscellaneous Security Issues

• Remote event logging
• hosts.equiv and ~/.rhosts
  – Rshd, rlogind should be disabled
• fingerd
• Security and NIS
  – /etc/group, /etc/passwd, /etc/hosts…
• Security and NFS
• Security and sendmail

Page 10: Linux Security

Security of NFS

• A client request will include the client user-id of the process making the request
• The server must decide whether to believe the client's user-ids.
• NFS provides a means to authenticate users and machines
• Recommend the use of globally unique UIDs and the root_squash option
• Use /etc/hosts.deny and /etc/hosts.allow to grant access
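The root_squash recommendation can be checked mechanically. The script below is an added example, not part of the original slides: it scans an exports file and reports clients exported with no_root_squash or exports open to every host, including the stray-space case where options end up applying to all clients. The sample file and its host names are constructed.

```shell
#!/bin/sh
# Added example: flag NFS exports that are not root-squashed or are open to
# every host. Only "host(options)" syntax is handled; paths contain no spaces.

# audit_exports FILE -> one "path client finding" line per problem
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF == 1 { print $1, "*", "world-export"; next }   # no client list
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1, length($i) - p - 1)
                }
                # "host (opts)" with a stray space applies opts to everyone
                if (client == "") client = "*"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash")
                        print $1, client, "no_root_squash"
                if (client == "*") print $1, client, "world-export"
            }
        }' "$1"
}

# write_sample_exports FILE: constructed sample, not taken from a real server
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/home       192.168.1.0/24(rw,sync,root_squash)
/srv/build  buildhost(rw,no_root_squash)
/pub        *(ro)
/scratch    labhost (rw,no_root_squash)
EOF
}

sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
rm -f "$sample"
```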

Page 11: Linux Security

Security Tools

• nmap
• nessus
• tripwire
• crack
• Other powerful tools

Page 12: Linux Security

Security Preparation

• Make a full backup of your machine
• Keep track of your system accounting data
• Apply all new system updates
• Subscribe to mailing lists to get information about potential problems

Page 13: Linux Security

OpenSSH

• OpenSSH: http://www.openssh.com/
  – Secure Network Communication
  – A suite of secure tools that replaces telnet, rcp, ftp, etc.
• SSH protocol version 2 (SSH2)
  – Not compatible with SSH protocol version 1
• When OpenSSH starts
  – Establish an encrypted connection
  – Authenticate the user
  – Client and server send information back and forth

Page 14: Linux Security

SSH

• Use two key pairs
  – Host key pair: a set of public/private keys that is established when you install the openssh-server package
    • /etc/ssh
  – Session key pair: a set of public/private keys that change hourly
    • ./ssh

Page 15: Linux Security

SSH

• First time when SSH client connects with SSH server
  – After verification, the client makes a copy of the server's public host key
• The client then generates a random key, which is encrypted and sent to the server

Page 16: Linux Security

Set up a Firewall under Ubuntu

• firestarter: a sophisticated, graphical tool for building and maintaining a firewall
• ufw
  – uncomplicated firewall
  – Command-line interface to iptables
• gufw (gufw.tuxfamily.org): a graphical interface to ufw
• firestarter and gufw utilities are graphical front-ends for iptables
• Iptables: Build and manipulate network packet filtering rules in the Linux kernel

Page 17: Linux Security

A Typical Firewall Setup

Page 18: Linux Security

Ufw: the uncomplicated firewall

• sudo ufw allow ssh
• sudo ufw enable
  – to turn on ufw
  – By default, ufw starts with a default policy that blocks all inbound traffic and allows outbound traffic
• sudo ufw status verbose
• gufw

Page 19: Linux Security

iptables

• Two components
  – Netfilter
    • Runs in the kernel space
    • A set of tables that hold rules that the kernel uses to control network packet filtering
  – Iptables
    • Runs in the user space
    • Sets up, maintains, and displays the rules stored by netfilter

Page 20: Linux Security

iptables

• First rule: tests whether a packet's destination is port 23 and drops the packet if it is
• Second rule: tests whether a packet was received from the IP address 192.168.1.1 and alters the packet's destination if it was
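The rule listing itself did not survive in this transcript. One way to express the two rules with the iptables command, as an added example that is not part of the original slides: it assumes the port-23 rule applies to TCP in the INPUT chain, that "alter the packet destination" means DNAT in the nat table's PREROUTING chain, and that the new destination is supplied by the caller. Each rule is checked with -C before being appended so that rerunning the script does not stack duplicates.

```shell
#!/bin/sh
# Added example: the two rules described on the slide, applied idempotently.
# IPTABLES can be overridden so the logic can be exercised without root.
IPTABLES=${IPTABLES:-iptables}

# ensure_rule TABLE CHAIN RULE-SPEC...
# -C exits 0 when an identical rule already exists, so -A runs at most once.
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# apply_slide_rules NEW_DEST (NEW_DEST is an assumption; the slide names none)
apply_slide_rules() {
    # Rule 1: drop anything addressed to TCP port 23 (telnet)
    ensure_rule filter INPUT -p tcp --dport 23 -j DROP
    # Rule 2: rewrite the destination of packets arriving from 192.168.1.1
    ensure_rule nat PREROUTING -s 192.168.1.1 -j DNAT --to-destination "$1"
}

# Needs root and changes the live ruleset, so only run when asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_slide_rules "${2:?usage: $0 --apply NEW_DEST}"
fi
```

Rules are evaluated in order within a chain, so appending with -A places these after any rules already present.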

Page 21: Linux Security

How iptables work

Page 22: Linux Security

One iptables Example

Page 23: Linux Security

Useful Websites

• http://www.cert.org
• http://www.sans.org/
  – http://www.sans.org/rr
• http://www.securityfocus.com/
• http://www.phrack.org/

