CIS 290 LINUX Security
Presentation Transcript


  1. CIS 290 LINUX Security: Application and Network Security, Part 1

  2. SSH • /etc/ssh/sshd_config
  Keywords are case-insensitive; write argument values as the manual page spells them (yes/no, not Yes/No). For each keyword the first value found wins, and directives inside a Match block apply only to the connections that block matches.
  • AllowTcpForwarding no, AllowAgentForwarding no, PermitTunnel no, X11Forwarding no
  • DenyUsers, AllowUsers, DenyGroups, AllowGroups (evaluated in that order)
  • Banner: path to a file shown before login (default none)
  • ChrootDirectory: path to jail the session in (default none); see SFTP chroot jail
  • ClientAliveInterval 600 together with ClientAliveCountMax 3 (or another value of at least 1) to drop idle sessions; ClientAliveCountMax 0 disables termination rather than making it immediate
  • ForceCommand: run only the configured command, whatever the client requests
  • HostbasedAuthentication no, IgnoreRhosts yes
  • ListenAddress, Port: bind only the addresses and port you need
  • LoginGraceTime, MaxAuthTries, MaxSessions, MaxStartups: bound unauthenticated and concurrent connections
  • PermitEmptyPasswords no, PermitRootLogin no
  • Protocol 2 (not 2,1, which still offers the broken protocol 1; current OpenSSH speaks only protocol 2 and ignores the keyword)
  • Subsystem sftp internal-sftp (see SFTP chroot jail)
  • UseDNS no (reverse lookups add delay and no security)
  • UsePAM yes: PAM can still accept passwords through keyboard-interactive authentication, so to enforce key-only logins set both PasswordAuthentication no and ChallengeResponseAuthentication no (KbdInteractiveAuthentication in newer releases)
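The following script is an added example, not part of the slides: it audits an sshd_config file for the settings listed above without starting sshd, and shows the slide's values beside a corrected configuration with an SFTP-only chroot jail. It assumes OpenSSH's documented semantics (case-insensitive keywords, first value wins, Match begins a conditional section) and constructs both sample config files itself; the group names sshusers and sftponly and the path /srv/sftp are assumptions.

```shell
#!/bin/sh
# Added example (not part of the slides): audit an sshd_config for the
# settings listed above without starting sshd. Assumed OpenSSH semantics:
# keywords are case-insensitive, the FIRST value obtained for a keyword
# wins, and lines after the first "Match" apply conditionally, so the global
# audit stops there. Protocol is not checked: current OpenSSH speaks only
# protocol 2. Both config files written below are constructed samples.

# "keyword-regex expected-value" pairs; ChallengeResponseAuthentication was
# renamed KbdInteractiveAuthentication, so either spelling is accepted.
REQUIRED='
permitrootlogin no
permitemptypasswords no
passwordauthentication no
challengeresponseauthentication|kbdinteractiveauthentication no
hostbasedauthentication no
ignorerhosts yes
allowtcpforwarding no
allowagentforwarding no
x11forwarding no
permittunnel no
usepam yes
'
# effective_value FILE KEYWORD_REGEX: lower-cased first global value, or "".
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        tolower($1) == "match" { exit }            # conditional section begins
        tolower($1) ~ "^(" key ")$" { print tolower($2); exit }
    ' "$1"
}
# audit_sshd_config FILE: one line per setting that is missing or wrong.
audit_sshd_config() {
    printf '%s\n' "$REQUIRED" | while read -r key want; do
        [ -n "$key" ] || continue
        got=$(effective_value "$1" "$key")
        [ "$got" = "$want" ] ||
            printf '%s: %s is "%s", want "%s"\n' "$1" "$key" "${got:-unset}" "$want"
    done
}
count_findings() { audit_sshd_config "$1" | awk 'END { print NR }'; }
# idle_timeout_ok FILE: true only if idle sessions are really terminated.
# ClientAliveCountMax 0 is a classic mistake: it disables termination.
idle_timeout_ok() {
    interval=$(effective_value "$1" clientaliveinterval)
    countmax=$(effective_value "$1" clientalivecountmax)
    [ "${interval:-0}" -gt 0 ] && [ "${countmax:-3}" -gt 0 ]   # sshd defaults: 0 / 3
}
# The slide's settings as written (constructed sample).
write_slide_config() {
cat > "$1" <<'EOF'
AllowTcpForwarding no
AllowAgentForwarding No
ClientAliveInterval 600
ClientAliveCountMax 0
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PermitRootLogin No
PermitTunnel No
Protocol 2,1
UsePAM yes
X11Forwarding no
EOF
}
# Corrected global settings plus an SFTP-only chroot jail (constructed sample).
# The chroot directory must be owned by root and not writable by anyone else.
write_hardened_config() {
cat > "$1" <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
HostbasedAuthentication no
IgnoreRhosts yes
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
LoginGraceTime 30
MaxAuthTries 3
ClientAliveInterval 600
ClientAliveCountMax 3
Banner /etc/issue.net
AllowGroups sshusers sftponly
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
for f in "$@"; do
    audit_sshd_config "$f"
    idle_timeout_ok "$f" || echo "$f: idle sessions are never terminated"
done
```

Run against the slide's configuration the audit reports the two missing password-related settings and the disabled idle timeout; the corrected file passes clean. Comparing values after lower-casing keeps the audit tolerant of Yes/No spellings, but sshd itself should still be given the lower-case forms the manual documents.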

  3. Original Sentry Tools (Psionic) • Logcheck (still packaged as an RPM) • Portsentry http://sourceforge.net/projects/sentrytools/ • Tcplogd • See also netstat -an or ss -a to list sockets (ss -tulpn shows listening sockets together with the owning processes)

  4. Network Security • TCP Wrappers: hosts.allow, hosts.deny (only protect services linked against libwrap or started through tcpd) • /etc/security/access.conf (pam_access: login restrictions by user, group and origin) • iptables (kernel 2.4), formerly ipfwadm (2.0) and ipchains (2.2); current distributions usually run iptables as a front-end to nftables • /etc/sysctl.conf: net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_messages = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 (icmp_ignore_bogus_error_messages must be 1 to ignore them; the default.* keys only seed interfaces created later, so set the matching all.* keys as well, and apply with sysctl -p)
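The script below is an added example, not from the slides: it writes the sysctl settings above as a drop-in file (with both the all.* and default.* variants) and reports drift between the file and the running kernel. The reader function is a parameter so the same check runs offline against a constructed "current state"; the file name 99-hardening.conf and the fake values are assumptions.

```shell
#!/bin/sh
# Added example (not part of the slides): write the hardening values above as
# a sysctl.d drop-in and report drift between the file and the running kernel.
# Both the "all" and "default" variants are set, because "default" only seeds
# interfaces created later. The reader is a function name so the check also
# runs offline against constructed state.

write_sysctl_hardening() {   # write_sysctl_hardening FILE
cat > "$1" <<'EOF'
# Corrected from the slide: ignore bogus ICMP errors (1), do not accept them (0).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

# parse_sysctl_conf FILE: "key value" per setting, comments and blanks dropped.
parse_sysctl_conf() {
    awk -F= '/^[[:space:]]*(#|;|$)/ { next }
             { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2); print $1, $2 }' "$1"
}

live_sysctl() { sysctl -n "$1"; }      # reader for the running kernel

# fake_sysctl KEY: constructed "current state" resembling an untuned host.
fake_sysctl() {
    case "$1" in
        net.ipv4.tcp_syncookies) echo 1 ;;
        net.ipv4.conf.*.rp_filter) echo 2 ;;       # loose mode, not strict
        net.ipv4.conf.*.accept_redirects | net.ipv4.conf.*.secure_redirects) echo 1 ;;
        *) echo 0 ;;
    esac
}

# check_sysctl FILE READER: one line per key whose current value differs.
check_sysctl() {
    parse_sysctl_conf "$1" | while read -r key want; do
        got=$("$2" "$key" 2>/dev/null)
        [ "$got" = "$want" ] || printf '%s = %s (want %s)\n' "$key" "${got:-unset}" "$want"
    done
}

count_sysctl_findings() { check_sysctl "$1" "$2" | awk 'END { print NR }'; }

# Usage: sh sysctl_check.sh /etc/sysctl.d/99-hardening.conf ; sysctl -p FILE to apply
if [ $# -eq 1 ]; then
    check_sysctl "$1" live_sysctl
fi
```

Against the constructed untuned state the check flags ten of the thirteen keys; after `sysctl -p` on a real host the same command should print nothing.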

  5. Firewall - iptables • /etc/sysconfig/iptables (Red Hat layout, in iptables-save format) • Commands: iptables, iptables-save, iptables-restore • The filter table has three built-in chains plus any user-defined ones: INPUT - packets addressed to this system. Use it to open or close incoming ports (80, 25, 110, etc.) and IP addresses or subnets (such as 202.54.1.20/29). OUTPUT - packets generated by this system. Use it to open or close outgoing ports and addresses or subnets. FORWARD - packets routed through this system to another interface, used when Linux is a router: with eth0 on the ADSL/cable modem and eth1 on the LAN, FORWARD rules carry traffic between the LAN and the Internet. RH-Firewall-1-INPUT - a user-defined chain from the Red Hat default ruleset; the INPUT and FORWARD chains jump to it with -j RH-Firewall-1-INPUT. Each built-in chain also has a default policy (ACCEPT or DROP) that applies when no rule matches.

  6. iptables • Packet Matching Rules: each packet starts at the first rule in the chain and proceeds until it matches a rule; when a match is found, control jumps to that rule's target (REJECT, ACCEPT, DROP, or a user-defined chain). Rule order therefore matters: the rule accepting ESTABLISHED,RELATED traffic normally sits near the top, and a rule placed after one that already matched is never reached. If no rule in a built-in chain matches, the chain's policy decides. • Target Meanings: ACCEPT lets the packet through. REJECT drops the packet and sends an error back to the sender (by default an ICMP port-unreachable; --reject-with selects another, such as a TCP RST). DROP discards the packet silently, so the sender sees only a timeout. LOG writes the packet to the kernel log and is non-terminating: processing continues with the next rule.
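As an added example covering slides 5 and 6 (not code from the slides), here is a ruleset in the /etc/sysconfig/iptables layout, with INPUT and FORWARD jumping to RH-Firewall-1-INPUT, together with a small simulator that walks the INPUT chain the way slide 6 describes: first match wins, a jump enters the user-defined chain, LOG does not terminate, and the policy applies only if nothing matched. The simulator is a teaching model that understands only -i, -p, -s (CIDR), --dport, --state and -j; the management subnet 10.0.0.0/24 and the legacy -m state match (RHEL 5 era; -m conntrack --ctstate is the current form) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the slides): an iptables-restore ruleset in the
# /etc/sysconfig/iptables layout, plus a simulator that walks the INPUT chain
# as slide 6 describes (first match wins, user chain reached by a jump, LOG is
# non-terminating, the policy applies only when nothing matched). The model
# understands -i, -p, -s (CIDR), --dport, --state and -j only, so --icmp-type
# and -m limit are ignored. 10.0.0.0/24 is an assumed management subnet.

write_ruleset() {    # write_ruleset FILE   (load with: iptables-restore < FILE)
cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP
-A RH-Firewall-1-INPUT -s 10.0.0.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# simulate FILE IFACE PROTO DPORT SRC STATE: print the verdict for one packet.
simulate() {
    awk -v iface="$2" -v proto="$3" -v dport="$4" -v src="$5" -v state="$6" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_cidr(ip, cidr,  p, bits) {            # prefix compare without bit ops
        split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
        return int(ip2n(ip) / 2^(32 - bits)) == int(ip2n(p[1]) / 2^(32 - bits))
    }
    function matches(id) {                            # every criterion given must hold
        if (ri[id] != "" && ri[id] != iface) return 0
        if (rp[id] != "" && rp[id] != proto) return 0
        if (rd[id] != "" && rd[id] != dport) return 0
        if (rs[id] != "" && !in_cidr(src, rs[id])) return 0
        if (rst[id] != "" && index("," rst[id] ",", "," state ",") == 0) return 0
        return 1
    }
    function walk(chain,  i, id, v) {                 # "" means fell off the end
        for (i = 1; i <= n[chain]; i++) {
            id = chain SUBSEP i
            if (!matches(id)) continue
            v = target[id]
            if (v == "ACCEPT" || v == "DROP" || v == "REJECT") return v
            if (v == "RETURN") return ""
            if (v == "LOG") continue                  # non-terminating target
            v = walk(v)                               # jump into a user-defined chain
            if (v != "") return v
        }
        return ""
    }
    /^:/ { sub(/^:/, ""); policy[$1] = $2; next }     # chain declarations and policies
    /^-A/ {
        id = $2 SUBSEP (++n[$2])
        for (k = 3; k <= NF; k++) {
            if ($k == "-i") ri[id] = $(k+1)
            else if ($k == "-p") rp[id] = $(k+1)
            else if ($k == "-s") rs[id] = $(k+1)
            else if ($k == "--dport") rd[id] = $(k+1)
            else if ($k == "--state") rst[id] = $(k+1)
            else if ($k == "-j") target[id] = $(k+1)
        }
    }
    END { v = walk("INPUT"); if (v == "") v = policy["INPUT"]; print v }
    ' "$1"
}

# Usage: write_ruleset /tmp/rules; simulate /tmp/rules eth0 tcp 22 10.0.0.5 NEW
```

Tracing a few packets shows the points of slide 6: SSH from 10.0.0.5 is accepted by the subnet rule, the same connection attempt from 192.168.1.9 falls through every ACCEPT, passes the non-terminating LOG and ends at the final REJECT, and an INVALID packet is dropped before the port rules are even consulted. Removing the last REJECT rule changes the verdict for unmatched traffic to DROP, because the user chain now falls off its end and the INPUT policy decides.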
