1 / 4

CIS 290 LINUX Security

CIS 290 LINUX Security. User security Network Security. User Security. ALWAYS use /etc/shadow ( pwconv command) Password aging: get: chage -l userid set: chage -M 60 -m 7 -W 7 userid Lock/unlock and account passwd –l userid passwd –u userid Limit password reuse:

marcuscastellano
Télécharger la présentation

CIS 290 LINUX Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIS 290LINUX Security User security Network Security

  2. User Security • ALWAYS use /etc/shadow (pwconv command) • Password aging: get: chage -l userid set: chage -M 60 -m 7 -W 7 userid • Lock/unlock and account passwd –l userid passwd –u userid • Limit password reuse: vi /etc/pam.d/system-auth (RHEL/Fedora) vi /etc/pam.d/common-password (Ubuntu) Add: password sufficient pam_unix.so use_authtok md5 shadow remember=10 • Verify root ID’s: awk -F: '($3 == "0") {print}' /etc/passwd • Verify no password ID’s: awk -F: '($2 == "") {print $1 }' /etc/shadow | grep /etc/passwd Make sure they are /bin/nologin • No ROOT LOGIN, use su or sudo. • Disable ROOT login under FTP., SSH, GUI (procedures vary) • Configure pam_cracklib.so to enforce the password policy. • See defaults in /etc/login.defs for /etc/shadow values.

  3. sysctl.conf For network: # Enable IP spoofing protection • net.ipv4.conf.all.rp_filter=1 # Disable IP source routing • net.ipv4.conf.all.accept_source_route=0 # Ignoring broadcasts request • net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_messages=1 • # Make sure spoofed packets get logged net.ipv4.conf.all.log_martians = 1 • # disable IPv6 net.ipv6.conf.all.disable_ipv6=1 Kernel isolation (test carefully on test system): • Turn on execshield kernel.exec-shield=1 kernel.randomize_va_space=1

  4. Network services • Determine open services: netstat –tulpn -OR- nmap -sT -O localhost • Disable with chkconfig. And/or remove software. • Use TCP_WRAPPERS (xinetd) • Configure iptables • Remove Xwindows: yum groupremove "X Window System“ • Set initdefault to runlevel 3 • No cleartext services HTTP, TELNET, FTP, rcmd, (see gov’t requirements) - use SSH, SSL, SFTP. Restrict NFS/CIFS to local networks only.

More Related