Linux Security: An overview (notes from Linux Network Security HowTO)

Basic Approach
Focus on OSI model
Most initial probes are service-level attacks
  – enter through a port
  – try to compromise the server
  – use the “server” to gain access to other info and accounts
One of the fundamental security policies is to limit the number of services offered.

Basic Linux Approaches
tcp wrappers
firewall software
  – ipfwadm
  – ipchains
application security
login security
  – kerberos, etc

tcp wrappers
Used in conjunction with inetd
Services not managed by inetd are NOT protected by this approach
Generally a simple approach
hosts.allow and hosts.deny files control access

How tcp wrappers works
[Diagram: client; SERVER with the tcp wrapper software, hosts.allow and hosts.deny, and the server]
1. Request service
2. Check for authorization
3. Launch server if ok
4. Client connects

inetd.conf format
    finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
as before
Actually invokes the tcp_wrapper daemon (tcpd) to check, and tcpd launches the service (finger in this case) if OKed.

hosts.allow and hosts.deny
in /etc
Two files configure the tcpd rules
entry: servicelist: hostlist [:shellcmd]
  servicelist: ftpd; ALL; ALL except ftpd
  hostlist: defender.pcs.cnu.edu; .pcs.cnu.edu; LOCAL (no . in name); ALL; ALL except LOCAL,...
  shellcmd: traps

hosts.allow and hosts.deny
Which comes first?
hosts.allow takes precedence
  – if this file grants access, the client gets access in spite of the info in hosts.deny
hosts.deny will stop the request if a match exists there
If neither matches, service is granted.
Example:
    in.tftpd, in.fingerd: ALL EXCEPT LOCAL, .your.domain
(in hosts.deny and nothing in hosts.allow)
Only local hosts and xxx.your.domain can tftp or finger
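
The precedence rule above, written out as an added example (not part of the original slides). It models only a simplified subset of the tcpd matching rules (ALL, LOCAL, leading-dot domains, EXCEPT); the function names are chosen for this illustration.

```python
# Added example: simplified model of the tcpd access decision.
DENY = "in.tftpd, in.fingerd: ALL EXCEPT LOCAL, .your.domain"  # rule from the slide

def host_match(pattern, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":              # LOCAL: host name contains no dot
        return "." not in host
    if pattern.startswith("."):         # .your.domain: any host under that domain
        return host.endswith(pattern)
    return pattern == host

def daemon_match(pattern, daemon):
    return pattern in ("ALL", daemon)

def list_match(tokens, value, matcher):
    """'a b EXCEPT c d' matches when (a or b) matches and (c or d) does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], value, matcher)
                and not list_match(tokens[i + 1:], value, matcher))
    return any(matcher(t, value) for t in tokens)

def file_match(rules, daemon, host):
    """True if any 'servicelist: hostlist [: shellcmd]' line matches."""
    for line in rules.splitlines():
        parts = line.split("#", 1)[0].split(":")
        if len(parts) < 2:
            continue
        daemons = parts[0].replace(",", " ").split()
        hosts = parts[1].replace(",", " ").split()
        if list_match(daemons, daemon, daemon_match) and \
           list_match(hosts, host, host_match):
            return True
    return False

def access(allow, deny, daemon, host):
    """hosts.allow is consulted first, then hosts.deny, otherwise grant."""
    if file_match(allow, daemon, host):
        return "granted by hosts.allow"
    if file_match(deny, daemon, host):
        return "denied by hosts.deny"
    return "granted (no match)"
```

With an empty hosts.allow, `access("", DENY, "in.fingerd", "host.example.net")` is denied, while a hosts.allow entry for that same host overrides the deny rule.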

Remember! ONLY WORKS for INETD launched services! Check for others with netstat!
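
One way to carry out that check, as an added example (not part of the original slides): compare the listening TCP ports reported by netstat with the inetd.conf entries that launch their server through tcpd. The sample inputs and the service-to-port table are constructed for illustration.

```python
import os

# Constructed sample inputs (not from a real host).
INETD_CONF = """\
finger  stream  tcp  nowait  root  /usr/sbin/tcpd      in.fingerd
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd   in.ftpd -l
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd      in.telnetd
"""
NETSTAT_TLN = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:79       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:21       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:25       0.0.0.0:*        LISTEN
"""
SERVICES = {"finger": 79, "ftp": 21, "telnet": 23, "smtp": 25}  # subset of /etc/services

def wrapped_ports(conf, services):
    """Ports whose inetd.conf entry starts the server through tcpd."""
    ports = set()
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        # field 0 = service name, field 5 = server program path
        if len(fields) >= 6 and os.path.basename(fields[5]) == "tcpd":
            if fields[0] in services:
                ports.add(services[fields[0]])
    return ports

def listening_ports(netstat_out):
    """TCP ports in LISTEN state from 'netstat -tln' style output."""
    ports = set()
    for line in netstat_out.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def unprotected(conf, netstat_out, services):
    """Listening ports that hosts.allow / hosts.deny do not govern."""
    return sorted(listening_ports(netstat_out) - wrapped_ports(conf, services))
```

On the sample data the result is ports 21 and 25: ftp is started by inetd without tcpd, and port 25 has no inetd entry at all.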

Proactive measures
Many services do a reverse DNS verification to authenticate machines.
ident is a service which will track which users are using specific services.
Examine your own machines for vulnerabilities
  – use SATAN and similar network scanners
  – find ports providing services and review.

Proactive measures
Replace insecure services with secure versions: qmail for sendmail
Keep up-to-date versions of your software to handle problems like
  – SYN flooding: fixed in kernel updates
  – Pentium F00F reboot (in a cgi etc): reboots the machine, but fixed in a kernel update
  – ping floods: stop at the firewall
  – ping o’ death: a response too large for the kernel makes the machine hang or crash, fixed in an update

Proactive measures
NFS
  – file system running over RPC..tcp/ip
  – allows you to mount file systems
  – an unknown machine can mount and the root from that machine can have root access
      map external root user to a nobody user
      be conservative with permissions you offer
NIS … use NIS+

Other Concepts
VPNs
ipfwadm (ip firewall administration)
  – older version of the software
  – not typically used
ipchains
  – similar to ipfwadm
  – allows for much more complex rules
more on ipfwadm and ipchains

Application Security
Applications (servers) are also independently configurable
  – wuftpd
  – apache
only used when
  – firewall passed AND
  – tcp wrappers allows
Covered with specific services

Password Security and Encryption
Shadow passwords
Kerberos and PGP
SSL and S-HTTP
ssh
IPSEC - secure tunnels / VPN
PAM: pluggable authentication modules
  – separates the process from applications, like ODBC and databases
CIPE encrypts at network level
CFS: cryptographic file system