Presentation is loading. Please wait.

Presentation is loading. Please wait.

Basic Linux Desktop Security © Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer.

Published byHarry Bell Modified over 8 years ago

Similar presentations

Presentation on theme: "Basic Linux Desktop Security © Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer."— Presentation transcript:

1 Basic Linux Desktop Security © Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer

2 Think Security: 5Q 1) What is the problem? 2) What is the proposed solution? 3) What is the cost? 4) Is it effective? 5) What are the collateral damages? ➔ Worth it? (from: Schneier “Beyond Fear”)

3 Think Security: SPoF ● Never design a single point of failure! ● Design as layers of security. System

4 Think Security: Trust? ● Design a threat model: – What are you concerned about? – What components/people do you trust? – How far do you trust them? – With what do you trust them? – Are you sure?

5 Distribution ● Chose a “distribution” that is designed for what you want to do. ●...one you can trust. ● Find its security mail list. – eg. Debian: debian-security-announce (AT) lists.debian.org ● Find out how things are done with it. ● Keep updating! (at least once/week)

6 Passwords ● Chose secure passwords: – mix upper-/lower-case letters, special characters and digits – don't use words from any dictionary – make it long enough (about 8 characters) – eg. use a sentence that you can remember, use the first letter of each word, replace some letters by digits ● Remember: Passwords are unsafe.

7 Get rid of Junk ● Shutdown/uninstall anything you don't need. – Do you need CUPS? (printer?) – Do you need Apache? (is this a web-server?) – Do you really need FTP? – Do you really need five different databases? – Do you need GCC? (Are you a developer?)

8 Configure Securely ● Default config is often insecure. ● Don't allow open mail relay. ● Don't allow open web proxies. ● SSH: – Don't open it to outside network if not necessary. – Don't use password-authentication.

9 Restrict Users ● NEVER WORK AS ROOT!!! ● Don't give users rights they don't need. ● Don't give anyone your password. There is no excuse! No Admin will ever need it! ● Use different passwords on different systems. (Or groups of systems.)

10 Firewalls ● Every system has a right to its own firewall! ● Never connect an unprotected system to any network. ● Make the firewall as tight as possible. – Opening up later is easier than cleaning up an incident. ● Whenever possible: block both directions. ● Don't forget IPv6!

11 Random Thoughts ● Alteration Detection: Tripwire ● Intrusion Detection: Snort ● Rootkit Scanner: Tiger ● etc.pp.

12 IP-Tables ● Tables: – filter - the actual firewall part – nat - network address translation ● filter chains – INPUT, FORWARD, OUTPUT ● nat chains – PREROUTING, POSTROUTING, OUTPUT

13 IP-Tables: filtering ● Use tools: iptables-save/-restore ● Policy: DROP/REJECT ● Divide Traffic per Interface. *filter :INPUT DROP :FORWARD DROP :OUTPUT DROP :netw - :netout - :rootout - #Incoming Traffic #accept loopback: -A INPUT -i lo -j ACCEPT #filter all others -A INPUT -j netw #paranoid droppings: -A INPUT -j DROP #This is not a router: -A FORWARD -j DROP #Outgoing Traffic #accept loopback -A OUTPUT -o lo -j ACCEPT #filter all others -A OUTPUT -j netout #reject remainder -A OUTPUT -j REJECT

14 IP-Tables: INPUT ● Accept what you requested. ● Accept legitimate users. ● Reject everything else. #accept ICMP -A netw -p icmp -j ACCEPT # accept DNS (see query_source in /etc/bin/named.conf) -A netw -p udp -m udp --sport 53 -j ACCEPT -A netw -p tcp -m tcp --sport 53 -j ACCEPT # XNTP -A netw -p udp -m udp --dport 123 -j ACCEPT # accept SSH -A netw -p tcp -m tcp --dport 22 -j ACCEPT # accept TCP when established from local ## filter SYN -A netw -p tcp -m tcp --syn -j DROP ## accept TCP above 1024 (denies communication with priv. ports) -A netw -p tcp -m tcp --dport 1024: -j ACCEPT

15 IP-Tables: OUTPUT ● Allow desired services. ● Allow some users. ● Reject everything else. #Allow ICMP -A netout -p icmp -j ACCEPT #Allow DNS in both directions -A netout -p tcp -m tcp --dport 53 -j ACCEPT -A netout -p udp -m udp --dport 53 -j ACCEPT #Allow XNTP -A netout -p udp -m udp --sport 123 -j ACCEPT ##Owner exceptions #root -A netout -p tcp -m owner --uid-owner 0 -j rootout ##Filter TCP SYN -A netout -p tcp -m tcp --syn -j REJECT #allow remainder (established) of TCP -A netout -p tcp -m tcp -j ACCEPT ##Filter all UDP -A netout -p udp -m udp -j REJECT

16 IP-Tables: users ● Allow only needed services. ● Prevents broken systems from doing more harm. ### Root (apt-get) #update.pureserver.info: -A rootout -p tcp -m tcp -d 195.20.242.2 --dport 80 -j ACCEPT #security.debian.org -A rootout -p tcp -m tcp -d 128.101.240.212 --dport 80 -j ACCEPT -A rootout -p tcp -m tcp -d 212.211.132.32 --dport 80 -j ACCEPT -A rootout -p tcp -m tcp -d 212.211.132.250 --dport 80 -j ACCEPT

17 IP-Tables: chain-design ● Policy: don't allow anything. ● Start at bottom: reject everything. ● Move upwards: – allow wanted services – make exceptions – become more specific

18 ? Questions?

Download ppt "Basic Linux Desktop Security © Konrad Rosenbaum this presentation is protected by the GNU General Public License version 2 or any newer."

Similar presentations

IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.

Securing Network using Linux. Lesson Outline Setting up a secure system TCP Wrapper configuration Firewalls in Linux Authentication Systems –NIS –Kerberos.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
Firewalls: General Principles & Configuration (in Linux)

Firewalls: General Principles & Configuration (in Linux)
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.

Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)

1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
IPTables Tips and Tricks: More Than Just ACCEPT and DROP

IPTables Tips and Tricks: More Than Just ACCEPT and DROP
NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.

NetFilter – IPtables Firewall –Series of rules to govern what Kind of access to allow on your system –Packet filtering –Drop or Accept packets NAT –Network.
07/11/2012 www.eej.ulst.ac.uk/~ian/modules/COM342/COM342_L10.ppt L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: 90 366364 voice.

07/11/ L10/1/63 COM342 Networks and Data Communications Ian McCrumRoom 5B18 Tel: voice.
Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.

Karlstad University Introduction to Vulnerability Assessment Labs Ge Zhang Dvg-C03.
SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in specific network programs  e.g. 1, wu-FTP server support.

SCSC 455 Computer Security Network Security. Control access to system Access control mechanisms in specific network programs  e.g. 1, wu-FTP server support.
Firewalls A device that screens incoming and outgoing network traffic and allows or disallows traffic based on a set of rules The “device” –Needs at least.

Firewalls A device that screens incoming and outgoing network traffic and allows or disallows traffic based on a set of rules The “device” –Needs at least.
NETWORK SECURITY USING IPTABLES. TOPICS OF DISCUSSION NETWORK TRAFFIC IN PRESENT SCENARIO !! WHY WE NEED SECURITY ? T TYPE OF ATTACKS & WAYS TO TACKLE.

NETWORK SECURITY USING IPTABLES. TOPICS OF DISCUSSION NETWORK TRAFFIC IN PRESENT SCENARIO !! WHY WE NEED SECURITY ? T TYPE OF ATTACKS & WAYS TO TACKLE.
Firewalling With Netfilter/Iptables. What Is Netfilter/Iptables? Improved successor to ipchains available in linux kernel 2.4/2.6. Netfilter is a set.

Firewalling With Netfilter/Iptables. What Is Netfilter/Iptables? Improved successor to ipchains available in linux kernel 2.4/2.6. Netfilter is a set.

Similar presentations

Ads by Google