RHCE-III Part, Durgesh Tomar
Security Concerns and Policy
Understanding Security
A network is only as secure as the most open system in that network. Although no system can be 100 percent secure, you can follow certain basic host measures to enhance the security of any given system and, consequently, your network. When devising security measures, you have to plan for two types of security violations: user accidents and break-ins. Accidents happen because users lack adequate training or are unwilling to follow procedures. If security is too burdensome, productivity may suffer, and your users will try to get around your rules. Password security falls into this category. When crackers break into your system, some may be looking for secrets such as credit card information; others may just want to bring down your system.
Understanding Security
Types of Security:
-> Network (External)
-> Local (Internal)
-> Physical
Hacker versus Cracker
A hacker is someone who programs creatively and usually for the pure enjoyment of it (most programmers who work on Linux are hackers in this sense). The correct term for someone who breaks into computer systems is a cracker. There are many types of crackers, ranging from professional computer criminals to the hobbyist types that break into computers for the thrill. The growth of the cracker problem has kept pace with the growth of the Internet. A new, younger generation of cracker is emerging. These teenage pseudo-crackers do not have all the knowledge and skill of their true cracker counterparts, but they have access to a growing number of cracker tools that automate the breaking of a system's security.
Understanding Attack Techniques
Attacks on computing systems take on different forms, depending on the goal and resources of the attacker. Some attackers desire to be disruptive, while others desire to infiltrate your machines and utilize the resources for their own nefarious purposes. Still others are targeting your data for financial gain or blackmail. Here are three major categories of attacks:
-> Denial of Service (DOS)
-> Distributed Denial of Service (DDOS)
-> Intrusion attacks
Denial of Service (DOS)
The easiest attacks to perpetrate are Denial of Service attacks. The primary purpose of these attacks is to disrupt the activities of a remote site by overloading it with irrelevant data. DOS attacks can be as simple as sending thousands of page requests per second at a Web site. These types of attacks are easy to perpetrate and easy to protect against. Once you have a handle on where the attack is coming from, a simple phone call to the perpetrator's ISP will get the problem solved.
Distributed Denial of Service (DDOS)
More advanced DOS attacks are called Distributed Denial of Service attacks. DDOS attacks are much harder to perpetrate and nearly impossible to stop. In this form of attack, an attacker takes control of hundreds or even thousands of weakly secured Internet-connected computers. The attacker then directs them in unison to send a stream of irrelevant data to a single Internet host. The result is that the power of one attacker is magnified thousands of times. Instead of an attack coming from one direction, as is the case in a normal DOS, it comes from thousands of directions at once. The best defense against a DDOS attack is to contact your ISP to see if it can filter traffic at its border routers.
Intrusion attacks
To remotely use the resources of a target machine, attackers must first look for an opening to exploit. In the absence of inside information such as passwords or encryption keys, they must scan the target machine to see what services are offered. Perhaps one of the services is weakly secured and the attacker can use some known exploit to finagle his way in.
Diagnostic Utilities
Port Scanners: show what services are available on a system (nmap)
Packet Sniffers: store and analyze all network traffic (tcpdump, ethereal)
SELinux
getenforce : show the current mode
setenforce 0 : switch to permissive mode; setenforce 1 : switch to enforcing mode
/etc/sysconfig/selinux with SELINUX=disabled : disable SELinux persistently
getsebool -a | grep ftp : list the ftp-related booleans (on = access allowed, off = denied)
chcon -t vikas_t <directory/file name> : change the type part of the context value
ls -Z : see the context values
Context: identity : object role : type enforcement
Policy: targeted (applies to specific files or directories), strict (applies to all)
sestatus -v : show SELinux status
Securing Networks Using Firewall ( IPTables )
What is a Firewall?
Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several powerful tools to assist administrators and security engineers with network-level access control issues.
What is a Firewall?
Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be standalone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. There are also proprietary software firewall solutions developed for home and business markets by vendors such as Checkpoint, McAfee, and Symantec. Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another.
iptables
iptables is a front-end tool to manage netfilter (integrated in the Linux kernel), which is the actual firewall. netfilter provides filtering of TCP/IP and UDP based packets, so that we can filter inbound, outbound, and routed traffic on our system. It helps to keep intruders from other networks from getting into your LAN and compromising your systems or data. The firewall does this by sitting between your network and the outside world, allowing some traffic to flow between your network and the Internet while blocking other traffic. Before you design a firewall strategy, you should sit down and think about what you want to protect and how you are going to do it. If you are working for a company, you should prepare a company security policy. Start by talking to users (or their managers); you can then make decisions on what kinds of services you will let through the firewall. iptables can be used to allow or deny packets based on numerous factors including their destination, their source, which port they are trying to access, the user ID of the process that created the packet, and more.
iptables
iptables has three built-in tables, which cannot be deleted: filter, nat, and mangle.
filter table: A packet filter is a piece of software which looks at the header of packets as they pass through and decides the fate of the entire packet. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat table: This table is consulted when a packet that creates a new connection is encountered. Packets in a stream only traverse this table once: the first packet of a stream is allowed through it, and the rest of the packets in the stream will not go through this table again, but instead automatically have the same actions applied to them as the first packet in the stream. This is one reason why filtering using this table should be avoided. It consists of three built-in chains: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
iptables
mangle table: This table is used for packet alteration. It has five built-in chains: PREROUTING (for altering incoming packets before routing), OUTPUT (for altering locally-generated packets before routing), INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
IPTables Command
iptables -t <table> <action> <direction> <packet pattern> -j <fate>
Tables: filter (default), nat, mangle
Actions: -A append, -D delete, -L list, -F flush
Direction (chain): INPUT, OUTPUT, FORWARD
Packet Pattern: -s <source IP address>, -d <destination IP address>
Fate: DROP, ACCEPT, REJECT
IPTables Command Examples:
iptables -A INPUT -s /24 -j REJECT
iptables -A INPUT -s -p icmp -j DROP
iptables -A INPUT -m mac --mac-source 12:34:56:89:90:ab -j ACCEPT
iptables -A OUTPUT -d -j REJECT
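As an added example (not from the slides), here is a small host firewall script written in the table / action / direction / pattern / fate form above, with a default-DROP policy so that only explicitly accepted traffic gets in; IPT, LAN_NET, BAD_NET and the dry-run helpers are this example's own assumptions, and the subnets are constructed RFC 5737 documentation ranges.

```sh
#!/bin/sh
# Added example: a minimal host firewall script in the slide's
# "iptables -t <table> <action> <chain> <pattern> -j <fate>" form.
# IPT names the binary; running with IPT=echo prints the rules instead of
# loading them, which is how dry_run and rule_count below inspect the policy.
IPT=${IPT:-iptables}
LAN_NET=192.0.2.0/24          # constructed: the subnet we trust (RFC 5737 range)
BAD_NET=198.51.100.0/24       # constructed: a subnet rejected outright
ADMIN_MAC=12:34:56:89:90:ab   # the MAC address used in the slide's example

apply_rules() {
    # Start from an empty filter table and default to DROP, so any packet the
    # rules below do not explicitly ACCEPT is discarded (default deny).
    $IPT -t filter -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
    # Loopback, and replies to connections this host opened itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rules are checked top-down and the first match decides the fate, so the
    # blanket REJECT for BAD_NET goes before anything that might ACCEPT it.
    $IPT -A INPUT -s "$BAD_NET" -j REJECT
    # Answer pings only from the LAN; drop all other ICMP (slide: -p icmp -j DROP).
    $IPT -A INPUT -p icmp --icmp-type echo-request -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -p icmp -j DROP
    # SSH from the admin workstation (by MAC, the slide's -m mac example) or the LAN.
    $IPT -A INPUT -m mac --mac-source "$ADMIN_MAC" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # Outbound: refuse to talk to BAD_NET at all (the slide's OUTPUT -d ... -j REJECT).
    $IPT -A OUTPUT -d "$BAD_NET" -j REJECT
}

# Print the rules without loading them (IPT=echo in a subshell).
dry_run() { ( IPT=echo; apply_rules ); }

# Number of -A rules the policy installs; compare with
# "iptables -L -n --line-numbers" after loading, as a sanity check.
rule_count() { dry_run | grep -c '^-A '; }

# Does the dry-run policy contain a rule matching the given regex? 0 if so.
has_rule() { dry_run | grep -q -- "$1"; }
```

Run it as root with no IPT set to load the policy, or with IPT=echo to review it first.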
tcpwrapper
What is TCP Wrappers?
TCP Wrappers add another level of security to a computer: you can restrict access to your system by remote hosts using the lists of hosts kept in the /etc/hosts.allow and /etc/hosts.deny files. TCP Wrappers stand guard between an incoming request and the requested service.
Configuration Files
When a client connects to a "tcp wrapped" service, the access control lists /etc/hosts.allow and /etc/hosts.deny are examined. The server then either accepts or drops the connection, depending on the access control configuration. Policies can be specified for individual services and are usually configured in terms of the client's IP address. Both files have the same basic syntax for allowing or denying a list of clients:
Service List : Client List
Configuration Files
Three stages of access checking:
1. Is access explicitly permitted?
2. Otherwise, is access explicitly denied?
3. Otherwise, by default, permit access!
Configuration is stored in two files:
-> Permissions in /etc/hosts.allow
-> Denials in /etc/hosts.deny
Configuration Files
Examples:
sshd: .example.com
sshd: ALL EXCEPT .cracker.org
sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
ALL EXCEPT sshd: ALL
ALL EXCEPT sshd: ALL EXCEPT .cracker.org
ALL EXCEPT sshd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org
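As an added example (not from the slides), the following shell model walks the three checking stages over constructed copies of hosts.allow and hosts.deny built from rules like the ones above, including a nested EXCEPT; WRAP_DIR and the helper names are this example's assumptions, and the real files live in /etc.

```sh
#!/bin/sh
# Added example: a small model of the three access-checking stages for a
# "tcp wrapped" service, run against constructed copies of the two files.
# WRAP_DIR is an assumption of this example; real files live in /etc.
WRAP_DIR=${WRAP_DIR:-$(mktemp -d)}
printf '%s\n' 'sshd: .example.com' \
    'vsftpd: ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org' \
    > "$WRAP_DIR/hosts.allow"
printf '%s\n' 'ALL: ALL' > "$WRAP_DIR/hosts.deny"

# One pattern against one name: ALL, a ".domain" suffix, or an exact match.
pat_match() {  # $1 pattern  $2 name
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# A list such as "ALL EXCEPT .cracker.org EXCEPT trusted.cracker.org" matches
# when the part before the first EXCEPT matches and the rest does not; nested
# EXCEPTs group to the right, so trusted.cracker.org ends up matched (allowed).
list_match() {  # $1 list  $2 name
    case "$1" in
        *" EXCEPT "*)
            set -- "${1%% EXCEPT *}" "${1#* EXCEPT }" "$2"
            list_match "$1" "$3" && ! list_match "$2" "$3" ;;
        *)
            for p in $1; do pat_match "$p" "$2" && return 0; done
            return 1 ;;
    esac
}

# Does any "daemon_list : client_list [: options]" line in file $1 match
# service $2 from client $3?  Comments and option fields are ignored.
file_match() {
    while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(echo ${line%%:*}); rest=${line#*:}; clients=$(echo ${rest%%:*})
        list_match "$daemons" "$2" && list_match "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# The three stages from the slide: hosts.allow wins, then hosts.deny, else allow.
wrap_check() {  # $1 service  $2 client  -> prints allow or deny
    if file_match "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_match "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow; fi
}
```

With the "ALL: ALL" deny file in place, anything not named in hosts.allow is refused, which is the usual way to turn the permissive third stage into a default deny.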
TCP Wrappers & Connection Banners
Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant. Banner for vsftpd: create a banner file. It can be anywhere on the system, but it must have the same name as the daemon. Here /etc/banners/vsftpd contains the following lines:
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address. For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:
vsftpd : ALL : banners /etc/banners/
TCP Wrappers & Enhanced Logging
If certain types of connections are of more concern than others, the log level can be elevated for that service using the severity option. Anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, place an emerg flag in the log files instead of the default flag, info, and deny the connection. To do this, place the following line in /etc/hosts.deny:
in.telnetd : ALL : severity emerg
This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.
Understanding and Managing xinetd daemon
What is the xinetd daemon?
The xinetd (Extended Internet Services Daemon) program can start a number of network server daemons simultaneously. The xinetd program listens for connection requests for all of the active servers with scripts in the /etc/xinetd.d directory. There is a generic configuration file for xinetd services, /etc/xinetd.conf. The scripts in the /etc/xinetd.d directory also function as service-specific configuration files.
Generic xinetd Configuration
Each file in the /etc/xinetd.d directory specifies a particular service you want to allow xinetd to manage. By default, scripts in this directory are disabled. xinetd provides its own set of access control functions:
-> host based
-> time based
Sample configuration
service telnet
{
    disable         = yes
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    only_from       = /24
    no_access       =
    access_times    = 08:00-16:00
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
Understanding and Managing NFS Server
What is NFS?
A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they were mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network. NFS is the standard for sharing directories among Linux and Unix computers. It was originally developed by Sun Microsystems in the mid-1980s. You can create shared NFS directories directly by editing the /etc/exports configuration file, or you can create them with Red Hat's NFS Configuration tool.
NFS: Benefits and Problems
Benefits:
-> DFS (distributed file system) that allows local access to remote files.
-> Uses the standard client/server architecture.
-> Using NFS, the server "exports" its data to other clients.
-> Provides a centralized storage solution.
-> Users get their data irrespective of physical location.
Problems:
-> Network congestion.
-> Heavy disk activity on the NFS server.
-> Its design assumes a trusted environment, not a hostile environment.
-> NFS is based on RPC (Remote Procedure Call), which is easy to exploit.
-> For security reasons, NFS cannot be used over the Internet.
NFS Services
portmap : maps calls made from other machines
nfs : translates NFS requests into requests on the local system
rpc.mountd : mounts and unmounts file systems
Server Configuration: Sharing Files
Exported files are defined in the main configuration file /etc/exports.
Examples:
vi /etc/exports
/data *.example.com(ro,sync) station1.cracker.org(rw,sync)
/data / (ro,sync)
Then, after exporting files:
service portmap start
service nfs start
chkconfig --level portmap on
chkconfig --level nfs on
Client Configuration: Mounting Shares
Mounting can be done using the following methods:
mount command [temporary]:
mount -t nfs :/data /mnt
/etc/fstab file [permanent]:
:/data /mnt nfs defaults
Mounting an NFS share on two directories on the same system: first mount it on /home/data
mount -t nfs x.x.x.x:/data /home/data
Now bind /home/data to /backup
mount --bind /home/data /backup
NFS Commands
showmount -e : shows the available shares
exportfs -v : displays a list of shared files and options on a server
exportfs -a : exports all shares listed in /etc/exports, or the given name
exportfs -u : unexports all shares listed in /etc/exports, or the given name
exportfs -r : refreshes the server's list after modifying /etc/exports
NFS & TCP Wrappers: two services are required for TCP Wrappers:
-> mountd
-> portmap
Understanding and Managing NIS Server
What is NIS?
-> Works on the concept of a DOMAIN.
-> Used to distribute information that needs to be shared throughout a Linux network.
-> Developed by Sun Microsystems and known as "Yellow Pages".
-> Mainly used to distribute user database and authentication information like:
/etc/passwd
/etc/group
What is NIS? NIS services require at least one NIS master server. This is where the centralized NIS database files, known as maps, are stored. NIS changes require an update to the map on the master server. You can have only one NIS master server per NIS domain. For larger networks, you may also want an NIS slave server. NIS slaves take copies of the NIS maps from the master server. NIS clients can then get their configuration files from either the master server or a slave server. You can have multiple NIS slave servers on a network. NIS clients are systems that use information from an NIS server. NIS clients don't store any information that is contained in the NIS databases; whenever that information is needed, it is retrieved from a server.
Configuring NIS Server
Packages needed:
-> portmap [installed by default]
-> ypserv [to be installed]
Main configuration files of the NIS server:
/etc/ypserv.conf
/etc/yp.conf
Step 1. Set the domain name:
nisdomainname RHCE
Cross-check in /etc/sysconfig/network:
vi /etc/sysconfig/network
NISDOMAIN=RHCE
nisdomainname
service portmap restart
service ypserv restart
Configuring NIS Server
Step 2. Make the NIS map (make something for NIS to serve):
/usr/lib/yp/ypinit -m
Step 3. Secure communication [optional]:
vi /var/yp/securenets
Step 4. Start the services:
rpcinfo -p localhost
service ypserv start
service portmap start
service yppasswdd start
Step 5. Check the status of YP:
rpcinfo -p
Configuring NIS Client
Step 1. Install the ypbind and portmap services.
Step 2. authconfig [CLI / GUI]
Step 3. /etc/yp.conf, just to confirm:
ypserver x.x.x.x
domain RHCE broadcast
domain RHCE server x.x.x.x
Step 4. Check /etc/sysconfig/network to confirm (the same NISDOMAIN key set on the server):
NISDOMAIN=RHCE
Step 5. /etc/host.conf, just to confirm:
order hosts,nis,bind
Configuring NIS Client
Step 6. /etc/nsswitch.conf, just to confirm:
passwd: files nis
shadow: files nis
group: files nis
hosts: files nis
Step 7. Check the NIS domain:
ypcat passwd
getent passwd
Automounting /home folders
Server SIDE Configuration
Step 1: Modify the /etc/exports file:
vi /etc/exports
/home *(rw,sync)
Step 2: Start the portmap and nfs services:
service portmap start
service nfs start
chkconfig --level portmap on
chkconfig --level nfs on
Automounting /home folders
Client SIDE Configuration
Step 1: Modify the /etc/auto.master file:
vi /etc/auto.master
/home /etc/auto.home --timeout=60
Step 2: Modify the /etc/auto.home file you specified:
vi /etc/auto.home
* -fstype=nfs :/home/&
Step 3: Start the autofs service:
umount /home
service autofs restart
chkconfig --level autofs on
Understanding and Managing PAM Authentication
What is PAM?
The Pluggable Authentication Modules (PAM) system is used to check for authorized users. PAM includes a group of dynamically loadable library modules that govern how individual applications verify their users. You can modify PAM configuration files to suit your needs. PAM provides a generic way for applications to implement support for authentication and authorization. A PAM-enabled application calls libpam functions to perform all authentication tests for it.
PAM Operation
PAM works with the help of modules and service files to maintain security.
PAM modules are stored in the directory /lib/security
PAM service files are stored in the directory /etc/pam.d
PAM Tests
PAM organizes tests into four management groups, which are checked independently by different libpam library functions.
auth : This management group is used by PAM functions which authenticate users.
account : This management group is used to verify that an account is valid at this time and passwords have not expired.
password : This management group is used to control password changes.
session : This management group is called by PAM at the start and at the end of a session.
PAM Control Values
PAM uses control values to determine how each test affects the group's overall result.
required : must pass; keep testing even if it fails
requisite : as required, except stop testing on failure
sufficient : if passing so far, return success now; if it fails, ignore the test and keep checking
optional : whether the test passes or fails is irrelevant
Using PAM to Limit NIS Users
Limiting NIS Users For Security reasons, some of the users managed by the NIS server should be allowed to use the NIS client, but some should not.
Limiting NIS Users
Step 1: On your NIS client, modify /etc/pam.d/system-auth:
vi /etc/pam.d/system-auth
account required pam_unix.so
account sufficient pam_succeed_if.so uid < quiet
account sufficient /lib/security/$ISA/pam_localuser.so
account required /lib/security/$ISA/pam_listfile.so item=user sense=allow file=/etc/nisusers onerr=fail
account required pam_permit.so
pam_localuser.so must be sufficient and pam_listfile.so required: a local account then passes immediately, while a NIS account (which pam_localuser.so cannot find in /etc/passwd) is allowed only if /etc/nisusers names it. With pam_localuser.so marked required instead, its failure for every NIS user would make the whole account stack fail regardless of the list.
Limiting NIS Users
You still have to create /etc/nisusers on your NIS client. Each line in that file should be a non-local user to whom we want to grant access.
Step 1: Create / modify the /etc/nisusers file:
vi /etc/nisusers
nisuser1
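As an added example (not from the slides), this shell model applies the four PAM control values to an account stack of the shape used above for limiting NIS users, with pam_localuser.so as sufficient and pam_listfile.so as required so that a listed NIS user gets through; LOCAL_USERS, NIS_USERS and UID_LIMIT are constructed stand-ins for /etc/passwd, /etc/nisusers and the pam_succeed_if threshold, which the slide does not show.

```sh
#!/bin/sh
# Added example: a pure-shell model of how libpam walks one management group
# with the four control values, applied to an "account" stack shaped like the
# NIS-limiting one above.  LOCAL_USERS, NIS_USERS and UID_LIMIT are constructed
# stand-ins for /etc/passwd, /etc/nisusers and the pam_succeed_if threshold.
LOCAL_USERS="root alice"   # constructed: accounts present in the client's /etc/passwd
NIS_USERS="nisuser1"       # constructed: contents of /etc/nisusers
UID_LIMIT=500              # assumed value for "uid < N"; the slide does not show N

# Read "control module result" lines (result = the simulated module outcome,
# ok or fail) and print the verdict the stack would return to the application.
pam_eval() {
    failed=0
    while read -r control module result; do
        case "$control:$result" in
            required:fail)   failed=1 ;;                         # note it, keep testing
            requisite:fail)  echo "deny ($module)"; return 1 ;;  # stop immediately
            sufficient:ok)   [ "$failed" -eq 0 ] && { echo "allow ($module)"; return 0; } ;;
            *) ;;   # required/requisite ok, sufficient fail, optional: no effect
        esac
    done
    [ "$failed" -eq 0 ] && { echo "allow (end of stack)"; return 0; }
    echo "deny (required module failed)"; return 1
}

in_list() { for u in $2; do [ "$u" = "$1" ] && return 0; done; return 1; }
ok_or_fail() { if "$@"; then echo ok; else echo fail; fi; }

# Simulated outcomes for each module of the stack, for user $1 with uid $2.
# pam_localuser is sufficient and pam_listfile required: a local account passes
# at once, a NIS account passes only if /etc/nisusers names it.
account_stack() {
    echo "required pam_unix.so ok"
    echo "sufficient pam_succeed_if.so $(ok_or_fail [ "$2" -lt "$UID_LIMIT" ])"
    echo "sufficient pam_localuser.so $(ok_or_fail in_list "$1" "$LOCAL_USERS")"
    echo "required pam_listfile.so $(ok_or_fail in_list "$1" "$NIS_USERS")"
    echo "required pam_permit.so ok"
}

# Verdict for one user: prints allow/deny plus the module that decided it.
check_account() { account_stack "$1" "$2" | pam_eval; }
```

Swapping the two control values back (pam_localuser required, pam_listfile sufficient) makes every NIS user come out as "deny (required module failed)", which is why the order matters.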
Questions?
Thank You !!!