Published by Thomasine Fitzgerald. Modified over 6 years ago.
Slide 1: Securing services in a unix-based environment
Ports and Packets
Slide 2: Overview
Why Linux and not Windows?
Why is this important?
What are some things we can do to be more secure?
Firewalling
TCP Wrappers
Port Knocking
Mitigating weaknesses
Conclusion
Slide 3: Why Linux and not Windows?
Short answer: most internet/web services operate out of UNIX-based environments.
Client and server security call for different approaches.
Slide 4: Why is this important?
There is a lot of attack surface.
Various businesses and entities rely on web-accessible services.
There is a necessity for both accessibility and security: balance.
We don't personally code everything we run.
Slide 5: Good security policies
Know what you're securing.
Who needs access?
AV / AV filtering
Run light.
Slide 6: Firewall -- iptables
Built into almost every recent Linux kernel.
Fairly easy to manage.
Made up of "chains" with different types and rules.
Rules can be made for one IP, many IPs, based on connection state, port, TCP vs UDP, etc.
Slide 7: Firewall -- Set Default Behaviours
Default chain policies, and what a remote client then sees:
iptables --policy INPUT DROP  ->  Request timed out
iptables --policy OUTPUT ACCEPT  ->  Reply from *
iptables --policy FORWARD DROP, then iptables -A FORWARD -j REJECT  ->  Destination not reachable
Note: a built-in chain's policy can only be ACCEPT or DROP; iptables refuses REJECT as a --policy target. The "destination not reachable" behaviour comes from a final -j REJECT rule at the end of the chain.
Slide 8: iptables isn't perfect
Doesn't keep logs on its own.
Can falsely reject if not careful.
Can falsely accept if not careful.
Accountability.
Slide 9: Enter: The TCP Wrappers
So close to being a firewall...
Keeps logs.
Fairly easy to make rules.
Requires programs to be compiled against libwrap.
Broad rules.
Transparent to the user for the most part.
Slide 10: TCP wrapping isn't perfect either
Acts upon data post-entry: the connection has already reached the service before the wrapper decides.
VERY broad rules.
Slide 11: Port Knocking
The desired port is closed.
Packets are sent to a specific sequence of ports.
When the port-knocking software detects that the correct sequence is entered, the desired port opens for connections.
Pretty cool, huh? There are ports!
Slide 12: Sample knockd Configuration
[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

Note: the close command must delete exactly the rule the open command inserted, so it ends in -j ACCEPT. An iptables -D with -j DROP would match no existing rule, fail, and leave port 22 open for that IP.
Slide 13: Getting in and out of SSH
To open the SSH port (knock 7000, 8000, 9000 in order; replace <server> with the knockd host, the timeout value is illustrative):
for x in 7000 8000 9000; do nmap -Pn --host-timeout 1s --max-retries 0 -p $x <server>; done
To close the SSH port (reverse order):
for x in 9000 8000 7000; do nmap -Pn --host-timeout 1s --max-retries 0 -p $x <server>; done
Or you can use a utility called knock ;)
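As an added example (not part of these slides or of knockd itself), the following Python models how a daemon configured like the [openSSH]/[closeSSH] doors above decides whether a source IP has completed a sequence: knocks must be SYNs, arrive in exact order, and finish within seq_timeout, and a wrong port discards the attempt. The KnockMatcher class, the IPs and the timestamps are constructed; it returns the iptables command knockd would run (with %IP% filled in) instead of executing anything.

```python
from dataclasses import dataclass
# Constructed model of the slide's two knockd doors (same ports, commands, seq_timeout).
DOORS = {
    "openSSH": ([7000, 8000, 9000], "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"),
    "closeSSH": ([9000, 8000, 7000], "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"),
}
SEQ_TIMEOUT = 5.0  # seconds, as in the slide's seq_timeout = 5

@dataclass
class Attempt:
    index: int = 0         # knocks of the sequence matched so far
    first_ts: float = 0.0  # time of the first matching knock

class KnockMatcher:
    """Hypothetical reimplementation of knockd's matching rules, tracked per source IP."""
    def __init__(self):
        self.attempts = {}  # (src_ip, door) -> Attempt

    def packet(self, ts, src, dport, syn=True):
        """Feed one TCP packet; return the commands of any door it completes (usually none)."""
        if not syn:  # tcpflags = syn: only SYN packets count as knocks
            return []
        fired = []
        for door, (seq, cmd) in DOORS.items():
            key = (src, door)
            a = self.attempts.get(key, Attempt())
            if a.index and ts - a.first_ts > SEQ_TIMEOUT:
                a = Attempt()  # too slow: the whole sequence starts over
            if dport != seq[a.index]:
                self.attempts.pop(key, None)  # wrong port: attempt discarded
                continue
            if a.index == 0:
                a.first_ts = ts
            a.index += 1
            if a.index == len(seq):
                self.attempts.pop(key, None)
                fired.append(cmd.replace("%IP%", src))  # the command knockd would run
            else:
                self.attempts[key] = a
        return fired

def replay(events):
    """Run (ts, src_ip, dport, syn) tuples through a fresh matcher; return every fired command."""
    m = KnockMatcher()
    return [c for ev in events for c in m.packet(*ev)]

# Constructed traffic: a correct knock from 203.0.113.7 and one that takes too long from 203.0.113.9.
GOOD = [(0.0, "203.0.113.7", 7000, True), (1.0, "203.0.113.7", 8000, True), (2.0, "203.0.113.7", 9000, True)]
SLOW = [(0.0, "203.0.113.9", 7000, True), (1.0, "203.0.113.9", 8000, True), (7.0, "203.0.113.9", 9000, True)]
```

Running replay(GOOD) yields the single open command for 203.0.113.7, while replay(SLOW) yields nothing because the third knock arrives after the 5-second window.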
Slide 14: The problem with port knocking
Vulnerable to discovery by traffic analysis.
Not cryptographically sound.
Programmatically breaking in with port knocking alone is easy, just a little time consuming:
Any port can be described with 16 bits, or 2 bytes. That's 2 ASCII characters, or one Unicode character.
Since most people who use port knocking only use 3 ports, that means around 6 ASCII characters' worth of sequence need to be guessed, essentially.
Slide 15: DMZ Networking
Public-facing servers are kept separate from more sensitive servers.
Stricter firewalling and security on non-DMZ servers/services.
Often explained with the casino analogy.
Slide 16: So is there no way to be safe?
Conclusion:
Layer security.
Maintain high security standards.
Watch logs.
Use log management software, automation, ing, etc.
Fail2Ban
Be paranoid.
Slide 20: How can we be safe?
Paid services
Free/open-source software
Experience
Baseline procedures
Customer precautions
Slide 21: Updating
Pretty simple: stay up to date!
Subscribe to vulnerability sites and social media.
Patch problems ASAP.
Backups. Backups of backups. Offsite backups of the backups of the backups...