
Linux Security An overview notes from Linux Network Security HowTO.


1 Linux Security
An overview: notes from the Linux Network Security HowTO

2 Basic Approach
Focus on the OSI model.
Most initial probes are service-level attacks:
–enter through a port
–try to compromise the server
–use the compromised "server" to gain access to other information and accounts
One of the fundamental security policies is to limit the number of services offered.

3 Basic Linux Approaches
tcp wrappers
firewall software
–ipfwadm
–ipchains
application security
login security
–kerberos, etc.

4 tcp wrappers
Used in conjunction with inetd; services not managed by inetd are NOT protected by this approach.
Generally a simple approach: the hosts.allow and hosts.deny files control access.

5 How tcp wrappers works
client -> SERVER (tcp wrapper software, consulting hosts.allow and hosts.deny)
1. Client requests the service
2. tcpd checks hosts.allow and hosts.deny for authorization
3. tcpd launches the real server if OK
4. Client connects to the server

6 inetd.conf format
finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
The fields are as before, but inetd now invokes the tcp wrapper daemon (tcpd), which checks the rules and then launches the service (finger in this case) if the client is OKed.

7 hosts.allow and hosts.deny in /etc
Two files configure the tcpd rules.
Entry format: servicelist: hostlist [:shellcmd]
Service list examples: ftpd; ALL; ALL EXCEPT ftpd
Host list examples: 137.155.2.1; defender.pcs.cnu.edu; .pcs.cnu.edu (domain suffix); LOCAL (no "." in the name); ALL; ALL EXCEPT LOCAL, ...
The optional shell command can be used for traps.

8 hosts.allow and hosts.deny
Which comes first? hosts.allow takes precedence:
–if this file grants access, the client gets access in spite of the info in hosts.deny
–otherwise hosts.deny will stop the connection if a match exists there
–if neither file matches, service is granted
Example: in.tftpd, in.fingerd: ALL EXCEPT LOCAL, .your.domain (in hosts.deny, with nothing in hosts.allow): only local hosts and xxx.your.domain can tftp or finger.
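As an added example (not from the slides or from the tcp wrappers sources), the following Python models the hosts.allow / hosts.deny decision described on slides 7 and 8, run over constructed rule files that reuse the slides' example entries; it is a simplification of libwrap's matching, covering only the ALL, LOCAL, EXCEPT, exact host/IP, leading-dot domain suffix and trailing-dot network prefix patterns.

```python
# Simplified model of tcpd's access decision (added example, not libwrap code).

def _host_matches(pattern, host, ip):
    p = pattern.strip()
    if p == "ALL":
        return True
    if p == "LOCAL":                 # any hostname without a dot in it
        return "." not in host
    if p.startswith("."):            # domain suffix, e.g. .pcs.cnu.edu
        return host.endswith(p)
    if p.endswith("."):              # network prefix, e.g. 137.155.
        return ip.startswith(p)
    return p in (host, ip)           # exact hostname or address

def _list_matches(spec, matches):
    """'a, b EXCEPT c' matches when some item of a,b matches and none of c does."""
    head, _, tail = spec.partition("EXCEPT")
    def any_of(part):
        return any(matches(tok) for tok in part.replace(",", " ").split())
    return any_of(head) and not (tail and any_of(tail))

def _file_matches(text, service, host, ip):
    """True if any rule line in the file matches this service and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")                  # servicelist : hostlist [: shellcmd]
        if len(fields) < 2:
            continue
        if _list_matches(fields[0], lambda tok: tok in (service, "ALL")) and \
           _list_matches(fields[1], lambda tok: _host_matches(tok, host, ip)):
            return True
    return False

def access_granted(allow_text, deny_text, service, host, ip):
    """hosts.allow is consulted first and a match there wins; then hosts.deny;
    if neither file matches, the service is granted."""
    if _file_matches(allow_text, service, host, ip):
        return True
    if _file_matches(deny_text, service, host, ip):
        return False
    return True

# Constructed sample files built from the slides' example entries.
HOSTS_ALLOW = "in.fingerd: .pcs.cnu.edu\n"
HOSTS_DENY = "in.tftpd, in.fingerd: ALL EXCEPT LOCAL, .your.domain\nftpd: ALL\n"

if __name__ == "__main__":
    for svc, host, ip in [("in.fingerd", "defender.pcs.cnu.edu", "137.155.2.1"),
                          ("in.fingerd", "evil.example.net", "198.51.100.7"),
                          ("ftpd", "mail.your.domain", "10.0.0.5")]:
        print(svc, host, "->", "allow" if access_granted(HOSTS_ALLOW, HOSTS_DENY, svc, host, ip) else "deny")
```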

9 Remember!
ONLY WORKS for INETD-launched services! Check for others with netstat!

10 Proactive measures
Many services do a reverse DNS verification to authenticate machines.
ident is a service which will track which users are using specific services.
Examine your own machines for vulnerabilities:
–use SATAN and similar network scanners
–find ports providing services and review them

11 Proactive measures
Replace insecure services with secure versions: qmail for sendmail.
Keep up-to-date versions of your software to handle problems like:
–SYN flooding: fixed in kernel updates
–Pentium F00F reboot (triggered from a cgi etc.): reboots the machine, but fixed in a kernel update
–ping floods: stop at the firewall
–ping o' death: a response too large for the kernel makes the machine hang or crash; fixed in an update

12 Proactive measures
NFS
–file system running over RPC / TCP/IP
–allows you to mount file systems
–an unknown machine can mount a file system, and the root user on that machine can have root access
–map the external root user to a nobody user
–be conservative with the permissions you offer
NIS ... use NIS+

13 Other Concepts
VPNs
ipfwadm (ip firewall administration)
–older version of the software
–not typically used
ipchains
–similar to ipfwadm
–allows for much more complex rules
more on ipfwadm and ipchains

14 Application Security
Applications (servers) are also independently configurable:
–wuftpd
–apache
Application-level security only comes into play when
–the firewall has been passed AND
–tcp wrappers allows the connection
Covered with specific services

15 Password Security and Encryption
Shadow passwords
Kerberos and PGP
SSL and S-HTTP
ssh
IPSEC: secure tunnels / VPN
PAM (pluggable authentication modules): separates the authentication process from applications, like ODBC and databases
CIPE: encrypts at the network level
CFS: cryptographic file system
