Linux Security Anthony Albrecht – Services & Accounts


Presentation on theme: "Linux Security Anthony Albrecht – Services & Accounts"— Presentation transcript:

1 Linux Security
Anthony Albrecht – Services & Accounts
Praveen Bochetty – Filesystem security & Logging
Seth Guenther – PAM & Kernel Tuning

2 Linux Run Levels
When Linux starts, it calls a program named init, which runs all subsequent startup tasks. The very first services it executes are those located in the /etc/rc.d directory tree. Files in /etc/rc.d are links to the actual executable files located in /etc/init.d.
Run levels are the levels of functionality in which the operating system is running. The levels range from level 1 to 6, and each level has a different degree of functionality. The run levels are specified within the /etc/inittab file.

3 Linux Run Levels
- Run level 0 is halt.
- Run level 1 is single user mode, like safe mode.
- Run level 2 is multiuser mode, but without NFS.
- Run level 3 is full multiuser mode, the standard run level.
- Run level 4 is typically unused.
- Run level 5 is X11, the X Window system.
- Run level 6 is reboot.

4 Disabling services
Within each /etc/rc.d/rc*.d directory, file names start with S or K:
- S means start the service
- K means kill (stop) the service
The chkconfig command can be used to disable services. Ex: chkconfig inetd off
Alternatively, use serviceconf for graphical administration.

5 Root Account
The root account is the most privileged account on a Unix system. It has no security restrictions, so it is easy, with a mistyped command, to wipe out crucial system files. Never log in on your server as root unless you absolutely have to.

6 Root Account
- Set a login time out for the root account.
- Make the bash shell automatically log out after it has not been used for a period of time.
- Set the special Linux variable TMOUT to the number of seconds of no input before logout.

7 Root Account
Edit your profile file /etc/profile and add the following line somewhere after the line that reads HISTFILESIZE= in this file: TMOUT=7200
Automatic logout after two hours of inactivity will then apply to all users on the system. To control which users are automatically logged out and which are not, set this variable in their individual .bashrc files instead. You must log out and log in again as root for the change to take effect.

8 NFS - Network File System
NFS allows machines to mount a disk partition on a remote machine as if it were on a local hard drive. It allows for fast, seamless sharing of files across a network.

9 The “/etc/exports” file
If you export file systems using the NFS service, be sure to configure this file with the most restrictive access possible.

10 The “/etc/exports” file
Edit the exports file (vi /etc/exports) and add, as an example:
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
Where “/dir/to/export” is the directory you want to export, host#.mydomain.com is the machine allowed to mount this directory, the <ro> option means mounting read-only, and the <root_squash> option means not allowing root write access. For this change to take effect you will need to run the following command on your terminal: /usr/sbin/exportfs -a
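As an added example (not part of the slides), a small shell audit of the exports syntax shown above: it reads exports-style lines and flags entries that are writable, that keep remote root privileges (no_root_squash), or that name no specific client and so are exported to every host. The sample file is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample /etc/exports for demonstration only; the first two lines
# are the slide's hardened form, the rest are deliberately weak entries.
EXPORTS_SAMPLE='# directory        client(options)
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/home *(rw,no_root_squash)
/pub (ro)
/data host3.mydomain.com(rw)'

# audit_exports: read exports(5)-style lines on stdin and print one finding
# per weakness. A client field of "*", or an options group with no client in
# front of it (the "/pub (ro)" mistake), exports the directory to every host.
audit_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
      dir = $1
      for (i = 2; i <= NF; i++) {
        client = $i; opts = ""
        if (match(client, /\(.*\)/)) {     # split "host(opts)" into parts
          opts = substr(client, RSTART + 1, RLENGTH - 2)
          client = substr(client, 1, RSTART - 1)
        }
        who = (client == "" ? "everyone" : client)
        if (client == "" || client == "*")
          print dir ": exported to every host (" $i ")"
        if (opts ~ /(^|,)rw(,|$)/)
          print dir ": writable (rw) for " who
        if (opts ~ /(^|,)no_root_squash(,|$)/)
          print dir ": remote root keeps root privileges for " who
      }
    }'
}

# count_findings: number of audit lines for the exports text given as $1.
count_findings() {
  printf '%s\n' "$1" | audit_exports | grep -c .
}

printf '%s\n' "$EXPORTS_SAMPLE" | audit_exports
echo "findings: $(count_findings "$EXPORTS_SAMPLE")"   # 5 for the sample
```

Run it against the live file with `audit_exports < /etc/exports`; the two hardened lines from the slide produce no findings.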

11 inetd/xinetd introduction
inetd is a program that manages all the incoming connections; it is configured through inetd.conf. Xinetd took the inetd design and modularized it, meaning that each service can be in its own configuration file. Xinetd also added features like TCP wrappers, making configuration easier. The modular configuration means that you can distribute a service to several machines by copying its file to the xinetd.d directory, and you can remove it similarly.

12 The inetd - /etc/inetd.conf file
Also called the "super server", inetd will load a network program based upon a request from the network. The “inetd.conf” file tells inetd which ports to listen to and what server to start for each port. Look at the “/etc/inetd.conf” file to see what services are being offered by your inetd program. Disable what you do not need by commenting the lines out (adding a # at the beginning of the line), and then send your inetd process a SIGHUP signal so it rereads the file:
killall -HUP inetd

13 Disabling Steps
Change the permissions on this file to 600:
/]# chmod 600 /etc/inetd.conf
Ensure that the owner is root:
/]# chown root /etc/inetd.conf
Edit the inetd.conf file (vi /etc/inetd.conf) and disable services like: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, etc.
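The disabling steps on slides 12 and 13 as one shell procedure, added here as an example that is not part of the slides: it comments out the listed services in an inetd.conf, locks the file down to mode 600 owned by root, and reports what is still enabled. The sample inetd.conf is constructed, and the demonstration works on a temporary copy rather than the live /etc/inetd.conf.

```shell
#!/bin/sh
# Constructed sample of /etc/inetd.conf (not copied from a real host).
INETD_SAMPLE='# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i'

# disable_inetd_services: copy file $1 to stdout, commenting out every line
# whose service name (first field) appears in the space-separated list $2.
disable_inetd_services() {
  awk -v list="$2" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
    /^[[:space:]]*(#|$)/ { print; next }   # keep comments and blank lines
    ($1 in off)           { print "#" $0; next }
    { print }' "$1"
}

# list_active_services: print the service names still enabled in file $1.
list_active_services() {
  awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# harden_inetd_conf: the slide's steps applied to file $1: keep a backup,
# comment out the services listed in $2, then set mode 600 and owner root.
# chown only succeeds as root; its failure is tolerated when run as a user.
harden_inetd_conf() {
  cp "$1" "$1.bak"
  disable_inetd_services "$1" "$2" > "$1.tmp" && mv "$1.tmp" "$1"
  chmod 600 "$1"
  chown root "$1" 2>/dev/null || true
}

# Demonstration on a temporary copy rather than the live /etc/inetd.conf.
tmp=$(mktemp)
printf '%s\n' "$INETD_SAMPLE" > "$tmp"
harden_inetd_conf "$tmp" "ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"
echo "still enabled:"; list_active_services "$tmp"   # prints: ssh
rm -f "$tmp" "$tmp.bak"
# On the real file, finish with: killall -HUP inetd   (so inetd rereads it)
```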

14 The “/etc/host.conf” file
Linux uses a resolver library to obtain the IP address corresponding to a host name. This file specifies how names are resolved. The entries in the file tell the resolver library what services to use, and in what order, to resolve names.

15 The “/etc/host.conf” file
Edit the host.conf file (vi /etc/host.conf) and add the following lines:
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on

16 The “/etc/host.conf” file
The order option indicates the order of services. The multi option determines whether a host in the “/etc/hosts” file can have multiple IP addresses. The nospoof option tells the resolver not to permit spoofing on this machine. IP spoofing is a security exploit that works by tricking computers in a trust relationship into believing that you are someone you really aren't.

17 The “/etc/securetty” file
This file allows you to specify which TTY devices the “root” user is allowed to log in on. It is read by the login program (usually “/bin/login”). Its format is a list of the tty device names allowed. Disable any tty that you do not need by commenting it out (# at the beginning of the line).

18 The “/etc/securetty” file
With only tty1 left uncommented, root is only allowed to log in on tty1. Allow “root” to log in on only one tty device, and use the “su” command to switch to “root” if you need to work as “root” from other devices.

19 Special Accounts
It is important to DISABLE ALL default vendor accounts that you don't use on your system.
To delete a user on your system, use the command: /# userdel username
To delete a group on your system, use the command: /# groupdel groupname

20 TCP_WRAPPERS
By default Red Hat Linux allows all service requests.
Deny all hosts by putting ALL: PARANOID in the /etc/hosts.deny file, then explicitly list the trusted hosts that are allowed to reach your machine in the /etc/hosts.allow file.
TCP_WRAPPERS is controlled from these two files, and the search stops at the first match.

21 TCP_WRAPPERS
Access will be granted when a (daemon, client) pair matches an entry in the /etc/hosts.allow file. Otherwise, access will be denied when a (daemon, client) pair matches an entry in the /etc/hosts.deny file. Otherwise, access will be granted.
With the parameter PARANOID: if you intend to run telnet or ftp services on your server, you must add the client machine's name and IP address to the /etc/hosts file on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get a login: prompt.
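The three-step decision from slides 20 and 21, added here as a worked shell example that is not part of the slides: it evaluates a (daemon, client) pair against constructed hosts.allow and hosts.deny files, stopping at the first match. The deny file uses ALL: ALL as the catch-all because the slide's ALL: PARANOID depends on a forward/reverse DNS comparison that this offline model does not perform.

```shell
#!/bin/sh
# Constructed sample access files (not taken from a real host).
HOSTS_ALLOW_SAMPLE='# daemon_list : client_list
sshd: .mydomain.com 192.168.1.
in.ftpd: 192.168.1.10'
HOSTS_DENY_SAMPLE='# everything not matched in hosts.allow is refused
ALL: ALL'

# wrapper_match: exit 0 if access file $1 has a rule matching daemon $2 and
# client $3. Tokens understood: ALL, an exact name or address, a ".domain"
# suffix and a "net.prefix." prefix, as in hosts_access(5).
wrapper_match() {
  awk -v d="$2" -v c="$3" '
    function tokmatch(tok, val) {
      if (tok == "ALL" || tok == val) return 1
      if (tok ~ /^\./ && substr(val, length(val) - length(tok) + 1) == tok) return 1
      if (tok ~ /\.$/ && substr(val, 1, length(tok)) == tok) return 1
      return 0
    }
    function listmatch(list, val,   n, i, a) {
      n = split(list, a, /[ \t,]+/)
      for (i = 1; i <= n; i++) if (a[i] != "" && tokmatch(a[i], val)) return 1
      return 0
    }
    /^[[:space:]]*(#|$)/ { next }
    {
      split($0, f, ":")                    # daemon_list : client_list [: ...]
      if (listmatch(f[1], d) && listmatch(f[2], c)) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }' "$1"
}

# tcpd_decision: allow file $1, deny file $2, daemon $3, client $4.
tcpd_decision() {
  if   wrapper_match "$1" "$3" "$4"; then echo allow   # matched hosts.allow
  elif wrapper_match "$2" "$3" "$4"; then echo deny    # matched hosts.deny
  else echo allow                                      # no match anywhere
  fi
}

ALLOW_FILE=$(mktemp); DENY_FILE=$(mktemp)
printf '%s\n' "$HOSTS_ALLOW_SAMPLE" > "$ALLOW_FILE"
printf '%s\n' "$HOSTS_DENY_SAMPLE"  > "$DENY_FILE"
for pair in "sshd host1.mydomain.com" "sshd 192.168.1.7" "sshd 10.0.0.9" \
            "in.ftpd 192.168.1.10" "in.ftpd 192.168.1.11"; do
  set -- $pair
  echo "$1 from $2: $(tcpd_decision "$ALLOW_FILE" "$DENY_FILE" "$1" "$2")"
done
rm -f "$ALLOW_FILE" "$DENY_FILE"
```

With an empty hosts.deny the last step applies and every unmatched pair is allowed, which is why the deny-all line matters.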

22 TCP_WRAPPERS
The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find. After your configuration is done, run the program tcpdchk:
/# tcpdchk

23 Lilo & Grub
GNU GRUB is a Multiboot boot loader. It was derived from GRUB, the GRand Unified Bootloader, which was originally designed and implemented by Erich Stefan Boleyn. Briefly, a boot loader is the first software program that runs when a computer starts. It is responsible for loading and transferring control to the operating system kernel software, such as Linux. The kernel, in turn, initializes the rest of the operating system (e.g. GNU).

24 Lilo & Grub
LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot Linux kernel images from floppy disks or hard disks, or can even act as a boot manager for other operating systems. The most important configuration file of LILO is the lilo.conf file, which resides under the /etc directory.

25 Lilo & Grub
Three important options to improve the security of LILO:
Adding: timeout=00
Controls how long in seconds LILO waits for user input before booting the default selection.
Adding: restricted
This option asks for a password only if parameters are specified on the command line (e.g. linux single). The restricted option can only be used together with the password option.
Adding: password=<password>
This option asks the user for a password when trying to load the Linux system in single mode. Passwords are always case-sensitive. Also make sure the /etc/lilo.conf file is no longer world readable, or any user will be able to read the password.

