Presentation is loading. Please wait.

Presentation is loading. Please wait.

Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:

Published byDoreen Harrington Modified over 9 years ago

Similar presentations

Presentation on theme: "Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:"— Presentation transcript:

1 Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means: harder access more work

2 Verify what services are running netstat or lsof nmap for remote check Turn off unnecessary services Lock-down running services

3 ssh Several approaches to making this more secure restrict users  only 'users' who need access should have it protocol 2 only changing default port no root access with passwd  login as 'user' and then sudo no passwd access – use keys only Restrictions apply to scp, sftp, rsync etc

4 ftp No user account access passwords in the clear anonymous logins OK Do you allow uploads? consider isolating upload dir Could you use other protocols for downloads? http, sftp, scp

5 Other services These will be covered later Apache2 DNS

6 Firewalls - are they necessary on a server? Yes/No Problems (most attack vectors aimed at open services) False sense of security Useful to protect others from _you_ Useful (in some cases) in case of DDoS attacks Your provider is your real defense

7 iptables Basics Installing iptables tools in Ubuntu A very simple ruleset Flushing, saving rules Verifying that rules start at system boot

8 Logging Critical and often overlooked syslog syslog-ng rsyslogd - reliable and extended syslogd Can collect information from many different hosts e.g. servers, routers, switches in one location Must have accurate clocks across systems using NTP

9 Swatch The swatch utility can assist with logfile analysis, providing immediate notification if log entries matching a regular expression are spotted, or to review logfiles for unknown data There are other options!

10 User security Strong passwords e.g. qcE8SmQA R2(e{M8T Is shell access necessary? Are user accounts necessary (virtual mailboxes) Use quotas or isolate /home

11 Filesystem security Options for filesystems: nosuid - Do not set SUID/SGID access on this partition nodev - Do not allow character or special devices on this partition noexec - Do not allow execution of any binaries on this partition ro - Mount file system as readonly quota - Enable disk quota

12 Filesystem security Consider separate disk partitions for: /home - Set option nosuid, and nodev with diskquota option /usr - Set option nodev /tmp - Set option nodev, nosuid, noexec /var - Set option nodev, nosuid

Download ppt "Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:"

Similar presentations

Basic Unix system administration

Basic Unix system administration
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
BSD Security Fundamentals Sean Lewis Sean Lewis

BSD Security Fundamentals Sean Lewis Sean Lewis
2000 Copyrights, Danielle S. Lahmani UNIX Tools G22.2245-001, Fall 2000 Danielle S. Lahmani Lecture 12.

2000 Copyrights, Danielle S. Lahmani UNIX Tools G , Fall 2000 Danielle S. Lahmani Lecture 12.
Linux Security 資管研究生 劉順德. Outline General Security –Account –Local –Network –Patch Services Security –Sendmail –BIND/DNS –Apache –FTP Recent Linux security.

Linux Security 資管研究生 劉順德. Outline General Security –Account –Local –Network –Patch Services Security –Sendmail –BIND/DNS –Apache –FTP Recent Linux security.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Voyager Server Security and Monitoring Best practices and tools.

Voyager Server Security and Monitoring Best practices and tools.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.

AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Linux System Administration LINUX SYSTEM ADMINISTRATION.

Linux System Administration LINUX SYSTEM ADMINISTRATION.
Telnet/SSH: Connecting to Hosts Internet Technology1.

Telnet/SSH: Connecting to Hosts Internet Technology1.
CIS 193A – Lesson10 Protecting Your Network. CIS 193A – Lesson10 Focus Question What information contained in packets can be used as matching criteria.

CIS 193A – Lesson10 Protecting Your Network. CIS 193A – Lesson10 Focus Question What information contained in packets can be used as matching criteria.
Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.

Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
CLI modes Accessing the configuration Basic configuration (hostname and DNS) Authentication and authorization (AAA) Log collection Time Synchronization.

CLI modes Accessing the configuration Basic configuration (hostname and DNS) Authentication and authorization (AAA) Log collection Time Synchronization.
SSH. Review 1-minute exercise: Find the open ports on you own VM [Good] nmap 127.0.0.1 [Better] netstat -lpunt.

SSH. Review 1-minute exercise: Find the open ports on you own VM [Good] nmap [Better] netstat -lpunt.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.

Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.

Similar presentations

Ads by Google