Published by Jayson Lamb. Modified over 8 years ago.
1
Securing the Linux Operating System Erik P. Friebolin
2
Introduction Security is not something that is achieved as a final end goal; it is not a finished state. Rather, it’s a way of setting up, maintaining, and running an operating system, network, or environment. It’s a state of mind and a way of life. It depends on the day to day actions of the users and system administrators. It also depends on the security not being so intrusive that it encourages users and administrators to “work around it”.
3
Security Breaches
Exposure – A form of possible loss or harm in a computing system.
Vulnerability – A weakness that might be exploited to cause loss or harm.
Threats – Circumstances that have the potential to cause loss or harm.
4
Security Goals
Confidentiality – The assets of a computing system are accessible only by authorized parties.
Integrity – Assets can be modified only by authorized parties or only in authorized ways.
Availability – Assets are accessible to authorized parties.
5
Steps to Security
To decide how to secure your systems, you need to decide how you intend to use them.
Decide what services a system is intended to use.
Decide what services a system is intended to provide locally.
Decide what services a system is intended to provide globally.
Develop a security policy based on the needs of the systems to be secured.
6
Physical Security
– Rebooting the system from other media such as floppy disk, CD-ROM, external SCSI drives and so on
– Removing the case and removing the BIOS battery to get around any BIOS restrictions
– Using a default BIOS password to gain access to the BIOS
– Rebooting the system and passing boot arguments to LILO
– Installing physical monitoring devices such as KeyGhost
– Stealing the system’s disk(s)
– Unplugging the server or turning the power bar off (a very effective DoS); done several times, this can lead to file system corruption
7
Console Security
LILO Security – Prevent an attacker from using single user mode.
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
message=/boot/message
linear
default=linux
password=thisisapassword
restricted
8
Console Security (cont’)
image=/boot/vmlinuz-2.2.18
    label=linux
    read-only
    root=/dev/hda1
image=/boot/vmlinuz-2.2.17
    label=linux-old
    read-only
    root=/dev/hda1
Prevent changes to the lilo.conf file.
– chattr +i /etc/lilo.conf
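An added check, not part of the presentation: it parses a lilo.conf body and reports whether the single-user-mode protection above is actually in place (a global password= plus restricted, which makes LILO ask for the password only when boot arguments are passed), and flags a file readable by others, since the password= value is stored in plaintext. The sample configs and the 0o600/0o644 modes are constructed.

```python
"""Audit a lilo.conf for the console-hardening settings shown above.
Added example, not from the presentation."""

# Constructed sample configs: HARDENED mirrors the slide, WEAK omits the password.
HARDENED = """\
boot=/dev/hda
prompt
timeout=50
default=linux
password=thisisapassword
restricted
image=/boot/vmlinuz-2.2.18
    label=linux
    read-only
    root=/dev/hda1
"""
WEAK = HARDENED.replace("password=thisisapassword\nrestricted\n", "")

def parse_lilo(text):
    """Split lilo.conf into global options and per-image stanzas.
    Options with a value map to the string; bare flags map to True."""
    global_opts, images, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "image":                        # a new kernel stanza starts
            current = {"image": value}
            images.append(current)
            continue
        (current if current is not None else global_opts)[key] = value or True
    return global_opts, images

def audit_lilo(text, mode):
    """Return findings for a lilo.conf body and the file's permission bits
    (e.g. 0o600). An empty list means it passes the slide's checks."""
    g, _images = parse_lilo(text)
    findings = []
    if not isinstance(g.get("password"), str):    # missing or empty password=
        findings.append("no global password=: single-user boot is unprotected")
    else:
        if "restricted" not in g:   # password is then demanded on every boot
            findings.append("password without restricted: prompts on every boot")
        if mode & 0o077:            # the password is stored in plaintext
            findings.append("lilo.conf is readable by others")
    return findings
```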
9
Critical System Config Files
/etc directory - contains the majority of the system and application configuration files and many critical startup scripts
/etc/passwd - contains the mappings of username, user ID and the primary group ID that person belongs to
/etc/shadow - holds the username and (hashed) password pairs, as well as account information such as the expiry date and other special fields
10
Critical System Config Files
/etc/group - contains all the group membership information and optional items such as a group password
/etc/gshadow - similar to the password shadow file, this file contains the groups, passwords and members
/etc/shells - contains the list of valid login shells
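An added example, not part of the presentation, showing how the files above are cross-checked against each other: every passwd entry should be shadowed, every shadowed account should carry a hash (and a non-DES one, per the later Security Tools slide), no second account should have UID 0, and each login shell should appear in /etc/shells. The file contents are constructed, with the problems planted deliberately.

```python
"""Cross-check the account files listed above (/etc/passwd, /etc/shadow,
/etc/shells). Added example, not from the presentation; it runs on the
constructed file contents below so it works offline."""

# Constructed samples with planted problems: a second uid-0 account, a hash
# left in passwd, a DES-crypt hash, an empty shadow password, an odd shell.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
erik:x:1000:1000:Erik:/home/erik:/bin/bash
backup:x:0:0:nightly backup:/var/backups:/bin/sh
legacy:$1$saltsalt$0123456789abcdefghijkl:1001:1001::/home/legacy:/bin/bash
guest:x:1002:1002::/home/guest:/bin/ksh
"""
SHADOW = """\
root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
erik:abJnggxhB/yWI:15000:0:99999:7:::
backup:$1$qrstuvwx$STUVWXYZABCDEFGHIJKLMN:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""
SHELLS = "/bin/sh\n/bin/bash\n/usr/sbin/nologin\n"

def audit_accounts(passwd, shadow, shells):
    """Return one finding string per problem, in /etc/passwd order."""
    valid_shells = {s.strip() for s in shells.splitlines()
                    if s.strip() and not s.startswith("#")}
    # name -> password field of /etc/shadow
    shadow_pw = dict(l.split(":")[:2] for l in shadow.splitlines() if l.strip())
    findings = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"{name}: uid 0 account other than root")
        if pw != "x":
            findings.append(f"{name}: hash kept in world-readable /etc/passwd")
        elif name not in shadow_pw:
            findings.append(f"{name}: 'x' in passwd but no shadow entry")
        elif shadow_pw[name] == "":
            findings.append(f"{name}: empty shadow password, no password needed")
        elif not shadow_pw[name].startswith(("$", "*", "!")):
            findings.append(f"{name}: traditional DES crypt hash, not MD5 ($1$)")
        if shell not in valid_shells:
            findings.append(f"{name}: shell {shell} not listed in /etc/shells")
    return findings
```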
11
File System Encryption
TCFS – kernel level data encryption utility (http://www.tcfs.it)
BestCrypt – disk encryption program available for Windows and Linux (http://www.jetico.com)
PPDD – uses a partition which is encrypted and mounted using the PPDD driver (http://linux01.gwdg.de/~alatham/)
12
FTP Services
If you are running anonymous FTP, watch permissions closely.
Do not permit anonymous FTP both read and write access to any files or directories.
If you are not running anonymous FTP, make sure you are not.
13
WEB Services
Do not install any example CGI scripts or applications you do not need.
Do not allow common users to install arbitrary CGI scripts.
Do not allow unrestricted server-side includes.
Do not permit client access forms or chat systems to insert arbitrary HTML into web pages.
14
E-Mail Services
If you are not providing remote access to mailbox accounts, make sure that POP and IMAP are not enabled.
If you are providing POP or IMAP access to mailbox accounts, consider switching to SSL-enabled versions of both clients and servers.
Limit spam abuse by limiting mail relaying.
15
Operating Securely
Never operate routinely as root.
Do not use root, “super”, or “sudo” in place of proper group permissions and membership.
Do not use a browser or chat program as root.
Do not allow or use easily guessable passwords.
Avoid HTML-enabled e-mail clients capable of responding to active content.
16
Security Tools/Enhancements
Use Secure Shell (ssh) for remote access.
Enable long passwords, MD5 hashing of passwords, and shadow password files.
Periodically run a scanning tool (Internet Scanner or Nessus).
Install an Intrusion Detection System (Abacus or tcpdump).
Enable firewall code.
17
Bastille Linux
Attempts to “harden” or “tighten” the Linux operating system.
Currently supports Red Hat and Mandrake systems (other versions coming soon).
http://www.bastille-linux.org/