Download ppt

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
Document related concepts

Piggybacking (Internet access) wikipedia , lookup

Extensible Authentication Protocol wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Lag wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Wireless security wikipedia , lookup

Deep packet inspection wikipedia , lookup

Computer security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
Linux Security
1
Linux is not secure
• No computer system can ever be "completely
secure".
– make it increasingly difficult for someone to
compromise your system.
• The more secure your system, the more
miserable you and your users will tend to be
• Security = 1/(1.072 * Convenience)
2
Linux Security
• What level of threat the system needs to be protected against?
– Analyze the system
• Packet Filtering
• Turn off unnecessary services
– Be aware of what is happening on your system
– Keep track the vulnerabilities - Software patches
• Backups
– Recover effectively from a security incident
• User accounts
– Minimal amount of privilege they need
– Remove inactive accounts
– The use of the same user-ID on all computers and networks is desirable
for the purpose of account maintenance
– User account provides accountability
3
Linux Security
• Root Security
– Only become root to do single specific tasks
– Never use the rlogin/rsh/rexec suite of tools (called
the r- utilities) as root
– Always be slow and deliberate running as root.
Your actions could affect a lot of things. Think
before you type!
4
Password security and encryption
• Use shadow password
• Password checking and selection
• Pluggable Authentication Modules – PAM
– man pam.d
5
Linux-PAM
• Linux Pluggable Authentication Modules
– Login, ftp, su, sudo, etc.
• Modules: /lib/security
• Configurations file: /etc/pam.d
– Determine the method to authenticate
– Contain a list (i.e., stack) of calls to the modules
• Pluggable: it is easy to add/remove modules
from an authentication stack
6
PAM example
• auth requisite pam_securetty.so
– To make sure the root user logs in from an allowed
terminal
• session required pam_limits.so
– Set up user limits according to
/etc/security/limits.conf
7
Restricting access
• Control access to your system
– /etc/hosts.deny
• man hosts.deny
– /etc/hosts.allow
• man hosts.allow
8
Miscellaneous Security Issues
• Remote event logging
• hosts.equiv and ~/.rhosts
– Rshd, rlogind should be disabled
• fingerd
• Security and NIS
– /etc/group, /etc/passwd, /etc/hosts…
• Security and NFS
• Security and sendmail
9
Security of NFS
• A client request will include the client user-id of the
process making the request
• The server must decide whether to believe the client's
user-ids.
• NFS provides a means to authenticate users and
machines
• Recommend the use of globally unique UID and the
root_squash
• Use /etc/hosts.deny and /etc/hosts.allow to grant
access
10
Security Tools
•
•
•
•
•
nmap
nessus
tripwire
crack
Other powerful tools
11
Security Preparation
•
•
•
•
Make a full backup of your machine
Keep track of your system accounting data
Apply all new system updates
Subscribe to mailing lists to get information
about potential problems
12
OpenSSH
• OpenSSH: http://www.openssh.com/
– Secure Network Communication
– A suite of secure tools that replaces telnet, rcp, ftp,
etc.
• SSH protocol version 2 (SSH2)
– Not compatible with SSH protocol version 1
• When OpenSSH starts
– Establish an encrypted connection
– Authenticate the user
– Client and server send information back and forth 13
SSH
• Use two key pairs
– Host key pair: a set of public/private keys that is
established when you install openssh-server
package
• /etc/ssh
– Session key pair: a set of public/private keys that
change hourly
• ./ssh
14
SSH
• First time when SSH client connects with SSH
server
– After verification, the client makes a copy of the
server’s public host key
• The client then generates a random key, which
is encrypted and sent to the server
15
Set up a Firewall under Ubuntu
• firestarter: a sophisticated, graphical tool for
building and maintaining a firewall
• ufw
– uncomplicated firewall
– Command-line intrface to iptables
• gufw (gufw.tuxfamily.org): a graphical interface to
ufw
• firestarter and gufw utilities are graphical front-ends
for iptables
• Iptables: Build and manipulate network packet
16
filtering rules in the Linux kernel
A Typical Firewall Setup
17
Ufw: the uncomplicated firewall
• sudo ufw allow ssh
• sudo ufw enable
– to turn on ufw
– By default, ufw starts with a default policy that
blocks all inbound traffic and allows outbound
traffic
• sudo ufw status verbose
• gufw
18
iptables
• Two components
– Netfilter
• Run in the kernel space
• A set of tables that hold rules that the kernel
uses to control network packet filtering
– Iptables
• Run in the user space
• Set up, maintain, and display the rules by
netfilter
19
iptables
• First rule: test whether a packet destination is port 23 and
drops the packet if it is
• Second rule: tests whether a packet is received from the IP
address 192.168.1.1 and alter the packet destination if it was
20
How iptables work
21
One iptables Example
22
Useful Websites
• http://www.cert.org
• http://www.sans.org/
– http://www.sans.org/rr
• http://www.securityfocus.com/
 http://www.phrack.org/
23
Related documents
powerpoint
powerpoint
Firewall Configuration
Firewall Configuration
E-business Website Development Lab
E-business Website Development Lab
REMOTE LOGIN PROTOCOLS
REMOTE LOGIN PROTOCOLS
Lab 1
Lab 1
Networks
Networks
Cisco Discovery 1 Module 08 Quiz Picture Descriptions
Cisco Discovery 1 Module 08 Quiz Picture Descriptions
Understanding and Installing Firewalls
Understanding and Installing Firewalls
Implementing iptables using a programmable
Implementing iptables using a programmable
Strengths and Potential of Swiss SSH Research with regard to
Strengths and Potential of Swiss SSH Research with regard to
ETC212 Linux Operating Systems and Mobile Devices 3 Credits
ETC212 Linux Operating Systems and Mobile Devices 3 Credits
I`ve found some time to write one more article for forum Exploit.in In
I`ve found some time to write one more article for forum Exploit.in In
Firewall configuration tools
Firewall configuration tools
Investigating Two Different Approaches for Encrypted Traffic
Investigating Two Different Approaches for Encrypted Traffic
Unix System Administration
Unix System Administration
Unix System Administration
Unix System Administration
iptables-1-updated
iptables-1-updated
Security Guide - A Guide to Securing Fedora Linux
Security Guide - A Guide to Securing Fedora Linux
Security Guide - A Guide to Securing Fedora Linux
Security Guide - A Guide to Securing Fedora Linux