Transcript Slide 1
Windows Desktop Security
Assign a strong, hard-to-guess administrator password.
Never enable the "remember password" option.
If a machine is cracked or lost, change all passwords.
Use and regularly update anti-virus software (e.g. AVG).
Set up automatic updating on a regular basis.
Schedule virus scans automatically.
Use good spyware removal software:
Microsoft AntiSpyware or Spybot Search & Destroy.
Take a backup of the Registry (run regedit).
Control Panel > Add/Remove Programs: remove
My Search Bar, Date Manager,
weather tool, BonziBuddy etc.
Windows Desktop Security
Keep OS up to date
Visit http://windowsupdate.microsoft.com regularly
Start > Settings > Control Panel > Automatic Updates
Install & run 'Critical Update Notification' patch.
Automatically checks and notifies about patches.
Keep your applications updated:
Update web browsers and word processing applications.
Decide if the upgrade is appropriate for your hardware.
Backup your files:
Keep critical files on a machine that is backed up.
Back up the entire system on a regular basis.
Windows Desktop Security - Risk of File Sharing
Reduce sharing of files through floppies.
Don't open doubtful (.scr, .pif, .exe) attachments in e-mails.
Accessing a file over Network Neighborhood is also a risk.
Keep physical control of the machine and limit access to your system.
Disable the File and Print Sharing option:
Control Panel > Network > LAN > Properties > File & Print Sharing
Don't ever share the entire C: drive.
Share only the folder having files to be shared.
Establish a good password for shared access.
Enable sharing on IPX/SPX protocol instead of TCP/IP.
Network > Properties > File & Print Sharing > Install > Protocol > IPX
Network > Properties > Advanced > Advanced Settings > Adapters
& Bindings > File & Print Sharing > IPX/SPX
http://www.tifr.res.in/~cc/ipx.htm
Windows Desktop Security
DO NOT say yes to all questions while browsing.
Use a personal firewall:
Norton Internet Security,
ZoneAlarm or
Sygate Personal Firewall etc.
Check which ports your PC is listening on.
Usually 10-15 TCP/UDP ports will be listening.
Unusual: a series of high-numbered ports opening to some
particular IP is a sign of a virus or spyware.
Remove any application not installed by you.
Download and run Microsoft's Baseline Security Analyzer (MBSA).
Ref: Google "Securing windows"
C:\>netstat -an |more

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1035           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1730           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1731           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:10110        0.0.0.0:0              LISTENING
  UDP    0.0.0.0:7              *:*
  UDP    0.0.0.0:9              *:*
  UDP    0.0.0.0:13             *:*
  UDP    0.0.0.0:17             *:*
  UDP    0.0.0.0:19             *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1028           *:*
  UDP    0.0.0.0:1029           *:*
  UDP    0.0.0.0:1058           *:*
  UDP    0.0.0.0:1289           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:2282         *:*
  UDP    158.144.49.8:123       *:*
  UDP    158.144.49.8:1900      *:*
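The "many high-numbered ports to one particular IP" check above, as an added shell/awk example that is not from the slides: it scans saved netstat -an text and reports foreign IPs reached from several distinct local ports above 1024. The listing is constructed (two LISTENING rows like the ones above plus invented connections); 192.0.2.10, 203.0.113.5 and 198.51.100.7 are documentation addresses, not real hosts.

```shell
# Constructed netstat -an sample: LISTENING rows plus invented connections.
NETSTAT_SAMPLE='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1026        203.0.113.5:6667       ESTABLISHED
  TCP    192.0.2.10:1027        203.0.113.5:6667       ESTABLISHED
  TCP    192.0.2.10:1028        203.0.113.5:6667       ESTABLISHED
  TCP    192.0.2.10:1029        203.0.113.5:6667       SYN_SENT
  TCP    192.0.2.10:1031        203.0.113.5:6667       SYN_SENT
  TCP    192.0.2.10:1040        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*'

# suspicious_peers THRESHOLD: read netstat output on stdin and print
# "<foreign ip> <count>" for every foreign IP reached from at least
# THRESHOLD distinct local ports above 1024. LISTENING rows (foreign
# address 0.0.0.0:0) and UDP rows are ignored.
suspicious_peers() {
    awk -v thr="${1:-3}" '
        $1 == "TCP" && $3 != "0.0.0.0:0" {
            n = split($2, loc, ":"); lport = loc[n] + 0
            split($3, rem, ":");    rip = rem[1]
            if (lport > 1024 && !seen[rip, lport]++) cnt[rip]++
        }
        END { for (ip in cnt) if (cnt[ip] >= thr) print ip, cnt[ip] }'
}

# check_sample: run the detector over the constructed listing.
check_sample() { printf '%s\n' "$NETSTAT_SAMPLE" | suspicious_peers 3; }

check_sample    # prints "203.0.113.5 5"
```

On a real machine, save the output of netstat -an to a file and feed it to suspicious_peers; the threshold is a tuning knob, since a browser alone can legitimately open a few connections to one server.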
Overview
Advantage Linux
Threats to Linux machines.
Securing Linux better.
Advantage Linux
User vs. administrator
Only root can install software or change system settings.
More difficult for viruses to spread.
Commands, utilities, even the desktop run separately from the kernel.
Security updates are easier and quicker to deploy.
Threats to Linux machines
Reasons for break-in:
Weak passwords
Improper permissions
Careless security
Unwanted vulnerable services
Brute-force password attacks
Buffer overflows in network services, e.g. an out-of-bounds write:
int main() { int buffer[10]; buffer[20] = 10; }
Aim: overwrite some control information to change the flow of control in the program.
Securing Linux
1. Secure the console
2. Set good passwords
3. Set right permissions
4. Secure the network connection
5. Restrict access
6. Iptables
7. Firewalls, ports & services
8. Handling / restricting services
9. Adding security to the desktop
10. Keep the system up to date
Securing the console
Physical Security
Password protect the screensaver.
Set a password on the boot loader (LILO / GRUB).
Use xlock or xautolock while away.
Do NOT normally log in as root on your own machine.
Set a BIOS password.
Keep the machine in a safe location.
Set the boot order to HDD first (not CD, then HDD).
Restrict remote access.
Set up an idle timeout, to logout idle users.
Passwords
Use strong, unique passwords (especially for root)
Must have a minimum length of 8 characters.
Must be alphanumeric and not based on dictionary words.
Password must be changed every 30 days.
Account will be locked out after 3 consecutive unsuccessful login attempts.
Don't write down passwords or user-id & password.
Passwords must contain multiple character classes (lower / upper case, numbers, punctuation etc.)
Root password should be very hard to crack.
Permissions
Correct permissions & ownerships on all directories & files.
Never make files world-writable / world-readable.
Search for world-writable files under the current directory:
find . -perm -2 -print
Improper file permissions in /dev allow reading/writing directly to hardware like hard disks and network interfaces.
/dev files should only be writable by root & readable only by their group.
Exception: /dev/tty, /dev/pty, /dev/null, /dev/zero.
find /dev -perm -2 -print
chmod -R 700 /etc/rc.d/init.d/*
Lock the /etc/services file so that no one can modify it.
Securing the Network
Remove all unwanted users and groups.
Enable nospoof option in /etc/host.conf.
Don't create /etc/hosts.equiv or a .rhosts file
Don't run rlogind or rshd (passwords travel in plain text).
Run sshd to allow remote access via SSH.
Use TCP Wrappers (tcpd).
Use /etc/hosts.deny & /etc/hosts.allow.
hosts.allow is consulted first and overrides hosts.deny.
Disable unwanted services through xinetd.conf as well.
Ref: man hosts_access
http://linux.about.com/od/commands/l/blcmdl5_hostsal.htm
http://www.userlocal.com/security/securinginetdetc.php
More on /etc/hosts.[allow|deny]
/etc/hosts.deny (only localhost is allowed access; everything else is denied):
ALL: ALL
/etc/hosts.allow
sshd: ALL @.tifr.res.in
ALL: .tifr.res.in EXCEPT xyz.tifr.res.in
Allow localhost:
ALL : 127.0.0.1
Allow another machine to connect to any service:
ALL : 192.168.1.2
Allow ssh from everywhere except 192.168.1.3 and 192.168.1.4:
sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4
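The tcpd lookup order behind these entries (hosts.allow first, then hosts.deny, otherwise allow), as an added shell example that is not from the slides. It emulates hosts_access(5) matching over file contents constructed from the entries above, matching the client as the single string given, so a ".tifr.res.in" rule only fires when the client is passed as such a hostname (real tcpd does the name lookup itself).

```shell
HOSTS_ALLOW='sshd: ALL EXCEPT 192.168.1.3, 192.168.1.4
ALL: .tifr.res.in EXCEPT xyz.tifr.res.in
ALL: 127.0.0.1'          # constructed from the slide's entries
HOSTS_DENY='ALL: ALL'    # the slide's "deny everything else"

# match_list LIST ITEM: hosts_access(5) patterns ALL, exact, ".domain"
# suffix, "net." prefix, and "list_1 EXCEPT list_2".
match_list() {
    case "$1" in
        *" EXCEPT "*)
            if match_list "${1%% EXCEPT *}" "$2" && ! match_list "${1#* EXCEPT }" "$2"; then
                return 0
            fi
            return 1 ;;
    esac
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL) return 0 ;;
            .*)  case "$2" in *"$pat") return 0 ;; esac ;;
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;
            *)   if [ "$pat" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# matches_file CONTENTS DAEMON CLIENT: true if any "daemon_list : client_list"
# line matches both; blank lines and comments are skipped.
matches_file() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            if match_list "${line%%:*}" "$2" && match_list "${line#*:}" "$3"; then
                exit 0
            fi
        done
        exit 1
    }
}

# hosts_access DAEMON CLIENT: tcpd order, hosts.allow first, then
# hosts.deny; a pair matching neither file is allowed.
hosts_access() {
    if matches_file "$HOSTS_ALLOW" "$1" "$2"; then echo ALLOW
    elif matches_file "$HOSTS_DENY" "$1" "$2"; then echo DENY
    else echo ALLOW; fi
}

hosts_access sshd 192.168.1.3    # DENY: excluded above, then caught by ALL: ALL
```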
Firewalls
Hardware firewall - A device between Internet & LAN.
Software firewall: Software on a desktop/server that
rejects certain types of network traffic.
Consider implementing a firewall (man iptables).
Restrict network traffic to a machine or network segment.
Improves security and network performance.
Why do I need a software firewall?
Protects the machine even if the hardware firewall is compromised.
Protects the machine against compromised machines on the network.
When can't one use a firewall?
Some services (like Samba) may use unspecified ports.
Some applications want to use arbitrary ports.
Iptables
System Settings > Security Level
System Settings > Server Settings > Services
Activate iptables in runlevels 3 & 5
Chains: INPUT, OUTPUT, FORWARD.
Targets (effects): ACCEPT, DENY, DROP
List all iptables rules:
# iptables -L
Drop all packets from a source IP:
# iptables -A INPUT -s <SIP> -j DROP
Delete a rule by number from a chain:
# iptables -D <Chain name> <Rule no>
Iptables (Contd…)
Drop all incoming telnet packets:
# iptables -A INPUT -j DROP -p tcp --destination-port telnet
Block any incoming TCP packets on the 2nd Ethernet card (eth1):
# iptables -A INPUT -j DROP -p tcp -i eth1
Drop incoming SYN packets, i.e. any connection not initiated by our PC:
# iptables -A INPUT -p tcp --syn -j DROP
Block by MAC address (needs the mac match module):
# iptables -A INPUT -m mac --mac-source 00:0B:DB:45:56:42 -j DROP
Ref:
http://www.cae.wisc.edu/site/public/?title=liniptables
http://www.redhat.com/docs/manuals/enterprise/RHEL4Manual/refguide/chiptables.html
Ports
What are ports?
A network connection is analogous to a multi-lane highway.
Each type of traffic needs to be in its own lane.
A port is analogous to a lane on the highway; different types of traffic (http, ftp, ssh, etc.) use different ports (80, 21, 22 etc.)
What ports need to be open?
Open only the ports for services you need to use and/or offer to others.
SSH (remote access to your machine): 22
FTP (file sharing server): 21
Web server: 80
X (display graphics on remote machines): 6000
See /etc/services for an exhaustive list.
Close unused ports/terminate unwanted services.
Services / Daemons
Services :
Special applications that start before any login
Web server (httpd or Apache)
File services (samba, NFS, ftpd)
Print services (lpd, CUPS)
Remote access (telnetd, sshd, vncserver)
Management tools (crond, rhnsd)
Why can services be dangerous?
Many services offer themselves to local & remote machines.
If a flaw exists in the program providing the service, an attacker can exploit this flaw and break into the machine.
RULE: don't run any services you don't need.
RULE: if you're running a service, restrict access to it as much as possible.
Handling Services
How do services work?
1 -- singleuser mode
2 -- multi-user without networking
3 -- normal multi-user text mode
4 -- custom runlevel, not normally used
5 -- normal multi-user, graphical desktop
Default level is chosen in /etc/inittab
How are Services started ?
/etc/inittab (startup configuration file)
/etc/rc.d/rc.sysinit (configuration file)
/etc/rc.d/rcN.d
xinetd (service that starts network services as you need them)
Identify running services using redhat-config-services
OR /usr/sbin/ntsysv OR /sbin/chkconfig --list
Restricting Services
What services are unnecessary & how to stop them?
Use ssh instead of the r* services (rlogin, rsh, etc.)
telnet, ftp, NFS-related services (portlock, nfslock, netfs)
Substitute for ftp: use scp and sftp.
sendmail: can use the SMTP server (mailhost.tifr.res.in) instead.
redhat-config-services: highlight the service & Stop.
Uncheck the service not required for each run level.
Use /usr/sbin/ntsysv OR
/etc/rc.d/init.d/servicename stop OR
/sbin/chkconfig servicename off commands.
Secure each service using its configuration files.
Adding Security to Desktop
Prevent remote root login.
Login as a real user and then su to root.
/etc/securetty should have no entry starting with "ttyp" / "pts".
In /etc/sshd_config change PermitRootLogin to "no".
Insert StrictHostKeycheck in /etc/sshd_config.
Turn off / uninstall all unwanted services
chkconfig --list | grep on
Turn off boot-time "ON" of unwanted services,
e.g.: exec, finger, ftp, httpd, login, lpd, nfs, ntalk, rexd, sendmail, shell, talk, telnet, tftp, uucp etc.
chkconfig uucp off
Use SSH rather than the "r*" commands
ssh -l id remotehost : secure remote login (replaces rlogin / telnet).
ssh -l id remotehost command : issue a remote command (replaces rsh).
scp localfile id@remotehost:remotefile : secure copy (replaces rcp).
Adding Security to Desktop (Contd..)
Disable unwanted suid and sgid files
find / -type f \( -perm -04000 -o -perm -02000 \) -print
E.g.: gpasswd, wall and traceroute
Install sxid to keep an eye on suid and sgid scripts.
http://linux.cudeso.be/linuxdoc/sxid.php
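The world-writable check from the Permissions slide and the suid/sgid check above, exercised together on a throwaway directory, as an added shell example that is not from the slides. The file names are constructed and the setuid/setgid bits go on empty files, so nothing that does anything is created; the counts come back from a function so the result can be checked.

```shell
# make_sample_tree: build a temp tree with one world-writable file, one
# setuid file and one setgid file (constructed names); prints its path.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt";       chmod 0644 "$dir/notes.txt"
    : > "$dir/dropbox.txt";     chmod 0666 "$dir/dropbox.txt"      # world-writable
    mkdir "$dir/bin"
    : > "$dir/bin/fakegpasswd"; chmod 4755 "$dir/bin/fakegpasswd"  # setuid bit
    : > "$dir/bin/fakewall";    chmod 2755 "$dir/bin/fakewall"     # setgid bit
    echo "$dir"
}

# world_writable DIR: files whose "other write" bit is set (the slide's -perm -2).
world_writable() { find "$1" -type f -perm -2 -print; }

# suid_sgid DIR: the slide's command with its defects fixed: -type needs
# "f", each test needs its own -perm, and the -o pair must be grouped so
# that -print applies to both.
suid_sgid() { find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print; }

# audit_counts: prints "<world-writable count> <suid/sgid count>" for the
# sample tree, then removes it.
audit_counts() {
    d=$(make_sample_tree) || return 1
    ww=$(world_writable "$d" | wc -l | tr -d ' ')
    ss=$(suid_sgid "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$ww $ss"
}

audit_counts    # prints "1 2"
```

Pointed at / instead of the sample tree, suid_sgid gives the list to compare against the known-good set (gpasswd, wall, traceroute and the like) each time the check is run.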
Install libsafe
Protects against Buffer Overflow Attacks in Process stacks
Install tmpwatch to delete the unused files from /tmp
Check for unwanted scripts in /root, /usr/local, /var/spool/mbox.
Adding Security to Desktop (Contd..)
Check your machine's uptime: uptime
Linux doesn't crash or reboot under normal conditions.
If rebooted, try to find out the actual reason behind it
Take regular backups
Use rpm -Va to find out if an installed RPM package has been modified.
Apply security patches / upgrade vulnerable software:
patch -p1 < patchfile
Check system logs (eg: /var/log/messages, /var/log/secure)
Detect Intrusions with proper tools
Use Tripwire / aide to detect unauthorized changes to
files.
System logs should be checked regularly for any trouble.
Install a log-checking tool. Freeware: webalizer, awstats
Do a penetration test with tools like nessus, nikto and nmap and see how well your machine is secured.
System up2date
Install system updates as soon as they become available.
Register the system with Red Hat Network: /usr/sbin/rhn_register
Configure up2date: up2date-config
Update up2date itself: up2date -u up2date
Update a package: up2date -u "packagename"
Update everything: up2date -u
Create a cron job to run up2date every night.
# mkdir /redhat (mount point for the Red Hat mirror)
Automount the Red Hat mirror at boot via /etc/fstab:
linuxserver:/redhat /redhat nfs intr,bg 0 0
Run the script /usr/sbin/getupdates from crontab every Monday at midnight:
0 0 * * 1 /usr/sbin/getupdates
(minute 0, hour 0, any day of month, any month, weekday 1 = Monday)