Basic Linux/System Security
Bill Stearns, Senior Research Engineer
Institute for Security Technology Studies,
Investigative Research for Infrastructure Assurance
Dartmouth College
19 Jun 2001
New Jersey Infragard
Physical Security
• Physical access to machines
• Switches instead of hubs
Principle of least privilege
• Fewest accounts necessary
• Fewest open ports necessary
• Fewest running applications
Root Account
• Used as little as possible
– Master key to a building
– Apps use other accounts, if possible
– People use su, sudo
• http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sudo.v80.htm
Passwords
• >=7 characters
• Mixed case, letters and symbols
• Not names or words
• Keep private
• Don’t leave them out in the open
• Change once a month to 6 months
• Passphrases
• http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/essential_host_security.htm
Open ports
• Close all unneeded applications
– “netstat -anp” or lsof to see what’s open
– ntsysv, linuxconf to shut down
• Firewalls as a special case for a network
• Disable, or at least limit, file sharing
• http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/essential_host_security.htm
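
Added example, not part of the original slides: one way to turn the "netstat -anp" check above into a repeatable audit that lists every TCP listener or unconnected UDP socket whose port is not on an allowlist. The function names, the allowlist (22 and 25) and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      498/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/sendmail
tcp        0      0 192.168.1.10:22         192.168.1.20:40122      ESTABLISHED 1422/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      733/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/portmap
EOF
}

# unexpected_listeners PORT...
# Reads `netstat -anp` output on stdin and prints "proto port address program"
# for each TCP listener or unconnected UDP socket whose port is not in PORT...
unexpected_listeners() {
  awk -v allowed="$*" '
    BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" { report($1, $4, $7) }
    # UDP rows have no State column, so the program name is field 6.
    $1 ~ /^udp/ && $5 ~ /:\*$/    { report($1, $4, $6) }
    function report(proto, addr, prog,    parts, k, port) {
      k = split(addr, parts, ":")   # last piece is the port, also for ":::80"
      port = parts[k]
      if (!(port in ok)) print proto, port, addr, prog
    }
  '
}

# Allow ssh (22) and the loopback mail listener (25); anything printed is a
# candidate for shutting down or firewalling.
sample_netstat | unexpected_listeners 22 25
```

On a live host, replace sample_netstat with "netstat -anp" run as root so the PID/Program column is filled in for every socket.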
Plaintext network connections
• Email, telnet, web traffic
• Sniffers
• http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/ssh-intro.htm
Encrypted network connections
• Ssh
– Terminal session
– File copying
– Other TCP connections
• http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/ssh-techniques.v0.81.htm
• IPSec
– All packets traveling between systems or networks
– http://www.freeswan.org
• https web servers
http://httpd.apache.org/related_projects.html
Package updates
• Available from Linux distribution vendor
– Sign up for announcements list
– Use automated update tools: up2date, red carpet
• http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/essential_host_security.htm
Intrusion Detection System
• Snort
– Reports on attack packets based on a regularly
updated signature file
– Install inside the firewall
• http://www.snort.org
Advanced techniques
• Audited OS: OpenBSD http://www.openbsd.org
• Stack overflow protected OS: Immunix
http://www.immunix.org
• Chroot applications, capabilities
• Virtual machines: VMWare and UML
• http://www.vmware.com, http://www.user-modelinux.sourceforge.net
• TCFS http://tcfs.dia.unisa.it
Resources
• Distribution security announcements list
• ISTS Knowledgebase
http://www.ists.dartmouth.edu/IRIA/knowledge_base/index.htm
– Worm characterizations and removal tools
– Linux and network security papers covering many of
today’s topics
• Ssh key installer ftp://ftp.stearns.org
• SANS training http://www.sans.org
• Bastille Linux http://www.bastille-linux.org
Thanks
• Les Morton, PSEG, and Jim O’Neill, NJ
InfraGard, for inviting me
• ISTS and George Cybenko for sponsoring
the presentation
Contact
• http://www.ists.dartmouth.edu/IRIA/
• William Stearns
• Questions?