Linux Security - Welcome to IOL E-mail

Linux Security
Niall Richard Murphy
Ireland On-Line
(for HEAnet Security Seminar)

What I’m going to talk about

Model for understanding security challenges
Ways in which Linux is notably different from any other O.S.
Best practice (that I know!) for
  - securing machines for which you have complete political authority
  - securing machines for which you have partial political authority

What I’m not going to talk about

Installation
Taxonomy of buffer overflows
Kerfuffle surrounding encryption policies
Post-breakin recovery techniques
Physical security
Denial of service

The Model

Ultimately a people problem, not a technical problem (until formally derived secure operating systems become common)
Race between competencies
  - White hats, Black hats

The Challenges

Keeping systems secure under constraints of
  - Bad programming
  - Bad design
  - Time
  - Money
  - “Better things to be doing”
Understanding tradeoffs between convenience and security

What can you do?

Keep yourself informed
  - BUGTRAQ (+ other mailing lists)
  - Distribution updates
  - comp.unix.security
  - www.rootshell.org
Implement (and refine) your notion of best practice

What’s so special about Linux?

Operating System
Underlying Philosophy

Operating System

IP Fun
  - ipfwadm/ipchains
  - ip_masquerading
Sysctl tunables
  - syn cookies
  - icmp_echoreply_rate
Misc
  - coda (NFS replacement)
  - NTFS (and other FS) support

Philosophy - Open Source

You have the source … use it
  - Better diagnosis capabilities
  - Useful modifications
  - RSBAC
  - Anti buffer-overflow patch
Security Tools
  - Trinux
  - HUNT
  - Slinux distribution

Best Practice

Philosophy
  - That which is not expressly permitted…
  - Defence in depth
  - Security partitioning
Implemented with tools

Defense in Depth

ip firewalling
tcp wrappers
application access control

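The tcp wrappers layer of this stack decides per connection from /etc/hosts.allow and /etc/hosts.deny. As an added example (not from the slides or from the tcp_wrappers source), here is a small Python model of that decision rule, with a constructed policy that applies the “not expressly permitted” philosophy; it assumes only the ALL, host name, leading-dot domain, trailing-dot network and net/mask client patterns, and leaves out operators such as EXCEPT.

```python
import ipaddress

def _match_client(pattern, host, ip):
    """True if one client pattern from an access-control line matches."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. .example.edu
        return host.endswith(pattern)
    if pattern.endswith("."):        # network prefix, e.g. 10.0.
        return ip.startswith(pattern)
    if "/" in pattern:               # net/mask, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (host, ip)     # exact host name or address

def _matches(rules, daemon, host, ip):
    """rules: lines of the form 'daemon_list : client_list' (# comments allowed)."""
    for line in rules:
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (part.replace(",", " ").split() for part in line.split(":", 1))
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(_match_client(c, host, ip) for c in clients):
            return True
    return False

def wrapper_decision(hosts_allow, hosts_deny, daemon, host, ip):
    """tcp_wrappers order: a hosts.allow match wins, then hosts.deny, else permit."""
    if _matches(hosts_allow, daemon, host, ip):
        return "allow"
    if _matches(hosts_deny, daemon, host, ip):
        return "deny"
    return "allow"   # the caveat: with no matching deny line, access is granted

# Constructed sample policy (hypothetical hosts): only what is expressly
# permitted gets through, because hosts.deny closes everything else.
HOSTS_ALLOW = [
    "sshd: .example.edu, 192.168.1.0/255.255.255.0   # staff hosts only",
    "in.ftpd: 10.0.",
]
HOSTS_DENY = ["ALL: ALL"]

if __name__ == "__main__":
    for req in [("sshd", "dev.example.edu", "193.1.2.3"),
                ("sshd", "host.example.net", "203.0.113.9"),
                ("in.telnetd", "dev.example.edu", "193.1.2.3")]:
        print(*req, "->", wrapper_decision(HOSTS_ALLOW, HOSTS_DENY, *req))
```

Note the last branch: a hosts.allow file on its own permits everything it does not list, so the deny-by-default line is what makes the layer restrictive.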
Security Partitioning

‘root’ is overloaded & so is ‘nobody’
create users for each different
  - network service
  - administrative task

Useful Tools 1

Infrastructural
  - bind 8.2
System
  - ssh(d)
  - lsof
  - crack
  - iplimit
Red Hat
  - rpmwatch (et al)

Useful Tools 2

Network
  - tcpdump (& replay)
  - nmap
  - nessus
Services
  - qmail
  - LPRng
  - apache

Common Questions

How do I secure a computer center?
How do I secure a university?
Both aspects of “distributed configuration management”
  - Political elements must be adapted to your situation

Distributed Configuration 1

Traditionally used straight file copying
  - rdist
  - rcp
  - rsync
Drawbacks
  - Prone to disaster!
  - Not very flexible

Distributed Configuration 2

cfengine is a very nice compromise
Features
  - ‘batch’ editing of files
  - Normal file copying abilities
  - Built in parsers for important files like
    - /etc/fstab
    - /etc/passwd
    - crontabs

Distributed Configuration 3

Suggested approach
  - Create secure central administration server
  - Implement cfengine script which enforces security policy
  - Sit back and enjoy no breakins...

Network Mapping 1

Perhaps political authority does not stretch to proactive maintenance
Better to know than not to know
Scan your network and build a picture of what is happening
  - nmap
  - nessus
  - saint
Don’t assume you know what’s going on

Network Mapping 2

Build up a picture of network activities
Summarise activity record
  - nfr
  - tcpdump (with parser)
Have a proactive stance

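The “tcpdump (with parser)” item above is the kind of summariser a defender writes to turn a raw capture into a picture of who is connecting where. This is an added example, not code from the talk: a Python parser for tcpdump’s text output that counts connection attempts (SYN without ACK) per source and destination port and flags a source that sweeps several hosts on one port. The sample capture is constructed, and the regular expression assumes the classic one-line format as well as the newer “IP … Flags [S.]” form.

```python
import re
from collections import defaultdict

# Matches both classic output ("src.port > dst.port: S ... ack N ...") and
# the newer "IP ... Flags [S.]" form; non-TCP lines (arp, udp) do not match.
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ (?:IP )?"
    r"(?P<src>[\w.-]+)\.(?P<sport>\w+) > (?P<dst>[\w.-]+)\.(?P<dport>\w+): "
    r"(?:Flags \[(?P<flags2>[^\]]*)\]|(?P<flags1>[SFRP.]+))(?P<rest>.*)$"
)

def parse_line(line):
    """Return (src, dst, dport, syn_only) or None for lines that are not TCP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags2") if m.group("flags2") is not None else m.group("flags1")
    # classic output shows the ack in the tail ("ack N"); newer puts '.' in the flags
    is_ack = "." in flags or " ack " in m.group("rest")
    return m.group("src"), m.group("dst"), m.group("dport"), ("S" in flags and not is_ack)

def summarise(lines, scan_threshold=3):
    """Count SYN-only packets per (src, dport); flag sources hitting >= threshold hosts."""
    attempts = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, syn_only = parsed
        if syn_only:
            attempts[(src, dport)] += 1
            targets[(src, dport)].add(dst)
    suspects = sorted(k for k, hosts in targets.items() if len(hosts) >= scan_threshold)
    return dict(attempts), suspects

# Constructed sample capture (not real traffic): one normal telnet handshake,
# a three-host sweep of the portmapper port, and a newer-format ssh handshake.
SAMPLE = """\
12:01:03.123456 193.1.2.3.1034 > 10.0.0.5.23: S 1000:1000(0) win 8192 <mss 1460>
12:01:03.223456 10.0.0.5.23 > 193.1.2.3.1034: S 7654:7654(0) ack 1001 win 8760
12:01:04.000001 203.0.113.9.4321 > 10.0.0.5.111: S 1:1(0) win 512
12:01:04.100001 203.0.113.9.4322 > 10.0.0.6.111: S 2:2(0) win 512
12:01:04.200001 203.0.113.9.4323 > 10.0.0.7.111: S 3:3(0) win 512
12:01:05.000000 IP 198.51.100.4.40000 > 10.0.0.5.22: Flags [S], seq 5, win 64240
12:01:05.000100 IP 10.0.0.5.22 > 198.51.100.4.40000: Flags [S.], seq 9, ack 6, win 65160
""".splitlines()

if __name__ == "__main__":
    print(summarise(SAMPLE))
```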
Network Mapping 3

Trinux - secure Linux distribution
  - Has latest security tools
  - Fits on 2/3 floppies
  - Can be used as a secure network testing system

A Salutary Lesson

Word macro virus
Firewall installation
No matter how “good” you are, are you “good” enough?

Useful Links 1

http://www.rootshell.org (general exploits)
http://www.iu.hioslo.no/cfengine (cfengine)
http://agn-www.informatik.unihamburg.de/people/1ott/rsbac/ (RSBAC)
http://www.nfr.net (nfr)
http://www.users.dircon.co.uk/~crypto (crack & lots of good papers)

Useful Links 2

http://www.trinux.org (Trinux)
http://www.freshmeat.net (New software updates)
http://www.l0pht.org (misc.)
http://www.cri.cz/kra/index.html (HUNT)
http://www.nessus.org (nessus)
http://www.wwdsi.com/saint/ (SAINT)

Useful Links 3

http://www.slinux.cx (Secure Linux distribution)
http://orthanc.kellogg.nwu.edu/~pcox/scripts/replay/index.html (replay)

Useful Books

Practical Unix & Internet Security: Garfinkel/Spafford
Unix Security - a practical tutorial: N. Derek Arnold

Thank you!

[email protected]
http://www.iol.ie/~niallrm/
(version 1.01)