Linux Security
Niall Richard Murphy
Ireland On-Line
(for HEAnet Security Seminar)

What I’m going to talk about
- Model for understanding security challenges
- Ways in which Linux is notably different from any other O.S.
- Best practice (that I know!) for
  - securing machines for which you have complete political authority
  - securing machines for which you have partial political authority

What I’m not going to talk about
- Installation
- Taxonomy of buffer overflows
- Kerfuffle surrounding encryption policies
- Post-breakin recovery techniques
- Physical security
- Denial of service

The Model
- Ultimately a people problem, not a technical problem (until formally derived secure operating systems become common)
- Race between competencies
  - White hats, Black hats

The Challenges
- Keeping systems secure under constraints of
  - Bad programming
  - Bad design
  - Time
  - Money
  - “Better things to be doing”
- Understanding tradeoffs between convenience and security

What can you do?
- Keep yourself informed
  - BUGTRAQ (+ other mailing lists)
  - Distribution updates
  - comp.unix.security
  - www.rootshell.org
- Implement (and refine) your notion of best practice

What’s so special about Linux?
- Operating System
- Underlying Philosophy

Operating System
- IP Fun
  - ipfwadm/ipchains
  - ip_masquerading
- Sysctl tunables
  - syn cookies
  - icmp_echoreply_rate
- Misc
  - coda (NFS replacement)
  - NTFS (and other FS) support

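The two sysctl tunables on this slide are set and inspected through files under /proc/sys/net/ipv4. The following audit script is an added example for this page, not code from the talk; it reads those files and reports the weak setting beside the expected one. The ROOT prefix argument is an assumption made so the check can run against a constructed directory tree (pass "" for the live kernel). The meaning given for icmp_echoreply_rate (0 disables limiting) is the one documented for 2.2 kernels; 2.4 replaced it with icmp_ratelimit.

```shell
#!/bin/sh
# Added example, not from the talk: audit the two sysctl tunables the slide names by
# reading /proc/sys directly. ROOT is a hypothetical prefix so the check can be pointed
# at a constructed directory tree instead of the live kernel (use "" for the real /proc).

# read_tunable ROOT NAME -> prints the value of net/ipv4/NAME, or "missing" if absent
read_tunable() {
    f="$1/proc/sys/net/ipv4/$2"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# check_tunables ROOT -> one "OK"/"WEAK" line per tunable; returns 1 if any is WEAK
check_tunables() {
    rc=0
    sc=$(read_tunable "$1" tcp_syncookies)
    if [ "$sc" = "1" ]; then
        echo "OK   tcp_syncookies=$sc"
    else
        echo "WEAK tcp_syncookies=$sc (should be 1: SYN cookies survive backlog exhaustion)"
        rc=1
    fi
    rate=$(read_tunable "$1" icmp_echoreply_rate)
    if [ "$rate" = "0" ] || [ "$rate" = "missing" ]; then
        echo "WEAK icmp_echoreply_rate=$rate (0 or absent: echo replies are not rate limited)"
        rc=1
    else
        echo "OK   icmp_echoreply_rate=$rate"
    fi
    return $rc
}

# make_fake_sysroot ROOT SYNCOOKIES RATE -> constructs a /proc/sys tree for testing
make_fake_sysroot() {
    mkdir -p "$1/proc/sys/net/ipv4"
    printf '%s\n' "$2" > "$1/proc/sys/net/ipv4/tcp_syncookies"
    printf '%s\n' "$3" > "$1/proc/sys/net/ipv4/icmp_echoreply_rate"
}

# Demo on constructed values: the weak defaults, then the same host after hardening.
# On a real 2.2 box the fix is: echo 1 > /proc/sys/net/ipv4/tcp_syncookies
demo=$(mktemp -d)
make_fake_sysroot "$demo" 0 0
check_tunables "$demo" || echo "-> needs hardening"
make_fake_sysroot "$demo" 1 100
check_tunables "$demo" && echo "-> hardened"
rm -rf "$demo"
```

Run it from cron with ROOT set to "" and the non-zero exit status becomes a cheap nightly check that nobody has quietly rebooted a box into the defaults.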
Philosophy - Open Source
- You have the source … use it
  - Better diagnosis capabilities
- Useful Modifications
  - RSBAC
  - Anti buffer-overflow patch
- Security Tools
  - Trinux
  - HUNT
  - Slinux distribution

Best Practice
- Philosophy
  - That which is not expressly permitted…
  - Defence in depth
  - Security partitioning
- Implemented with tools

Defense in Depth
- ip firewalling
- tcp wrappers
- application access control

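The middle layer of these three, tcp wrappers, is driven by /etc/hosts.allow and /etc/hosts.deny, and the "that which is not expressly permitted" philosophy from the previous slide is only real if hosts.deny ends in "ALL: ALL". What follows is an added example for this page, not code from the talk or from the tcp_wrappers package: a small evaluator of tcpd's decision order (hosts.allow first, then hosts.deny, otherwise granted) so a policy can be tried against sample clients before it goes on a box. The constructed rules and hostnames in the demo are illustrative; the evaluator understands only the pattern forms ALL, network prefix, domain suffix and exact host.

```shell
#!/bin/sh
# Added example, not from the talk: a minimal offline evaluator of the tcp_wrappers
# (tcpd) hosts.allow / hosts.deny decision, for checking a "that which is not
# expressly permitted" policy before it is installed. It understands the pattern
# forms ALL, a dotted network prefix ("10.0.0."), a domain suffix (".example.ie")
# and an exact host; netmasks, EXCEPT clauses and shell commands are left out.

# match_pattern PATTERN CLIENT -> 0 if CLIENT matches one access-list pattern
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;            # exact host
    esac
    return 1
}

# match_list LIST ITEM -> 0 if ITEM matches any comma-separated pattern in LIST
match_list() {
    oldifs=$IFS; IFS=','
    for p in $1; do
        p=$(printf '%s' "$p" | tr -d ' \t')
        if match_pattern "$p" "$2"; then IFS=$oldifs; return 0; fi
    done
    IFS=$oldifs
    return 1
}

# file_matches FILE SERVICE CLIENT -> 0 if any "daemons: clients" rule in FILE matches;
# comments and blank lines are ignored as tcpd does
file_matches() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS= read -r line; do
        daemons=${line%%:*}
        clients=${line#*:}
        if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
            echo hit
        fi
    done | grep -q hit
}

# wrappers_decision SERVICE CLIENT ALLOWFILE DENYFILE -> prints allow or deny,
# in tcpd's order: hosts.allow first, then hosts.deny, otherwise access is granted
wrappers_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Demo with constructed files: default deny, with one hole per service
d=$(mktemp -d)
printf '%s\n' 'sshd: 10.0.0., .admin.example.ie' 'in.ftpd: 10.0.0.7' > "$d/hosts.allow"
printf '%s\n' '# nothing else gets in' 'ALL: ALL' > "$d/hosts.deny"
for q in 'sshd 10.0.0.5' 'sshd 192.168.1.9' 'in.ftpd 10.0.0.5' 'in.telnetd 10.0.0.7'; do
    set -- $q
    echo "$1 from $2: $(wrappers_decision "$1" "$2" "$d/hosts.allow" "$d/hosts.deny")"
done
rm -rf "$d"
```

The last branch of wrappers_decision is the point of the exercise: with an empty hosts.deny every service not mentioned in hosts.allow is reachable, so the deny file, not the allow file, is what makes the policy default-closed. Wrappers still only see services started through tcpd or linked against libwrap; anything else needs the ipchains layer in front of it.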
Security Partitioning
- ‘root’ is overloaded & so is ‘nobody’
- create users for each different
  - network service
  - administrative task

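On a 1999 box most of the network services in question are started from /etc/inetd.conf, whose fifth field names the account each one runs as, so the overloading this slide describes can be read straight off that file. The audit below is an added example for this page, not code from the talk; the inetd.conf contents it works on are constructed samples. It flags every service running as root and every account shared by more than one service. A root finding is not automatically wrong (a daemon that must switch to the client's uid, such as an ftp server, has no choice), but it is the list that needs a reason for each entry.

```shell
#!/bin/sh
# Added example, not from the talk: audit an inetd.conf for the overloading the slide
# describes. Each active line is "service socket proto wait user server args"; the
# audit reports services that run as root and accounts shared by more than one service.

# audit_inetd FILE -> prints "ROOT service" and "SHARED user: svc1 svc2" lines
audit_inetd() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '
        {
            svc = $1; user = $5
            sub(/\..*/, "", user)            # "user.group" form -> user
            if (user == "root") print "ROOT " svc
            by[user] = by[user] " " svc
            n[user]++
        }
        END {
            for (u in n) if (n[u] > 1) print "SHARED " u ":" by[u]
        }' | sort
}

# count_findings FILE -> number of audit lines, so a policy check can fail on non-zero
count_findings() {
    audit_inetd "$1" | wc -l | tr -d ' '
}

# Demo on a constructed inetd.conf: the usual "everything as root or nobody" layout
# beside a partitioned layout with one dedicated account per service.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
# constructed sample, not a real configuration
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
cfinger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.cfingerd
EOF
cat > "$after" <<'EOF'
# constructed sample: telnet removed, one account per finger daemon, ftp still root
ftp     stream  tcp  nowait  root     /usr/sbin/tcpd  in.ftpd -l -a
finger  stream  tcp  nowait  fingerd  /usr/sbin/tcpd  in.fingerd
cfinger stream  tcp  nowait  cfingerd /usr/sbin/tcpd  in.cfingerd
EOF
echo "before:"; audit_inetd "$before"
echo "after: $(count_findings "$after") finding(s)"; audit_inetd "$after"
rm -f "$before" "$after"
```

The same idea applies to the administrative side of the slide: a per-task account (one for backups, one for the web content push) means a compromised task, or a leaked password, buys exactly that task and nothing else.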
Useful Tools 1
- Infrastructural
  - bind 8.2
- System
  - ssh(d)
  - lsof
  - crack
  - Iplimit
- Red Hat
  - rpmwatch (et al)

Useful Tools 2
- Network
  - tcpdump (& replay)
  - nmap
  - nessus
- Services
  - qmail
  - LPRng
  - apache

Common Questions
- How do I secure a computer center?
- How do I secure a university?
- Both aspects of “distributed configuration management”
- Political elements must be adapted to your situation

Distributed Configuration 1
- Traditionally used straight file copying
  - rdist
  - rcp
  - rsync
- Drawbacks
  - Prone to disaster!
  - Not very flexible

Distributed Configuration 2
- cfengine is a very nice compromise
- Features
  - ‘batch’ editing of files
  - Normal file copying abilities
  - Built in parsers for important files like
    - /etc/fstab
    - /etc/passwd
    - crontabs

Distributed Configuration 3
- Suggested approach
  - Create secure central administration server
  - Implement cfengine script which enforces security policy
  - Sit back and enjoy no breakins...

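What separates the cfengine approach of the last two slides from an rdist or rcp push is that a policy script converges each file toward a state, so re-running it is harmless and a locally edited file is only replaced when it genuinely differs from the master. The script below is an added example for this page, not cfengine's own code or a script from the talk: it rewrites two of cfengine's primitives (the editfiles action AppendIfNoSuchLine and a checksum-compared copy) as shell functions and applies them as a tiny "default deny" policy to a constructed client /etc and master tree. The directory layout and the policy contents are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the talk or from cfengine itself: the two primitives a
# policy-enforcing cfengine script leans on, rewritten as idempotent shell functions.
# Unlike a plain rcp/rdist push they converge a file toward a state (re-running is a
# no-op) and only copy when the content really differs.

# append_if_no_such_line FILE LINE -> like cfengine's AppendIfNoSuchLine:
# the line is added once, however often the policy runs
append_if_no_such_line() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# copy_if_changed MASTER DEST -> copy only when the content differs (cfengine's
# copy with type=checksum); prints "copied" or "unchanged" so the run log shows
# what actually happened on each client
copy_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        echo unchanged
    else
        cp "$1" "$2.tmp$$" && mv "$2.tmp$$" "$2"   # atomic replace, no half-written file
        echo copied
    fi
}

# enforce_policy ETCDIR MASTERDIR -> the policy: default deny in hosts.deny, and a
# hosts.allow that is owned by the administration server, not by the client
enforce_policy() {
    append_if_no_such_line "$1/hosts.deny" "ALL: ALL"
    copy_if_changed "$2/hosts.allow" "$1/hosts.allow"
}

# Demo on a constructed client /etc and master tree: run twice to show convergence
work=$(mktemp -d)
mkdir -p "$work/etc" "$work/master"
printf '%s\n' 'sshd: 10.0.0.' > "$work/master/hosts.allow"
echo "run 1: $(enforce_policy "$work/etc" "$work/master")"
echo "run 2: $(enforce_policy "$work/etc" "$work/master")"
echo "hosts.deny carries $(grep -c 'ALL: ALL' "$work/etc/hosts.deny") ALL: ALL line(s)"
rm -rf "$work"
```

The "copied"/"unchanged" output is worth keeping: a client that reports "copied" on every run is one where something other than the policy keeps rewriting the file, and that is exactly the kind of breakin signal the central server is well placed to notice.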
Network Mapping 1
- Perhaps political authority does not stretch to proactive maintenance
- Better to know than not to know
- Scan your network and build a picture of what is happening
  - nmap
  - nessus
  - saint
- Don’t assume you know what’s going on

Network Mapping 2
- Build up a picture of network activities
- Summarise activity record
  - nfr
  - tcpdump (with parser)
- Have a proactive stance

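"tcpdump (with parser)" is cheap to do: a day's capture of TCP headers plus a few lines of awk gives the summary this slide asks for. The script below is an added example for this page, not code from the talk, and the capture it reads is a constructed sample in the classic tcpdump line format ("src.port > dst.port: flags ..."). It counts, per source, the connection attempts (SYN without ACK) and the number of distinct destination ports, which is the simplest view in which a host walking your port space stands out from normal traffic; the threshold used to flag one is an assumption, to be tuned against your own record.

```shell
#!/bin/sh
# Added example, not from the talk: the "tcpdump with parser" idea as a small awk
# summariser. It reads classic tcpdump TCP lines ("src.port > dst.port: S ...") and
# reports how many connection attempts (SYN without ACK) each source made and to how
# many distinct destination ports, which is enough to spot a sweep in a day's record.

# summarise_syns FILE -> lines "SRC attempts=N ports=M", most attempts first
summarise_syns() {
    awk '
        # field 2 is src.port, field 4 is dst.port with a trailing colon, field 5 flags;
        # a SYN-ACK also carries the S flag, so lines with "ack" are excluded
        $3 == ">" && $5 == "S" && $0 !~ / ack / {
            src = $2; sub(/\.[^.]*$/, "", src)          # strip source port
            dst = $4; sub(/:$/, "", dst)
            port = dst; sub(/.*\./, "", port)           # keep destination port only
            attempts[src]++
            if (!seen[src, port]++) ports[src]++
        }
        END {
            for (s in attempts) print s, "attempts=" attempts[s], "ports=" ports[s]
        }' "$1" | sort -t= -k2,2nr
}

# flag_scanners FILE THRESHOLD -> sources that touched more than THRESHOLD distinct ports
flag_scanners() {
    summarise_syns "$1" | awk -v t="$2" '{ split($3, p, "="); if (p[2] + 0 > t) print $1 }'
}

# Demo on a constructed capture: one normal telnet session plus a mail connection from
# 10.0.0.5, and five probes across different ports from 192.168.7.7
cap=$(mktemp)
cat > "$cap" <<'EOF'
12:00:01.000001 10.0.0.5.1034 > 10.0.0.1.23: S 1:1(0) win 8192
12:00:01.000050 10.0.0.1.23 > 10.0.0.5.1034: S 9:9(0) ack 2 win 8760
12:00:01.000090 10.0.0.5.1034 > 10.0.0.1.23: . ack 10 win 8192
12:00:02.000001 192.168.7.7.40001 > 10.0.0.1.21: S 1:1(0) win 512
12:00:02.000002 192.168.7.7.40002 > 10.0.0.1.22: S 1:1(0) win 512
12:00:02.000003 192.168.7.7.40003 > 10.0.0.1.23: S 1:1(0) win 512
12:00:02.000004 192.168.7.7.40004 > 10.0.0.1.25: S 1:1(0) win 512
12:00:02.000005 192.168.7.7.40005 > 10.0.0.1.79: S 1:1(0) win 512
12:00:03.000001 10.0.0.5.1035 > 10.0.0.1.25: S 1:1(0) win 8192
EOF
echo "per-source summary:"; summarise_syns "$cap"
echo "sources touching more than 3 ports:"; flag_scanners "$cap" 3
rm -f "$cap"
```

A capture made with "tcpdump -n tcp" keeps the addresses numeric and the lines in this shape; run the summary daily, keep the output, and the "don't assume you know what's going on" advice from the previous slide turns into a baseline you can diff against.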
Network Mapping 3
- Trinux - secure Linux distribution
- Has latest security tools
- Fits on 2/3 floppies
- Can be used as a secure network testing system

A Salutary Lesson
- Word macro virus
- Firewall installation
- No matter how “good” you are, are you “good” enough?

Useful Links 1
- http://www.rootshell.org (general exploits)
- http://www.iu.hioslo.no/cfengine (cfengine)
- http://agn-www.informatik.unihamburg.de/people/1ott/rsbac/ (RSBAC)
- http://www.nfr.net (nfr)
- http://www.users.dircon.co.uk/~crypto (crack & lots of good papers)

Useful Links 2
- http://www.trinux.org (Trinux)
- http://www.freshmeat.net (New software updates)
- http://www.l0pht.org (misc.)
- http://www.cri.cz/kra/index.html (HUNT)
- http://www.nessus.org (nessus)
- http://www.wwdsi.com/saint/ (SAINT)

Useful Links 3
- http://www.slinux.cx (Secure Linux distribution)
- http://orthanc.kellogg.nwu.edu/~pcox/scripts/replay/index.html (replay)

Useful Books
- Practical Unix & Internet Security: Garfinkel/Spafford
- Unix Security - a practical tutorial: N. Derek Arnold

Thank you!
[email protected]
http://www.iol.ie/~niallrm/
(version 1.01)