Basic Linux/System Security
19 Jun 2001
New Jersey Infragard
Physical Security
Physical access to machines
Switches instead of hubs
Principle of least privilege
Fewest accounts necessary
Fewest open ports necessary
Fewest running applications
Root Account
Used as little as possible
Master key to a building
Apps use other accounts, if possible
People use su, sudo
http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/sudo.v80.htm
Passwords
>=7 characters
Mixed case, letters and symbols
Not names or words
Keep private
Don't leave them out in the open
Change once a month to 6 months
Passphrases
http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/essential_host_security.htm
Open ports
Close all unneeded applications
netstat -anp or lsof to see what's open
Ntsysv, linuxconf to shut down
Firewalls as a special case for a network
Disable, or at least limit, file sharing
http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/essential_host_security.htm
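Added example (not part of the original slides): one way to turn the netstat check above into a repeatable audit. It filters netstat -anp style output for network-reachable listeners whose port is not on an allowlist; the allowlist, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report listening sockets whose port is not on an allowlist.
# ALLOWED_PORTS is a hypothetical site policy, not a recommendation.
ALLOWED_PORTS="22 443"

# Constructed sample in the column layout of `netstat -anp` (not real output).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      598/inetd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      701/httpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      655/sendmail
tcp        0      0 192.0.2.10:22           192.0.2.50:40112        ESTABLISHED 1320/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           540/portmap
EOF
}

# Reads netstat -anp text on stdin; $1 is a space-separated port allowlist.
# Prints "proto port program" for each listener outside the allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
        # TCP listeners show LISTEN; UDP has no state column, so an
        # unconnected UDP socket is recognised by its wildcard peer.
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        if ($1 ~ /^udp/ && $5 !~ /:\*$/) next
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
        if (host ~ /^127\./ || host == "::1") next   # loopback only, not exposed
        if (port in ok) next
        prog = $NF; sub(/^[0-9]+\//, "", prog) # strip the "PID/" prefix
        print $1, port, prog
    }'
}

# Live use (run as root so -p can name every process):
#   netstat -anp | unexpected_listeners "$ALLOWED_PORTS"
sample_netstat | unexpected_listeners "$ALLOWED_PORTS"
```

Anything the function prints is a candidate to shut down or to add to the allowlist deliberately.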
Plaintext network connections
Email, telnet, web traffic
Sniffers
http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/ssh-intro.htm
Encrypted network connections
Ssh
Terminal session
File copying
Other TCP connections
http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/ssh-techniques.v0.81.htm
IPSec
All packets traveling between systems or networks
http://www.freeswan.org
https web servers
http://httpd.apache.org/related_projects.html
Package updates
Available from Linux distribution vendor
Sign up for announcements list
Use automated update tools: up2date, red carpet
http://www.ists.dartmouth.edu/IRIA/knowledge_base/linuxinfo/essential_host_security.htm
Intrusion Detection System
Snort
Reports on attack packets based on a regularly updated signature file
Install inside the firewall
http://www.snort.org
Advanced techniques
Audited OS: OpenBSD http://www.openbsd.org
Stack overflow protected OS: Immunix http://www.immunix.org
Chroot applications, capabilities
Virtual machines: VMWare and UML http://www.vmware.com, http://www.user-mode-linux.sourceforge.net
TCFS http://tcfs.dia.unisa.it
Resources
Distribution security announcements list
ISTS Knowledgebase http://www.ists.dartmouth.edu/IRIA/knowledge_base/index.htm
Worm characterizations and removal tools
Linux and network security papers covering many of today's topics
Ssh key installer ftp://ftp.stearns.org
SANS training http://www.sans.org
Bastille Linux http://www.bastille-linux.org