Security Strategies in Linux

Platforms and Applications

Lesson 6
Every Service Is a Potential Risk

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com
All rights reserved.
 Learning Objective
 Describe vulnerabilities in Linux services
and the appropriate steps to mitigate the
risks.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 2
All rights reserved.
 Key Concepts
 Commonly installed Linux services
 Bastion hosts
 Bastion host hardening
 Disabling unneeded services and removing
unneeded packages
 chroot jails

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 3
All rights reserved.
 DISCOVER: CONCEPTS

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 4
All rights reserved.
 Service Scripts in /etc/init.d/

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 5
All rights reserved.
 Vulnerabilities in Linux Services
 Denial of Service (DoS)
 Buffer overflows and misconfigured servers
 Unpatched servers and rootkits
 Web applications
 Default settings and weak passwords

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 6
All rights reserved.
 Bastion Servers in the DMZ

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 7
All rights reserved.
 Bastion Hosts
Only has access to the Web Server
H
one server and service
Black-hat hacker
exploits a bug in the
Simple Mail Transfer
Protocol (SMTP)
Server
Database Server

Now has Bastion Hosts

access to all the
server services

SMTP Server

Multipurpose Server

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 8
All rights reserved.
 DISCOVER: PROCESS

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 9
All rights reserved.
 Configuring a Bastion Host

Install an administrative service like SSH

Start with minimal Linux installation

Set up at least basic IPv4 networking

Remove unnecessary services

Remove unnecessary packages

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 10
All rights reserved.
 Active Services in Runlevel 3
Start with “S”

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 11
All rights reserved.
 Getting Rid of Unneeded
Services

• Use yum or apt-get

Uninstall • Watch for dependencies

• Stop a service
Deactivate • Kill a PID
• Change service defaults

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 12
All rights reserved.
 Dependency Processing

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 13
All rights reserved.
 Mitigating Other Service Risks

 Turn off the X Display Manager Control

Protocol (XDMCP).
 Keep only those productivity tools that are
necessary.
 Don't run any network services that are not
needed.
 Run the logwatch tool to monitor any
attempted access to the Linux system.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 14
All rights reserved.
 DISCOVER: ROLES

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 15
All rights reserved.
 Linux System Administrator
 Turns off or uninstalls unused services.
 Ensures services do not run as root.
 Runs services in chroot jail when appropriate.
 Restricts access to services only to necessary
users and applications.
 Uses bastion hosts for server services and
keeps services updated with latest security
fixes.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 16
All rights reserved.
 DISCOVER: CONTEXTS

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 17
All rights reserved.
 chroot Jail
Use chroot jail:
 To enable an application access its own set of
libraries and directory structure
 To restrict access to users on a system
 To run software such as Berkeley Internet
Name Domain (BIND)

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 18
All rights reserved.
 DISCOVER: RATIONALE

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 19
All rights reserved.
 Benefits of Disabling or
Uninstalling Unneeded Services
 To eliminate the possibility of a black-hat
hacker exploiting a vulnerability to a service
when the service is not running
 To improve system performance by running
only the required services
 To save hard drive space by uninstalling
 To eliminate the need to update or patch a
service when security vulnerabilities are
discovered
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Security Strategies in Linux Platforms and Applications www.jblearning.com Page 20
All rights reserved.
 Summary
 Commonly installed Linux services
 Bastion hosts
 Bastion host hardening
 Disabling unneeded services and removing
unneeded packages
 chroot jails

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 21
All rights reserved.
 Virtual Lab
 Hardening Security for Linux Services and
Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 22
All rights reserved.
 OPTIONAL SLIDES

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 23
All rights reserved.
 Aptitude as a Package Browser

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 24
All rights reserved.
 Categories of Red Hat
Development Tools

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 25
All rights reserved.
 Categories of Ubuntu
Development Tools

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 26
All rights reserved.
 The elinks Web Browser

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

Security Strategies in Linux Platforms and Applications www.jblearning.com Page 27
All rights reserved.