How to Secure Linux

Last updated: 30 Oct 2008

Overview
Overview of computer and network security and Linux tools; hands-on experience with securing Linux; testing security configuration
Seminar Duration
2 hrs.
Student Prerequisites
How to administer a computer
Student Provides
Lab Provides
  1. computer with Fedora Linux installed
  2. root and ituser accounts and passwords
Preparation
  1. Updated installation of Linux to x cloned disks
  2. Disk drives inserted and locked into computers
  3. Set up root account with password
Delivery
  1. Overview of Computer and Network Security
    1. Security is relative, not absolute
    2. What can happen in 5 minutes?

      Besides 1 trillion instructions executed?

      • passwords copied
      • keystroke sniffer installed
      • privileges elevated
      • total control of computer for later use
      • denial of use of computer or network
      • use of your computer to pirate software, music, etc.
      • use of your computer to compromise other computers
      • deletion or modification of information on computer
      • impersonation of anything virtual, including email
    3. Any input can be a "vector" (a point of entry)

      Most common:

      • keyboard (both authorized and unauthorized people)
      • removable media
      • network
      • stolen/lost/damaged device (e.g., cellphone, laptop, thumb drive)
    4. Any output can provide information to unauthorized people

      Most common:

      • display (both authorized and unauthorized people)
      • removable media
      • network
      • stolen/lost/damaged device (e.g., cellphone, laptop, thumb drive)
    5. What can be done?
      • deter: make it more difficult (obstruct, hide, fortify, complicate, etc.)
      • probe: look for where vulnerabilities are
      • monitor: look for suspicious activity
      • defend: block attack, remove or weaken attacker, minimize theft/damage
    6. What does that translate to for administering computers?
      • Prevent physical access to your computer or data.

        Lock it up; unplug from network; turn it off

      • Install OS and service packs offline
      • Back up data (encrypted) and store backups elsewhere to lessen data loss.
      • Keep up to date with latest patches for OS and applications.

        This fortifies your computer, hopefully plugging more holes than it creates.

      • Encrypt sensitive data always.
      • Block other computers from connecting to yours.

        firewall

      • Allow only authorized users on your computer, and restrict their access.
      • Be wary of inserting media from any source.
      • Be wary of visiting web sites, clicking on web links in email.
      • Don't share accounts and passwords.
      • Watch system activity through logs and process monitors.
      • Become familiar with security tools.
      • Use strong passwords, and change them regularly.
      • Perform regular checks for vulnerabilities.
  2. Linux Security Tools
    1. Update system (yum)
    2. Linux Tools

      Be very careful about trusting results from tools run on a system that may already be compromised:

      1. Basic
        • Deter/Prevent:

          yum, ntp (network time protocol), iptables, route, su, tar, dump

        • Probe/Monitor/Inspect:

          cat /etc/passwd; cat /etc/group; look at logs in /var/log (logwatch, sec.pl); look at info in /proc; top; SELinux; monitoring (e.g., Nagios, Big Brother); file integrity (Tripwire, Osiris); chkrootkit

        • Defend/Fix:

          restore; tar; use of file permissions and roles

      2. Network tools

        netstat -an; fuser -n tcp [port]; ping; traceroute; arp; ifconfig; route

      3. File

        ls -la; ls -lt; ls -l --time=ctime --sort=time; grep; chmod/chown

      4. Services

        service [servicename] start/stop/status; ls /etc/init.d; chkconfig --list [servicename]; less /etc/inittab; grep disable /etc/xinetd.d/*

      5. Process

        ps aux; kill -KILL [pid]; crontab -l [user]; ls -la /etc/cron.[time]

    3. Firewall

      iptables

      ingress and egress; whitelists vs. blacklists

    4. Antivirus

      none built in; ClamAV?

    5. Encryption

      TrueCrypt; SSH; SSL

      data at rest and in motion

    6. Vulnerability

      Nessus; nmap; Metasploit (dangerous!)

    7. Helix (www.e-fense.com), Knoppix, OS rescue CDs, SysRescue, FireCD
  3. Hands-on Time
    1. Update Linux via yum
    2. Install and configure ClamAV
    3. Use tar to back up/restore
    4. Look at /var/log/messages and /var/log/secure
    5. Show tasks
    6. Show scheduled tasks
    7. Show services and the accounts they log on as
    8. Show network and which process owns what port
    9. Show files, hidden included
    10. Set groups and file permissions
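Hands-on step 4 has the student read /var/log/secure by eye; the POSIX sh script below is an added example, not part of the seminar's material, that performs the same review over a constructed sample of sshd and su lines: failed-password attempts per source address, sources past a threshold, and accepted logins including any direct root login over ssh. The host name fedora, the addresses and the log lines are all constructed; on a real host the variable would be replaced by the contents of /var/log/secure.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure lines (sshd and su); not from a real host.
SAMPLE_SECURE='Oct 30 09:12:01 fedora sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40221 ssh2
Oct 30 09:12:04 fedora sshd[2103]: Failed password for root from 192.0.2.10 port 40230 ssh2
Oct 30 09:12:07 fedora sshd[2105]: Failed password for root from 192.0.2.10 port 40236 ssh2
Oct 30 09:15:40 fedora sshd[2140]: Accepted password for ituser from 192.0.2.20 port 51002 ssh2
Oct 30 09:16:02 fedora sshd[2150]: Failed password for ituser from 192.0.2.20 port 51010 ssh2
Oct 30 09:30:11 fedora sshd[2201]: Accepted publickey for root from 198.51.100.7 port 33001 ssh2
Oct 30 09:31:00 fedora su: pam_unix(su:session): session opened for user root by ituser(uid=500)'

# Failed password attempts per source address, most frequent first ("count address").
failed_by_source() {
    printf '%s\n' "$SAMPLE_SECURE" \
      | awk '/sshd\[[0-9]+\]: Failed password/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
             }
             END { for (ip in n) print n[ip], ip }' \
      | sort -rn
}

# Source addresses with at least $1 failures (default 3); these deserve a closer look
# (firewall rule, or a check that the account they tried was not later accepted).
suspicious_sources() {
    threshold=${1:-3}
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Successful ssh logins as user@source, so each can be matched against expected users.
accepted_logins() {
    printf '%s\n' "$SAMPLE_SECURE" \
      | awk '/sshd\[[0-9]+\]: Accepted/ {
                 for (i = 1; i <= NF; i++) {
                     if ($i == "for") { u = $(i+1) }
                     else if ($i == "from") { print u "@" $(i+1) }
                 }
             }'
}

# Direct root logins over ssh; the seminar's root/ituser setup would not expect any.
root_ssh_logins() {
    accepted_logins | grep '^root@' || true
}

echo "Failed attempts by source:"; failed_by_source
echo "Sources at or over threshold:"; suspicious_sources 3
echo "Accepted logins:"; accepted_logins
echo "Direct root logins over ssh:"; root_ssh_logins
```

Remember the caveat from the tools section: a log on a compromised host may have been edited, so a clean result here is not proof of a clean system.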
Cleanup
  1. Clone the disk drives back to master