NSM 09
Cristian-Mihai AMARANDEI
Email: cristian-mihai.amarandei@academic.tuiasi.ro
"Network Service Management" – Course Notes
System security
● The security of a Linux server depends on the actions of the system administrator
– Eliminate potential security risks: remove all services and applications that are not needed
– Make a list of potential sources of attack, internal and external
– It is recommended to disconnect the server from the network before securing it, so that it is not exposed while still unhardened
● BIOS
– Set an access password
– Do not allow booting from floppy, optical drives, USB drives, etc.
– Keep in mind that these measures can be bypassed by anyone with physical access to the server (the BIOS settings can be reset, or the disk removed and read elsewhere); they only raise the bar against casual access
● Security policy
– a list of what is allowed and what is not, on which decisions are based
● Any security policy is based on a certain degree of paranoia:
– you must strike a balance between giving users access to the information they need and completely blocking access to the system
● Choose the right passwords
– !!!! all passwords can be broken, either by brute force or by social engineering; the goal is to make guessing expensive and to limit the damage when a password leaks
– there must be a way to block weak passwords
– Rules:
● Passwords must be at least 6 characters, preferably 8, and contain at least one digit or special character. PASS_MIN_LEN in /etc/login.defs sets the minimum length, but on PAM-based systems it is ignored and length and complexity are enforced by pam_pwquality (pam_cracklib on older systems)
● Must have a validity period (PASS_MAX_DAYS in /etc/login.defs for new accounts; apply it to existing accounts with chage)
● If a password is entered incorrectly a certain number of times, access to the account must be blocked for a while (pam_faillock, or pam_tally2 on older systems)
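The three rules above can be checked mechanically. The following script is an added example written for these notes, not code from the course or from shadow-utils: it parses a login.defs file and reports the password-ageing keys against thresholds (8 characters, 90 days, 7 days warning) that are assumptions chosen for illustration. The sample file at the bottom is constructed to look like a stock, unhardened login.defs.

```shell
#!/bin/sh
# Added example: audit password-ageing settings in an /etc/login.defs file.
# Thresholds (8 chars, 90 days, 7 days warning) are assumptions for illustration.
# Caveat: on PAM-based systems PASS_MIN_LEN is ignored; the minimum length
# is enforced by pam_pwquality (minlen in /etc/security/pwquality.conf).

# login_defs_get FILE KEY: print the effective value of KEY (the last
# uncommented definition wins, as in shadow-utils); prints nothing if unset.
login_defs_get() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# audit_login_defs FILE: print one OK/FAIL line per rule. Always returns 0
# so it can sit in a cron pipeline; count the FAIL lines for a verdict.
audit_login_defs() {
    f="$1"
    min_len=$(login_defs_get "$f" PASS_MIN_LEN)
    max_days=$(login_defs_get "$f" PASS_MAX_DAYS)
    warn_age=$(login_defs_get "$f" PASS_WARN_AGE)

    if [ "${min_len:-0}" -ge 8 ]; then
        echo "OK   PASS_MIN_LEN=$min_len"
    else
        echo "FAIL PASS_MIN_LEN=${min_len:-unset} (want >= 8)"
    fi
    # 99999 is the shadow-utils default and effectively means "never expires".
    if [ -n "$max_days" ] && [ "$max_days" -le 90 ]; then
        echo "OK   PASS_MAX_DAYS=$max_days"
    else
        echo "FAIL PASS_MAX_DAYS=${max_days:-unset} (want <= 90)"
    fi
    if [ "${warn_age:-0}" -ge 7 ]; then
        echo "OK   PASS_WARN_AGE=$warn_age"
    else
        echo "FAIL PASS_WARN_AGE=${warn_age:-unset} (want >= 7)"
    fi
    return 0
}

# audit_login_defs_failures FILE: print the number of failed rules.
audit_login_defs_failures() {
    audit_login_defs "$1" | grep -c '^FAIL' || true
}

# Constructed sample resembling a stock, unhardened login.defs.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Password aging controls (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
audit_login_defs "$sample"   # two FAIL lines (PASS_MIN_LEN, PASS_MAX_DAYS), one OK
rm -f "$sample"
```

Point it at the real file with audit_login_defs /etc/login.defs; because the last definition of a key wins, the script reports what the system actually uses even when a distribution ships several commented and uncommented copies of the same key.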
● Single-user mode
– Use a password to block access to the boot manager options; otherwise anyone at the console can edit the kernel command line (for example append init=/bin/sh) and get a root shell without a password
● For grub (legacy):
– Add a line like the following one to the configuration
password --md5 $1$bgGCL/$4yF3t0py.IjU0LU.q7YfB1
– Generate the hash using the command:
grub-md5-crypt
● For grub2:
– grub2-mkpasswd-pbkdf2 - Generate a PBKDF2 password hash.
– grub2-setpassword - Generate the user.cfg file containing the hashed grub bootloader password (RHEL/CentOS 7 and later).
– On Debian/Ubuntu the tools are named grub-mkpasswd-pbkdf2 and the hash goes into /etc/grub.d/40_custom, followed by update-grub
● How to Set Password for Grub Menu (Debian, Ubuntu, CentOS): https://linoxide.com/linux-how-to/set-grub-password/
– Require the root password in single-user mode: on SysV init, change the file /etc/inittab and add the following line
~~:S:wait:/sbin/sulogin
– On systemd systems rescue.target and emergency.target already run sulogin; the boot loader password is what stops an attacker from bypassing it from the kernel command line
● Disable Ctrl-Alt-Delete
– comment out (prefix with "#") the ca::ctrlaltdel line in /etc/inittab; on systemd systems mask the ctrl-alt-del.target unit instead
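What actually goes into the GRUB2 configuration once the PBKDF2 hash exists, as an added example (not from the course notes or from the GRUB project): a helper that checks the hash has the shape grub-mkpasswd-pbkdf2 prints and emits the stanza for /etc/grub.d/40_custom (Debian/Ubuntu), or the GRUB2_PASSWORD line that grub2-setpassword writes to /boot/grub2/user.cfg on RHEL/CentOS. The hash in the demo is a constructed placeholder, not a real one.

```shell
#!/bin/sh
# Added example: emit the GRUB2 superuser/password stanza for a PBKDF2 hash
# produced by grub-mkpasswd-pbkdf2 (grub2-mkpasswd-pbkdf2 on RHEL/CentOS).
# Debian/Ubuntu: append the stanza to /etc/grub.d/40_custom, then run update-grub.
# RHEL/CentOS:   put "GRUB2_PASSWORD=<hash>" in /boot/grub2/user.cfg (what
#                grub2-setpassword does), then grub2-mkconfig -o /boot/grub2/grub.cfg.

# grub_hash_ok HASH: 0 if HASH looks like grub.pbkdf2.sha512.<iter>.<salt>.<hash>.
grub_hash_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'
}

# grub_password_stanza USER HASH: print the grub.cfg fragment, or fail.
# "set superusers" restricts menu editing and the GRUB shell to USER; once it
# is set, a menu entry boots without a password only if it carries --unrestricted.
grub_password_stanza() {
    user="$1"; hash="$2"
    if ! grub_hash_ok "$hash"; then
        echo "error: '$hash' is not a grub-mkpasswd-pbkdf2 hash" >&2
        return 1
    fi
    printf 'set superusers="%s"\n' "$user"
    printf 'password_pbkdf2 %s %s\n' "$user" "$hash"
}

# grub_user_cfg HASH: print the RHEL-style /boot/grub2/user.cfg content.
grub_user_cfg() {
    grub_hash_ok "$1" || return 1
    printf 'GRUB2_PASSWORD=%s\n' "$1"
}

# Constructed placeholder hash (real salt and hash fields are 128 hex digits each).
demo_hash='grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6A7B'
grub_password_stanza root "$demo_hash"
```

The format check matters because a typo in the pasted hash silently locks everyone out of the GRUB menu (no password will ever verify) while still letting the default entry boot.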
● Root
– Do not allow direct login as root: edit the file /etc/securetty, which lists the consoles where direct root login is allowed (checked by pam_securetty)
● # echo "" > /etc/securetty
– An empty file means root may not log in on any console; administrators then use su or sudo. Remote root login over ssh is controlled separately, by PermitRootLogin in sshd_config
– Set a login timeout
● add: TMOUT=7200 (in seconds - 2h), and mark the variable readonly, otherwise the user can simply unset it
– in the file /etc/profile for all users
– in .bashrc for each user you want
– Set the history size
● HISTFILESIZE=....
● in the file /etc/profile
● HISTFILESIZE=0 - bash truncates .bash_history to zero lines at logout (the file remains, but empty). Note that this removes evidence for forensics as well as for an attacker; a central audit log (auditd) is the better control
● /etc/exports
– controls which file systems are exported to remote hosts using NFS and with which options
– configure the file with the most restrictive access possible: export to specific hosts or networks, never to "*", and read-only where possible
● Option no_root_squash
– root on the client is treated as root on the server; the default, root_squash, maps client root to the anonymous user (nobody) and should be kept unless there is a very specific need
– Beware of the classic syntax trap: a space between the host and the option list ("/home (rw)") exports the directory to every host with those options
– http://nfs.sourceforge.net/nfs-howto/ar01s03.html
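An added example (not from the course notes or from nfs-utils) that audits an exports file for the two problems discussed above: exports open to every host, including the "space before the parentheses" trap, and exports carrying no_root_squash. The sample exports file at the bottom is constructed.

```shell
#!/bin/sh
# Added example: flag dangerous entries in an /etc/exports file.
# Reports exports open to every host (client "*", or an option list that is
# not attached to a host) and exports with no_root_squash.

# audit_exports FILE: print one FAIL line per finding; always returns 0.
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {   # split "host(opt,opt)"
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                # "/dir (rw)" (space before the parentheses) exports to
                # everyone, exactly like an explicit "*".
                if (client == "" || client == "*") {
                    note = (client == "" ? " (option list not attached to a host)" : "")
                    printf "FAIL %s: exported to every host%s\n", path, note
                }
                who = (client == "" ? "*" : client)
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash")
                        printf "FAIL %s %s: no_root_squash (client root is root on the server)\n", path, who
            }
        }
    ' "$1"
    return 0
}

# audit_exports_failures FILE: print the number of findings.
audit_exports_failures() {
    audit_exports "$1" | grep -c '^FAIL' || true
}

# Constructed sample /etc/exports.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
/srv/share  192.168.1.0/24(rw,sync,no_root_squash)
/home       *(rw,sync)
/pub        10.0.0.5(ro,sync,root_squash)
/backup     (rw,no_root_squash)
EOF
audit_exports "$sample"   # four FAIL lines; /pub is clean
rm -f "$sample"
```

Only /pub passes: it is exported to one host, read-only, with root squashed. The /backup line shows why the syntax trap is dangerous: it hands every host on the network root-equivalent write access.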
● Limit the number of virtual consoles
– the default is 6
– on SysV init, edit the /etc/inittab file to look like
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
● Run the command /sbin/init q to make init re-read the file (the parameter q or Q tells the init process to re-examine /etc/inittab without restarting)
– on systemd there is no /etc/inittab; the number of consoles is set by NAutoVTs= in /etc/systemd/logind.conf
● file /etc/services
– maps port numbers to service names (used by tools such as netstat and by getservbyname()); it does not control which services run
● Only root should modify this file
– Set the immutable attribute on the file to prevent accidental modification or deletion (even by root)
● chattr +i /etc/services
● chattr -i /etc/services - unset the immutable flag (needed before a package upgrade can update the file)
● Special user accounts
– Various applications have a special account under which they run
● If these applications are not installed, the account should be removed
– Also delete the related groups
– Check that they have not reappeared after upgrades
– Set the immutable flag on the files:
/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow
– Caveat: while the flag is set, password changes, useradd/usermod and package post-install scripts that create service accounts all fail; remove the flag (chattr -i) before such changes and set it again afterwards
● Partition mount options
– In the file /etc/fstab, the following options can be added:
● defaults - use the default options: rw, suid, dev, exec, auto, nouser, async (quotas are not enabled by default)
● noquota - Do not enforce user quotas on this partition.
● nosuid - Ignore the SUID/SGID bits on this partition.
● nodev - Do not interpret character or block special devices on this partition.
● noexec - Do not allow execution of any binaries on this partition.
● quota - Enable user quotas on this partition.
● ro - Mount read-only.
● rw - Mount read-write.
● suid - Honour the SUID/SGID bits on this partition.
– Typical hardening: nodev,nosuid,noexec on /tmp, /var/tmp and /dev/shm, and nodev,nosuid on /home. noexec is only a speed bump (a script can still be run by passing it to an interpreter), so it complements rather than replaces other controls.
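An added example (not from the course notes or from util-linux) that checks an fstab file for the options above on the mount points where they are usually expected. The table of required options is an assumption for illustration, and the sample fstab at the bottom is constructed.

```shell
#!/bin/sh
# Added example: check /etc/fstab for nodev/nosuid/noexec on the mount
# points where they are usually expected. The required-option table is an
# assumption for illustration; adjust it to the system's real needs.

# fstab_required_opts MOUNTPOINT: print the options expected for it.
fstab_required_opts() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
        /home)                  echo "nodev nosuid" ;;
        /boot)                  echo "nodev nosuid noexec" ;;
        *)                      echo "" ;;
    esac
}

# fstab_has_opt OPTS OPT: 0 if the comma-separated OPTS contains OPT exactly
# (so "nodevice" does not satisfy "nodev").
fstab_has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab FILE: one FAIL line per missing option; always returns 0.
audit_fstab() {
    # fields: device mountpoint type options dump pass; skip comments/blank lines
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ && NF >= 4 { print $2, $4 }' "$1" |
    while read -r mp opts; do
        for want in $(fstab_required_opts "$mp"); do
            fstab_has_opt "$opts" "$want" ||
                echo "FAIL $mp: missing $want (options: $opts)"
        done
    done
    return 0
}

# audit_fstab_failures FILE: print the number of missing options.
audit_fstab_failures() {
    audit_fstab "$1" | grep -c '^FAIL' || true
}

# Constructed sample /etc/fstab.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <device>        <mount>    <type>  <options>                    <dump> <pass>
UUID=1111-2222    /          ext4    defaults                     1 1
UUID=3333-4444    /home      ext4    defaults                     1 2
tmpfs             /tmp       tmpfs   defaults                     0 0
UUID=5555-6666    /boot      ext4    defaults,nodev,nosuid,noexec 1 2
EOF
audit_fstab "$sample"   # five FAIL lines: two for /home, three for /tmp
rm -f "$sample"
```

Note that "defaults" alone on /tmp means dev, suid and exec are all allowed there, which is exactly what an attacker who can write to /tmp wants; the check reads the options column only, so it says nothing about file systems that are mounted but not listed in fstab (compare against the output of mount for those).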
● /usr - can be mounted read-only (static data); remount it read-write only for package updates
● /etc/init.d
– Only root should have full access (chmod 700)
● /etc/cron.daily/
– Change the access rights from 750 to 550
● find all files with the SUID or SGID bit set and eliminate as many of them as possible
– !!!! Not all of them; your system needs some suid root programs to work properly, so be careful (e.g. /usr/bin/passwd, su, sudo). Remove the bit (chmod u-s, chmod g-s) rather than deleting the program, and keep the list as a baseline to compare against later
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;
● Don't let internal machines tell the server what their MAC address is
– add them manually to the ARP table of the Linux server as permanent entries
– If someone changes their IP address, the server simply won't talk to them
● # arp -s 207.35.78.3 00:50:DA:C6:D3:FF
● # arp -s 192.168.1.11 00:50:DA:C6:D3:09
● # arp
– Caveats: arp(8) belongs to the deprecated net-tools package (the iproute2 replacement is ip neigh); static entries do not survive a reboot, so they must be re-applied at boot; and they only stop ARP spoofing by hosts that cannot also change their MAC address
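The same idea with the iproute2 command, as an added example (not from the course notes or from iproute2): a loader that reads an "IP MAC" table, validates each line and applies it with ip neigh, the equivalent of the arp -s commands above. The sample table is constructed (the two addresses from the slide plus two deliberately bad lines), and the optional third argument lets the demo print the commands instead of executing them, since applying them needs root and a real interface.

```shell
#!/bin/sh
# Added example: load permanent ARP entries from an "IP MAC" table with the
# iproute2 command (ip neigh), validating each line first. Run it from a
# boot script, since static neighbour entries do not survive a reboot.
# Usage: static_arp_apply FILE IFACE [echo]   (third arg "echo" = dry run)

# valid_ipv4 ADDR: 0 if ADDR is four dotted decimal octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                        # split the octets into $1..$4
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# valid_mac ADDR: 0 if ADDR is six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# static_arp_apply FILE IFACE [RUNNER]: for each valid "IP MAC" line run
# "ip neigh replace IP lladdr MAC dev IFACE nud permanent" (the iproute2
# equivalent of "arp -s IP MAC"). RUNNER (default: none) is prefixed to the
# command, so "echo" prints instead of executes. Bad lines are reported on
# stderr and skipped; the function returns the number of bad lines.
static_arp_apply() {
    file="$1"; iface="$2"; runner="${3:-}"; bad=0
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac       # blank or comment line
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            $runner ip neigh replace "$ip" lladdr "$mac" dev "$iface" nud permanent
        else
            echo "skipping bad entry: '$ip' '$mac'" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample table: the two hosts from the slide plus two bad lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ip            mac
207.35.78.3     00:50:DA:C6:D3:FF
192.168.1.11    00:50:DA:C6:D3:09
192.168.1.300   00:50:DA:C6:D3:0A
192.168.1.12    00-50-DA-C6-D3-0B
EOF
static_arp_apply "$sample" eth0 echo || echo "$? entries skipped" >&2
rm -f "$sample"
```

Validation matters here because ip neigh replace with a malformed address fails half-way through the table and leaves the server with partial protection; rejecting bad lines up front and reporting them keeps the good entries in place.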
● look everywhere on the system for unusual or hidden files
● Unusual filenames can be used to hide information:
"...", ".. " (two dots and a space), "..^G" (two dots and a control character, Ctrl-G)
● find / -xdev -name ".. " -print
● find / -xdev -name ".*" -print | cat -v
– cat -v makes control characters visible (^G); -xdev keeps find on one file system, so repeat the search for each mounted partition
● Find group- and world-writable files and directories
find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
– world-writable directories should at least have the sticky bit set (as /tmp does), so that users cannot delete each other's files
● Find all unowned files (no matching user or group in /etc/passwd or /etc/group; often left behind by removed accounts)
find / \( -nouser -o -nogroup \) -print
● Find .rhosts files
– you should not have any .rhosts files on your system after a new install (they belong to the obsolete rsh/rlogin trust mechanism, as does /etc/hosts.equiv)
● find /home -name .rhosts
● Use a cron job to periodically check for and report .rhosts files (the script below only mails the file names; extend it if you also want their contents mailed or the files deleted)
– As root create the file /etc/cron.daily/rhosts.cron
#!/bin/sh
# Mail root the list of .rhosts files found under /home (runs daily from cron.daily)
/usr/bin/find /home -name .rhosts | (cat <<EOF
This is an automated report of possibly existing .rhosts files on
the server deep.openna.com, generated by the find utility command.
Newly detected .rhosts files under the /home/ directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root
– chmod 550 /etc/cron.daily/rhosts.cron
– chown 0:0 /etc/cron.daily/rhosts.cron
● Use a specialized utility for checking system integrity
– Host-based Intrusion Detection System (HIDS) or Host Integrity Monitoring System: they record a baseline of file hashes, permissions and owners, and report any later change
● Tripwire https://github.com/Tripwire/tripwire-open-source
● AIDE https://aide.github.io/
● OSSEC https://www.ossec.net
● SAMHAIN https://la-samhna.de/samhain/
– Keep the baseline database (and ideally the tool itself) on read-only or offline media; a baseline stored on the monitored host can be regenerated by an attacker who has root
– Use rpm features to verify the integrity of installed packages (each output line shows which attributes differ: S size, M mode, 5 digest, U user, G group, T mtime)
● rpm -Va > /root/rpm_chk.txt &
– The RPM database lives on the same host, so this catches accidental changes and unsophisticated tampering, not an attacker who also edited the database
– Sentry Tools (PortSentry, LogSentry, HostSentry): http://sourceforge.net/projects/sentrytools/ (no longer maintained)
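To make concrete what the HIDS tools above do, and how the SUID/SGID audit from the earlier slide fits in, here is a minimal integrity checker written as an added example for these notes (it is not AIDE, Tripwire or any other project's code): it records mode, owner, group and SHA-256 of every regular file under a directory, then reports added, removed and changed files. Because the mode is part of the record, a newly set SUID bit shows up as a change. It relies on GNU find (-printf) and sha256sum; the directory it tampers with in the demo is constructed in a temporary location.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline in the spirit of AIDE or
# Tripwire (not their code). It records mode, owner, group and SHA-256 for
# every regular file under a directory and later reports what changed.
# Because the mode is recorded, a newly set SUID/SGID bit shows up as CHANGED.
# Requires GNU find (-printf) and sha256sum. In real use, store the baseline
# off the host or on read-only media so that root on the host cannot rewrite it.

# integrity_baseline DIR OUT: write "mode user group sha256 path" lines to OUT.
integrity_baseline() {
    find "$1" -xdev -type f -printf '%m %u %g %p\n' | sort -k5 |
    while read -r mode user group path; do
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        printf '%s %s %s %s %s\n' "$mode" "$user" "$group" "$sum" "$path"
    done > "$2"
}

# integrity_check DIR BASELINE: print ADDED / REMOVED / CHANGED lines by
# comparing a fresh snapshot of DIR against BASELINE; prints nothing if clean.
integrity_check() {
    cur=$(mktemp)
    integrity_baseline "$1" "$cur"
    awk '
        # the path is everything after the first four fields (it may contain spaces)
        function key()   { return substr($0, length($1) + length($2) + length($3) + length($4) + 5) }
        function attrs() { return $1 " " $2 " " $3 " " $4 }
        FILENAME == ARGV[1] { old[key()] = attrs(); next }     # baseline file
        {
            k = key(); seen[k] = 1
            if (!(k in old))            print "ADDED   " k
            else if (old[k] != attrs()) print "CHANGED " k " (" old[k] " -> " attrs() ")"
        }
        END { for (k in old) if (!(k in seen)) print "REMOVED " k }
    ' "$2" "$cur"
    rm -f "$cur"
}

# Demo on a constructed directory: baseline, then tamper, then check.
d=$(mktemp -d); base=$(mktemp)
printf 'hello\n' > "$d/a"; printf 'world\n' > "$d/b"
integrity_baseline "$d" "$base"
printf 'tampered\n' > "$d/a"      # content change -> hash differs
chmod u+s "$d/b"                  # SUID bit set   -> mode differs
printf 'new\n' > "$d/c"           # new file
integrity_check "$d" "$base"      # prints CHANGED a, CHANGED b, ADDED c
rm -rf "$d" "$base"
```

Real tools add what this leaves out: inode, link count and timestamps, exclusion lists for files that legitimately change (logs, spool), signed databases, and a mode that updates the baseline only after a reviewed package upgrade. The principle is the same: the baseline is the authority, and any difference is a question for the administrator to answer, not noise to ignore.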
Reading assignment
● Red Hat Enterprise Linux 7 System Administrator's Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/system_administrators_guide/Red_Hat_Enterprise_Linux-7-System_Administrators_Guide-en-US.pdf
– Chapter 26 (grub2)
● Red Hat Enterprise Linux 7 Security Guide
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/pdf/security_guide/Red_Hat_Enterprise_Linux-7-Security_Guide-en-US.pdf
– Chapters 4, 6
● Red Hat Enterprise Linux 8 Security hardening
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/pdf/security_hardening/Red_Hat_Enterprise_Linux-8-Security_hardening-en-US.pdf
– Chapter 7 (AIDE)
● Securing & Optimizing Linux: Red Hat Edition (v.1.3) - http://www.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3.pdf
– Chapter 3
● Kurt Seifried, Linux Administrator's Security Guide
– http://www.unixy.pl/forum/art/pdf/lasg-0-1-7.pdf
References
This presentation is intended for lecturing purposes only and is based on the references listed in the reading assignment. Students are therefore encouraged to (and should) read the original documents thoroughly in order to improve their skills.