Threats, Vulnerabilities & Security measures in Linux
Transcript of Threats, Vulnerabilities & Security measures in Linux
By: Ghulam Jilani, Amitesh Bharti, Rahul Kumar Gupta
Guide: Mr Ganesh Kumar Wadhwani
Linux is a kernel developed by Linus Torvalds. Combined with the GNU project of Robert Stallman it is known as the GNU/Linux operating system; the initial version was released in 1991.
- Unix-like operating system
- Open source
- Freeware
- GPL / copyleft
- Many vendors (Red Hat, SUSE, etc.)
- Comparatively more secure than other available operating systems
In the most generic sense, security is the need to protect ourselves against intruders in the real world, keeping us and our assets safe. The same applies to an operating system.
The most common security terms are:
a) Assets: an asset is what we are trying to protect (people, property and information).
b) Threats: a threat is what we are trying to protect against; anything that can exploit a vulnerability.
c) Vulnerability: a weakness or gap in our protection efforts / security program.
d) Attack: a sequence of actions exploiting a vulnerability.
e) Risk: the intersection of assets, threats and vulnerabilities.
Threats / Vulnerabilities / Security measures
Linux: what are its threats?
Trojan horse: sends information to a third party without your knowledge. A Trojan that lets an attacker gain access to your machine is called a Remote Access Trojan (RAT).
Phishing threats: someone posing as a trustworthy person steals your information.
Hackers: looking for credit card numbers or any other information for their own gain.
Worms: programs that replicate and spread; they do not need another program to propagate.
Spyware: sends information about you and your system to somebody else; monitors your online activities.
Adware: automatically plays, displays or downloads advertisements to a computer.
Viruses: alter the way a computer operates; a virus cannot do anything unless you run it. Types of viruses: 1. boot sector infectors, 2. file infectors, 3. macro viruses.
Trojans: Kaiten (Linux.Backdoor.Kaiten trojan horse), Rexob (Linux.Backdoor.Rexob trojan), Waterfall screensaver backdoor (on gnome-look.org)
Viruses: Alaeda (Virus.Linux.Alaeda), Brundle, Bukowski, HAPPYNEWYEAR, Coin, Diesel (Virus.Linux.Diesel), ILOVEYOU, Kagob a (Virus.Linux.Kagob.a), Kagob b (Virus.Linux.Kagob.b)
Worms: Adm (Net-Worm.Linux.Adm), Adore, Cheese (Net-Worm.Linux.Cheese), Kork, Linux/Lupper.worm, Mighty (Net-Worm.Linux.Mighty), Millen (Linux.Millen.Worm), Slapper, SSH Bruteforce
Linux: what are its vulnerabilities?
Trapdoor, logic bomb, rootkit, buffer overflow, cross-platform viruses, social engineering.
Trapdoor / back door: an undocumented method of access, written by the original programmer; used in both legal and illegal ways.
Logic bomb: a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
Rootkit: a set of tools used by an intruder after cracking a computer system. It helps the attacker maintain his or her access to the system and use it for malicious purposes, and it hides the data that would indicate an intruder has control of your system. Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows.
Root kits:
- Contain Trojan binary programs ready to be installed by an intruder with root access to the system
- The attacker hides the tools used for later attacks
- Replace legitimate commands with Trojan programs
- E.g. LRK5
Tools to check for root kits:
- Rootkit Hunter
- Chkrootkit
Vulnerabilities (continued)
- Scan the system(s) for un-patched code/modules
- Intruders usually focus on a small number of exploits
Once an intruder gains root access, his next step is to make sure that he does not get caught.
A Trojan horse is a malicious program that is disguised as legitimate software. Trojan horse programs are bundled in the form of "rootkits", originally written for Sun's Berkeley flavor of Unix (SunOS 4).
Get a program to scan /bin/login and see if it has been corrupted. Tools like Tripwire can check the integrity of the file if a hash was generated at install time. Identify and replace the files that have been modified; use an md5 checksum to check the authenticity of the program.
Tools: Chkrootkit, Tripwire, Rkscan, Carbonite, Rkdet, Checkps, LSM (Loadable Security Module), LCAP (Linux Kernel Capability Bounding Set Editor)
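The install-time baseline and later integrity check described above, as an added example that is not code from the slides or from Tripwire. The slides mention md5 checksums; this uses sha256sum because MD5 collisions are practical, and the directory and baseline paths are parameters so it can be exercised on a scratch directory as well as on /bin or /sbin.

```shell
#!/bin/sh
# Added example, not code from the slides: build a hash baseline of system
# binaries on a known-good system and verify it later, the workflow that
# Tripwire automates and that the slides describe for /bin/login.
# Requires GNU coreutils and findutils (sha256sum, sort -z, xargs -0).
set -u

# baseline_create DIR BASELINE
# Record "hash  path" for every regular file under DIR into BASELINE.
# Run this once right after installation and keep BASELINE on read-only or
# off-host media: a baseline stored on the same disk can be rewritten by the
# same intruder who replaced the binary.
baseline_create() {
    dir=$1
    baseline=$2
    find "$dir" -type f -print0 2>/dev/null | sort -z | xargs -0 -r sha256sum > "$baseline"
}

# baseline_verify BASELINE
# Re-hash every recorded file. Returns 0 if all hashes still match, 1 if any
# recorded file has changed or can no longer be read.
baseline_verify() {
    baseline=$1
    sha256sum -c "$baseline" >/dev/null 2>&1
}

# changed_files BASELINE
# Print the paths whose hash no longer matches (or that are missing), one per
# line; these are the files to replace from trusted installation media.
# sha256sum -c reports "path: OK", "path: FAILED" or "path: FAILED open or read".
changed_files() {
    baseline=$1
    sha256sum -c "$baseline" 2>/dev/null | grep -v ': OK$' | sed 's/: FAILED.*$//'
}
```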
Buffer overflows write code into the OS's memory and then run some type of program; they can elevate the attacker's permissions to the level of the owner. A buffer overflow program looks like:
The program compiles but returns the following error:
Guidelines to help reduce this type of attack:
- Avoid functions known to have buffer overflow vulnerabilities: strcpy(), strcat(), sprintf(), gets()
- Configure the OS to not allow code in the stack to run any other executable code in the stack
- Use compilers that warn programmers when the functions listed in the first bullet are used
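A grep-based audit for the four calls listed in the first guideline, as an added example that is not from the slides. It stands in for the compiler warnings the third guideline asks for and can run over a source tree as a build gate; the function names and regular expressions are this example's own, and it assumes GNU grep and sed.

```shell
#!/bin/sh
# Added example, not code from the slides: flag calls to the unsafe C library
# functions named on the slide (strcpy, strcat, sprintf, gets) in C sources.
set -u

UNSAFE_CALLS='strcpy|strcat|sprintf|gets'

# unsafe_calls FILE...
# Print "file:line: function" for every call to one of the listed functions.
# A non-identifier character must precede the name, so the bounded relatives
# strncpy, strncat, snprintf and fgets are not reported, and a '(' must follow
# it, so a mention in a comment or a string is less likely to match.
unsafe_calls() {
    grep -nHE "(^|[^A-Za-z0-9_])($UNSAFE_CALLS)[[:space:]]*\(" "$@" \
        | sed -E "s/^([^:]+:[0-9]+):.*[^A-Za-z0-9_]($UNSAFE_CALLS)[[:space:]]*\\(.*\$/\\1: \\2/"
}

# count_unsafe_calls FILE...
# Number of flagged lines; a non-zero count means the code needs review
# before it is built with these calls left in.
count_unsafe_calls() {
    unsafe_calls "$@" | wc -l | tr -d ' '
}
```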
Sniffers work by setting a network adapter in promiscuous mode, so the NIC accepts all packets that traverse the network cable. The attacker can then analyze the packets and learn user names and passwords. Avoid using protocols such as Telnet, HTTP and FTP that send data in clear text.
Sniffers: tcpdump, Ethereal (Wireshark)
Footprinting techniques are used to find out information about a target system. Footprinting tools include Whois databases, DNS zone transfers, Nessus and port scanning tools. Determining the OS version the attacked computer is running: check newsgroups for details in posted messages; knowing a company's e-mail address makes the search easier.
Social engineering goal: to get OS information from company employees. Common techniques: urgency, quid pro quo, status quo, kindness, position. Train your employees about social engineering techniques.
- Users must be told not to reveal information to outsiders
- Make customers aware that many exploits can be downloaded from Web sites
- Teach users to be suspicious of people asking questions about the system they are using; verify the caller's identity (call-back technique)
Keep current on new kernel releases and security updates. Installing these fixes is essential to protecting your system; use automated tools for updating your systems.
Linux: make it more secure
- How to physically secure a Linux server
- Precautions during installation of Linux
- Precautions post installation
BIOS password: setting a BIOS password protects the system configuration from being reset or altered by intruders.
Place servers in a controlled area:
- Server rooms should always be locked
- Monitoring should be both via cameras and by humans
- Implement access controls such as biometrics or other means of logging entries
- Servers should be visible from outside the room so that operators notice any potential threats or hazards
- A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms. Choosing suitable racks:
- Racks are to be made of heavy and durable material
- Individual locks are required for each server in the rack
- Implement logging controls on each lock
Prevent servers from being booted through other media.
Conceal cabling and power outlets:
- They are the main source of data flow and operation
- Unprotected cabling may result in an attacker ...
Precautions during installation:
- A Linux installation should be planned out initially to achieve the best performance
- The purpose of usage is crucial to determine which packages or services need to be installed
Install from a clean formatted drive:
- The installation should be run on a clean formatted drive
- Run disk utilities to find bad sectors (fsck)
- If such problems arise, consider replacing the drive and run the diagnostics again
Partitions:
- Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
- Example: a /usr directory on a different partition (hda3) is not affected if the partition 'hda1' fails or becomes corrupted
Custom installation:
- Installation must be done with custom or minimal packages as far as possible
- This prevents unnecessary services from running on either workstations or servers
- Additional packages can be installed later depending on the purpose of usage
- Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL etc. as required; having other services such as Sendmail (mail server) may jeopardize the web server's security
Patches:
- Patches that are acquired should be tested on a test system before implementing them at production level, to ensure the patches don't crash the production system and cause unnecessary downtime
- Update and patch sites differ for each Linux distribution or package. Major package sites:
  Red Hat Linux: http://www.redhat.com/support/errata
  Mandrake Linux: http://www.mandrakesoft.com/security
Accounts and password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow passwords are not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
- Limit the ability to access areas of the system by using "groups" to categorize users
  o Use the groupadd <groupname> command to create a group
  o Use useradd -g <groupname> <username> to add a new user to the group, or usermod -g <groupname> <username> for an existing user
- Enforce password aging, which forces users to change their passwords from time to time
  o The chage command is used to enforce password aging
- The default minimum password length allowed in Linux is 5. Change it to force users to choose passwords of more than 8 characters; longer passwords take longer to crack
  o vi /etc/login.defs
  o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts: there are 2 ways to accomplish this
- The userdel command is used to delete user accounts, e.g. userdel -r ftp removes the user account 'ftp' together with its home directory and the files residing in it
- The other way is to manually remove the entries related to the user account from /etc/passwd and /etc/shadow:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   (remove from /etc/passwd)
  ftp:*:12329:0:99999:7:::   (remove from /etc/shadow)
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
HISTFILESIZE=
TMOUT=3600
Services/daemons are background programs that serve a utility function without being called by a user. Ports are designated to provide a gateway to the services; ports are numbered from 1 to 65535.
Example: to stop sendmail, run service sendmail stop
Common services:
apmd: required only on laptops to monitor battery information
portmap: only if RPC services are running (which is dangerous), i.e. NFS, NIS
pcmcia: required only on laptops
telnet: use Secure Shell (SSH) instead
finger: used to query account information
samba: used to share volumes with Windows clients
sendmail: mail server, depends on purpose
httpd: Apache web server, depends on purpose
mysql: database server
vnc: remote desktop administration
nfs: network file server
xfs: X font server
xinetd is a secure replacement for inetd; it is also known as the internet service daemon. inetd is a daemon that controls and manages several other daemons: it calls those daemons that are needed by the system to perform various duties. inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
[root@asydz etc]# ls -l xinetd.conf
-rw-r--r-- 1 root root 289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services. tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
- /etc/hosts.allow
- /etc/hosts.deny
The best policy is to deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and then explicitly list the trusted hosts who are allowed to connect to the ...
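An audit of the post-installation settings covered by the account, TMOUT, xinetd and TCP wrapper slides above (PASS_MIN_LEN, TMOUT in /etc/profile, xinetd.conf ownership and permissions, the default-deny rule in hosts.deny), as an added example that is not from the deck. ROOT is a prefix so the checks can be pointed at a constructed copy of /etc or at the live system; the OWNER parameter exists only so the xinetd check can be exercised without root, and GNU sed, awk and stat are assumed.

```shell
#!/bin/sh
# Added example, not code from the slides: check the hardening settings the
# deck recommends. Each check prints one PASS/FAIL line and returns 0 or 1;
# audit_all returns the number of failed checks (0 = everything in order).
set -u

# conf_value FILE KEY
# Value of KEY in a login.defs-style file ("KEY VALUE", '#' comments are
# never matched because the key is compared as a whole first field); empty
# if absent. The last occurrence wins, as it does for login.defs.
conf_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v }' "$1" 2>/dev/null
}

# check_pass_min_len ROOT: the slide raises PASS_MIN_LEN from 5 to 8.
check_pass_min_len() {
    f="$1/etc/login.defs"
    v=$(conf_value "$f" PASS_MIN_LEN)
    if [ -n "$v" ] && [ "$v" -ge 8 ] 2>/dev/null; then
        echo "PASS PASS_MIN_LEN=$v"; return 0
    fi
    echo "FAIL PASS_MIN_LEN=${v:-unset} (want 8 or more)"; return 1
}

# check_tmout ROOT: an idle root shell must time out; accept "TMOUT=N" or
# "export TMOUT=N" on an uncommented line of /etc/profile.
check_tmout() {
    f="$1/etc/profile"
    v=$(sed -nE 's/^[[:space:]]*(export[[:space:]]+)?TMOUT=([0-9]+).*/\2/p' "$f" 2>/dev/null | tail -n 1)
    if [ -n "$v" ] && [ "$v" -gt 0 ]; then
        echo "PASS TMOUT=$v"; return 0
    fi
    echo "FAIL TMOUT not set in /etc/profile"; return 1
}

# check_xinetd_conf ROOT [OWNER]
# The file must be owned by OWNER (root on a live system; a parameter only so
# the check can run unprivileged) and must not be writable by group or others,
# otherwise a non-root user could add or alter services.
check_xinetd_conf() {
    f="$1/etc/xinetd.conf"
    want=${2:-root}
    owner=$(stat -c %U "$f" 2>/dev/null) || { echo "FAIL $f missing"; return 1; }
    perms=$(stat -c %A "$f")   # symbolic mode, e.g. -rw-r--r--
    case $perms in
        ?????w*|????????w*)    # group (char 6) or other (char 9) write bit set
            echo "FAIL xinetd.conf is group/world writable ($perms)"; return 1 ;;
    esac
    if [ "$owner" = "$want" ]; then
        echo "PASS xinetd.conf owned by $owner, mode $perms"; return 0
    fi
    echo "FAIL xinetd.conf owned by $owner, expected $want"; return 1
}

# check_hosts_deny ROOT: an uncommented "ALL: ALL..." rule (the slide's
# "ALL: ALL@ALL, PARANOID") must be present so that anything not listed in
# hosts.allow is refused.
check_hosts_deny() {
    f="$1/etc/hosts.deny"
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$f" 2>/dev/null; then
        echo "PASS default deny present in hosts.deny"; return 0
    fi
    echo "FAIL no 'ALL: ALL' rule in /etc/hosts.deny"; return 1
}

# audit_all ROOT [OWNER]: run every check; return value is the failure count.
audit_all() {
    root=$1
    owner=${2:-root}
    failed=0
    check_pass_min_len "$root" || failed=$((failed + 1))
    check_tmout "$root" || failed=$((failed + 1))
    check_xinetd_conf "$root" "$owner" || failed=$((failed + 1))
    check_hosts_deny "$root" || failed=$((failed + 1))
    return $failed
}
```

Run it on the live system as `audit_all ""` (ROOT empty, OWNER defaulting to root).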
In a default Linux environment the login screen shows important information such as the Linux distribution name, version and kernel information. With this information a potential attacker may have what he/she needs to focus an attack on a specific version or distribution. Following these steps disables the information so that only 'login' is shown at the login prompt.
Edit /etc/rc.d/rc.local and comment out the following lines:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
echo "" > /etc/issue
echo "$R" >> /etc/issue
echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
cp -f /etc/issue /etc/issue.net
echo >> /etc/issue
Third-party utilities: prevent or detect malicious activities; check the integrity of system files.
Examples: Tripwire is a policy-driven file system integrity checker. The Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Linux is a Kernel developed by Linus TorvaldsCombined with GNU project of Robert Stallman it is known as GNU-LINUX operating systemhellip initial version was released on 1991
-Unix like operating system-Open source-Freeware-GPL-Copy left-Many vendors(redhat susehellipetc)-Comparatively most secured than
other available OS
Most generic term can relate with the security need to protect us against intruders in real worldhellip That keeps us amp our assets safehellipSame in OS
- Most common security terminologies are-agt Assets -An asset is what wersquore trying to protecthellip
- People property and information
bgt Threats-A threat is what wersquore trying to protect against-Anything that can exploit the vulnerability
cgt Vulnerability-A vulnerability is a weakness or
gap in our protection effortssecurity program
dgt Attack - Sequence of actions of exploiting
a vulnerability
egt Risk-Risk is the intersection of assets
threats and vulnerabilities
ThreatsVulnerabilitiesSecurity measures
Linux helliphellipWhat are itrsquos threats
Trojan Horse- Sending information to third party without knowing to
you It allow a hacker to gain access to your machine called
Remote Access Trojans (RATs)
Phishing Threats- Trustworthy person steal your information
Hackers- Looking for credit card no or any other information for
their gain
Worms ndash Programs that replicates and spread Need not another program to propagate itself
Spyware- Send information about you and your system to somebody
else Monitors your online activities
Adware- It automatically plays displays or downloads your advertisement
to a computer Viruses ndash
It alter the way a computer operates It can not do anything unless you run it Types of viruses 1 Boot Sector Infectors2 File Infectors3 Macro viruses
Trojans Kaiten - LinuxBackdoorKaiten trojan horse Rexob - LinuxBackdoorRexob trojan Waterfall screensaver backdoor - on gnome-lookorg
Viruses Alaeda - VirusLinuxAlaeda Brundle Bukowski HAPPYNEWYEAR Coin Diesel - VirusLinuxDiesel ILOVEYOU Kagob a - VirusLinuxKagoba Kagob b - VirusLinuxKagobb
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
-Unix like operating system-Open source-Freeware-GPL-Copy left-Many vendors(redhat susehellipetc)-Comparatively most secured than
other available OS
Most generic term can relate with the security need to protect us against intruders in real worldhellip That keeps us amp our assets safehellipSame in OS
- Most common security terminologies are-agt Assets -An asset is what wersquore trying to protecthellip
- People property and information
bgt Threats-A threat is what wersquore trying to protect against-Anything that can exploit the vulnerability
cgt Vulnerability-A vulnerability is a weakness or
gap in our protection effortssecurity program
dgt Attack - Sequence of actions of exploiting
a vulnerability
egt Risk-Risk is the intersection of assets
threats and vulnerabilities
ThreatsVulnerabilitiesSecurity measures
Linux helliphellipWhat are itrsquos threats
Trojan Horse- Sending information to third party without knowing to
you It allow a hacker to gain access to your machine called
Remote Access Trojans (RATs)
Phishing Threats- Trustworthy person steal your information
Hackers- Looking for credit card no or any other information for
their gain
Worms ndash Programs that replicates and spread Need not another program to propagate itself
Spyware- Send information about you and your system to somebody
else Monitors your online activities
Adware- It automatically plays displays or downloads your advertisement
to a computer Viruses ndash
It alter the way a computer operates It can not do anything unless you run it Types of viruses 1 Boot Sector Infectors2 File Infectors3 Macro viruses
Trojans Kaiten - LinuxBackdoorKaiten trojan horse Rexob - LinuxBackdoorRexob trojan Waterfall screensaver backdoor - on gnome-lookorg
Viruses Alaeda - VirusLinuxAlaeda Brundle Bukowski HAPPYNEWYEAR Coin Diesel - VirusLinuxDiesel ILOVEYOU Kagob a - VirusLinuxKagoba Kagob b - VirusLinuxKagobb
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
- Users must be told not to reveal information to outsiders
- Make customers aware that many exploits can be downloaded from Web sites
- Teach users to be suspicious of people asking questions about the system they are using; verify the caller's identity (call-back technique)
Keep current on new kernel releases and security updates. Installing these fixes is essential to protecting your system; use automated tools for updating your systems.
Linux ……… Make it more secure
How to physically secure a Linux server
Precautions during installation of Linux
Precautions post installation
BIOS Password
Setting up a BIOS password protects the system configuration from being reset or altered by intruders.
Place servers in a controlled area
- Server rooms should always be locked
- Monitoring should be both controlled via cameras and human
- Implement access controls such as biometric or other means of logging entries
- Servers should be visible from outside the room for operators to notice any potential threats or hazards
- A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks:
- Racks are to be made of heavy and durable material
- Individual locks are required for each server in the rack
- Implement logging controls on each lock
Prevent servers from being booted through other media
Conceal cabling and power outlets
- It is a main source of data flow and operation
- Unprotected cabling may result in an attacker
- Linux installation should be planned out initially to achieve the best quality performance
- Purpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive
- Installation should be run on a clean formatted drive. Run disk utilities to find bad sectors (fsck). In the case of such problems arising, consider replacing the drive and running diagnostics again.
Partitions
- Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
- Example: the /usr directory on a different partition (hda3) is not affected if a partition fails or corrupts in 'hda1'
Custom installation
- Installation must be done with custom or minimal packages as far as possible
- This prevents unnecessary services from running on either workstations or servers
- Additional packages can be installed later depending on the purpose of usage
- Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security
Patches
- Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime
- Update and patch sites differ for each Linux distribution or package. Here is a list of major package sites:
Redhat Linux: http://www.redhat.com/support/errata
Mandrake Linux: http://www.mandrakesoft.com/security
Accounts, password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file
Accounts policy
- Limit the ability to access areas of the system by using "groups" to categorize users
  - Use the groupadd <groupname> command to create a group
  - Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username>
- Enforce password aging that forces users to change their passwords from time to time
  - The chage command is used to enforce password aging
- The default allowable password length in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (they take longer to crack)
  - vi /etc/login.defs
  - Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts. There are 2 ways to accomplish this:
- The userdel command is used to delete user accounts, i.e. userdel -r ftp; this will remove the user account 'ftp', its home directory and the files residing in it
- The other way is by manually removing the entries from /etc/passwd and /etc/shadow related to the user account:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  - remove in /etc/passwd
  ftp:*:12329:0:99999:7:::  - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
HISTFILESIZE=
TMOUT=3600
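The account checks above, as an added Python audit script (not from the original slides); the passwd, shadow, login.defs and profile contents it reads are constructed samples, and the 499 system-UID boundary is an assumption:

```python
"""Audit of the account and password items described above: unshadowed
password hashes, service accounts that still have a login shell, locked
accounts that can be removed, PASS_MIN_LEN in /etc/login.defs and TMOUT in
/etc/profile. Added example, not code from the original slides; the four file
contents below are constructed samples.
"""
import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
guest:$1$constructed$notarealhash:1001:1001::/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:12329:0:99999:7:::
ftp:*:12329:0:99999:7:::
games:!!:12329:0:99999:7:::
"""

SAMPLE_LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n"
SAMPLE_PROFILE = "HISTFILESIZE=\nexport PATH USER LOGNAME\n"

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/csh", "/bin/tcsh", "/bin/zsh", "/bin/ksh"}


def parse_passwd(text):
    """Parse /etc/passwd lines into dicts; malformed or comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        rows.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell})
    return rows


def find_unshadowed(rows):
    """Accounts whose hash still sits in world-readable /etc/passwd (pwconv fixes this)."""
    return [r["name"] for r in rows if r["pw"] not in ("x", "*", "!")]


def find_service_accounts_with_shell(rows, max_system_uid=499):
    """Non-root system accounts (low UID, assumed boundary) that still allow an interactive login."""
    return [r["name"] for r in rows
            if 0 < r["uid"] <= max_system_uid and r["shell"] in INTERACTIVE_SHELLS]


def find_locked_accounts(shadow_text):
    """Accounts whose shadow hash starts with '*' or '!': locked, so candidates for userdel -r."""
    locked = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1][:1] in ("*", "!"):
            locked.append(fields[0])
    return locked


def check_pass_min_len(login_defs_text, minimum=8):
    """Return (configured PASS_MIN_LEN or None, whether it meets the minimum)."""
    m = re.search(r"^\s*PASS_MIN_LEN\s+(\d+)", login_defs_text, re.MULTILINE)
    value = int(m.group(1)) if m else None
    return value, value is not None and value >= minimum


def check_tmout(profile_text, max_seconds=3600):
    """Return (TMOUT seconds or None, whether it is set and no longer than max_seconds)."""
    m = re.search(r"^\s*(?:export\s+)?TMOUT=(\d+)", profile_text, re.MULTILINE)
    value = int(m.group(1)) if m else None
    return value, value is not None and 0 < value <= max_seconds


def audit(passwd=SAMPLE_PASSWD, shadow=SAMPLE_SHADOW,
          login_defs=SAMPLE_LOGIN_DEFS, profile=SAMPLE_PROFILE):
    """Run every check and return the findings as one dict."""
    rows = parse_passwd(passwd)
    return {
        "unshadowed": find_unshadowed(rows),
        "service_accounts_with_shell": find_service_accounts_with_shell(rows),
        "locked_accounts": find_locked_accounts(shadow),
        "pass_min_len": check_pass_min_len(login_defs),
        "tmout": check_tmout(profile),
    }


if __name__ == "__main__":
    for key, finding in audit().items():
        print(f"{key}: {finding}")
```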
Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports can be numbered from 1 to 65535.
Example, to stop sendmail: service sendmail stop
apmd - Required only in laptops to monitor battery information
portmap - Only if rpc services are running (which is dangerous), i.e. NFS, NIS
pcmcia - Required only in laptops
telnet - Use Secure Shell (SSH) instead
finger - Used to query account information
samba - Used to share volumes with Windows clients
sendmail - Mail server; depends on purpose
httpd - Apache web server; depends on purpose
mysql - Database server
vnc - Remote desktop administration
nfs - Network File Server
xfs - X Font server
Xinetd is a secure replacement for inetd and is also known as the internet service daemon.
Inetd is a daemon that controls and manages several other daemons. It calls those daemons that are needed by the system to perform various duties.
Inetd requires root access to run; hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
[root@asydz /etc]# ls -l xinetd.conf
-rw-r--r-- 1 root root 289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
Tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
- /etc/hosts.allow
- /etc/hosts.deny
The best policy is to deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and then explicitly list trusted hosts who are allowed to connect to the
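How tcpd evaluates the deny-all policy above, as an added Python re-implementation (not from the original slides nor from the tcp_wrappers source) covering a subset of the hosts_access pattern language; both sample files and the hostnames are constructed:

```python
"""Decision logic of TCP wrappers for the deny-all policy above.

Added example, not code from the original slides nor from tcp_wrappers itself:
it re-implements the documented hosts_access order (hosts.allow first, then
hosts.deny, otherwise allow) for a subset of the pattern language (ALL,
PARANOID, user@host, '.domain' suffixes, 'n.n.n.' prefixes, exact names or
addresses, EXCEPT) so a policy can be checked before deployment. Both sample
files are constructed.
"""
from dataclasses import dataclass


@dataclass
class Client:
    address: str
    hostname: str = ""            # reverse-DNS name, "" if none
    forward_matches: bool = True  # does the name resolve back to the address?


HOSTS_ALLOW = """\
# constructed sample /etc/hosts.allow: explicitly trusted hosts
sshd: 192.168.1. , admin.example.com
ALL: .trusted.example.com
"""

HOSTS_DENY = """\
# constructed sample /etc/hosts.deny, the default the slides recommend
ALL: ALL@ALL, PARANOID
"""


def _split_list(field):
    """Split a daemon or client list into (tokens, tokens after EXCEPT)."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Return [(daemons, daemon_exceptions, clients, client_exceptions), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:          # blank, comment, or no client list
            continue
        rules.append((*_split_list(fields[0]), *_split_list(fields[1])))
    return rules


def _daemon_matches(token, daemon):
    return token == "ALL" or token == daemon


def _client_matches(token, client):
    # A name that does not resolve back to the address is not trusted: real tcpd
    # built with -DPARANOID drops such clients before consulting the tables at
    # all; here they simply never match a name pattern and do match PARANOID.
    name = client.hostname if client.forward_matches else ""
    if "@" in token:                 # user@host form; the ident user part is not checked here
        token = token.split("@", 1)[1]
    if token == "ALL":
        return True
    if token == "PARANOID":
        return not client.forward_matches
    if token.startswith("."):        # domain suffix
        return name.endswith(token)
    if token.endswith("."):          # dotted address prefix
        return client.address.startswith(token)
    return token in (client.address, name)


def _list_matches(tokens, exceptions, match, subject):
    return (any(match(t, subject) for t in tokens)
            and not any(match(t, subject) for t in exceptions))


def rule_matches(rule, daemon, client):
    daemons, d_exc, clients, c_exc = rule
    return (_list_matches(daemons, d_exc, _daemon_matches, daemon)
            and _list_matches(clients, c_exc, _client_matches, client))


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (allowed, reason) using tcpd's order: allow file, deny file, default allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client):
            return True, "matched /etc/hosts.allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client):
            return False, "matched /etc/hosts.deny"
    return True, "no rule matched; tcpd allows by default"


if __name__ == "__main__":
    for daemon, client in [
        ("sshd", Client("192.168.1.20", "ws20.example.com")),
        ("in.telnetd", Client("192.168.1.20", "ws20.example.com")),
        ("in.ftpd", Client("10.0.0.9", "files.trusted.example.com")),
        ("in.ftpd", Client("10.0.0.9", "files.trusted.example.com", forward_matches=False)),
    ]:
        print(daemon, client.address, hosts_access(daemon, client))
```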
In a default Linux environment the login screen will show important information such as the Linux distribution name, version and kernel information. With this information a potential attacker might have what he/she needs to focus the attack on a specific version or name.
Following these steps will disable the information and will only show 'login:' at the login menu.
Edit /etc/rc.d/rc.local and comment out the following lines:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
Third party utilities: prevent or detect malicious activities; check the integrity of system files.
Examples: Tripwire is a policy-driven file system integrity checker. Sentry tools provide host-level security services for the LINUX platform. Bastille is a useful tool that attempts to harden or tighten LINUX operating systems by configuring daemons, system settings and the firewall.
Most generic term can relate with the security need to protect us against intruders in real worldhellip That keeps us amp our assets safehellipSame in OS
- Most common security terminologies are-agt Assets -An asset is what wersquore trying to protecthellip
- People property and information
bgt Threats-A threat is what wersquore trying to protect against-Anything that can exploit the vulnerability
cgt Vulnerability-A vulnerability is a weakness or
gap in our protection effortssecurity program
dgt Attack - Sequence of actions of exploiting
a vulnerability
egt Risk-Risk is the intersection of assets
threats and vulnerabilities
ThreatsVulnerabilitiesSecurity measures
Linux helliphellipWhat are itrsquos threats
Trojan Horse- Sending information to third party without knowing to
you It allow a hacker to gain access to your machine called
Remote Access Trojans (RATs)
Phishing Threats- Trustworthy person steal your information
Hackers- Looking for credit card no or any other information for
their gain
Worms ndash Programs that replicates and spread Need not another program to propagate itself
Spyware- Send information about you and your system to somebody
else Monitors your online activities
Adware- It automatically plays displays or downloads your advertisement
to a computer Viruses ndash
It alter the way a computer operates It can not do anything unless you run it Types of viruses 1 Boot Sector Infectors2 File Infectors3 Macro viruses
Trojans Kaiten - LinuxBackdoorKaiten trojan horse Rexob - LinuxBackdoorRexob trojan Waterfall screensaver backdoor - on gnome-lookorg
Viruses Alaeda - VirusLinuxAlaeda Brundle Bukowski HAPPYNEWYEAR Coin Diesel - VirusLinuxDiesel ILOVEYOU Kagob a - VirusLinuxKagoba Kagob b - VirusLinuxKagobb
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
cgt Vulnerability-A vulnerability is a weakness or
gap in our protection effortssecurity program
dgt Attack - Sequence of actions of exploiting
a vulnerability
egt Risk-Risk is the intersection of assets
threats and vulnerabilities
ThreatsVulnerabilitiesSecurity measures
Linux helliphellipWhat are itrsquos threats
Trojan Horse- Sending information to third party without knowing to
you It allow a hacker to gain access to your machine called
Remote Access Trojans (RATs)
Phishing Threats- Trustworthy person steal your information
Hackers- Looking for credit card no or any other information for
their gain
Worms ndash Programs that replicates and spread Need not another program to propagate itself
Spyware- Send information about you and your system to somebody
else Monitors your online activities
Adware- It automatically plays displays or downloads your advertisement
to a computer Viruses ndash
It alter the way a computer operates It can not do anything unless you run it Types of viruses 1 Boot Sector Infectors2 File Infectors3 Macro viruses
Trojans Kaiten - LinuxBackdoorKaiten trojan horse Rexob - LinuxBackdoorRexob trojan Waterfall screensaver backdoor - on gnome-lookorg
Viruses Alaeda - VirusLinuxAlaeda Brundle Bukowski HAPPYNEWYEAR Coin Diesel - VirusLinuxDiesel ILOVEYOU Kagob a - VirusLinuxKagoba Kagob b - VirusLinuxKagobb
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment the login screen will show important information such as the Linux distribution name, version and kernel information. With this information a potential attacker might have what he/she needs to focus an attack on a specific version or name.
Following these steps will disable the information and show only 'login' at the login menu.
Edit /etc/rc.d/rc.local and comment out the following lines:
  # This will overwrite /etc/issue at every boot. So, make any changes you
  # want to make to /etc/issue here or you will lose them when you reboot.
  echo "" > /etc/issue
  echo "$R" >> /etc/issue
  echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
  cp -f /etc/issue /etc/issue.net
  echo >> /etc/issue
Third party utilities: prevent or detect malicious activities; check the integrity of system files.
Examples: Tripwire is a policy driven file system integrity checker. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Threats, Vulnerabilities & Security measures
Linux ... What are its threats?
Trojan Horse - Sends information to a third party without your knowledge. It allows a hacker to gain access to your machine; such trojans are called Remote Access Trojans (RATs).
Phishing Threats - Someone posing as a trustworthy person steals your information.
Hackers - Looking for credit card numbers or any other information for their gain.
Worms - Programs that replicate and spread. They do not need another program to propagate.
Spyware - Sends information about you and your system to somebody else. Monitors your online activities.
Adware - Automatically plays, displays or downloads advertisements to a computer.
Viruses - Alter the way a computer operates. A virus cannot do anything unless you run it. Types of viruses: 1. Boot Sector Infectors 2. File Infectors 3. Macro viruses
Trojans: Kaiten (Linux.Backdoor.Kaiten trojan horse), Rexob (Linux.Backdoor.Rexob trojan), Waterfall screensaver backdoor (on gnome-look.org)
Viruses: Alaeda (Virus.Linux.Alaeda), Brundle, Bukowski, HAPPYNEWYEAR, Coin, Diesel (Virus.Linux.Diesel), ILOVEYOU, Kagob.a (Virus.Linux.Kagob.a), Kagob.b (Virus.Linux.Kagob.b)
Worms: Adm (Net-Worm.Linux.Adm), Adore, Cheese (Net-Worm.Linux.Cheese), Kork, Linux/Lupper.worm, Mighty (Net-Worm.Linux.Mighty), Millen (Linux.Millen.Worm), Slapper, SSH Bruteforce
Linux: What are its vulnerabilities? ...
Trapdoor, Logic bomb, Rootkit, Buffer Overflow, Cross-platform viruses, Social Engineering
Trapdoor / Back door - An undocumented method, written by the original programmer. Used in both legal and illegal ways.
Logic bomb - A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
Rootkit - A rootkit is a set of tools used by an intruder after cracking a computer system to help the attacker maintain his or her access to the system and use it for malicious purposes. It hides data that indicates an intruder has control of your system. Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows.
Root kits
• Contain Trojan binary programs ready to be installed by an intruder with root access to the system
• Attackers hide the tools used for later attacks
• Replace legitimate commands with Trojan programs
• E.g. LRK5
Tools to check for root kits
• Rootkit Hunter
• Chkrootkit
Vulnerabilities continued...
• Scan the system(s) for un-patched code/modules
• Intruders usually focus on a small number of exploits
Once an intruder gains root access, the next step for him is to make sure that he does not get caught.
A Trojan horse is a malicious program that is disguised as legitimate software. Trojan horse programs are bundled in the form of "Rootkits", originally written for Sun's Berkeley flavor of Unix (SunOS 4).
Get a program to scan /bin/login and see if it has been corrupted. Tools like Tripwire can check the integrity of the file if a hash has been generated at install time.
Identify and replace the files that have been modified. Use an md5 checksum to check the authenticity of the program.
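The integrity check described above, as an added example that is not part of the original slides: a POSIX shell script that records a checksum baseline of a directory of binaries at install time and later reports modified, missing and newly added files. It uses sha256sum in place of the md5 checksum named on the slide, and assumes GNU coreutils and findutils; the function names and the demonstration files are my own.

```shell
#!/bin/sh
# Added example (not from the slides): baseline and verify file integrity,
# the check the slide describes for /bin/login. sha256sum replaces md5sum
# because MD5 collisions are practical today. Assumes GNU coreutils/findutils.

# make_baseline DIR OUT: write one "<sha256>  <path>" line per regular file.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$2"
}

# verify_baseline BASELINE: print a MODIFIED or MISSING line for every file
# whose current hash differs from the baseline or which no longer exists.
# Returns 0 when everything matches, 1 otherwise.
verify_baseline() {
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"; rc=1
        fi
    done < "$1"
    return $rc
}

# find_new_files BASELINE DIR: list regular files under DIR that were not
# present when the baseline was taken (e.g. a dropped rootkit tool).
find_new_files() {
    cut -d' ' -f3- "$1" | sort > "${1}.paths"
    find "$2" -type f | sort | comm -13 "${1}.paths" -
    rm -f "${1}.paths"
}

# Constructed demonstration data so the script runs stand-alone.
demo_dir=$(mktemp -d)
printf 'original login binary\n' > "$demo_dir/login"
printf 'original ls binary\n'    > "$demo_dir/ls"
make_baseline "$demo_dir" "$demo_dir.baseline"
printf 'trojaned login\n' > "$demo_dir/login"   # simulate a replaced binary
printf 'extra tool\n'     > "$demo_dir/rk"      # simulate a newly dropped file
verify_baseline "$demo_dir.baseline" || echo "baseline check FAILED"
echo "files not in baseline:"
find_new_files "$demo_dir.baseline" "$demo_dir"
rm -rf "$demo_dir" "$demo_dir.baseline"
```

Keep the baseline file on read-only or offline media; a baseline the intruder can rewrite proves nothing.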
Tools: Chkrootkit, Tripwire, Rkscan, Carbonite, Rkdet, Checkps, LSM (Loadable Security Module), LCAP (Linux Kernel Capability Bounding Set Editor)
Buffer overflows write code to the OS's memory, then run some type of program. They can elevate the attacker's permissions to the level of the owner. A buffer overflow program looks like:
The program compiles but returns the following error:
Guidelines to help reduce this type of attack:
• Avoid functions known to have buffer overflow vulnerabilities: strcpy(), strcat(), sprintf(), gets()
• Configure the OS to not allow code in the stack to run any other executable code in the stack
• Use compilers that warn programmers when the functions listed in the first bullet are used
Sniffers work by setting a network card adapter in promiscuous mode: the NIC accepts all packets that traverse the network cable. An attacker can analyze the packets and learn user names and passwords. Avoid using protocols such as Telnet, HTTP and FTP that send data in clear text.
Sniffers: Tcpdump, Ethereal (Wireshark)
Footprinting techniques: used to find out information about a target system. Footprinting tools include Whois databases, DNS zone transfers, Nessus and port scanning tools.
Determining the OS version the attacked computer is running: check newsgroups for details in posted messages. Knowing a company's e-mail address makes the search easier.
Goal: to get OS information from company employees. Common techniques:
Urgency, Quid pro quo, Status quo, Kindness, Position
Train your employees about social engineering techniques.
Users must be told not to reveal information to outsiders.
Make customers aware that many exploits can be downloaded from Web sites.
Teach users to be suspicious of people asking questions about the system they are using. Verify the caller's identity (call-back technique).
Keep current on new kernel releases and security updates. Installing these fixes is essential to protecting your system. Use automated tools for updating your systems.
Linux ... Make it more secure
How to physically secure a Linux server
Precautions during installation of Linux
Precautions post installation
BIOS Password
Setting up a BIOS password protects the system configuration from being reset or altered by intruders.
Place servers in a controlled area
• Server rooms should always be locked
• Monitoring should be both via cameras and by humans
• Implement access controls such as biometric or other means of logging entries
• Servers should be visible from outside the room for operators to notice any potential threats or hazards
• A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks:
• Racks are to be made of heavy and durable material
• Individual locks are required for each server in the rack
• Implement logging controls on each lock
Prevent servers from being booted through other media
Conceal cabling and power outlets
• Cabling is a main source of data flow and operation
• Unprotected cabling may result in an attacker
• Linux installation should be planned out initially to achieve the best quality performance
• The purpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive
- Installation should be run on a clean formatted drive. Run disk utilities to find out bad sectors (fsck).
- In the case of such problems arising, consider replacing the drive and running diagnostics again.
Partitions
• Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
• Example: the /usr directory on a different partition (hda3) is not affected if a partition fails or corrupts in 'hda1'
Custom installation
• Installation must be done with custom or as minimal packages as possible
• This prevents unnecessary services from running on either workstations or servers
• Additional packages can be installed later depending on the purpose of usage
• Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security
Patches
• Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime
• Update and patch sites differ for each Linux distribution or package. Here is a list of major package sites:
Redhat Linux
http://www.redhat.com/support/errata
Mandrake Linux
http://www.mandrakesoft.com/security
Accounts password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
Limit the ability to access areas of the system by using "groups" to categorize users
  o Use the groupadd <groupname> command to create a group
  o Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username>
• Enforce password aging that forces users to change their passwords from time to time
  o The chage command is used to enforce password aging
• The default password length allowed in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (they take longer to crack)
  o vi /etc/login.defs
  o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts
There are 2 ways to accomplish this:
• The userdel command is used to delete user accounts, i.e. userdel -r ftp: this will remove the user account 'ftp', its home directory and the files residing in it
• The other way is by manually removing the entries from /etc/passwd and /etc/shadow related to the user account:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  - remove in /etc/passwd
  ftp:*:12329:0:99999:7:::                     - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use the feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
  HISTFILESIZE=
  TMOUT=3600
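The account policy, root idle time-out, xinetd.conf ownership and TCP wrapper settings from the preceding slides, as an added audit script that is not part of the original slides. Each check takes the file to inspect as an argument so it can be tried on a copy; the run_audit wrapper applies them to the live /etc paths. The function names are my own, and the script assumes GNU find, stat and awk.

```shell
#!/bin/sh
# Added example (not from the slides): audit the hardening settings above.
# Assumes GNU find (-perm /mode), GNU stat (-c) and awk.

# check_pass_min_len LOGIN_DEFS [MIN]: true if PASS_MIN_LEN is at least MIN (default 8).
check_pass_min_len() {
    min=${2:-8}
    val=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' "$1")
    [ "$val" -ge "$min" ]
}

# check_tmout PROFILE: true if the file sets TMOUT to a positive number of
# seconds, so an idle (root) shell is logged out automatically.
check_tmout() {
    awk '{ l = $0; sub(/^[ \t]*export[ \t]+/, "", l)
           if (l ~ /^TMOUT=[0-9]+/) { split(l, a, "="); if (a[2] + 0 > 0) ok = 1 } }
         END { exit ok ? 0 : 1 }' "$1"
}

# check_default_deny HOSTS_DENY: true if a catch-all "ALL: ALL..." rule exists,
# so only hosts listed in hosts.allow can reach wrapped services.
check_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# check_owner_root FILE: true if the file is owned by root.
check_owner_root() {
    [ -f "$1" ] && [ "$(stat -c '%U' "$1")" = root ]
}

# check_not_writable FILE: true if neither group nor others can write the file.
check_not_writable() {
    [ -f "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm /022)" ]
}

# list_service_logins PASSWD: print system accounts (UID 1-999) that still have
# a real login shell; candidates for userdel or a /sbin/nologin shell.
list_service_logins() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# report NAME CMD...: run one check and print PASS or FAIL for it.
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fi
}

run_audit() {
    report "PASS_MIN_LEN >= 8 in /etc/login.defs" check_pass_min_len /etc/login.defs
    report "TMOUT set in /etc/profile"             check_tmout /etc/profile
    report "default deny in /etc/hosts.deny"       check_default_deny /etc/hosts.deny
    report "xinetd.conf owned by root"             check_owner_root /etc/xinetd.conf
    report "xinetd.conf not group/world writable"  check_not_writable /etc/xinetd.conf
    echo "service accounts with a login shell:"
    list_service_logins /etc/passwd
}

# Run against the live system only when invoked as: sh audit.sh run
case "${1:-}" in run) run_audit ;; esac
```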
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Linux helliphellipWhat are itrsquos threats
Trojan Horse- Sending information to third party without knowing to
you It allow a hacker to gain access to your machine called
Remote Access Trojans (RATs)
Phishing Threats- Trustworthy person steal your information
Hackers- Looking for credit card no or any other information for
their gain
Worms ndash Programs that replicates and spread Need not another program to propagate itself
Spyware- Send information about you and your system to somebody
else Monitors your online activities
Adware- It automatically plays displays or downloads your advertisement
to a computer Viruses ndash
It alter the way a computer operates It can not do anything unless you run it Types of viruses 1 Boot Sector Infectors2 File Infectors3 Macro viruses
Trojans Kaiten - LinuxBackdoorKaiten trojan horse Rexob - LinuxBackdoorRexob trojan Waterfall screensaver backdoor - on gnome-lookorg
Viruses Alaeda - VirusLinuxAlaeda Brundle Bukowski HAPPYNEWYEAR Coin Diesel - VirusLinuxDiesel ILOVEYOU Kagob a - VirusLinuxKagoba Kagob b - VirusLinuxKagobb
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Trojan Horse- Sending information to third party without knowing to
you It allow a hacker to gain access to your machine called
Remote Access Trojans (RATs)
Phishing Threats- Trustworthy person steal your information
Hackers- Looking for credit card no or any other information for
their gain
Worms ndash Programs that replicates and spread Need not another program to propagate itself
Spyware- Send information about you and your system to somebody
else Monitors your online activities
Adware- It automatically plays displays or downloads your advertisement
to a computer Viruses ndash
It alter the way a computer operates It can not do anything unless you run it Types of viruses 1 Boot Sector Infectors2 File Infectors3 Macro viruses
Trojans Kaiten - LinuxBackdoorKaiten trojan horse Rexob - LinuxBackdoorRexob trojan Waterfall screensaver backdoor - on gnome-lookorg
Viruses Alaeda - VirusLinuxAlaeda Brundle Bukowski HAPPYNEWYEAR Coin Diesel - VirusLinuxDiesel ILOVEYOU Kagob a - VirusLinuxKagoba Kagob b - VirusLinuxKagobb
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
• The Linux installation should be planned out initially to achieve the best performance.
• The purpose of the system is crucial in determining which packages or services need to be installed.
Install from a clean formatted drive: the installation should be run on a clean, formatted drive. Run disk utilities to find bad sectors (fsck). If such problems arise, consider replacing the drive and running the diagnostics again.
Partitions:
• Linux allows its directories to be placed on separate partitions, which protects against data loss due to a corrupted partition.
• Example: a /usr directory on a different partition, hda3, is not affected if the partition 'hda1' fails or becomes corrupted.
Custom installation:
• Installation must be done with a custom or minimal package selection as far as possible.
• This prevents unnecessary services from running on either workstations or servers.
• Additional packages can be installed later depending on the purpose of the system.
• Example: running Linux as a web server only needs packages such as Apache, PHP and OpenSSL, as required. Having other services such as Sendmail (a mail server) installed may jeopardize the web server's security.
Patches:
• Patches that are acquired should be tested on a test system before being applied at production level. This ensures that patches don't crash the production system and cause unnecessary downtime.
• Update and patch sites differ between Linux distributions and packages. Here is a list of the major package sites:
Red Hat Linux
http://www.redhat.com/support/errata
Mandrake Linux
http://www.mandrakesoft.com/security
Accounts and password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow passwords are not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
• Limit the ability to access areas of the system by using "groups" to categorize users.
  o Use the groupadd <groupname> command to create a group.
  o Use useradd -g <groupname> <username> to add a new user to the group, or usermod -g <groupname> <username> for an existing user.
• Enforce password aging, which forces users to change their passwords from time to time.
  o The chage command is used to enforce password aging.
• The default minimum password length allowed in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security; longer passwords take longer to crack.
  o vi /etc/login.defs
  o Change the value PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts. There are 2 ways to accomplish this:
• The userdel command is used to delete user accounts, i.e. userdel -r ftp. This removes the user account 'ftp', its home directory and the files residing in it.
• The other way is to manually remove the entries related to the user account from /etc/passwd and /etc/shadow:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   - remove from /etc/passwd
  ftp:*:12329:0:99999:7:::   - remove from /etc/shadow
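The group, password-aging, minimum-length and account-removal checks above, as an added shell example that is not part of the original slides: it audits copies of passwd, shadow, group and login.defs (the samples written by acct_write_sample are constructed, with placeholder hashes) and prints the chage/userdel commands from the text for whatever it finds. The 90-day maximum age is an assumption; the 8-character minimum is the value the slide recommends.

```shell
#!/bin/sh
# Added example: audit the account policy described above against copies of
# the account files, so it can run offline. On a real host pass /etc/passwd,
# /etc/shadow, /etc/group and /etc/login.defs (reading shadow needs root).

# Interactive accounts (real login shell) whose shadow entry has no maximum
# password age, i.e. aging was never enforced with chage.
# $1 = passwd file, $2 = shadow file
acct_audit_aging() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in */nologin|*/false|"") continue ;; esac
        # shadow field 5 is the maximum age in days; empty or 99999 means never
        max=$(awk -F: -v u="$user" '$1==u {print $5}' "$2")
        case "$max" in ""|99999) echo "$user: no password aging (chage -M 90 $user)" ;; esac
    done < "$1"
}

# PASS_MIN_LEN must be at least 8.  $1 = login.defs file.
# Returns 0 when compliant, 1 (with a message) when too short or unset.
acct_audit_min_len() {
    min=$(awk '$1=="PASS_MIN_LEN" {v=$2} END {print v+0}' "$1")
    if [ "$min" -lt 8 ]; then
        echo "PASS_MIN_LEN is $min; set PASS_MIN_LEN 8 in $1"
        return 1
    fi
    return 0
}

# Accounts this host does not need (names in $2...) that still exist in the
# passwd file $1, with the userdel command from the slide that removes each.
acct_audit_unneeded() {
    pw=$1; shift
    for name in "$@"; do
        if awk -F: -v u="$name" '$1==u {found=1} END {exit !found}' "$pw"; then
            echo "$name: present; remove with userdel -r $name"
        fi
    done
}

# Everyone in a group: primary members (gid in passwd) plus the supplementary
# member list in the group file. $1 = passwd file, $2 = group file, $3 = group
acct_group_members() {
    gid=$(awk -F: -v g="$3" '$1==g {print $3}' "$2")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$gid" '$4==g {print $1}' "$1"
        awk -F: -v g="$3" '$1==g && $4!="" {gsub(",", "\n", $4); print $4}' "$2"
    } | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
    echo
}

# Constructed sample account files (placeholder hashes, not real accounts).
# $1 = directory to write them into
acct_write_sample() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:HASH:12329:0:90:7:::
ftp:*:12329:0:99999:7:::
alice:HASH:12329:0:99999:7:::
bob:HASH:12329:0:60:7:::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:alice
webadmin:x:1002:alice,bob
EOF
    cat > "$1/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
EOF
}

acct_demo() {
    acct_dir=$(mktemp -d)
    acct_write_sample "$acct_dir"
    acct_audit_aging "$acct_dir/passwd" "$acct_dir/shadow"
    acct_audit_min_len "$acct_dir/login.defs" || true
    acct_audit_unneeded "$acct_dir/passwd" ftp games
    printf 'members of users: %s\n' "$(acct_group_members "$acct_dir/passwd" "$acct_dir/group" users)"
    rm -rf "$acct_dir"
}
acct_demo
```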
The root account is the most privileged account on a UNIX system. If the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
  HISTFILESIZE=
  TMOUT=3600
Services/daemons are background programs that provide a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports are numbered from 1 to 65535.
Example: to stop the sendmail service: service sendmail stop
Services to review:
apmd      Required only on laptops, to monitor battery information
portmap   Only if RPC services are running (which is dangerous), i.e. NFS, NIS
pcmcia    Required only on laptops
telnet    Use Secure Shell (SSH) instead
finger    Used to query account information
samba     Used to share volumes with Windows clients
sendmail  Mail server; depends on purpose
httpd     Apache web server; depends on purpose
mysql     Database server
vnc       Remote desktop administration
nfs       Network File Server
xfs       X Font Server
Xinetd is a secure replacement for inetd; it is also known as the Internet service daemon.
Inetd is a daemon that controls and manages several other daemons.
It calls those daemons that are needed by the system to perform various duties.
Inetd requires root access to run; hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
  [root@asydz etc]# ls -l xinetd.conf
  -rw-r--r--  1 root root 289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
Tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
• /etc/hosts.allow
• /etc/hosts.deny
The best policy is to deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and then explicitly list the trusted hosts that are allowed to connect to the
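How the two files above decide a connection, as an added shell example that is not part of the original slides: a simplified model of tcpd's matching (hosts.allow first, then hosts.deny, first matching rule wins, no match means allow) run over a constructed policy that uses the deny-all line from the text. Only ALL, exact names, trailing-dot network prefixes and leading-dot domain suffixes are modelled; ALL@ALL and PARANOID are treated as matching every client, which is the effect of that deny line for a client with no hosts.allow entry.

```shell
#!/bin/sh
# Added example: a simplified model of how tcpd decides on a connection.
# /etc/hosts.allow is consulted first, then /etc/hosts.deny; the first rule
# that matches both the daemon and the client wins, and no match means allow.
# Rule syntax modelled: "daemon_list : client_list [: options]", with lists
# separated by commas or spaces. Not modelled: IPv6, netmasks, ident lookups.

# Does one pattern match a daemon or client name?  $1 = pattern, $2 = value
# ALL@ALL (any user at any host) and PARANOID are treated as matching every
# client here, which is what the deny-all rule above amounts to for a client
# that has no entry in hosts.allow.
wrap_match() {
    pat=$1; val=$2
    case "$pat" in
        ALL|ALL@ALL|PARANOID) return 0 ;;
        *.) case "$val" in "$pat"*) return 0 ;; esac ;;   # network prefix, e.g. 192.168.1.
        .*) case "$val" in *"$pat") return 0 ;; esac ;;   # domain suffix, e.g. .example.com
        *)  [ "$pat" = "$val" ] && return 0 ;;            # exact host name or address
    esac
    return 1
}

# Does one rule line apply to this daemon and client?
# $1 = rule line, $2 = daemon, $3 = client
wrap_rule_matches() {
    rule=${1%%#*}                                         # drop comments
    daemons=$(printf '%s\n' "$rule" | cut -s -d: -f1)
    clients=$(printf '%s\n' "$rule" | cut -s -d: -f2)
    [ -n "$clients" ] || return 1                         # blank or malformed line
    hit=1
    for dm in $(printf '%s\n' "$daemons" | tr ',' ' '); do
        if wrap_match "$dm" "$2"; then hit=0; break; fi
    done
    [ "$hit" -eq 0 ] || return 1
    for cl in $(printf '%s\n' "$clients" | tr ',' ' '); do
        if wrap_match "$cl" "$3"; then return 0; fi
    done
    return 1
}

# Decide for one connection. $1 = hosts.allow, $2 = hosts.deny,
# $3 = daemon, $4 = client. Prints allow/deny; returns 0 for allow, 1 for deny.
wrap_decide() {
    while IFS= read -r wrap_line || [ -n "$wrap_line" ]; do
        if wrap_rule_matches "$wrap_line" "$3" "$4"; then echo allow; return 0; fi
    done < "$1"
    while IFS= read -r wrap_line || [ -n "$wrap_line" ]; do
        if wrap_rule_matches "$wrap_line" "$3" "$4"; then echo deny; return 1; fi
    done < "$2"
    echo allow; return 0                                  # tcpd default: no rule, allow
}

# Constructed sample policy (not a real site's files). $1 = directory
wrap_write_sample() {
    mkdir -p "$1"
    cat > "$1/hosts.allow" <<'EOF'
# only the admin LAN may reach sshd; one trusted domain may reach the FTP daemon
sshd: 192.168.1.
in.ftpd: .trusted.example.com
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL: ALL@ALL, PARANOID
EOF
}

wrap_demo() {
    wrap_dir=$(mktemp -d)
    wrap_write_sample "$wrap_dir"
    for probe in "sshd 192.168.1.25" "sshd 10.0.0.5" \
                 "in.ftpd ftp.trusted.example.com" "in.telnetd 192.168.1.25"; do
        set -- $probe
        printf '%-10s from %-24s -> %s\n' "$1" "$2" \
            "$(wrap_decide "$wrap_dir/hosts.allow" "$wrap_dir/hosts.deny" "$1" "$2")"
    done
    rm -rf "$wrap_dir"
}
wrap_demo
```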
In a default Linux environment the login screen shows important information such as the Linux distribution name, version and kernel information. With this information a potential attacker may have what he/she needs to focus an attack on a specific version or name.
Following these steps disables that information, so that only 'login' is shown at the login prompt:
Edit /etc/rc.d/rc.local and comment out the following lines:
  # This will overwrite /etc/issue at every boot.  So, make any changes you
  # want to make to /etc/issue here or you will lose them when you reboot.
  echo "" > /etc/issue
  echo "$R" >> /etc/issue
  echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
  cp -f /etc/issue /etc/issue.net
  echo >> /etc/issue
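A re-check of three of the settings from the previous slides (the TMOUT variable in /etc/profile, the root-owned xinetd.conf, and the /etc/issue banner), as an added shell example that is not part of the original slides. It runs against a directory standing in for /etc with constructed weak and hardened versions of the files; the readonly requirement on TMOUT is an addition, since without it a user can simply unset the timeout.

```shell
#!/bin/sh
# Added example: re-check three post-installation settings on a directory
# that stands in for /etc (pass /etc itself, and the owner root, on a real
# host). Each check prints a finding and returns 1 when the setting is off.

# TMOUT in the profile: a positive number of seconds, no more than the 3600
# used above, and marked readonly so a user cannot simply unset it.
# $1 = profile file
check_tmout() {
    t=$(grep -E '^[[:space:]]*(export[[:space:]]+)?TMOUT=[0-9]+' "$1" |
        tail -n 1 | sed 's/.*TMOUT=\([0-9]*\).*/\1/')
    if [ -z "$t" ] || [ "$t" -eq 0 ] || [ "$t" -gt 3600 ]; then
        echo "$1: TMOUT not set to 1..3600 (found '${t:-none}')"; return 1
    fi
    if ! grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' "$1"; then
        echo "$1: TMOUT is set but not readonly; add 'readonly TMOUT'"; return 1
    fi
    return 0
}

# xinetd.conf must belong to the expected owner and must not be writable by
# group or others; mode and owner are taken from "ls -l" as on the slide.
# $1 = file, $2 = expected owner (root on a real host)
check_xinetd_conf() {
    set -- "$1" "$2" $(ls -ld "$1")       # now $3 = mode string, $5 = owner
    if [ "$5" != "$2" ]; then echo "$1: owned by $5, not $2"; return 1; fi
    case "$3" in
        ?????w*|????????w*) echo "$1: writable by group or others ($3)"; return 1 ;;
    esac
    return 0
}

# The banner must not reveal distribution or kernel details.  $1 = issue file
check_issue() {
    if grep -Eiq 'kernel|release|[0-9]+\.[0-9]+\.[0-9]+' "$1"; then
        echo "$1: login banner reveals version information"; return 1
    fi
    return 0
}

# Run all three; returns 0 only when every check passes.
# $1 = directory standing in for /etc, $2 = expected owner of xinetd.conf
audit_etc() {
    audit_rc=0
    check_tmout "$1/profile" || audit_rc=1
    check_xinetd_conf "$1/xinetd.conf" "$2" || audit_rc=1
    check_issue "$1/issue" || audit_rc=1
    return $audit_rc
}

# Constructed sample files. $1 = directory, $2 = "weak" or "hardened"
audit_write_sample() {
    mkdir -p "$1"
    : > "$1/xinetd.conf"
    if [ "$2" = weak ]; then
        printf 'HISTFILESIZE=\nTMOUT=3600\n' > "$1/profile"
        printf 'Sample Linux release 9.0\nKernel 2.4.20 on an i686\n' > "$1/issue"
        chmod 666 "$1/xinetd.conf"
    else
        printf 'HISTFILESIZE=\nTMOUT=3600\nreadonly TMOUT\nexport TMOUT\n' > "$1/profile"
        printf '\n' > "$1/issue"
        chmod 644 "$1/xinetd.conf"
    fi
}

audit_demo() {
    audit_dir=$(mktemp -d)
    audit_owner=$(ls -ld "$audit_dir" | awk '{print $3}')   # use root on a real host
    audit_write_sample "$audit_dir" weak
    audit_etc "$audit_dir" "$audit_owner" || echo "-> findings in the weak configuration"
    audit_write_sample "$audit_dir" hardened
    audit_etc "$audit_dir" "$audit_owner" && echo "-> hardened configuration passes"
    rm -rf "$audit_dir"
}
audit_demo
```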
Third-party utilities prevent or detect malicious activities and check the integrity of system files.
Examples: Tripwire is a policy-driven file system integrity checker. The Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Trojans: Kaiten (Linux.Backdoor.Kaiten trojan horse), Rexob (Linux.Backdoor.Rexob trojan), Waterfall screensaver backdoor (on gnome-look.org)
Viruses: Alaeda (Virus.Linux.Alaeda), Brundle, Bukowski, HAPPYNEWYEAR, Coin, Diesel (Virus.Linux.Diesel), ILOVEYOU, Kagob a (Virus.Linux.Kagob.a), Kagob b (Virus.Linux.Kagob.b)
Worms: Adm (Net-Worm.Linux.Adm), Adore, Cheese (Net-Worm.Linux.Cheese), Kork, Linux.Lupper.worm, Mighty (Net-Worm.Linux.Mighty), Millen (Linux.Millen.Worm), Slapper, SSH Bruteforce
Linux: what are its vulnerabilities?
Trapdoor, Logic bomb, Rootkit, Buffer overflow, Cross-platform viruses, Social engineering
Trapdoor / back door: an undocumented method of access, written by the original programmer and used in both legal and illegal ways.
Logic bomb: a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
Rootkit: a rootkit is a set of tools used by an intruder after cracking a computer system to help the attacker maintain his or her access to the system and use it for malicious purposes. It hides the data that would indicate an intruder has control of your system. Rootkits exist for a variety of operating systems, such as Linux, Solaris and Microsoft Windows.
• Rootkits:
  • Contain Trojan binary programs ready to be installed by an intruder with root access to the system
  • Hide the attacker's tools used for later attacks
  • Replace legitimate commands with Trojan programs
  • E.g. LRK5
• Tools to check for rootkits:
  • Rootkit Hunter
  • Chkrootkit
Vulnerabilities, continued…
• Scan the system(s) for unpatched code/modules
• Intruders usually focus on a small number of exploits
Once an intruder gains root access, the next step for him is to make sure that he does not get caught.
A Trojan horse is a malicious program that is disguised as legitimate software. Trojan horse programs are bundled in the form of "rootkits", originally written for Sun's Berkeley flavor of Unix (SunOS 4).
Get a program to scan /bin/login and see if it has been corrupted. Tools like Tripwire can check the integrity of the file if a hash was generated at install time.
Identify and replace the files that have been modified. Use an md5 checksum to check the authenticity of the program.
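The install-time hash and later verification described above, as an added shell example that is not part of the original slides. It uses sha256sum in place of the md5 checksums mentioned in the text (md5sum works the same way, but MD5 collisions are cheap today); the files it hashes are constructed stand-ins for /bin/login and /bin/ls.

```shell
#!/bin/sh
# Added example: record a hash of every file right after installation and
# compare the tree against that baseline later. Keep the baseline off the
# host or on read-only media: an intruder with root can rewrite it otherwise.
# File names containing spaces are not supported by this simple version.

# Hash every regular file below directory $1 into baseline file $2.
integrity_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# Compare directory $1 with baseline $2. Prints MODIFIED/MISSING/NEW lines
# and returns 1 if anything differs, 0 when the tree matches the baseline.
integrity_verify() {
    integrity_now=$(mktemp)
    integrity_baseline "$1" "$integrity_now"
    integrity_rc=0
    # every baseline entry must still exist with the same hash
    while read -r hash path; do
        cur=$(awk -v p="$path" '$2==p {print $1}' "$integrity_now")
        if [ -z "$cur" ]; then echo "MISSING $path"; integrity_rc=1
        elif [ "$cur" != "$hash" ]; then echo "MODIFIED $path"; integrity_rc=1
        fi
    done < "$2"
    # anything not in the baseline is new, e.g. a tool dropped by an intruder
    while read -r hash path; do
        awk -v p="$path" '$2==p {f=1} END {exit !f}' "$2" || { echo "NEW $path"; integrity_rc=1; }
    done < "$integrity_now"
    rm -f "$integrity_now"
    return $integrity_rc
}

integrity_demo() {
    integrity_dir=$(mktemp -d); integrity_base=$(mktemp)
    mkdir -p "$integrity_dir/bin"
    printf 'login v1\n' > "$integrity_dir/bin/login"   # constructed stand-ins
    printf 'ls v1\n'    > "$integrity_dir/bin/ls"
    integrity_baseline "$integrity_dir" "$integrity_base"
    printf 'trojaned\n' > "$integrity_dir/bin/login"   # simulate a replaced binary
    rm "$integrity_dir/bin/ls"                         # simulate a deleted file
    printf 'x\n' > "$integrity_dir/bin/.rk"            # simulate a dropped file
    integrity_verify "$integrity_dir" "$integrity_base" || echo "-> integrity check failed"
    rm -rf "$integrity_dir" "$integrity_base"
}
integrity_demo
```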
Tools: Chkrootkit, Tripwire, Rkscan, Carbonite, Rkdet, Checkps, LSM (Loadable Security Module), LCAP (Linux Kernel Capability Bounding Set Editor)
Buffer overflows write code into the OS's memory and then run some type of program. They can elevate the attacker's permissions to the level of the owner. A buffer overflow program looks like
The program compiles but returns the following error
Guidelines to help reduce this type of attack:
• Avoid functions known to have buffer overflow vulnerabilities: strcpy(), strcat(), sprintf(), gets()
• Configure the OS not to allow code in the stack to run any other executable code in the stack
• Use compilers that warn programmers when the functions listed in the first bullet are used
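A check that enforces the first guideline above on C source, as an added shell example that is not part of the original slides: it lists every call to strcpy, strcat, sprintf or gets with its line number, the way a compiler warning would, so a build can be failed until they are replaced. The C file it scans is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report calls to the four functions named in the first
# guideline. Line (//) comments are stripped before matching; block comments
# and string literals are not, so a mention inside them still counts as a hit.
# Character classes are avoided so the awk code also runs under mawk.

# $1 = C source file. Prints "file:line: function" per call; returns 1 if any.
scan_unsafe_calls() {
    awk -v f="$1" '
        { line = $0; sub(/\/\/.*/, "", line) }           # drop // comments
        {
            # a call is the name, not preceded by an identifier character
            # (so fgets and snprintf do not match), followed by "("
            while (match(line, /(^|[^A-Za-z0-9_])(strcpy|strcat|sprintf|gets)[ \t]*\(/)) {
                call = substr(line, RSTART, RLENGTH)
                sub(/^[^A-Za-z0-9_]/, "", call)
                sub(/[ \t]*\($/, "", call)
                printf "%s:%d: %s\n", f, NR, call
                hits++
                line = substr(line, RSTART + RLENGTH)      # keep scanning the rest of the line
            }
        }
        END { exit hits ? 1 : 0 }' "$1"
}

# Constructed sample: two unsafe calls, two bounded replacements. $1 = file
scan_write_sample() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>
/* constructed sample for the scanner */
void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);                      // unbounded copy
    strcat(buf, "!");                       // unbounded append
    snprintf(buf, sizeof buf, "%s", name);  // bounded: not reported
    fgets(buf, sizeof buf, stdin);          // bounded: not reported
}
EOF
}

scan_demo() {
    scan_file=$(mktemp)
    scan_write_sample "$scan_file"
    scan_unsafe_calls "$scan_file" || echo "-> unsafe calls found; replace them before building"
    rm -f "$scan_file"
}
scan_demo
```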
Sniffers work by setting a network adapter in promiscuous mode, so that the NIC accepts all packets that traverse the network cable. An attacker can analyze the packets and learn user names and passwords. Avoid using protocols such as Telnet, HTTP and FTP that send data in clear text.
Sniffers: Tcpdump, Ethereal (Wireshark)
Footprinting techniques are used to find out information about a target system. Footprinting tools include Whois databases, DNS zone transfers, Nessus and port scanning tools.
Determining the OS version the attacked computer is running: newsgroups are checked for details in posted messages. Knowing a company's e-mail address makes the search easier.
Goal: to get OS information from company employees. Common techniques: urgency, quid pro quo, status quo, kindness, position.
Train your employees about social engineering techniques.
Users must be told not to reveal information to outsiders.
Make customers aware that many exploits can be downloaded from Web sites.
Teach users to be suspicious of people asking questions about the system they are using. Verify the caller's identity (call-back technique).
Keep current on new kernel releases and security updates. Installing these fixes is essential to protecting your system; use automated tools for updating your systems.
Linux ……… make it more secure
How to physically secure a Linux server
Precautions during the installation of Linux; precautions post-installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Trojans Kaiten - LinuxBackdoorKaiten trojan horse Rexob - LinuxBackdoorRexob trojan Waterfall screensaver backdoor - on gnome-lookorg
Viruses Alaeda - VirusLinuxAlaeda Brundle Bukowski HAPPYNEWYEAR Coin Diesel - VirusLinuxDiesel ILOVEYOU Kagob a - VirusLinuxKagoba Kagob b - VirusLinuxKagobb
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Worms Adm - Net-WormLinuxAdm Adore Cheese - Net-WormLinuxCheese Kork LinuxLupperworm Mighty - Net-WormLinuxMighty Millen - LinuxMillenWorm Slapper SSH Bruteforce
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keep current on new kernel releases and security updates. Installing these fixes is essential to protecting your system; use automated tools for updating your systems.
Linux... Make it more secure
- How to physically secure a Linux server
- Precautions during installation of Linux
- Precautions post installation
BIOS Password
Setting up a BIOS password protects the system configuration from being reset or altered by intruders.
Place servers in a controlled area
- Server rooms should always be locked
- Monitoring should be both via cameras and by humans
- Implement access controls such as biometrics or other means of logging entries
- Servers should be visible from outside the room for operators to notice any potential threats or hazards
- A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms. Choosing suitable racks:
- Racks are to be made of heavy and durable material
- Individual locks are required for each server in the rack
- Implement logging controls on each lock
Prevent servers from being booted from other media
Conceal cabling and power outlets
- It is a main source of data flow and operation
- Unprotected cabling may result in an attacker
- Linux installation should be planned out initially to achieve the best quality performance
- The purpose of usage is crucial to determine which packages or services need to be installed
Install from a clean formatted drive: the installation should be run on a clean formatted drive. Run disk utilities to find bad sectors (fsck). If such problems arise, consider replacing the drive and running diagnostics again.
Partitions
- Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
- Example: the /usr directory on a different partition (hda3) is not affected if a partition fails or corrupts in 'hda1'
Custom installation
- Installation must be done with as custom or minimal a set of packages as possible
- This prevents unnecessary services from running on either workstations or servers
- Additional packages can be installed later depending on the purpose of usage
- Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security
Patches
- Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime
- Update and patch sites differ for each Linux distribution or package. Here is a list of major package sites:
Redhat Linux: http://www.redhat.com/support/errata
Mandrake Linux: http://www.mandrakesoft.com/security
Accounts and password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file
Accounts policy
- Limit the ability to access areas of the system by using "groups" to categorize users
  o Use the groupadd <groupname> command to create a group
  o Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username>
- Enforce password aging that forces users to change their passwords from time to time
  o The chage command is used to enforce password aging
- The default password length allowed in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (they take longer to crack)
  o vi /etc/login.defs
  o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts. There are 2 ways to accomplish this:
- The userdel command is used to delete user accounts, i.e. userdel -r ftp. This will remove the user account 'ftp', its home directory and the files residing in it
- The other way is by manually removing the entries from /etc/passwd and /etc/shadow related to the user account:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin - remove in /etc/passwd
  ftp:*:12329:0:99999:7::: - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
  HISTFILESIZE=
  TMOUT=3600
Services/daemons are background programs that serve a utility function without being called by a user. Ports are designated to provide a gateway to the services; these ports are numbered from 1 to 65535.
Example, to stop sendmail: service sendmail stop
- apmd: required only on laptops, to monitor battery information
- portmap: only if RPC services are running (which is dangerous), i.e. NFS, NIS
- pcmcia: required only on laptops
- telnet: use Secure Shell (SSH) instead
- finger: used to query account information
- samba: used to share volumes with Windows clients
- sendmail: mail server, depends on purpose
- httpd: Apache web server, depends on purpose
- mysql: database server
- vnc: remote desktop administration
- nfs: Network File System
- xfs: X Font Server
Xinetd is a secure replacement for inetd and is also known as the Internet service daemon. Inetd is a daemon that controls and manages several other daemons: it calls those daemons that are needed by the system to perform various duties. Inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
  [root@asydz /etc]# ls -l xinetd.conf
  -rw-r--r-- 1 root root 289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services. Tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
- /etc/hosts.allow
- /etc/hosts.deny
The best policy is to deny all hosts by putting
  ALL: ALL@ALL, PARANOID
in the /etc/hosts.deny file and then explicitly list the trusted hosts who are allowed to connect to the
In a default Linux environment the login screen shows important information such as the Linux distribution name, version and kernel information. With this information a potential attacker has what he or she needs to focus an attack on a specific version or distribution.
The following steps disable this information so that only 'login' is shown at the login prompt.
Edit /etc/rc.d/rc.local and comment out the following lines:
  # This will overwrite /etc/issue at every boot.  So, make any changes you
  # want to make to /etc/issue here or you will lose them when you reboot.
  echo "" > /etc/issue
  echo "$R" >> /etc/issue
  echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
  cp -f /etc/issue /etc/issue.net
  echo >> /etc/issue
Third-party utilities prevent or detect malicious activities and check system file integrity. Examples: Tripwire is a policy-driven file system integrity checker. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Linux What are itrsquos vulnerabilitieshelliphellip
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
TrapdoorLogic bombRootkitBuffer OverflowCross-platform virusesSocial Engineering
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
TrapdoorBack door Undocumented method Written by original programmer Used in both legal and illegal ways
Logic bombPiece of code intentionally inserted into
software system that will set off a malicious function when specified condition are met
RootkitA rootkit is a set of tools used by an intruder after cracking a computer system
help the attacker maintain his or her access to the system and use it for malicious purposes
Hides data that indicates an intruder has control of your system
Rootkits exist for a variety of operating systems such as Linux Solaris and Microsoft Windows
15
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal: to get OS information from company employees. Common techniques: urgency, quid pro quo, status quo, kindness, position.
Train your employees about social engineering techniques.
27
Users must be told not to reveal information to outsiders.
Make customers aware that many exploits can be downloaded from Web sites.
Teach users to be suspicious of people asking questions about the system they are using. Verify the caller’s identity (call-back technique).
28
Keep current on new kernel releases and security updates. Installing these fixes is essential to protecting your system; use automated tools for updating your systems.
29
Linux … Make it more secure
How to physically secure a Linux server
Precautions during installation of Linux
Precautions post-installation
BIOS Password
Setting up a BIOS password protects the system configuration from being reset or altered by intruders.
Place servers in a controlled area
• Server rooms should always be locked
• Monitoring should be both controlled via cameras and human
• Implement access controls such as biometric or other means of logging entries
• Servers should be visible from outside the room for operators to notice any potential threats or hazards
• A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Suitable racks are chosen as follows:
• Racks are to be made of heavy and durable material
• Individual locks are required for each server in the rack
• Implement logging controls on each lock
Prevent servers from being booted through other media
Conceal cabling and power outlets
• It is a main source of data flow and operation
• Unprotected cabling may result in an attacker
• Linux installation should be planned out initially to achieve the best quality performance
• The purpose of usage is crucial to determine which packages or services need to be installed
Install from a clean formatted drive: installation should be run on a clean formatted drive. Run disk utilities to find bad sectors (fsck). In case such problems arise, consider replacing the drive and run the diagnostics again.
Partitions
• Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
• Example: the /usr directory on a different partition (hda3) is not affected if a partition fails or corrupts in ‘hda1’
Custom installation
• Installation must be done with custom or as minimal packages as possible
• This prevents unnecessary services from running on either workstations or servers
• Additional packages can be installed later depending on the purpose of usage
• Example: running Linux for a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server’s security
Patches
• Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don’t crash the production system, resulting in unnecessary downtime
• Update and patch sites differ for each Linux distribution or package. Here is a list of major package sites:
Redhat Linux
http://www.redhat.com/support/errata
Mandrake Linux
http://www.mandrakesoft.com/security
Accounts password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
Limit the ability to access areas of the system by using “groups” to categorize users
o Use the groupadd <groupname> command to create a group
o Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username>
• Enforce password aging that forces users to change their passwords from time to time
o The chage command is used to enforce password aging
• The default password length allowable in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (takes longer to crack)
o vi /etc/login.defs
o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts
There are 2 ways to accomplish this:
• The userdel command is used to delete user accounts, i.e. userdel -r ftp; this will remove the user account ‘ftp’, its home directory and the files residing in it
• The other way is by manually removing the entries related to the user account from /etc/passwd and /etc/shadow:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin - remove in /etc/passwd
ftp:*:12329:0:99999:7::: - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, ‘TMOUT’, must be set in /etc/profile to use this feature.
Edit the /etc/profile file: vi /etc/profile. Add the following lines:
HISTFILESIZE=
TMOUT=3600
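An audit of the account policy described in this section (shadow passwords in use, PASS_MIN_LEN at least 8, password aging enforced, no stray interactive accounts such as a leftover ftp user), as an added example that is not part of the original presentation. It runs on constructed copies of /etc/passwd, /etc/shadow and /etc/login.defs; pass the real paths to audit a live system.

```shell
#!/bin/sh
# Added example: audit account files against the policy on the slides.
# Sample data in demo() is constructed; the functions read any file path you
# give them and never modify anything.

# Prints users whose passwd password field is not "x" (or a lock marker),
# i.e. whose hash still sits in world-readable /etc/passwd.  pwconv fixes this.
unshadowed_users() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Prints non-root accounts that own an interactive shell, for review.
# Service accounts such as ftp should be /sbin/nologin or removed (userdel -r).
interactive_accounts() {
    awk -F: '$1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Prints accounts whose shadow entry has no maximum password age (field 5
# empty or 99999), i.e. where aging set with chage is not enforced.
# Locked accounts (hash starting with * or !) are skipped.
no_password_aging() {
    awk -F: '$2 !~ /^[*!]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# Returns 0 if PASS_MIN_LEN in login.defs is at least 8, 1 otherwise
# (a missing setting counts as 0, i.e. not enforced).
pass_min_len_ok() {
    min=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' "$1")
    [ "$min" -ge 8 ]
}

# Build constructed sample files and run every check against them.
demo() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
oldtest:$1$constructed$hash:1001:1001:Leftover test account:/home/oldtest:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$constructed:12329:0:90:7:::
ftp:*:12329:0:99999:7:::
alice:$6$constructed:12329:0:99999:7:::
oldtest:$6$constructed:12329:0::7:::
EOF
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n' > "$d/login.defs"

    echo "hash still in passwd:  $(unshadowed_users "$d/passwd" | tr '\n' ' ')"
    echo "interactive accounts:  $(interactive_accounts "$d/passwd" | tr '\n' ' ')"
    echo "no password aging:     $(no_password_aging "$d/shadow" | tr '\n' ' ')"
    if pass_min_len_ok "$d/login.defs"; then
        echo "PASS_MIN_LEN ok"
    else
        echo "PASS_MIN_LEN too short (raise to 8 in login.defs)"
    fi
    rm -rf "$d"
}
```

On PAM-based distributions the length floor is usually enforced by pam_pwquality or pam_cracklib rather than login.defs, so check that configuration as well.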
Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports can be numbered from 1 to 65535.
Example, to stop sendmail: service sendmail stop
apmd: Required only on laptops, to monitor battery information
portmap: Only if RPC services are running (which is dangerous), i.e. NFS, NIS
pcmcia: Required only on laptops
telnet: Use Secure Shell (SSH) instead
finger: Used to query account information
samba: Used to share volumes with Windows clients
sendmail: Mail server, depends on purpose
httpd: Apache web server, depends on purpose
mysql: Database server
vnc: Remote desktop administration
nfs: Network File Server
xfs: X Font server
Xinetd is a secure replacement for inetd; it is also known as the internet service daemon.
Inetd is a daemon that controls and manages several other daemons.
It calls those daemons that are needed by the system to perform various duties.
Inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
[root@asydz /etc]# ls -l xinetd.conf
-rw-r--r--  1 root  root  289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
Tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
• /etc/hosts.allow
• /etc/hosts.deny
The best policy is to deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and then explicitly list the trusted hosts that are allowed to connect to the
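A check for the two controls just described (xinetd configuration owned by root and not writable by others; /etc/hosts.deny carrying a default-deny rule, with no hosts.allow rule that re-opens everything), as an added example that is not part of the original presentation. It runs on constructed copies in a temporary directory; the owner to require is passed in so the demo can run unprivileged, and on a real system you would pass root and the real file paths.

```shell
#!/bin/sh
# Added example: verify the TCP-wrappers and xinetd file controls from the
# slides.  Sample files in demo() are constructed.  Uses GNU stat (-c), so it
# is Linux-specific.

# Returns 0 if file $1 is owned by user $2 and has no group/other write bit.
owned_by_and_not_writable() {
    f=$1; want=$2
    owner=$(stat -c '%U' "$f") || return 1
    mode=$(stat -c '%a' "$f")                  # octal, e.g. 644 or 4755
    [ "$owner" = "$want" ] || return 1
    mode=$(printf '%s' "$mode" | tail -c 3)    # drop setuid/setgid/sticky digit
    [ $(( 0$mode & 022 )) -eq 0 ]              # 022 = g+w | o+w
}

# Strip comments and blank lines from a hosts.allow / hosts.deny file so each
# remaining line is one "daemon_list : client_list" rule.
# (Backslash line continuation is not handled in this demo.)
wrapper_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Returns 0 if hosts.deny ($1) has a rule whose daemon list is ALL and whose
# client list starts with ALL, e.g. the slide's "ALL: ALL@ALL, PARANOID".
has_default_deny() {
    wrapper_rules "$1" | awk -F: 'BEGIN { missing = 1 }
        { gsub(/[[:space:]]/, "", $1); gsub(/^[[:space:]]+/, "", $2) }
        $1 == "ALL" && $2 ~ /^ALL/ { missing = 0 }
        END { exit missing }'
}

# Prints hosts.allow rules ($1) whose client list starts with ALL; such a
# rule grants a daemon to every host and silently undoes the default deny.
overbroad_allows() {
    wrapper_rules "$1" | awk -F: '{ c = $2; gsub(/^[[:space:]]+/, "", c) }
        c ~ /^ALL/ { print }'
}

# Demo on constructed copies: a correct hosts.deny, a hosts.allow with one
# over-broad rule, and a file that is group-writable.
demo() {
    d=$(mktemp -d)
    printf '# constructed sample\nALL: ALL@ALL, PARANOID\n' > "$d/hosts.deny"
    printf 'sshd: 192.168.1.   # LAN only (constructed)\nin.ftpd: ALL\n' > "$d/hosts.allow"
    chmod 664 "$d/hosts.allow"

    if has_default_deny "$d/hosts.deny"; then
        echo "hosts.deny: default deny present"
    else
        echo "hosts.deny: NO default deny rule"
    fi
    echo "over-broad allow rules: $(overbroad_allows "$d/hosts.allow")"
    owned_by_and_not_writable "$d/hosts.allow" root ||
        echo "hosts.allow: not root-owned or writable by group/others"
    rm -rf "$d"
}
```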
In a default Linux environment the login screen will show important information such as the Linux distribution name, version and kernel information. With this information a potential attacker might have what he/she needs to focus an attack on a specific version or name.
Following these steps will disable the information and will only show ‘login’ at the login menu.
Edit /etc/rc.d/rc.local and comment out the following lines:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
echo "" > /etc/issue
echo "$R" >> /etc/issue
echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
cp -f /etc/issue /etc/issue.net
echo >> /etc/issue
Third party utilities: prevent or detect malicious activities; check system file integrity.
Examples: Tripwire is a policy-driven file system integrity checker. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Rootkit
A rootkit is a set of tools used by an intruder after cracking a computer system to help the attacker maintain his or her access to the system and use it for malicious purposes.
It hides data that indicates an intruder has control of your system.
Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows.
15
16
• Root kits
• Contain Trojan binary programs ready to be installed by an intruder with root access to the system
• Attackers hide the tools used for later attacks
• Replace legitimate commands with Trojan programs
• E.g. LRK5
• Tools to check for root kits
• Rootkit Hunter
• Chkrootkit
Vulnerabilities Continue…
17
• Scan the system(s) for un-patched code/modules
• Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
16
bull Root kitsbull Contain Trojan binary programs ready to be installed by
an intruder with root access to the systembull Attacker hide the tools used for later attacksbull Replace legitimate commands with Trojan programsbull Eg LRK5
bull Tool to check root kitsbull Root kit Hunterbull Chkrootkit
Vulnerabilities Continuehellip
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
17
bull Scan the system(s) for un-patched codemodule
bull Intruders usually focus on a small number of exploits
Once a intruder gain access to root next step for him is to make sure that he does not get caught
18
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
• Server rooms should always be locked
• Monitoring should be both controlled via cameras and human
• Implement access controls such as biometric or other means of logging entries
• Servers should be visible from outside the room for operators to notice any potential threats or hazards
• A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks:
• Racks are to be made of heavy and durable material
• Individual locks are required for each server in the rack
• Implement logging controls on each lock
Prevent servers from being booted through other media
Conceal cabling and power outlets
• Cabling is a main source of data flow and operation
• Unprotected cabling may result in an attacker
• Linux installation should be planned out initially to achieve the best quality performance
• The purpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive: the installation should be run on a clean formatted drive. Run disk utilities to find bad sectors (fsck). In case such problems arise, consider replacing the drive and running diagnostics again.
Partitions
• Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
• Example: the /usr directory on a different partition, hda3, is not affected if a partition fails or corrupts in 'hda1'
Custom installation
• Installation must be done with custom or minimal packages as far as possible
• This prevents unnecessary services from running on either workstations or servers
• Additional packages can be installed later depending on the purpose of usage
• Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security
Patches
• Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime
• Update and patch sites differ for each Linux distribution or package. Here is a list of major package sites:
Red Hat Linux
http://www.redhat.com/support/errata
Mandrake Linux
http://www.mandrakesoft.com/security
Accounts / password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
• Limit the ability to access areas of the system by using "groups" to categorize users
  o Use the groupadd <groupname> command to create a group
  o Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username>
• Enforce password aging that forces users to change their passwords from time to time
  o The chage command is used to enforce password aging
• The default allowable password length in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (they take longer to crack)
  o vi /etc/login.defs
  o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts: there are 2 ways to accomplish this
• The userdel command is used to delete user accounts, i.e. userdel -r ftp; this will remove the user account 'ftp', its home directory and the files residing in it
• The other way is by manually removing the entries related to the user account from /etc/passwd and /etc/shadow:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   - remove in /etc/passwd
  ftp:*:12329:0:99999:7:::   - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
HISTFILESIZE=
TMOUT=3600
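An added example (not from the original slides) that turns the account checks above into a script: it looks for accounts whose hash still sits in passwd, empty shadow passwords, non-root accounts with a login shell, and the PASS_MIN_LEN value, and applies the 5 to 8 change. It works on constructed copies of the three files in a temporary directory; the names, UIDs and dates are made up.

```shell
# Added example, not part of the original slides: an audit of the account
# settings the slides discuss (shadow passwords, empty passwords, login-capable
# accounts, PASS_MIN_LEN). It works on constructed copies of /etc/passwd,
# /etc/shadow and /etc/login.defs in a temp directory, so nothing on the real
# host is read or changed. All names, UIDs and dates below are made up.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passwd: root, a shadowed user, a legacy account whose hash still
# sits in passwd (pwconv not run for it), and the ftp account the slides remove.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
legacy:$1$abcdefgh$ijklmnopqrstuvwxyz012:501:501:Legacy:/home/legacy:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
EOF

# Constructed shadow: alice has an empty password field (no password needed).
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:12329:0:99999:7:::
alice::12329:0:99999:7:::
ftp:*:12329:0:99999:7:::
EOF

# Constructed login.defs carrying the weak default the slides mention.
cat > "$WORK/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

# Accounts whose password field in passwd is not "x": the hash is world-readable.
unshadowed_accounts() {          # $1 = passwd file
    awk -F: '$2 != "x" && $2 != "" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty: they can log in without one.
empty_password_accounts() {      # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Non-root accounts with a real login shell: review these and delete what is
# not needed (ftp is already /sbin/nologin here, so it is not listed).
login_capable_accounts() {       # $1 = passwd file
    awk -F: '$1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Current PASS_MIN_LEN, or "unset" if the file does not define it.
pass_min_len() {                 # $1 = login.defs file
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Rewrite PASS_MIN_LEN to $2 in $1 (the slides' 5 -> 8 change), adding it if absent.
set_pass_min_len() {             # $1 = login.defs file, $2 = new minimum
    awk -v n="$2" '
        $1 == "PASS_MIN_LEN" { print "PASS_MIN_LEN    " n; done = 1; next }
        { print }
        END { if (!done) print "PASS_MIN_LEN    " n }' "$1" > "$1.new" \
    && mv "$1.new" "$1"
}

# One-screen report; each non-empty line is a finding an administrator should act on.
audit_report() {                 # $1 = directory holding the three files
    echo "unshadowed accounts:      $(unshadowed_accounts "$1/passwd" | tr '\n' ' ')"
    echo "empty-password accounts:  $(empty_password_accounts "$1/shadow" | tr '\n' ' ')"
    echo "login-capable accounts:   $(login_capable_accounts "$1/passwd" | tr '\n' ' ')"
    echo "PASS_MIN_LEN:             $(pass_min_len "$1/login.defs")"
}

audit_report "$WORK"
```

To run it against a real host, copy /etc/passwd, /etc/shadow and /etc/login.defs into a directory of your own and point audit_report at it; set_pass_min_len edits whatever file it is given in place.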
Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports are numbered from 1 to 65535.
Example: to stop sendmail, run service sendmail stop
apmd: required only on laptops, to monitor battery information
portmap: only if RPC services are running (which is dangerous), i.e. NFS, NIS
pcmcia: required only on laptops
telnet: use Secure Shell (SSH) instead
finger: used to query account information
samba: used to share volumes with Windows clients
sendmail: mail server, depends on purpose
httpd: Apache web server, depends on purpose
mysql: database server
vnc: remote desktop administration
nfs: Network File Server
xfs: X Font Server
Xinetd is a secure replacement for inetd; it is also known as the internet service daemon.
Inetd is a daemon that controls and manages several other daemons.
It calls those daemons that are needed by the system to perform various duties.
Inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
[root@asydz etc]# ls -l xinetd.conf
-rw-r--r--   1 root   root   289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
Tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
/etc/hosts.allow
/etc/hosts.deny
The best policy is to deny all hosts by putting
ALL: ALL@ALL, PARANOID
in the /etc/hosts.deny file and then explicitly list the trusted hosts that are allowed to connect to the
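An added example (not from the original slides, and not tcpd itself) that simulates the hosts.allow / hosts.deny decision order over constructed files, so the effect of the default-deny line above can be checked for a given daemon and client. Only ALL, ALL@ALL, exact host names, ".domain" suffixes and "a.b.c." network prefixes are recognised; PARANOID (forward/reverse DNS mismatch) is not modelled, and the subnet and host names are made up.

```shell
# Added example, not part of the original slides and not tcpd itself: a small
# simulation of the hosts.allow / hosts.deny decision order over constructed
# files, to show what the "ALL: ALL@ALL, PARANOID" default-deny line does.
# Only ALL, ALL@ALL, exact host names, ".domain" suffixes and "a.b.c." network
# prefixes are recognised; PARANOID (forward/reverse DNS mismatch) is not modelled.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed hosts.allow: SSH only from one subnet and one admin host.
cat > "$WORK/hosts.allow" <<'EOF'
# trusted sources, listed explicitly
sshd : 192.168.1. , admin.example.com
EOF

# Constructed hosts.deny: the slides' catch-all line.
cat > "$WORK/hosts.deny" <<'EOF'
ALL: ALL@ALL, PARANOID
EOF

# Does client pattern $1 match client $2 (host name or dotted IPv4)?
pattern_matches() {
    pat=$1; client=$2
    case "$pat" in
        ALL|ALL@ALL) return 0 ;;                            # wildcard
        PARANOID)    return 1 ;;                            # DNS check not modelled
        .*)  case "$client" in *"$pat") return 0 ;; esac ;; # ".example.com" suffix
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;; # "192.168.1." prefix
        *)   if [ "$pat" = "$client" ]; then return 0; fi ;;
    esac
    return 1
}

# Does any "daemons : clients" entry in file $1 cover service $2 from client $3?
# Comments are stripped; daemon and client lists may be comma separated.
file_matches() {
    sed 's/#.*//' "$1" | grep ':' | while IFS= read -r line; do
        daemons=$(printf '%s' "$line" | cut -d: -f1 | tr ',' ' ')
        clients=$(printf '%s' "$line" | cut -d: -f2 | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $clients; do
                if pattern_matches "$c" "$3"; then
                    echo match
                    exit 0      # leaves the pipeline subshell only
                fi
            done
        done
    done | grep -q match
}

# tcpd order: a hosts.allow match grants, then a hosts.deny match refuses,
# otherwise access is granted. With the catch-all deny line in place, only
# hosts named in hosts.allow ever get through.
access_decision() {              # $1 = dir with both files, $2 = daemon, $3 = client
    if file_matches "$1/hosts.allow" "$2" "$3"; then
        echo ALLOW
    elif file_matches "$1/hosts.deny" "$2" "$3"; then
        echo DENY
    else
        echo ALLOW
    fi
}

for probe in "sshd 192.168.1.20" "sshd 10.0.0.5" "in.telnetd 192.168.1.20"; do
    set -- $probe
    echo "$1 from $2: $(access_decision "$WORK" "$1" "$2")"
done
```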
In a default Linux environment the login screen will show important information such as the Linux distribution name, version and kernel information. With this information a potential attacker might have the information he/she needs to focus the attack on a specific version or name.
Following these steps will disable the information and will only show 'login' at the login menu.
Edit /etc/rc.d/rc.local and comment out the following lines:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
echo "" > /etc/issue
echo "$R" >> /etc/issue
echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
cp -f /etc/issue /etc/issue.net
echo >> /etc/issue
Third party utilities: prevent or detect malicious activities; system file integrity checks.
Examples: Tripwire is a policy-driven file system integrity tool. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Once an intruder gains access to root, the next step for him is to make sure that he does not get caught.
18
A Trojan horse is a malicious program that is disguised as legitimate software. Trojan horse programs bundled in the form of "rootkits" were originally written for Sun's Berkeley flavor of Unix (SunOS 4).
19
Get a program to scan /bin/login and see if it has been corrupted. Tools like Tripwire can check the integrity of the file if a hash has been generated at install time.
Identify and replace the files that have been modified. Use an md5 checksum to check the authenticity of the program.
20
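An added example (not from the original slides, and not Tripwire) of the install-time hash idea from the slide above and the third-party integrity tools mentioned earlier: a baseline of md5 checksums is recorded once, then later verification reports modified, missing and new files. It runs over a constructed directory of pretend binaries in a temporary directory and assumes GNU md5sum.

```shell
# Added example, not part of the original slides and not Tripwire: a minimal
# install-time checksum baseline with later verification, in the spirit of
# "check /bin/login against a hash taken at install time". It runs over a
# constructed directory of pretend binaries in a temp dir so no real system
# file is touched. Assumes GNU md5sum, as found on the distributions the slides name.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin"
printf 'pretend login binary v1\n' > "$WORK/bin/login"   # constructed stand-in
printf 'pretend ls binary\n'       > "$WORK/bin/ls"      # constructed stand-in

# Record "md5  ./relative/path" for every regular file under $1 into $2.
# Keep $2 on read-only or off-host media: a baseline an intruder can rewrite
# proves nothing.
make_baseline() {                # $1 = directory, $2 = baseline file
    ( cd "$1" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Compare directory $1 with baseline $2. Prints one line per deviation
# (MODIFIED = checksum changed, e.g. a trojaned login; MISSING = file gone;
# NEW = file not in the baseline) and returns 0 only when there are none.
verify_baseline() {              # $1 = directory, $2 = baseline file
    report="$2.report"
    {
        while read -r sum path; do
            if [ ! -f "$1/$path" ]; then
                echo "MISSING $path"
            elif [ "$(md5sum < "$1/$path" | cut -d' ' -f1)" != "$sum" ]; then
                echo "MODIFIED $path"
            fi
        done < "$2"
        ( cd "$1" && find . -type f ) | while read -r path; do
            # md5 hex (32 chars) plus two spaces: the path starts at column 35
            cut -c35- "$2" | grep -qxF -- "$path" || echo "NEW $path"
        done
    } | LC_ALL=C sort > "$report"
    cat "$report"
    [ ! -s "$report" ]
}

make_baseline "$WORK/bin" "$WORK/baseline.md5"
verify_baseline "$WORK/bin" "$WORK/baseline.md5" && echo "baseline clean"
```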
Chkrootkit, Tripwire, Rkscan, Carbonite, Rkdet, Checkps, LSM (Loadable Security Module), LCAP (Linux Kernel Capability Bounding Set Editor)
21
Buffer overflows write code to the OS's memory and then run some type of program; they can elevate the attacker's permissions to the level of the owner. A buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack:
Avoid functions known to have buffer overflow vulnerabilities: strcpy(), strcat(), sprintf(), gets()
Configure the OS so that code placed on the stack is not allowed to execute
Use compilers that warn programmers when the functions listed in the first bullet are used
24
Sniffers work by setting the network adapter in promiscuous mode, so the NIC accepts all packets that traverse the network cable. An attacker can analyze the packets and learn user names and passwords. Avoid using protocols such as Telnet, HTTP and FTP that send data in clear text.
Sniffers: tcpdump, Ethereal (Wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Trojan horse is a malicious program that is disguised as legitimate software Trojan horse programs bundled in
the form of ldquoRootkitsrdquo Originally written for Sunrsquos
Berkeley flavor of Unix (SunOS 4)
19
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Get a program to scan binlogin and see if it has been corrupted Tools like Tripwrie can check the
Integrity of the file if an hash has been generated at install time
Identify and replace the files that have been modified Use md5 checksum to check for the
authenticity of the program
20
Chkrootkit Tripwire Rkscan Carbonite Rkdet Checkps LSM (Loadable Security Module) LCAP (Linux Kernel Capability Bounding Set
Editor)
21
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
Patches
• Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime.
• Update and patch sites differ for each Linux distribution or package. Here is a list of major package sites:
Red Hat Linux
http://www.redhat.com/support/errata
Mandrake Linux
http://www.mandrakesoft.com/security
Accounts & password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
• Limit the ability to access areas of the system by using "groups" to categorize users
  o Use the groupadd <groupname> command to create a group
  o Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username> for an existing user
• Enforce password aging that forces users to change their passwords from time to time
  o The chage command is used to enforce password aging
• The default allowable password length in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (takes longer to crack)
  o vi /etc/login.defs
  o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts
There are 2 ways to accomplish this:
• The userdel command is used to delete user accounts, i.e. userdel -r ftp; this will remove the user account 'ftp', its home directory and the files residing in it
• The other way is by manually removing the entries related to the user account from /etc/passwd and /etc/shadow:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   - remove in /etc/passwd
  ftp:*:12329:0:99999:7:::   - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file: vi /etc/profile. Add the following lines:
  HISTFILESIZE=
  TMOUT=3600
Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports are numbered from 1 to 65535.
Example: to stop sendmail: service sendmail stop
Services to review, and whether they are needed:
- apmd: required only on laptops, to monitor battery information
- portmap: only if RPC services are running (which is dangerous), i.e. NFS, NIS
- pcmcia: required only on laptops
- telnet: use Secure Shell (SSH) instead
- finger: used to query account information
- samba: used to share volumes with Windows clients
- sendmail: mail server, depends on purpose
- httpd: Apache web server, depends on purpose
- mysql: database server
- vnc: remote desktop administration
- nfs: Network File System server
- xfs: X Font Server
Xinetd is a secure replacement for inetd; it is also known as the internet service daemon.
Inetd is a daemon that controls and manages several other daemons.
It calls those daemons that are needed by the system to perform various duties.
Inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
  [root@asydz /etc]# ls -l xinetd.conf
  -rw-r--r--  1 root root 289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
• /etc/hosts.allow
• /etc/hosts.deny
The best policy is to deny all hosts by putting
  ALL: ALL@ALL, PARANOID
in the /etc/hosts.deny file and then explicitly list the trusted hosts that are allowed to connect.
In a default Linux environment the login screen will show important information such as the Linux distribution name, version and kernel information. With this information a potential attacker has what he/she needs to focus an attack on a specific version or name.
Following these steps will disable the information and will only show 'login' at the login menu.
Edit /etc/rc.d/rc.local and comment out the following lines:
  # This will overwrite /etc/issue at every boot.  So, make any changes you
  # want to make to /etc/issue here or you will lose them when you reboot.
  echo "" > /etc/issue
  echo "$R" >> /etc/issue
  echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
  cp -f /etc/issue /etc/issue.net
  echo >> /etc/issue
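The settings the preceding sections ask for (shadow passwords enabled, PASS_MIN_LEN raised, TMOUT set, xinetd.conf owned by root and not group- or world-writable, a default-deny rule in /etc/hosts.deny, and an /etc/issue that names neither the distribution nor the kernel) can be verified with a script rather than by eye. The POSIX sh audit below is an added example, not part of the original slides or of any tool they mention; the file paths are the standard ones, and the sample files it builds under mktemp are constructed here for the demonstration (the guest hash, the "Example Linux" banner and the other values are placeholders).

```shell
#!/bin/sh
# Added audit script, not from the slides. Each check takes the file to
# inspect as an argument and returns 0 when the setting matches the
# recommendation above, 1 otherwise, so the same functions run against the
# live files (/etc/passwd, /etc/login.defs, /etc/profile, /etc/xinetd.conf,
# /etc/hosts.deny, /etc/issue) or against the constructed samples below.

# Shadow passwords: every password field in the passwd file must be "x".
check_shadow_enabled() {
    awk -F: 'NF == 0 { next } $2 != "x" { bad++ } END { exit (bad > 0) }' "$1"
}

# PASS_MIN_LEN in login.defs must be present (not commented out) and at
# least MIN, which defaults to the 8 the slides recommend.
check_pass_min_len() {
    awk -v min="${2:-8}" '
        /^[ \t]*#/ { next }
        $1 == "PASS_MIN_LEN" { val = $2 }
        END { exit !(val != "" && val + 0 >= min + 0) }' "$1"
}

# TMOUT in the profile must be set, outside a comment, to a positive number
# of seconds so that an idle shell (root included) is logged out.
check_tmout() {
    awk '
        /^[ \t]*#/ { next }
        match($0, /TMOUT=[0-9]+/) { val = substr($0, RSTART + 6, RLENGTH - 6) + 0 }
        END { exit !(val > 0) }' "$1"
}

# An "ls -ld" line for a configuration file must show owner root and no
# write bit for group (position 6) or others (position 9), as in the
# xinetd.conf listing above.
check_listing_safe() {
    printf '%s\n' "$1" | awk '{
        mode = $1; owner = $3
        exit !(owner == "root" && substr(mode, 6, 1) != "w" && substr(mode, 9, 1) != "w")
    }'
}
check_config_file() { check_listing_safe "$(ls -ld "$1")"; }

# hosts.deny must carry a default-deny rule such as "ALL: ALL@ALL, PARANOID".
check_default_deny() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]*ALL[ \t]*:[ \t]*ALL/ { found = 1 }
         END { exit !found }' "$1"
}

# The pre-login banner must not leak distribution or kernel details.
check_issue_banner() {
    ! grep -Eiq 'kernel|release|[0-9]+\.[0-9]+' "$1"
}

# Constructed sample files, one compliant and one weak version of each;
# prints the directory they were written to. All values are placeholders.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n' > "$d/passwd.ok"
    printf 'root:x:0:0:root:/root:/bin/bash\nguest:$1$salt$fakehash:500:500::/home/guest:/bin/bash\n' > "$d/passwd.bad"
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 8\n' > "$d/login.defs.ok"
    printf '# PASS_MIN_LEN 8\nPASS_MIN_LEN 5\n' > "$d/login.defs.bad"
    printf 'HISTFILESIZE=\nTMOUT=3600\nexport TMOUT\n' > "$d/profile.ok"
    printf '# TMOUT=3600\nPATH=$PATH:/usr/local/bin\n' > "$d/profile.bad"
    printf '# deny everything not listed in hosts.allow\nALL: ALL@ALL, PARANOID\n' > "$d/hosts.deny.ok"
    printf '# nothing denied yet\n' > "$d/hosts.deny.bad"
    printf 'Authorized use only.\n' > "$d/issue.ok"
    printf 'Example Linux release 9.9\nKernel 9.9.9-example on an i686\n' > "$d/issue.bad"
    printf '%s\n' "$d"
}

# Print PASS/FAIL for one check and its arguments.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

# Run every check against both sample versions.
run_demo() {
    d=$(make_samples)
    for f in passwd login.defs profile hosts.deny issue; do
        case $f in
            passwd)     c=check_shadow_enabled ;;
            login.defs) c=check_pass_min_len ;;
            profile)    c=check_tmout ;;
            hosts.deny) c=check_default_deny ;;
            issue)      c=check_issue_banner ;;
        esac
        report "$c" "$d/$f.ok"
        report "$c" "$d/$f.bad"
    done
    report check_listing_safe "-rw-r--r-- 1 root root 289 Feb 18 02:59 xinetd.conf"
    report check_listing_safe "-rw-rw-r-- 1 root root 289 Feb 18 02:59 xinetd.conf"
    rm -rf "$d"
}
run_demo
```

Against a live system, call the checks on the real paths as root (for example check_config_file /etc/xinetd.conf and check_default_deny /etc/hosts.deny); each one returns a non-zero status when the hardening step has not been applied, which makes the script usable from cron or a configuration-management post-run hook.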
Third party utilities
- prevent or detect malicious activities
- system file integrity checks
Examples: Tripwire is a policy-driven file system integrity checker. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Other tools: Chkrootkit, Tripwire, Rkscan, Carbonite, Rkdet, Checkps, LSM (Loadable Security Module), LCAP (Linux Kernel Capability Bounding Set Editor)
Buffer overflows write code to the OS's memory and then run some type of program. They can elevate the attacker's permissions to the level of the owner.
A buffer overflow program looks like: [slide listing not included in the transcript]
The program compiles but returns the following error: [slide output not included in the transcript]
Guidelines to help reduce this type of attack:
- Avoid functions known to have buffer overflow vulnerabilities: strcpy(), strcat(), sprintf(), gets()
- Configure the OS to not allow code in the stack to run (a non-executable stack)
- Use compilers that warn programmers when the functions listed in the first bullet are used
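The first and third guidelines can be enforced before the compiler ever runs, by refusing source that calls the listed functions. The shell script below is an added example, not from the slides: it greps a C file for strcpy(), strcat(), sprintf() and gets() while deliberately not matching their bounded relatives (strncpy, snprintf, fgets), and the C fragment it scans is constructed here purely as sample input.

```shell
#!/bin/sh
# Added example, not from the slides: a textual audit for the functions the
# guideline above lists (strcpy, strcat, sprintf, gets). It reports each
# call with its line number and fails when any is present, so it can gate a
# build or a commit alongside the compiler's own warnings.

# The leading non-identifier character keeps strncpy(), snprintf(), fgets()
# and my_strcpy() from matching; the trailing "(" restricts hits to calls.
BANNED_CALL='(^|[^A-Za-z0-9_])(strcpy|strcat|sprintf|gets)[[:space:]]*\('

# Print "line:text" for every banned call in FILE; return 1 if any, else 0.
scan_unsafe_calls() {
    if grep -nE "$BANNED_CALL" "$1"; then
        return 1
    fi
    return 0
}

# Number of lines in FILE containing a banned call (0 when clean).
count_unsafe_lines() {
    grep -cE "$BANNED_CALL" "$1" || true
}

# Constructed C source mixing flagged and bounded calls; prints its path.
make_sample_source() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#include <stdio.h>
#include <string.h>
static char name[16];
void greet(const char *arg)
{
    strcpy(name, arg);                       /* unbounded: flagged */
    strncpy(name, arg, sizeof name - 1);     /* bounded: not flagged */
    gets(name);                              /* flagged */
    fgets(name, sizeof name, stdin);         /* not flagged */
    snprintf(name, sizeof name, "%s", arg);  /* not flagged */
}
EOF
    printf '%s\n' "$f"
}

src=$(make_sample_source)
scan_unsafe_calls "$src" || echo "banned calls found in $src (see lines above)"
rm -f "$src"
```

This is a coarse textual check: it will also flag a call that appears inside a comment or string, and it says nothing about bounded functions used with a wrong length, so it complements rather than replaces compiler warnings and a non-executable stack.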
Sniffers work by setting a network card adapter in promiscuous mode: the NIC accepts all packets that traverse the network cable. An attacker can analyze packets and learn user names and passwords. Avoid using protocols such as Telnet, HTTP and FTP that send data in clear text.
Sniffers: Tcpdump, Ethereal (Wireshark)
Footprinting techniques are used to find out information about a target system. Footprinting tools include Whois databases, DNS zone transfers, Nessus and port scanning tools.
Determining the OS version the attacked computer is running: check newsgroups for details in posted messages. Knowing a company's e-mail address makes the search easier.
Goal: to get OS information from company employees. Common techniques: urgency, quid pro quo, status quo, kindness, position.
Train your employees about social engineering techniques.
Users must be told not to reveal information to outsiders.
Make customers aware that many exploits can be downloaded from Web sites.
Teach users to be suspicious of people asking questions about the system they are using. Verify the caller's identity (call-back technique).
Keeping current on new kernel releases and security updates: installing these fixes is essential to protecting your system. Use automated tools for updating your systems.
Linux ... Make it more secure
How to physically secure a Linux server
Precautions during installation of Linux
Precautions post installation
BIOS Password
Setting up a BIOS password protects the system configuration from being reset or altered by intruders.
Place servers in a controlled area
• Server rooms should always be locked
• Monitoring should be both controlled via cameras and by humans
• Implement access controls such as biometric or other means of logging entries
• Servers should be visible from outside the room for operators to notice any potential threats or hazards
• A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks:
• Racks are to be made of heavy and durable material
• Individual locks are required for each server in the rack
• Implement logging controls on each lock
Prevent servers from being booted through other media
Conceal cabling and power outlets
• It is the main source of data flow and operation
• Unprotected cabling may result in an attacker
• Linux installation should be planned out initially to achieve the best quality and performance
• The purpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive
- Installation should be run on a clean formatted drive
- Run disk utilities to find out bad sectors (fsck)
- In the case of such problems arising, consider replacing the drive and running diagnostics again
Partitions
• Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
• Example: the /usr directory on a different partition (hda3) is not affected if a partition fails or corrupts in 'hda1'
Custom installation
• Installation must be done with custom or as minimal packages as possible
• This prevents unnecessary services from running on either workstations or servers
• Additional packages can be installed later depending on the purpose of usage
• Example: running Linux for a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Buffer overflows write code to the OSrsquos memory Then run some type of program Can elevate the attackerrsquos permissions
to the level of the ownerA buffer overflow program looks like
22
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
The program compiles but returns the following error
23
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Guidelines to help reduce this type of attack Avoids functions known to have buffer overflow
vulnerabilities strcpy() strcat() sprintf() gets()
Configure OS to not allow code in the stack to run any other executable code in the stack
Use compilers that warn programmers when functions listed in the first bullet are used
24
Sniffers work by setting a network card adapter in promiscuous mode NIC accepts all packets that traverse the
network cable Attacker can analyze packets and learn user
names and passwords Avoid using protocols such as Telnet
HTTP and FTP that send data in clear text
Sniffers Tcpdump Ethereal (wireshark)
25
Footprinting techniques Used to find out information about a
target system footprinting tools include Whois databases DNS zone
transfers Nessus and port scanning tools
Determining the OS version the attacked computer is running Check newsgroups for details on posted
messages Knowing a companyrsquos e-mail address
makes the search easier
26
Goal To get OS information from company
employees Common techniques
Urgency Quid pro quo Status quo Kindness Position
Train your employees about social engineering techniques
27
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks:
- Racks are to be made of heavy and durable material.
- Individual locks are required for each server in the rack.
- Implement logging controls on each lock.
Prevent servers from being booted through other media
Conceal cabling and power outlets
- It is the main source of data flow and operation.
- Unprotected cabling may result in an attacker
- Linux installation should be planned out initially to achieve the best quality and performance.
- The purpose of usage is crucial to determine the necessity of packages or services to be installed.
Install from a clean formatted drive
- The installation should be run on a clean formatted drive. Run disk utilities to find bad sectors (fsck). In case such problems arise, consider replacing the drive and running the diagnostics again.
Partitions
- Linux offers partitioning for its directories to protect against data loss due to corrupted partitions.
- Example: the /usr directory on a different partition (hda3) is not affected if the partition 'hda1' fails or becomes corrupted.
Custom installation
- Installation must be done with custom or as minimal a set of packages as possible.
- This prevents unnecessary services from running on either workstations or servers.
- Additional packages can be installed later depending on the purpose of usage.
- Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security.
Patches
- Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime.
- Update and patch sites differ between Linux distributions and packages. Here is a list of major package sites:
Red Hat Linux: http://www.redhat.com/support/errata
Mandrake Linux: http://www.mandrakesoft.com/security
Accounts password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
- Limit the ability to access areas of the system by using "groups" to categorize users.
  o Use the groupadd <groupname> command to create a group.
  o Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username> for an existing user.
- Enforce password aging that forces users to change their passwords from time to time.
  o The chage command is used to enforce password aging.
- The default minimum password length allowed in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (they take longer to crack).
  o vi /etc/login.defs
  o Change the value PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts
There are 2 ways to accomplish this:
- The userdel command is used to delete user accounts, i.e. userdel -r ftp. This will remove the user account 'ftp', its home directory and the files residing in it.
- The other way is by manually removing the entries related to the user account from /etc/passwd and /etc/shadow:
  ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   - remove in /etc/passwd
  ftp:*:12329:0:99999:7:::                      - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
  HISTFILESIZE=
  TMOUT=3600
Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. Ports are numbered from 1 to 65535.
Example, to stop the sendmail service: service sendmail stop
- apmd: required only on laptops, to monitor battery information
- portmap: only if RPC services are running (which is dangerous), i.e. NFS, NIS
- pcmcia: required only on laptops
- telnet: use Secure Shell (SSH) instead
- finger: used to query account information
- samba: used to share volumes with Windows clients
- sendmail: mail server, depends on purpose
- httpd: Apache web server, depends on purpose
- mysql: database server
- vnc: remote desktop administration
- nfs: Network File System server
- xfs: X Font server
xinetd is a secure replacement for inetd; it is also known as the Internet service daemon.
inetd is a daemon that controls and manages several other daemons. It calls those daemons that are needed by the system to perform various duties.
inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
  [root@asydz /etc]# ls -l xinetd.conf
  -rw-r--r--   1 root  root   289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
- /etc/hosts.allow
- /etc/hosts.deny
The best policy is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" in the /etc/hosts.deny file and then explicitly list, in /etc/hosts.allow, the trusted hosts that are allowed to connect.
In a default Linux environment the login screen shows important information such as the Linux distribution name, version and kernel information. With this information a potential attacker may have what he/she needs to focus the attack on a specific version or distribution.
Following these steps will disable the information and show only 'login' at the login prompt.
Edit /etc/rc.d/rc.local and comment out the following lines:
  # This will overwrite /etc/issue at every boot. So, make any changes you
  # want to make to /etc/issue here or you will lose them when you reboot.
  #echo "" > /etc/issue
  #echo "$R" >> /etc/issue
  #echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
  #cp -f /etc/issue /etc/issue.net
  #echo >> /etc/issue
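As an added example (not part of the original slides), the following POSIX shell audit checks several of the hardening items above against a directory tree: the PASS_MIN_LEN setting in login.defs, TMOUT in /etc/profile, shadow passwords, the permissions on xinetd.conf, the default-deny rule in /etc/hosts.deny, and an /etc/issue that still discloses OS details. The file layout under ROOT and the sample file contents are assumptions constructed for the example; point ROOT at / (as root) to audit a real host.

```shell
#!/bin/sh
# Added example (not from the original slides): a read-only audit for the hardening
# items the slides describe. Every function takes ROOT, the directory standing in
# for "/", so the same checks run against constructed sample files
# (make_sample_tree) or against a real system (ROOT=/, run as root).

# PASS_MIN_LEN in ROOT/etc/login.defs must be at least $2 (slides: raise 5 to 8).
check_pass_min_len() {
    f="$1/etc/login.defs"
    [ -r "$f" ] || return 1
    min=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' "$f")
    [ "$min" -ge "$2" ]
}
# TMOUT in ROOT/etc/profile ("TMOUT=N" or "export TMOUT=N") must be non-zero and <= $2 seconds.
check_tmout() {
    f="$1/etc/profile"
    [ -r "$f" ] || return 1
    t=$(sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}TMOUT=\([0-9][0-9]*\).*/\2/p' "$f" | tail -n 1)
    [ -n "$t" ] && [ "$t" -gt 0 ] && [ "$t" -le "$2" ]
}
# Shadow passwords in use: ROOT/etc/shadow exists and every /etc/passwd line has "x" as its password field.
check_shadow() {
    [ -r "$1/etc/passwd" ] && [ -e "$1/etc/shadow" ] || return 1
    awk -F: 'BEGIN { bad = 0 } NF > 0 && $2 != "x" { bad = 1 } END { exit bad }' "$1/etc/passwd"
}
# ROOT/$2 (e.g. etc/xinetd.conf) must not be group- or world-writable; characters
# 6 and 9 of the "ls -l" mode string are the group and other write bits.
check_not_group_world_writable() {
    f="$1/$2"
    [ -e "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c6)" = "-" ] && [ "$(printf '%s' "$mode" | cut -c9)" = "-" ]
}
# ROOT/etc/hosts.deny must carry a default-deny rule beginning with "ALL:".
check_default_deny() {
    f="$1/etc/hosts.deny"
    [ -r "$f" ] || return 1
    grep -q '^[[:space:]]*ALL[[:space:]]*:' "$f"
}
# ROOT/etc/issue and issue.net must not leak OS details; agetty also expands \r \m \s \v.
check_banner() {
    for f in "$1/etc/issue" "$1/etc/issue.net"; do
        [ -e "$f" ] || continue
        grep -q -i -E 'kernel|release|linux|\\[rmsv]' "$f" && return 1
    done
    return 0
}
# Print PASS/FAIL for one check and count failures in the global "fails".
report_check() {
    name="$1"; shift
    if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; fails=$((fails + 1)); fi
}

# Run every check against ROOT; return the number of failed checks (0 = clean).
run_audit() {
    fails=0
    report_check "PASS_MIN_LEN >= 8 in /etc/login.defs"      check_pass_min_len "$1" 8
    report_check "TMOUT set and <= 3600 in /etc/profile"     check_tmout "$1" 3600
    report_check "shadow passwords enabled"                  check_shadow "$1"
    report_check "/etc/xinetd.conf not group/world writable" check_not_group_world_writable "$1" etc/xinetd.conf
    report_check "default deny (ALL:) in /etc/hosts.deny"    check_default_deny "$1"
    report_check "/etc/issue reveals no OS details"          check_banner "$1"
    return "$fails"
}

# Constructed sample files (not taken from any real system) in the "weak" or the
# "hardened" state, so the audit can be tried without touching a live host.
make_sample_tree() {
    root="$1"; mkdir -p "$root/etc"
    if [ "$2" = hardened ]; then
        printf 'PASS_MAX_DAYS 90\nPASS_MIN_LEN 8\n' > "$root/etc/login.defs"
        printf '# constructed profile\nTMOUT=3600\nexport TMOUT\n' > "$root/etc/profile"
        printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
        printf 'root:*:12329:0:99999:7:::\n' > "$root/etc/shadow"
        printf 'ALL: ALL@ALL, PARANOID\n' > "$root/etc/hosts.deny"
        printf 'login:\n' > "$root/etc/issue"
        : > "$root/etc/xinetd.conf"; chmod 644 "$root/etc/xinetd.conf"
    else
        printf 'PASS_MIN_LEN 5\n' > "$root/etc/login.defs"
        printf '# constructed profile, no TMOUT\n' > "$root/etc/profile"
        # the unneeded ftp account is still present, with its hash in /etc/passwd (no shadow)
        printf 'root:x:0:0:root:/root:/bin/bash\nftp:$1$constructed:14:50:FTP User:/var/ftp:/sbin/nologin\n' > "$root/etc/passwd"
        : > "$root/etc/shadow"
        printf '# constructed, no rules\n' > "$root/etc/hosts.deny"
        printf 'Example Linux release X.Y\nKernel X.Y.Z on an i686\n' > "$root/etc/issue"
        : > "$root/etc/xinetd.conf"; chmod 666 "$root/etc/xinetd.conf"
    fi
}

# Usage: sh audit.sh ROOT (ROOT=/ as root), or sh audit.sh --demo for the sample trees.
if [ "${1:-}" = --demo ]; then
    d=$(mktemp -d); make_sample_tree "$d/weak" weak; make_sample_tree "$d/hard" hardened
    run_audit "$d/weak"; echo "weak tree: $? failure(s)"
    run_audit "$d/hard"; echo "hardened tree: $? failure(s)"
    rm -rf "$d"
elif [ -n "${1:-}" ]; then
    run_audit "$1"
fi
```

The weak sample tree fails all six checks and the hardened one passes them all; on a real host the ownership-by-root part of the xinetd.conf check still has to be read from the ls -l output as the slides show.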
Third-party utilities
- Prevent or detect malicious activities
- System file integrity checks
Examples: Tripwire is a policy-driven file system integrity checker. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Users must be told not to reveal information to outsiders
Make customers aware that many exploits can be downloaded from Web sites
Teach users to be suspicious of people asking questions about the system they are using Verify callerrsquos identity Call back technique
28
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
• Server rooms should always be locked
• Monitoring should be both by cameras and by people
• Implement access controls such as biometric or other means of logging entries
• Servers should be visible from outside the room so operators can notice any potential threats or hazards
• A fire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks:
• Racks are to be made of heavy and durable material
• Individual locks are required for each server in the rack
• Implement logging controls on each lock
Prevent servers from being booted through other media
Conceal cabling and power outlets
• Cabling is the main source of data flow and operation
• Unprotected cabling may result in an attacker
• Linux installation should be planned out initially to achieve the best quality performance
• The purpose of usage is crucial to determine which packages or services need to be installed
Install from a clean formatted drive
- The installation should be run on a clean formatted drive. Run disk utilities to find bad sectors (fsck).
- In case such problems arise, consider replacing the drive and run the diagnostics again.
Partitions
• Linux offers partitioning for its directories to protect against data loss due to corrupted partitions
• Example: the /usr directory on a different partition (hda3) is not affected if a partition fails or corrupts in 'hda1'
Custom installation
• Installation must be done with custom or minimal packages as far as possible
• This prevents unnecessary services from running on either workstations or servers
• Additional packages can be installed later depending on the purpose of usage
• Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL etc. as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security
Patches
• Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime
• Update and patch sites differ between Linux distributions or packages. Here is a list of major package sites:
Redhat Linux: http://www.redhat.com/support/errata
Mandrake Linux: http://www.mandrakesoft.com/security
Accounts password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
• Limit the ability to access areas of the system by using "groups" to categorize users
  - Use the groupadd <groupname> command to create a group
  - Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username> for an existing user
• Enforce password aging that forces users to change their passwords from time to time
  - The chage command is used to enforce password aging
• The default minimum password length allowed in Linux is 5. Change it to force users to choose longer passwords (8 characters, as below) for better security; longer passwords take longer to crack
  - vi /etc/login.defs
  - Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts
There are 2 ways to accomplish this:
• The userdel command is used to delete user accounts, i.e. userdel -r ftp. This removes the user account 'ftp', its home directory and the files residing in it
• The other way is by manually removing the entries related to the user account from /etc/passwd and /etc/shadow:

    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin   - remove in /etc/passwd
    ftp:*:12329:0:99999:7:::                      - remove in /etc/shadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:

    HISTFILESIZE=
    TMOUT=3600
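As an added example (not from the slides), the POSIX shell script below audits constructed copies of /etc/passwd, /etc/shadow, /etc/login.defs and /etc/profile for the weaknesses covered in this section: hashes left in passwd instead of shadow, system accounts that still have a login shell, passwords that never expire, a PASS_MIN_LEN below 8 and a missing TMOUT. The sample file contents, the temporary directory, the UID 500 system-account boundary and the function names are assumptions; on a real system point the functions at the files under /etc.

```shell
#!/bin/sh
# Added example: audit account settings discussed on the slides.
# Not code from the original presentation.
set -u

# --- constructed sample files standing in for the real /etc files ---
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT

cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
legacy:oldhashinpasswd:501:501:Legacy:/home/legacy:/bin/bash
EOF

cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$6$constructed$hash:12329:0:90:7:::
ftp:*:12329:0:99999:7:::
games:*:12329:0:99999:7:::
alice:$6$constructed$hash:12329:0:99999:7:::
legacy:!!:12329:0:99999:7:::
EOF

cat > "$AUDIT_DIR/login.defs" <<'EOF'
# constructed login.defs fragment
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
EOF

cat > "$AUDIT_DIR/profile" <<'EOF'
# constructed /etc/profile fragment: no TMOUT set
HISTFILESIZE=
EOF

# Accounts whose passwd password field is not "x": the hash lives in the
# world-readable passwd file, so shadow passwords (pwconv) are not in use.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# System accounts (UID below 500, root excluded; assumed boundary) that
# still have an interactive shell: candidates for userdel -r or nologin.
system_accounts_with_shell() {
    awk -F: '$3 < 500 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts with a real hash (field 2 starts with "$") whose maximum age
# (field 5) is 99999, i.e. no password aging; fix with chage -M <days> <user>
never_expiring_passwords() {
    awk -F: '$2 ~ /^[$]/ && $5 == 99999 { print $1 }' "$1"
}

# Current PASS_MIN_LEN from login.defs, ignoring comment lines
pass_min_len() {
    awk '/^[ \t]*#/ { next } $1 == "PASS_MIN_LEN" { print $2 }' "$1"
}

# Exit status 0 if TMOUT is set to a positive number of seconds
tmout_enforced() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]*(export[ \t]+)?TMOUT=[0-9]+/ {
             split($0, a, "="); if (a[2] + 0 > 0) ok = 1
         }
         END { exit !ok }' "$1"
}

audit_report() {
    echo "Accounts not using shadow passwords: $(unshadowed_accounts "$1/passwd")"
    echo "System accounts with a login shell:  $(system_accounts_with_shell "$1/passwd")"
    echo "Passwords that never expire:         $(never_expiring_passwords "$1/shadow")"
    min=$(pass_min_len "$1/login.defs")
    [ "${min:-0}" -ge 8 ] || echo "PASS_MIN_LEN is ${min:-unset}; raise it to 8 in login.defs"
    tmout_enforced "$1/profile" || echo "TMOUT not set in profile; add TMOUT=3600"
}

audit_report "$AUDIT_DIR"
```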
Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports are numbered from 1 to 65535.
Example: to stop the sendmail service: service sendmail stop

Service   Notes
apmd      Required only on laptops, to monitor battery information
portmap   Only if RPC services are running (which is dangerous), i.e. NFS, NIS
pcmcia    Required only on laptops
telnet    Use Secure Shell (SSH) instead
finger    Used to query account information
samba     Used to share volumes with Windows clients
sendmail  Mail server; depends on purpose
httpd     Apache web server; depends on purpose
mysql     Database server
vnc       Remote desktop administration
nfs       Network File Server
xfs       X Font server
xinetd is a secure replacement for inetd; it is also known as the internet service daemon.
inetd is a daemon that controls and manages several other daemons. It calls those daemons that are needed by the system to perform various duties.
inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:

    [root@asydz /etc]# ls -l xinetd.conf
    -rw-r--r--    1 root     root          289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
• /etc/hosts.allow
• /etc/hosts.deny
The best policy is to deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and then explicitly list trusted hosts who are allowed to connect to the
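As an added example (not from the slides), the POSIX shell script below checks the two points made above: that a service configuration file such as xinetd.conf is owned by root and not writable by group or others, and that hosts.deny carries the deny-by-default rule while hosts.allow lists the trusted clients per service. It runs against constructed files in a temporary directory; the file contents, the directory and the function names are assumptions, and on a real system the functions would be pointed at /etc/xinetd.conf, /etc/hosts.deny and /etc/hosts.allow.

```shell
#!/bin/sh
# Added example: check xinetd.conf ownership/permissions and the TCP
# wrappers policy. Not code from the original presentation.
set -u

WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT

# Constructed stand-in for /etc/xinetd.conf (its contents are irrelevant here)
printf 'defaults\n{\n    log_type = SYSLOG daemon info\n}\n' > "$WRAP_DIR/xinetd.conf"
chmod 644 "$WRAP_DIR/xinetd.conf"

# Constructed hosts.deny following the slide's recommendation
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# deny everything not explicitly allowed; PARANOID also refuses clients
# whose forward and reverse DNS names do not match
ALL: ALL@ALL, PARANOID
EOF

# Constructed hosts.allow listing the trusted hosts per service
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
sshd: 192.168.1.0/255.255.255.0
ALL: LOCAL
EOF

# Owner of a file as printed by ls -l (portable across GNU and BSD ls)
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Exit status 0 if the file is owned by root
owned_by_root() {
    [ "$(file_owner "$1")" = "root" ]
}

# Exit status 0 if neither group nor others may write the file
# (positions 6 and 9 of the ls -l mode string are the group/other 'w' bits)
not_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Exit status 0 if hosts.deny contains an uncommented "ALL: ALL..." line,
# i.e. the deny-by-default rule is in place
hosts_deny_default_deny() {
    awk '/^[ \t]*#/ { next }
         /^[ \t]*ALL[ \t]*:[ \t]*ALL/ { found = 1 }
         END { exit !found }' "$1"
}

# Print the client patterns hosts.allow grants to a service (lines naming
# that daemon or ALL), one per line
allowed_clients() {
    awk -F: -v svc="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1) }
        $1 == svc || $1 == "ALL" {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2
        }' "$1"
}

check_wrappers() {
    f=$1/xinetd.conf
    owned_by_root "$f" || echo "$f: owner is $(file_owner "$f"), expected root"
    not_group_or_world_writable "$f" || echo "$f: writable by group or others"
    hosts_deny_default_deny "$1/hosts.deny" || echo "hosts.deny: no ALL: ALL rule"
    echo "sshd is reachable from: $(allowed_clients "$1/hosts.allow" sshd | tr '\n' ' ')"
}

check_wrappers "$WRAP_DIR"
```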
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Keeping current on new kernel releases and security updates Installing these fixes is essential to
protecting your system automated tools for updating your
systems
29
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Linux helliphelliphellip Make it more
secure
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
How to physically secure Linux server
Precaution during installation of Linux Precaution post installation
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
BIOS Password
Setting up BIOS password protects the system configuration from being reset or altered by intruders
Place servers in a controlled area
bullServer rooms should always be lockedbullMonitoring should be both controlled via cameras and humanbullImplement access controls such as biometric or other means of logging entriesbull Servers should be visible from outside the room for operators to notice any potential threats or hazardsbullFire suppression system must be available to control fire or electrical hazards
Servers are to be placed in racks with locking mechanisms
Choosing suitable racks are as followsbullRacks are to be made of heavy and durable materialbullIndividual locks are required for each servers in the rackbullImplement logging controls on each locks
Prevent servers from being booted through other medium
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out from the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file (vi /etc/profile) and add the following lines:
HISTFILESIZE=
TMOUT=3600
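The following audit helpers are an added example, not part of the slides: they check the account-policy settings described above (PASS_MIN_LEN in /etc/login.defs, accounts that still have an interactive shell, password aging in /etc/shadow, and TMOUT in /etc/profile) against copies of those files, so they run without root. Every sample file is constructed here; only the ftp entries mirror the ones shown on the slide, and the other account names, hashes and dates are made up.

```shell
#!/bin/sh
# Added audit helpers (not from the slides): they check the account-policy
# settings described above against copies of the files, so they run without
# root. All sample files below are constructed; only the ftp entries mirror
# the ones the slides show.
ACCT_DIR="$(mktemp -d)"

# Constructed /etc/login.defs with the default minimum length the slides cite.
cat > "$ACCT_DIR/login.defs" <<'EOF'
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF

# Constructed /etc/passwd: root, the ftp entry from the slides, and two more accounts.
cat > "$ACCT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

# Constructed /etc/shadow (name:hash:lastchange:min:max:warn:inactive:expire:).
cat > "$ACCT_DIR/shadow" <<'EOF'
root:$1$example$hashhashhash:12329:0:99999:7:::
ftp:*:12329:0:99999:7:::
games:*:12329:0:99999:7:::
alice:$1$example$hashhashhash:12329:0:90:7:::
EOF

# Constructed /etc/profile fragment with the TMOUT setting from the slides.
printf 'HISTFILESIZE=\nTMOUT=3600\nexport TMOUT\n' > "$ACCT_DIR/profile"

# Print the PASS_MIN_LEN value from a login.defs file (comment lines are skipped).
pass_min_len() {
    awk '$1 == "PASS_MIN_LEN" { print $2 }' "$1"
}

# Exit 0 only when PASS_MIN_LEN is 8 or more, the value the slides set.
check_pass_min_len() {
    n="$(pass_min_len "$1")"
    [ -n "$n" ] && [ "$n" -ge 8 ]
}

# Rewrite PASS_MIN_LEN in place: the same edit the slides make with vi.
set_pass_min_len() {
    awk -v n="$2" '$1 == "PASS_MIN_LEN" { $2 = n } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Accounts that still have an interactive shell. Unneeded system accounts
# (the slides' ftp example) belong on /sbin/nologin or are removed with userdel -r.
interactive_accounts() {
    awk -F: '$7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }' "$1"
}

# Maximum password age (field 5 of /etc/shadow) for one user. 99999 means
# aging is not enforced, which chage -M <days> <user> corrects.
shadow_max_days() {
    awk -F: -v u="$2" '$1 == u { print $5 }' "$1"
}

# Accounts with a usable password (not locked with * or !) and no aging limit.
unaged_accounts() {
    awk -F: '$2 !~ /^[*!]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# TMOUT value set in a profile file, or nothing if the idle logout is not configured.
profile_tmout() {
    sed -n 's/^TMOUT=\([0-9][0-9]*\).*/\1/p' "$1"
}
```

Run against the real files (as root, after taking a backup) the same functions give a quick picture of which slide recommendations are still outstanding: `unaged_accounts /etc/shadow` lists who still needs chage, and `interactive_accounts /etc/passwd` lists the accounts to review for removal.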
Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports can be numbered from 1 to 65535.
Example, to stop the sendmail service: service sendmail stop
apmd - Required only on laptops, to monitor battery information
portmap - Only if RPC services are running (which is dangerous), i.e. NFS, NIS
pcmcia - Required only on laptops
telnet - Use Secure Shell (SSH) instead
finger - Used to query account information
samba - Used to share volumes with Windows clients
sendmail - Mail server, depends on purpose
httpd - Apache web server, depends on purpose
mysql - Database server
vnc - Remote desktop administration
nfs - Network File Server
xfs - X Font server
Xinetd is a secure replacement for inetd; it is also known as the internet service daemon.
Inetd is a daemon that controls and manages several other daemons.
It calls those daemons that are needed by the system to perform various duties.
Inetd requires root access to run, hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
[root@asydz /etc]# ls -l xinetd.conf
-rw-r--r--    1 root     root          289 Feb 18 02:59 xinetd.conf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
Tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
• /etc/hosts.allow
• /etc/hosts.deny
The best policy is to deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and then explicitly list the trusted hosts who are allowed to connect
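To make the allow-then-deny evaluation order concrete, here is an added example (not from the slides and not tcpd's own code): a small shell model of how tcpd decides on a connection, run over constructed hosts.allow and hosts.deny files. It handles the ALL wildcard, leading-dot domain suffixes, trailing-dot address prefixes, user@host entries and exact names; EXCEPT lists, netmasks and option fields are not modelled. The daemon and client names used below are made up.

```shell
#!/bin/sh
# Added example (not from the slides): a small model of how tcpd decides
# whether to accept a connection, run over constructed hosts.allow and
# hosts.deny files. EXCEPT lists, netmasks and option fields are not modelled.
WRAP_DIR="$(mktemp -d)"

# Constructed hosts.allow: only sshd, and only from two trusted sources.
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# service : trusted clients
sshd: 192.168.1., .example.com
EOF

# Constructed hosts.deny with the default-deny line the slides recommend.
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
ALL: ALL@ALL, PARANOID
EOF

# Constructed empty hosts.deny, to show what happens without the deny-all rule.
: > "$WRAP_DIR/hosts.deny.empty"

# Does one hosts.allow/hosts.deny pattern match a daemon or client name?
wrap_match() {   # pattern name
    pat="$1"; name="$2"
    if [ "$pat" = "ALL" ]; then return 0; fi
    case "$pat" in
        *.) case "$name" in "$pat"*) return 0 ;; esac ;;   # 192.168.1. matches the prefix
        .*) case "$name" in *"$pat") return 0 ;; esac ;;   # .example.com matches the suffix
        *)  if [ "$pat" = "$name" ]; then return 0; fi ;;
    esac
    return 1
}

# Exit 0 when some rule in the file matches both the daemon and the client.
wrap_file_matches() {   # file daemon client
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        case "$line" in *:*) ;; *) continue ;; esac       # skip malformed lines
        daemons="$(printf '%s' "${line%%:*}" | tr ',' ' ')"
        clients="$(printf '%s' "${line#*:}" | tr ',' ' ')"
        for d in $daemons; do
            wrap_match "$d" "$2" || continue
            for c in $clients; do
                case "$c" in
                    PARANOID) continue ;;     # needs reverse-DNS consistency; not modelled here
                    *@*) c="${c#*@}" ;;       # user@host form: match on the host part
                esac
                if wrap_match "$c" "$3"; then return 0; fi
            done
        done
    done < "$1"
    return 1
}

# tcpd order: hosts.allow first, then hosts.deny, otherwise the connection is allowed.
wrap_decide() {   # allow_file deny_file daemon client
    if wrap_file_matches "$1" "$3" "$4"; then
        echo allow
    elif wrap_file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow    # neither file matched: tcpd's default
    fi
}
```

The last branch is the point of the slide's advice: with an empty hosts.deny, any daemon not mentioned in hosts.allow is reachable from anywhere, so the ALL: ALL@ALL, PARANOID line is what turns the configuration into a default-deny one.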
In a default Linux environment the login screen shows important information such as the Linux distribution name, version and kernel information. With this information a potential attacker might have what he/she needs to focus their attack on a specific version or name.
Following these steps will disable the information and will only show 'login' at the login menu.
Edit /etc/rc.d/rc.local and comment out the following lines:
# This will overwrite /etc/issue at every boot.  So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
echo "" > /etc/issue
echo "$R" >> /etc/issue
echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
cp -f /etc/issue /etc/issue.net
echo >> /etc/issue
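Two of the checks above (that /etc/issue no longer leaks distribution or kernel details, and that a configuration file such as xinetd.conf is owned by the right user with a tight mode) are easy to verify after the edit. The helpers below are an added example, not part of the slides; they run against constructed copies in a temporary directory, so no root access is needed, and the banner texts and xinetd.conf contents are made up.

```shell
#!/bin/sh
# Added verification helpers (not from the slides) for the /etc/issue banner
# and for configuration-file ownership and mode. They run against constructed
# copies here, so no root access is needed.
CHK_DIR="$(mktemp -d)"

# Constructed banner as a default install would leave it (assumed contents).
printf 'Red Hat Linux release 7.3 (Valhalla)\nKernel 2.4.18-3 on an i686\n' > "$CHK_DIR/issue.before"
# Constructed banner after the rc.local lines are commented out and the file replaced by a neutral line.
printf 'Authorized use only.\n' > "$CHK_DIR/issue.after"
# Constructed stand-in for /etc/xinetd.conf (contents do not matter for the ownership check).
printf 'defaults\n{\n  instances = 60\n}\n' > "$CHK_DIR/xinetd.conf"
chmod 644 "$CHK_DIR/xinetd.conf"

# Exit 0 when the banner still mentions a kernel, a release or a version number.
issue_leaks() {
    grep -Eiq 'kernel|release|version|[0-9]+\.[0-9]+' "$1"
}

# Owner of a file, from the third column of ls -l (works with GNU and BSD ls).
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Exit 0 when the file is not writable by group or others: positions 6 and 9
# of the mode string, e.g. -rw-r--r--, the mode shown for xinetd.conf above.
not_group_or_world_writable() {
    ls -ld "$1" | awk '{ m = $1; if (substr(m, 6, 1) == "w" || substr(m, 9, 1) == "w") exit 1; exit 0 }'
}

# Combined check: owner matches and mode is tight. Prints a verdict and returns it.
config_file_ok() {   # file expected_owner
    if [ "$(file_owner "$1")" = "$2" ] && not_group_or_world_writable "$1"; then
        echo "ok: $1 owned by $2 and not group/world writable"
    else
        echo "FAIL: $1 ownership or mode is wrong"
        return 1
    fi
}
```

On a real host the calls are `issue_leaks /etc/issue` (and /etc/issue.net, which the rc.local lines copy it to) and `config_file_ok /etc/xinetd.conf root`; a non-zero exit from either means the slide's step has not taken effect yet.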
Third party utilities
- prevent or detect malicious activities
- system file integrity checks
Example: Tripwire is a policy-driven file system integrity checker. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Servers are to be placed in racks with locking mechanisms.
Criteria for choosing suitable racks are as follows:
• Racks are to be made of heavy and durable material.
• Individual locks are required for each server in the rack.
• Implement logging controls on each lock.
Prevent servers from being booted through other media.
Conceal cabling and power outlets.
• It is a main source of data flow and operation.
• Unprotected cabling may result in an attacker
• Linux installation should be planned out initially to achieve the best quality and performance.
• The purpose of usage is crucial to determine the necessity of the packages or services to be installed.
Install from a clean formatted drive
- Installation should be run on a clean formatted drive. Run disk utilities to find out bad sectors (fsck).
- In the case of such problems arising, consider replacing the drive and running diagnostics again.
Partitions
• Linux offers partitioning for its directories to protect against data loss due to corrupted partitions.
• Example: the /usr directory on a different partition (hda3) is not affected if a partition fails or corrupts in 'hda1'.
Custom installation
• Installation must be done with custom or as minimal a package set as possible.
• This prevents unnecessary services from running on either workstations or servers.
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Conceal cabling and power outlets
bull It is a main source of data flow and operation
bull Unprotected cablings may result in an attacker
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
bullLinux installation should be planned out initially to achieve the best quality performance
bullpurpose of usage is crucial to determine the necessity of packages or services to be installed
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Install from a clean formatted drive- should be run on a clean formatted driveRun disk
utilities to find out bad sector(fschk)-In the case of such problems arising consider
replacing the drive and run diagnostics againPartitionsbullLinux offers partitioning for its directories to protect against data loss due to corrupted partitionsbullExample usr directory on a different partition hda3 is not affected if a partition fails or corrupts in lsquohda1rsquo
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services
Tcp_wrappers uses the tcpd daemon which acts a filter on a particular port until the appropriate call is made TCP wrappers are controlled from two files
1048707 etchostsallow 1048707 etchostsdeny The best policy is to deny all hosts by putting ALL
ALLALL PARANOID in the etchostsdeny file and then explicitly list
trusted hosts who are allowed to connect to the
In a default Linux environment login screen will show important information such as the Linux distribution name version and kernel information With this information potential attacker might have the information heshe need to focus their attack to a specific version or name
By following these following steps will disable the information and will only show lsquologinrsquo at the login menu
Edit etcrcdrclocal and put to comment out the following lines
This will overwrite etcissue at every boot So make any changes you
want to make to etcissue here or you will lose them when you reboot
echo gt etcissueecho $R gtgt etcissueecho Kernel $
(uname -r) on $a $(uname -m) gtgt etcissuecp -f etcissue etcissuenetecho gtgt etcissue
Third party utilities-prevent or detect malicious activities-system files integrity check
Exp- Tripwire is a policy driven file system
integrity Sentry tools provide host-level security
services for the LINUX platform Bastille is a useful tool that attempts to
harden or tighten LINUX operating systems by configuring daemons system settings and firewall
Custom installationbullInstallation must be done with custom or minimal packages as possible
bull This prevents unnecessary services to be running on either workstations or servers
bullAdditional packages can be installed later depending on the purpose of usage
bull Example running Linux for a web server only needs packages such as Apache PHP OpenSSL etc as required Having other services such as Sendmail (mail server) may jeopardize the web serverrsquos security
PatchesbullPatches that are acquired should be tested on a test system before implementing it on production level This is to ensure patches donrsquot crash the production system resulting unnecessary downtime
bullUpdate and patches sites differ from each Linux distributions or packages Here are list of major packages sites
Redhat Linux
httpwwwredhatcomsupporterrata
Mandrake Linux
httpwwwmandrakesoftcomsecurity
Accounts password safety
-Linux store its user accounts information in etcpasswd file Most Linux nowadays have shadow passwords enabled by default in etcshadow
-In case shadow is not enabled the command pwconv will create the shadow file based onetcpasswd file
Accounts policy
Limit ability to access areas the system by using ldquogroupsrdquo to categorize users
o Use groupadd ltgroupnamegt command to create a groupo Use useradd ndashg ltgroupnamegt ltusernamegt to add username to groupname or usermod ndashg ltgroupnamegt ltusernamegt
bull Enforce password aging that forces users to change their passwords from time to timeo Chage command is used to enforce password aging
bull Default password length allowable in Linux is 5 Change it to enforce users to choose passwords more than 8 characters for better security takes longer time to cracko vi etclogindefso Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accountsThere are 2 ways can be used to accomplish this
bull userdel command is used to delete user accounts ie userdel ndashr ftp this will remove user account lsquoftprsquo home directory and files residing in it
bull Other way is by manually removing entries from etcpasswd and etcshadow related
to the user account ftpx1450FTP Uservarftpsbinnologin - remove
in etcpasswd ftp123290999997 - remove in etcshadow
The root account is the most privileged account on a UNIX system When the administrator forgot to logout from the system root prompt before leaving the system then the system should automatically logout from the shell A special variable in Linux lsquoTMOUTrsquo must be set in etcprofile to use the feature
Edit the etcprofile file vi etcprofileAdd the following lines HISTFILESIZE= TMOUT=3600
Servicesdaemons are background programs that serve as a utility function without being called by a user
Ports are designated to provide a gateway to the services These ports can be numbered from 1 to 65535
Example to stop sendmail service sendmail stop
apmd Required only in laptops to monitor battery information
portmap Only if rpc services is running (which is dangerous) ie NFS NIS
pcmcia Required only in laptops
telnet Use Secure Shell (SSH)
finger Used to query account information
samba Used to share volumes with Windows clients
sendmail Mail server depends on purpose
httpd Apache web server depends on purpose
mysql Database server
vnc Remote desktop administration
nfs Network File Server
xfs X Font server
Xinetd is a secure replacement for inetd and it also known as the internet service daemon
Inetd is a daemon that controls and manages several other daemons
It calls those daemons that are needed by the system to perform various duties
Inetd requires root access to run hence it is extremely powerful and can call certain processes into life and kill them as well
Ensure xinetd configuration is own by root [rootasydz etc] ls ndashl xinetdconf
-rw-rmdashr-- 1 root root 289 Feb 18 0259 xinetdconf
TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
Tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made. TCP wrappers are controlled from two files:
- /etc/hosts.allow
- /etc/hosts.deny
The best policy is to deny all hosts by putting 'ALL: ALL@ALL, PARANOID' in the /etc/hosts.deny file and then explicitly list trusted hosts who are allowed to connect to the
In a default Linux environment the login screen shows important information such as the Linux distribution name, version and kernel information. With this information a potential attacker has what he/she needs to focus an attack on a specific version or name.
Following these steps will disable that information, so that only 'login' is shown at the login prompt:
Edit /etc/rc.d/rc.local and comment out the following lines:
    # This will overwrite /etc/issue at every boot. So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    echo "" > /etc/issue
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
    cp -f /etc/issue /etc/issue.net
    echo >> /etc/issue
Third-party utilities: prevent or detect malicious activities; check system file integrity.
Examples: Tripwire is a policy-driven file system integrity checker. Sentry tools provide host-level security services for the Linux platform. Bastille is a useful tool that attempts to harden or tighten Linux operating systems by configuring daemons, system settings and the firewall.
Patches
• Patches that are acquired should be tested on a test system before implementing them at production level. This is to ensure patches don't crash the production system, resulting in unnecessary downtime.
• Update and patch sites differ between Linux distributions or packages. Here is a list of major package sites:
Red Hat Linux
http://www.redhat.com/support/errata
Mandrake Linux
http://www.mandrakesoft.com/security
Accounts: password safety
- Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
- In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
Accounts policy
• Limit the ability to access areas of the system by using "groups" to categorize users.
o Use the groupadd <groupname> command to create a group.
o Use useradd -g <groupname> <username> to add username to groupname, or usermod -g <groupname> <username> for an existing user.
• Enforce password aging, which forces users to change their passwords from time to time.
o The chage command is used to enforce password aging.
• The default minimum password length allowed in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security (they take longer to crack).
o vi /etc/login.defs
o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
Removing unnecessary accounts. There are 2 ways to accomplish this:
• The userdel command is used to delete user accounts, i.e. userdel -r ftp; this will remove the user account 'ftp', its home directory and the files residing in it.
• The other way is by manually removing the entries in /etc/passwd and /etc/shadow related to the user account:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin - remove in /etc/passwd
ftp:*:12329:0:99999:7::: - remove in /etc/shadow
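As an added example (not part of the deck), the following POSIX shell script audits the points above on one host: the TMOUT setting, PASS_MIN_LEN, shadow passwords, the deny-all rule in /etc/hosts.deny, ownership and permissions of xinetd.conf, and leftover system accounts that still have a login shell. It builds a constructed sample /etc tree so it runs offline; the users, dates and file contents in that sample are made up, and setting ROOT=/ runs the same checks against the live system.

```shell
#!/bin/sh
# Hardening audit for the checklist above. Added example; every sample file below is
# constructed. Run with ROOT=/ (as root) to audit a real host instead of the sample.

# Build a small constructed /etc tree so the checks can run without touching the system.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'HISTFILESIZE=\nTMOUT=3600\n' > "$d/etc/profile"
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n' > "$d/etc/login.defs"   # still the weak default
    # "games" keeps a real shell (the kind of account the deck says to remove); ftp is locked.
    printf 'root:x:0:0:root:/root:/bin/bash\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\ngames:x:12:100:games:/usr/games:/bin/sh\nalice:x:500:500::/home/alice:/bin/bash\n' > "$d/etc/passwd"
    printf 'root:$1$x:12329:0:99999:7:::\nftp:*:12329:0:99999:7:::\ngames:!!:12329:0:99999:7:::\nalice:$1$y:12329:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'ALL: ALL@ALL, PARANOID\n' > "$d/etc/hosts.deny"
    echo "$d"
}

# /etc/profile must set a non-zero TMOUT so an idle root shell is logged out.
check_tmout() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?TMOUT=[1-9][0-9]*' "$1/etc/profile"
}

# PASS_MIN_LEN in /etc/login.defs must be at least 8 (the deck raises it from the default 5).
check_pass_min_len() {
    awk '$1 == "PASS_MIN_LEN" { v = $2 } END { exit !(v + 0 >= 8) }' "$1/etc/login.defs"
}

# Every passwd entry must have its hash moved to /etc/shadow (field 2 is "x" or "*").
check_shadow_enabled() {
    awk -F: '$2 != "x" && $2 != "*" { bad = 1 } END { exit bad + 0 }' "$1/etc/passwd"
}

# /etc/hosts.deny must open with a deny-all rule ("ALL: ALL..."), as the deck advises.
check_hosts_deny_all() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1/etc/hosts.deny"
}

# Judge one "ls -l" line: owner must be root and neither group nor others may write.
perm_line_ok() {
    set -- $1                 # split the line: perms links owner group size date name
    perms=$1; owner=$3
    [ "$owner" = "root" ] || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;   # position 6 = group write, position 9 = other write
    esac
    return 0
}

check_root_owned() {
    perm_line_ok "$(ls -ld "$1" 2>/dev/null)"
}

# Print system accounts (uid below 500, not root) that still have a usable login shell:
# candidates for userdel -r or for a /sbin/nologin shell.
list_system_logins() {
    awk -F: '$3 < 500 && $3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$1/etc/passwd"
}

# Run every check, print one PASS/FAIL/SKIP line per item, return the number of failures.
run_audit() {
    root=$1; fails=0
    for c in check_tmout check_pass_min_len check_shadow_enabled check_hosts_deny_all; do
        if "$c" "$root"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    f=$root/etc/xinetd.conf
    if [ ! -e "$f" ]; then echo "SKIP $f not present"
    elif check_root_owned "$f"; then echo "PASS $f root-owned, not group/world writable"
    else echo "FAIL $f ownership/permissions"; fails=$((fails + 1)); fi
    for u in $(list_system_logins "$root"); do
        echo "FAIL system account with login shell: $u"; fails=$((fails + 1))
    done
    return "$fails"
}

if [ -z "${ROOT:-}" ]; then
    SAMPLE=$(make_sample_root)
    run_audit "$SAMPLE" && n=0 || n=$?
    rm -rf "$SAMPLE"
else
    run_audit "$ROOT" && n=0 || n=$?
fi
echo "failures: $n"
```

On the constructed sample the audit reports two failures: PASS_MIN_LEN is still 5, and "games" retains a login shell.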