Basic%20Linux/System%20Security

1
Basic Linux/System Security

• Bill Stearns, Senior Research Engineer
• Institute for Security Technology Studies,
• Investigative Research for Infrastructure
  Assurance
• Dartmouth College

2
Physical Security

• Physical access to machines
• Switches instead of hubs

3
Principle of least privilege

• Fewest accounts necessary
• Fewest open ports necessary
• Fewest running applications

4
Root Account

• Used as little as possible
• Master key to a building
• Apps use other accounts, if possible
• People use su, sudo
• http//www.ists.dartmouth.edu/IRIA/knowledge_base/
  linuxinfo/sudo.v80.htm

5
Passwords

• gt7 characters
• Mixed case, letters and symbols
• Not names or words
• Keep private
• Dont leave them out in the open
• Change once a month to 6 months
• Passphrases
• http//www.ists.dartmouth.edu/IRIA/knowledge_base/
  linuxinfo/essential_host_security.htm

6
Open ports

• Close all unneeded applications
• netstat anp or lsof to see whats open
• Ntsysv, linuxconf to shut down
• Firewalls as a special case for a network
• Disable, or at least limit, file sharing
• http//www.ists.dartmouth.edu/IRIA/knowledge_base/
  linuxinfo/essential_host_security.htm

7
Plaintext network connections

• Email, telnet, web traffic
• Sniffers
• http//www.ists.dartmouth.edu/IRIA/knowledge_base/
  linuxinfo/ssh-intro.htm

8
Encrypted network connections

• Ssh
• Terminal session
• File copying
• Other TCP connections
• http//www.ists.dartmouth.edu/IRIA/knowledge_base/
  linuxinfo/ssh-techniques.v0.81.htm
• IPSec
• All packets traveling between systems or networks
• http//www.freeswan.org
• https web servers http//httpd.apache.org/related_
  projects.html

9
Package updates

• Available from Linux distribution vendor
• Sign up for announcements list
• Use automated update tools up2date, red carpet
• http//www.ists.dartmouth.edu/IRIA/knowledge_base/
  linuxinfo/essential_host_security.htm

10
Intrusion Detection System

• Snort
• Reports on attack packets based on a regularly
  updated signature file
• Install inside the firewall
• http//www.snort.org

11
Advanced techniques

• Audited OS OpenBSD http//www.openbsd.org
• Stack overflow protected OS Immunix
  http//www.immunix.org
• Chroot applications, capabilities
• Virtual machines VMWare and UML
• http//www.vmware.com, http//www.user-mode-linux.
  sourceforge.net
• TCFS http//tcfs.dia.unisa.it

12
Resources

• Distribution security announcements list
• ISTS Knowledgebase http//www.ists.dartmouth.edu/I
  RIA/knowledge_base/index.htm
• Worm characterizations and removal tools
• Linux and network security papers covering many
  of todays topics
• Ssh key installer ftp//ftp.stearns.org
• Sans training http//www.sans.org
• Bastille Linux http//www.bastille-linux.org

13
Thanks

• Les Morton, PSEG and Jim ONeill NJ InfraGard for
  inviting me
• ISTS and George Cybenko for sponsoring the
  presentation

14
Contact

• http//www.ists.dartmouth.edu/IRIA/
• William Stearns wstearns_at_ists.dartmouth.edu
• Questions?