LProbe : Linux Security - PowerPoint PPT Presentation

1
L-Probe Linux Security
  • Security Guide and
  • Vulnerability Assessment Tool for Linux

Project in Lieu of Thesis October 7, 2004
Damodar Balagi, Department of Computer Science,
The University of Tennessee, Knoxville
2
Overview Agenda
  • Security Overview
  • Security Hardening
  • Security Maintenance
  • L-Probe Demonstration

3
Overview Scope
  • Beginner to Intermediate Level of Security
  • Primary Focus on Red Hat Linux
  • Web Servers, DNS Servers etc - Not Covered
  • Intrusion Detection, Hacker tools etc - Not
    Covered
  • Masters Level Project
  • Disclaimer: Not Liable for Damages
  • More Info: http://www.cs.utk.edu/balagi/l-probe

4
Overview Backups
  • Always Leave an Option to Restore
  • Irreversible Actions: Dire Consequences
  • Prepare a Test Box
  • Critical Systems Need Judicious Decisions
  • A file that big? It might be very useful. But now
    it is gone. -- David J. Liszewski

5
  • Security Overview
  • "Security: Precautions taken to keep somebody or
    something safe from crime, attack or danger"
  • - Encarta World English Dictionary

6
Security Overview
  • What is Under Threat?
  • - System Accessibility
  • - Services
  • - Private and Confidential Data
  • - Reputation of the Organization
  • - Reputation of Security Personnel

7
Security Overview
  • Who are the Attackers?
  • - Curiosity Driven
  • - Malicious Minded
  • - Foreign Powers, Competitors
  • - System Trotters
  • - Resource Grabbers

8
Security Overview
  • Threats and Vulnerabilities
  • - People: Former Employees, Users
  • - Untrained or Under trained Personnel
  • - Misconfigured Networks
  • - Unpatched Systems
  • - Insecure Services
  • - Flawed Security Policy
  • - Management Errors

9
Security Overview
  • Why Linux?
  • - Free: Possibly used by attackers
  • - Similar to Unix: Familiar Territory
  • - Open Source: Easy to Program and Exploit
  • - Software: Easy to spot vulnerabilities
  • - Default Installations usually insecure

10
  • Security Hardening
  • Hardening is the process of optimizing a system's
    security configuration, a term usually applied to
    operating systems.
  • - ITSecurity.com

11
Security Hardening Installation Issues
  • Customize the Installation
  • - Default Installations are Insecure
    by default
  • - Choose Packages to be installed with
    care
  • - Do not install web server, news
    server, database unless necessary
  • Set Strong Root and User Passwords
  • - Do not operate as root all the time.
  • - Less is more!!

12
Security Hardening Installation Issues
  • Secure Partitions
  • - Mount /var, /tmp, /usr separately
    from / (root)
  • - Significant influence on System
    Security
  • - Some protections against Denial of
    Service Attacks
  • - Convenient for backups and
    maintenance
  • - More on Secure Partitioning later
  • Set a Boot Loader Password
  • - Protection for LILO

13
Security Hardening Files and File Systems
  • File Permissions and Umask
  • umask 022
  • World Writable Files
  • find / -perm -0002 -type f -ls
  • Files Without Ownership
  • find / \( -nouser -o -nogroup \) -ls
  • SUID Files
  • find / -type f \( -perm -04000 -o -perm -02000 \) -ls
  • Setting the Sticky Bit in Public Directories
  • chmod 1777 <public_directory>
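
The slide's find(1) checks, wrapped as functions that take a starting directory so they can be run against a staging copy or a mounted backup before being pointed at "/". This is an added example, not code from the slides or from L-Probe; the demo tree it builds is constructed in a temporary directory so nothing under / is touched, and the fourth check (public directories missing the sticky bit) is an addition beyond the slide's three.

```shell
#!/bin/sh
# Added example (not from the slides): the three permission checks of slide 13
# as functions over a starting directory, plus a sticky-bit check for
# world-writable directories. Starting directory defaults to / (assumption).

audit_world_writable() {        # regular files writable by "other" (mode bit 0002)
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null
}

audit_unowned() {               # files whose owner or group has no passwd/group entry
    find "${1:-/}" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

audit_setid() {                 # setuid (04000) or setgid (02000) regular files
    find "${1:-/}" -xdev -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null
}

audit_public_dirs_no_sticky() { # world-writable directories lacking the sticky bit (1000)
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

count_lines() { wc -l | tr -d ' '; }

# Constructed demo tree (not real system files) so the checks can be tried
# without root and without scanning "/".
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/public" "$d/shared"
    : > "$d/ok";   chmod 0644 "$d/ok"    # clean file
    : > "$d/ww";   chmod 0666 "$d/ww"    # world-writable: flagged
    : > "$d/suid"; chmod 4755 "$d/suid"  # setuid bit: flagged
    chmod 1777 "$d/public"               # sticky bit set: correct public dir
    chmod 0777 "$d/shared"               # world-writable, no sticky: flagged
    echo "$d"
}

# Example run (commented out so the file only defines functions):
#   D=$(make_demo_tree); audit_setid "$D"; audit_public_dirs_no_sticky "$D"; rm -rf "$D"
```

Each function prints paths only, so its output can be diffed against the previous run: a new setuid file or a new world-writable directory showing up between two runs is the signal worth investigating.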

14
Security Hardening Files and File Systems
  • Modifying the /etc/fstab file
  • Contains the file system table: the different file
    systems to be mounted and their options
  • /tmp: Very Variable. Mount nosuid and noexec
  • /var: Variable. Mount nosuid and noexec
  • /home: User Area. Mount with nosuid option
  • /etc/fstab set to read-only
  • Set the immutable bit
  • chattr +i /etc/fstab
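
A check that an fstab-style file actually carries the options the slide recommends for /tmp, /var and /home. This is an added example, not from the slides or L-Probe; the sample fstab is constructed inline in a Red Hat 9 era layout, and nothing is mounted or edited.

```shell
#!/bin/sh
# Added example (not from the slides): report the mount options from slide 14
# that are missing from an fstab-style file. The file path is a parameter.

required_opts() {   # mount point -> space-separated options it should carry
    case "$1" in
        /tmp|/var) echo "nosuid noexec" ;;
        /home)     echo "nosuid" ;;
        *)         echo "" ;;
    esac
}

has_opt() {         # $1 = comma-separated option field, $2 = option to look for
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

fstab_missing_options() {   # prints "<mountpoint> missing <option>" for each gap in file $1
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac      # skip blank and comment lines
        for o in $(required_opts "$mnt"); do
            has_opt "$opts" "$o" || echo "$mnt missing $o"
        done
    done < "$1"
}

make_demo_fstab() { # constructed sample, not a real system's fstab
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab
LABEL=/      /      ext3  defaults               1 1
LABEL=/tmp   /tmp   ext3  defaults,nosuid        1 2
LABEL=/var   /var   ext3  defaults,nosuid,noexec 1 2
LABEL=/home  /home  ext3  defaults               1 2
none         /proc  proc  defaults               0 0
EOF
    echo "$f"
}

# Example run (commented out): F=$(make_demo_fstab); fstab_missing_options "$F"; rm -f "$F"
```

Against the sample it reports "/tmp missing noexec" and "/home missing nosuid". Once the file has been corrected and the immutable bit set with chattr +i, a later edit fails even as root until chattr -i is run, which is the point of the slide's last step.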

15
Security Hardening Managing Services
  • Network Services
  • - Stand alone vs Inetd
  • The Inetd Model
  • - Network Super Daemon
  • - /etc/services: Maps the name of the service
    to a port number.
  • eg ulistserv 372/tcp ulistproc
  • - /etc/inetd.conf: Main Configuration file
    for inetd.
  • eg ftp stream tcp nowait root /usr/sbin/tcpd proftpd
  • The Xinetd Model
  • - Advanced Replacement for inetd
  • - More Secure and flexible with
    Advanced Access Control Mechanisms
  • - /etc/xinetd.conf: Main Configuration file
    for xinetd
  • - /etc/xinetd.d/: Contains files for
    services managed by xinetd

16
Security Hardening Managing Services
  • Managing Services in Inetd and Xinetd
  • - For Inetd: Comment out the corresponding
    service from inetd.conf
  • - Restart Inetd
  • pkill -HUP inetd
  • - For Xinetd: Make changes in
    xinetd.conf and xinetd.d
  • - Access control Mechanisms for
    services can be specified
  • /etc/rc.d/init.d/xinetd restart
  • Typical Services to be Blocked
  • - Finger, rwho, rsh , rlogin, rexec,
    echo, ntalk
  • - FTP, Telnet
  • - Use ssh, scp, sftp
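
Two helpers for the inetd and xinetd slides, added here as an example (not code from the slides or L-Probe): inetd_enabled lists the services still active in an inetd.conf-style file, inetd_disable comments one out the way the slide describes (keeping a .bak copy), and xinetd_stanza prints the matching /etc/xinetd.d/<service> file with the service disabled and, should it ever be re-enabled, access limited to one network through only_from. The sample inetd.conf is constructed; the service name, server path and network passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): manage services in inetd.conf and
# emit a hardened xinetd stanza. File paths and names are parameters.

inetd_enabled() {   # print the service field of every line that is not a comment
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

inetd_disable() {   # $1 = service name, $2 = inetd.conf path; afterwards run: pkill -HUP inetd
    svc=$1; f=$2
    cp "$f" "$f.bak"
    awk -v s="$svc" '$1 == s && !/^[[:space:]]*#/ { print "#" $0; next } { print }' "$f.bak" > "$f"
}

xinetd_stanza() {   # $1 = service name, $2 = server path, $3 = allowed network (e.g. 160.36.0.0/16)
    cat <<EOF
service $1
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = $2
        only_from       = $3
        log_on_failure  += USERID
}
EOF
}

make_demo_inetd_conf() {   # constructed sample, not copied from any system
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    echo "$f"
}

# Example run (commented out):
#   F=$(make_demo_inetd_conf); inetd_disable telnet "$F"; inetd_enabled "$F"
#   xinetd_stanza telnet /usr/sbin/in.telnetd 160.36.0.0/16 > /etc/xinetd.d/telnet
```

The stanza keeps disable = yes so that dropping it into /etc/xinetd.d and restarting xinetd blocks the service; only_from and log_on_failure += USERID only matter if someone later flips disable to no.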

17
Security Hardening Managing Services
  • Run Level Services
  • - Run Levels 0-6, entered upon init
  • - 0 = Halt, 6 = Reboot
  • - Default Level usually 3 or 5
  • - /etc/inittab: Defines Run Levels
    and is the Configuration File
  • - /etc/rc.d: Symbolic Links to each
    Runlevel in different directories
  • eg /etc/rc.d/rc1.d: Services to
    start and kill at level 1
  • /etc/rc.d/rc2.d/S10network:
    Start network on runlevel 2
  • /etc/rc.d/rc2.d/K09smb: Kill
    smb upon lowering level
  • Managing Run Level Services
  • - Rename /etc/rc.d/rc2.d/S10network
    to /etc/rc.d/rc2.d/NO-S10network
  • - Chkconfig: Better Alternative
  • - Can list and delete services at
    every level

18
Security Hardening Access Control
  • Root logins and setting privileges
  • Limit root logins to secure terminals
  • - Limit terminals in /etc/securetty
    to the minimum
  • Limit su to the wheel group
  • - Edit /etc/pam.d/su
  • auth required /lib/security/$ISA/pam_wheel.so use_uid
  • Distribute privileges using sudo
  • - Flexible alternative to su
  • - Do not share root passwords

19
Security Hardening Access Control
  • Firewalls
  • What is a Firewall?
  • Access control policy
  • Isolates networks
  • Packet Filtering
  • IPTables
  • Chains (Input, Output, Forward)
  • Targets (Accept, Drop, Reject, Log)
  • Efficient Packet Filtering based on protocols, IP
    Address, state/stateless etc
  • iptables -A INPUT -s 160.36.172.1 -j DROP
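
A minimal INPUT-chain policy built from the chains and targets the slide lists, added here as an example (not from the slides or L-Probe). IPT defaults to "echo iptables", so calling the function prints the rule set for review; setting IPT=iptables as root applies it. The trusted network 160.36.0.0/16 and the ssh port are assumptions; the blocked host 160.36.172.1 is the slide's own example.

```shell
#!/bin/sh
# Added example (not from the slides): a host firewall for the INPUT chain.
# Dry-run by default (IPT="echo iptables"); IPT=iptables applies the rules.

firewall_rules() {   # $1 = trusted network for administrative access (assumed 160.36.0.0/16)
    IPT=${IPT:-"echo iptables"}
    net=${1:-160.36.0.0/16}
    $IPT -F INPUT                                            # start from an empty chain
    $IPT -P INPUT DROP                                       # default policy: drop silently
    $IPT -A INPUT -i lo -j ACCEPT                            # loopback is always allowed
    $IPT -A INPUT -s 160.36.172.1 -j DROP                    # the slide's rule: block one host, before any ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT          # replies to our own connections
    $IPT -A INPUT -p tcp --dport 22 -s "$net" -m state --state NEW -j ACCEPT   # new ssh only from the trusted net
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "  # log what falls through, rate-limited
}

# Example run (commented out): firewall_rules 160.36.0.0/16
```

Rule order is what makes the DROP for 160.36.172.1 effective: it sits before the ssh ACCEPT, so a host inside the trusted network that is explicitly blocked stays blocked. The LOG rule is last and rate-limited so the default DROP policy does not flood /var/log/messages.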

20
Security Hardening Access Control
  • TCP Wrappers
  • Effective Access Control Mechanism
  • Invisible Layer to Block or Permit Access to
    Services
  • Hostname, IP Addresses, Logging
  • /etc/hosts.allow
  • /etc/hosts.deny
  • Booby Traps
  • in.telnetd : ALL EXCEPT .utk.edu : spawn (/bin/echo `date` %c >> /var/log/telnet.log | /usr/bin/mail -s telnet-%c balagi@utk.edu)
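
A simplified model of how tcpd decides access from hosts.allow and hosts.deny, so a rule set can be tested before a service is exposed. This is an added example, not the tcp_wrappers code or anything from the slides: it handles "daemon_list : client_list" lines only (the spawn option of the booby trap above is ignored) and the patterns ALL, a leading-dot domain suffix, a trailing-dot address prefix, an exact name, and "list EXCEPT list". The sample access files are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): evaluate hosts.allow / hosts.deny
# the way tcpd does (allow file first match grants, then deny file first
# match denies, otherwise access is granted).

match_one() {       # $1 = pattern, $2 = client name or address
    case "$1" in
        ALL) return 0 ;;
        .*)  case "$2" in *"$1") return 0 ;; esac; return 1 ;;   # ".utk.edu" matches host.cs.utk.edu
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;   # "160.36." matches 160.36.172.9
        *)   [ "$1" = "$2" ] ;;
    esac
}

match_list() {      # $1 = list (comma or space separated, may contain EXCEPT), $2 = client
    list=$(printf '%s' "$1" | tr ',' ' ')
    case " $list " in
        *" EXCEPT "*)
            set -- "${list%% EXCEPT *}" "${list#* EXCEPT }" "$2"   # positional params survive recursion
            match_list "$1" "$3" && ! match_list "$2" "$3" ;;
        *)
            for p in $list; do match_one "$p" "$2" && return 0; done
            return 1 ;;
    esac
}

acl_matches() {     # $1 = daemon, $2 = client, $3 = access file; true if any line matches
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}       # a third ":" field (spawn, twist, ...) is ignored here
        match_list "$dlist" "$1" && match_list "$clist" "$2" && return 0
    done < "$3"
    return 1
}

wrappers_decide() { # $1 = daemon, $2 = client, $3 = hosts.allow path, $4 = hosts.deny path
    if acl_matches "$1" "$2" "$3"; then echo allow      # hosts.allow wins on first match
    elif acl_matches "$1" "$2" "$4"; then echo deny     # then hosts.deny
    else echo allow; fi                                 # matched in neither: granted
}

# Example run (commented out):
#   wrappers_decide in.telnetd mail.example.com /etc/hosts.allow /etc/hosts.deny
```

The last branch is the caveat that matters: with an empty hosts.deny every daemon is reachable from everywhere, so the usual layout is "ALL : ALL" in hosts.deny and explicit grants in hosts.allow.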

21
Security Hardening Access Control
  • Kernel Tweaks ( IP/ICMP Settings )
  • The /proc system
  • - Internal configuration of the Running
    Kernel
  • - Tweaks can be applied dynamically
  • Use of Sysctl
  • Eg /sbin/sysctl net.ipv4.ip_forward
  • net.ipv4.ip_forward = 0
  • Record changes in /etc/sysctl.conf

22
Security Hardening Access Control
  • Recommended IP/ICMP Settings
  • Disable Ping
  • sysctl -w net.ipv4.icmp_echo_ignore_all=1
  • Disable ICMP Echo Requests to Broadcast Addresses
  • sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
  • Disable IP Source Routing
  • sysctl -w net.ipv4.conf.all.accept_source_route=0
  • Disable ICMP Redirects
  • sysctl -w net.ipv4.conf.all.accept_redirects=0
  • Enable TCP SYN Cookie Protection
  • sysctl -w net.ipv4.tcp_syncookies=1
  • Disable Bogus Error Logging
  • sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
  • Enable Martian Packet Logging
  • sysctl -w net.ipv4.conf.all.log_martians=1
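
An audit of the running kernel against the settings on the two sysctl slides, added here as an example (not from the slides or L-Probe). It reads the /proc/sys tree directly, which is where sysctl itself reads and writes, and also prints the /etc/sysctl.conf lines that make the values survive a reboot. The root directory is a parameter so the check can run against a constructed copy of /proc/sys, which is what the demo function builds.

```shell
#!/bin/sh
# Added example (not from the slides): compare /proc/sys values with the
# recommended settings of slides 21-22 and emit /etc/sysctl.conf lines.

RECOMMENDED="
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.ipv4.ip_forward=0
"

sysctl_audit() {    # $1 = /proc/sys root (default /proc/sys); one line per deviation
    root=${1:-/proc/sys}
    for kv in $RECOMMENDED; do
        key=${kv%%=*}; want=${kv#*=}
        f="$root/$(printf '%s' "$key" | tr . /)"      # net.ipv4.ip_forward -> net/ipv4/ip_forward
        if [ -r "$f" ]; then have=$(cat "$f"); else have=missing; fi
        [ "$have" = "$want" ] || echo "$key current=$have recommended=$want"
    done
}

sysctl_conf_lines() {   # lines for /etc/sysctl.conf; "sysctl -w" alone lasts only until reboot
    for kv in $RECOMMENDED; do printf '%s = %s\n' "${kv%%=*}" "${kv#*=}"; done
}

make_demo_proc_sys() {  # constructed /proc/sys lookalike with three settings left at insecure values
    r=$(mktemp -d)
    mkdir -p "$r/net/ipv4/conf/all"
    echo 0 > "$r/net/ipv4/icmp_echo_ignore_all"          # deviation
    echo 1 > "$r/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$r/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$r/net/ipv4/conf/all/accept_redirects"     # deviation
    echo 1 > "$r/net/ipv4/tcp_syncookies"
    echo 1 > "$r/net/ipv4/icmp_ignore_bogus_error_responses"
    echo 0 > "$r/net/ipv4/conf/all/log_martians"         # deviation
    echo 0 > "$r/net/ipv4/ip_forward"
    echo "$r"
}

# Example run (commented out): sysctl_audit; sysctl_conf_lines >> /etc/sysctl.conf; sysctl -p
```

The audit only reports; applying the fix is the slide's sysctl -w, and appending sysctl_conf_lines to /etc/sysctl.conf followed by sysctl -p is the "record changes" step from the previous slide.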

23
Security Hardening Access Control
  • More restrictions
  • Restrict ctrl-alt-del
  • - /etc/shutdown.allow: Add Usernames
    of authorized users
  • - In /etc/inittab Add
  • ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
  • Password Protect Single User Mode
  • - In /etc/inittab Add
  • ss:S:once:/sbin/sulogin
  • Disable Logins by System Accounts
  • - In /etc/passwd Edit the shell for lpr, mail,
    uucp etc
  • mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

24
Security Hardening Access Control
  • More restrictions
  • Change Default Login Settings
  • - In /etc/login.defs
  • PASS_MAX_DAYS 100
  • PASS_MIN_LEN 8
  • PASS_WARN_AGE 10
  • Clean System information from
  • - /etc/motd
  • - /etc/issue, /etc/issue.net
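
Two audit functions for the two "more restrictions" slides, added as an example (not from the slides or L-Probe). The first lists system accounts in a passwd file that still have a real login shell; the second compares a login.defs file against the three values the slide gives. Both take a file path so they run against the constructed samples below; the uid boundary of 500 is the Red Hat convention of the time and is an assumption.

```shell
#!/bin/sh
# Added example (not from the slides): find system accounts that can still
# log in, and login.defs values outside the limits of slide 24.

system_accounts_with_shell() {  # $1 = passwd file, $2 = first ordinary uid (assumed 500)
    awk -F: -v max="${2:-500}" '
        $3 < max && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }
    ' "$1"
}

login_defs_check() {            # $1 = login.defs file; one line per value outside the slide limits
    awk '
        $1 == "PASS_MAX_DAYS" && $2 > 100 { print "PASS_MAX_DAYS too high: " $2 }
        $1 == "PASS_MIN_LEN"  && $2 < 8   { print "PASS_MIN_LEN too low: "   $2 }
        $1 == "PASS_WARN_AGE" && $2 < 10  { print "PASS_WARN_AGE too low: "  $2 }
    ' "$1"
}

make_demo_passwd() {    # constructed sample, not a real /etc/passwd
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/bash
balagi:x:500:500::/home/balagi:/bin/bash
EOF
    echo "$f"
}

make_demo_login_defs() {   # constructed sample with the stock defaults of the time
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
    echo "$f"
}

# Example run (commented out): system_accounts_with_shell /etc/passwd; login_defs_check /etc/login.defs
```

On the samples the first function reports lp and uucp (mail already has /sbin/nologin) and the second flags all three values. A missing key is not reported, so a stripped-down login.defs should be checked by eye as well.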

25
  • Security Maintenance
  • "Effectively protecting a network, and ultimately
    the company's health and welfare, comes down to
    one thing -- the philosophy of security" -- Sharon Gaudin

26
Security Maintenance Monitoring
  • Check for failed login attempts and unwarranted
    system use
  • more /var/log/messages | grep failure
  • lastb
  • last
  • Monitor Network Traffic
  • netstat --inet
  • tcpdump
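
The slide's "grep failure" turned into a small daily report, added as an example (not from the slides or L-Probe): it reads syslog-style lines, counts PAM "authentication failure" records per remote host and prints the hosts at or above a threshold. The log lines are constructed in the Red Hat 9 format; the host 160.36.172.1 reused in them is the address from the iptables slide, not a real source.

```shell
#!/bin/sh
# Added example (not from the slides): count authentication failures per
# remote host in a /var/log/messages style file.

failed_logins() {   # $1 = log file, $2 = minimum failures to report (default 3)
    awk -v min="${2:-3}" '
        /authentication failure/ {
            src = "local"                       # console logins carry an empty rhost=
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=/) { v = substr($i, 7); if (v != "") src = v }
            n[src]++
        }
        END { for (s in n) if (n[s] >= min) print s, n[s] }
    ' "$1" | sort
}

make_demo_messages() {   # constructed log lines, not from a real system
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct  7 10:12:01 lprobe login(pam_unix)[1234]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost=  user=balagi
Oct  7 10:12:05 lprobe sshd(pam_unix)[1250]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=160.36.172.1  user=root
Oct  7 10:12:09 lprobe sshd(pam_unix)[1251]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=160.36.172.1  user=root
Oct  7 10:12:15 lprobe sshd[1252]: Accepted password for balagi from 160.36.172.50 port 1022 ssh2
Oct  7 10:13:02 lprobe sshd(pam_unix)[1260]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=160.36.172.1  user=admin
EOF
    echo "$f"
}

# Example run (commented out): failed_logins /var/log/messages 3
```

With the default threshold the report shows only "160.36.172.1 3"; the single console failure stays below it. Repeated failures for root from one host, as here, are exactly what the firewall slide's per-host DROP rule is for.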

27
Security Maintenance Monitoring
  • Log Files: Syslog
  • Linux System Logger Utility
  • Config File: /etc/syslog.conf
  • Capable of logging authorization, kernel, user,
    daemon messages
  • Important Files
  • - /var/log/secure
  • - /var/log/messages
  • - /var/log/spooler
  • Make reading log files a daily habit

28
Security Maintenance Monitoring
  • Know your System
  • Packages and Programs installed
  • Processes that run normally
  • Authorized Users and Privileges
  • File System Usage
  • Network and Bandwidth Usage
  • What Behavior can be termed Normal ?

29
Security Maintenance Policies
  • Security Policy
  • A set of documents
  • Well defined terms for usage, services provided,
    guidelines
  • Legal Document
  • Specific with minimal Ambiguities at High Level
  • Enforceable and Approved by Management
  • Flexible
  • Reminder for Security Guidelines

30
Security Maintenance Patch Management
  • Patching is Critical
  • For Programs and Operating System
  • Open Vulnerabilities easily exploited
  • Can be Automated with up2date
  • Be Alert on Security Updates

31
Conclusion
  • Security Mindset
  • Not the domain of system admins alone
  • Users need to take responsibility
  • Management Support

32
Conclusion
  • Striking a Balance: Security vs Usability
  • No Absolute Security
  • Know your user community
  • Tolerance and Expectations
  • Understand System Role
  • Strike a Balance
  • A Final Word
  • Constant Process
  • Significant
  • Effective Security Policy

33
In Retrospect
  • Security Overview
  • Security Hardening
  • Security Maintenance
  • Questions?

34
  • Thank You
  • Damodar Balagi
  • balagi@cs.utk.edu
  • More details about L-Probe
  • http://www.cs.utk.edu/balagi/l-probe