CIS 290 LINUX Security - PowerPoint PPT Presentation

Provided by: RRDonn7
Learn more at: https://www.oakton.edu

Transcript and Presenter's Notes


1
CIS 290 LINUX Security
  • Application and Network Security, Part 1

2
SSH
  • /etc/ssh/sshd_config (validate an edited file with sshd -t before
    restarting the daemon)
  • AllowTcpForwarding no
  • AllowAgentForwarding no
  • DenyUsers, AllowUsers, DenyGroups,
    AllowGroups
  • Banner none (or the path of a warning-banner file; the directive
    takes a filename, not yes/no)
  • ChrootDirectory none (or a root-owned directory, e.g. for SFTP-only
    users; again a path, not yes/no)
  • ClientAliveInterval 600
  • ClientAliveCountMax 3 (the slide shows 0; in current OpenSSH a count
    of 0 disables disconnection entirely, and even with a positive count
    this mechanism only drops clients that stop answering keepalives,
    not sessions whose user is merely idle)
  • ForceCommand
  • HostbasedAuthentication no
  • IgnoreRhosts yes
  • ListenAddress (bind only to the management address, not 0.0.0.0)
  • LoginGraceTime (seconds allowed to complete authentication)
  • MaxAuthTries (failed authentication attempts per connection)
  • MaxSessions (multiplexed sessions per connection)
  • MaxStartups (concurrent unauthenticated connections, e.g. 10:30:60)
  • PermitEmptyPasswords no
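The settings above are easy to get wrong in ways sshd accepts silently (a second occurrence of a directive is ignored, and anything under a Match line applies only conditionally). The script below is an added example, not part of the slides or the course material: it reads the global section of an sshd_config, takes the first occurrence of each directive as OpenSSH does, and compares it with a baseline. The function names, the baseline values and the sample sshd_config it audits are all constructed here for illustration.

```shell
#!/usr/bin/env bash
# Audit an sshd_config against a hardening baseline without restarting sshd.
# OpenSSH honours the FIRST occurrence of a directive, and anything below a
# "Match" line is conditional, so the audit reads only the global section.

# Baseline (constructed for this example): directive and expected value,
# compared case-insensitively.
SSHD_BASELINE='
AllowTcpForwarding no
AllowAgentForwarding no
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ClientAliveInterval 600
ClientAliveCountMax 3
MaxAuthTries 4
'

# sshd_effective FILE DIRECTIVE -> prints the value that wins for DIRECTIVE, nothing if unset
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
    tolower($1) == "match"               { exit }          # conditional block: global section is over
    tolower($1) == key                   { print $2; exit } # first occurrence wins
  ' "$1"
}

# audit_sshd_config FILE -> one line per finding on stdout; exit status 0 when the file is clean
audit_sshd_config() {
  findings=0
  while read -r directive expected; do
    [ -n "$directive" ] || continue
    actual=$(sshd_effective "$1" "$directive")
    if [ -z "$actual" ]; then
      echo "MISSING  $directive (expected $expected)"
      findings=$((findings + 1))
    elif [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" != "$expected" ]; then
      echo "MISMATCH $directive = $actual (expected $expected)"
      findings=$((findings + 1))
    fi
  done <<EOF
$SSHD_BASELINE
EOF
  [ "$findings" -eq 0 ]
}

# Demo on a constructed sshd_config (not a real host's file). It repeats the slide's
# ClientAliveCountMax 0, omits MaxAuthTries, and ends with a Match block that must be ignored.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat >"$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample
Port 22
AllowTcpForwarding no
AllowAgentForwarding No
ClientAliveInterval 600
ClientAliveCountMax 0
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
Match User backup
    AllowTcpForwarding yes
EOF
audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "sshd_config needs attention (see findings above)"
```

Run it against /etc/ssh/sshd_config on a real host with `audit_sshd_config /etc/ssh/sshd_config`; on the sample it reports the ClientAliveCountMax mismatch and the missing MaxAuthTries, and correctly ignores the AllowTcpForwarding yes that applies only to the backup user.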

3
Original Sentry Tools (Psionic)
  • Logcheck (still packaged as an RPM)
  • Portsentry
  • http://sourceforge.net/projects/sentrytools/
  • Tcplogd
  • See also netstat -an or ss -a to list listening sockets

4
Network Security
  • TCP Wrappers: hosts.allow, hosts.deny
  • /etc/security/access.conf
  • iptables (kernel 2.4; formerly ipfwadm in 2.0 and earlier, ipchains
    in 2.2)
  • /etc/sysctl.conf (apply with sysctl -p, read back with sysctl -a)
  • Avoid a smurf attack
  • net.ipv4.icmp_echo_ignore_broadcasts = 1
  • Turn on protection for bad ICMP error messages
  • net.ipv4.icmp_ignore_bogus_error_responses = 1
  • Turn on SYN cookies for SYN flood protection
  • net.ipv4.tcp_syncookies = 1
  • Log spoofed, source-routed and redirect packets (martians)
  • net.ipv4.conf.all.log_martians = 1
  • net.ipv4.conf.default.log_martians = 1

5
Network Security
  • /etc/sysctl.conf (set both "all", which covers existing interfaces,
    and "default", the template for interfaces created later)
  • No source-routed packets here
  • net.ipv4.conf.all.accept_source_route = 0
  • net.ipv4.conf.default.accept_source_route = 0
  • Turn on reverse path filtering (drop packets whose source address
    would not be routed back out the interface they arrived on; use 2
    for loose mode on hosts with asymmetric routing)
  • net.ipv4.conf.all.rp_filter = 1
  • net.ipv4.conf.default.rp_filter = 1
  • Don't let ICMP redirects alter the routing table
  • net.ipv4.conf.all.accept_redirects = 0
  • net.ipv4.conf.default.accept_redirects = 0
  • net.ipv4.conf.all.secure_redirects = 0
  • net.ipv4.conf.default.secure_redirects = 0
  • Don't act as a router
  • net.ipv4.ip_forward = 0
  • net.ipv4.conf.all.send_redirects = 0
  • net.ipv4.conf.default.send_redirects = 0

6
Network Security
  • /etc/sysctl.conf
  • Turn on Exec-Shield (Red Hat kernels only; the key does not exist on
    mainline kernels and sysctl -p reports an error for it there) and
    ASLR
  • kernel.exec-shield = 1
  • kernel.randomize_va_space = 2 (the slide used 1, which randomises the
    stack, mmap and VDSO but not the heap base; 2 is full ASLR and the
    default on current kernels)
  • Tune IPv6 (or turn it off): don't accept router advertisements or
    autoconfigure addresses on segments you don't control
  • net.ipv6.conf.default.router_solicitations = 0
  • net.ipv6.conf.default.accept_ra_rtr_pref = 0
  • net.ipv6.conf.default.accept_ra_pinfo = 0
  • net.ipv6.conf.default.accept_ra_defrtr = 0
  • net.ipv6.conf.default.autoconf = 0
  • net.ipv6.conf.default.dad_transmits = 0
  • net.ipv6.conf.default.max_addresses = 1
  • Optimisation for port use (for load balancers)
  • Increase the system file descriptor limit
  • fs.file-max = 65535
  • Allow for more PIDs (kernel.pid_max) to reduce rollover problems; may
    break some programs (value on the slide is cut off: 327)

7
Network Security
  • Increase system IP port limits
  • net.ipv4.ip_local_port_range = 2000 65000
  • Increase the Linux auto-tuning TCP buffer limits: min, default and
    max number of bytes to use; set max to at least 4 MB, or higher if
    you use very high BDP (bandwidth-delay product) paths
  • net.ipv4.tcp_rmem = 4096 87380 8388608
  • net.ipv4.tcp_wmem = 4096 87380 8388608
  • Increase the maximum socket buffer size settable with setsockopt()
    (SO_RCVBUF / SO_SNDBUF); TCP windows etc.
  • net.core.rmem_max = 8388608
  • net.core.wmem_max = 8388608
  • net.core.netdev_max_backlog = 5000
  • net.ipv4.tcp_window_scaling = 1
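The sysctl settings on the preceding slides only protect the host while the running kernel actually holds them: a key that a kernel lacks (kernel.exec-shield outside Red Hat) makes sysctl -p fail part-way, and a reboot without the file being applied silently reverts everything. The script below is an added example, not from the slides or the course: it collects the hardening keys from slides 4 to 6 into one sysctl.conf fragment (with the corrected randomize_va_space value) and checks each key against what the kernel exposes under /proc/sys. The fragment, the function names and the fake /proc/sys tree the demo runs against are constructed for this example.

```shell
#!/usr/bin/env bash
# Hardening fragment for /etc/sysctl.conf (apply with "sysctl -p", read back with
# "sysctl -a"), plus a drift check that compares it with the running kernel's /proc/sys.

SYSCTL_HARDENING='
# ICMP: ignore broadcast echo requests (smurf) and bogus error responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN cookies against SYN floods
net.ipv4.tcp_syncookies = 1
# Log martians; refuse source routing and ICMP redirects; reverse-path filter
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Not a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Full ASLR (2 also randomises the heap base); exec-shield exists only on Red Hat kernels
kernel.randomize_va_space = 2
kernel.exec-shield = 1
'

# sysctl_key_path KEY -> path relative to /proc/sys ("net.ipv4.ip_forward" -> "net/ipv4/ip_forward")
sysctl_key_path() { printf '%s\n' "$1" | tr '.' '/'; }

# sysctl_check CONF_TEXT [SYSROOT]
# Prints one DRIFT/ABSENT line per key whose running value differs from the config or which
# the kernel does not provide; exit status 0 means the kernel matches the config. SYSROOT
# defaults to /proc/sys; another root lets the check run against a captured or fake tree.
sysctl_check() {
  root=${2:-/proc/sys}; findings=0
  while IFS='=' read -r key want; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$key" ] || continue
    path="$root/$(sysctl_key_path "$key")"
    if [ ! -r "$path" ]; then
      echo "ABSENT $key (no such key on this kernel; sysctl -p will complain)"
      findings=$((findings + 1)); continue
    fi
    have=$(tr -s '[:space:]' ' ' <"$path"); have=${have% }   # multi-value keys are tab separated
    if [ "$have" != "$want" ]; then
      echo "DRIFT  $key = $have (config says $want)"
      findings=$((findings + 1))
    fi
  done <<EOF
$(printf '%s\n' "$1" | sed 's/#.*//; /^[[:space:]]*$/d')
EOF
  [ "$findings" -eq 0 ]
}

# Demo against a constructed fake /proc/sys tree so it runs unprivileged and offline. The fake
# kernel has rp_filter off, partial ASLR, and (like any non-Red Hat kernel) no exec-shield key.
# On a real host run:  sysctl_check "$(cat /etc/sysctl.conf)"
FAKE_SYS=$(mktemp -d)
mock_sysctl() {   # mock_sysctl KEY VALUE -> create the file a kernel would expose for KEY
  mkdir -p "$FAKE_SYS/$(dirname "$(sysctl_key_path "$1")")"
  printf '%s\n' "$2" >"$FAKE_SYS/$(sysctl_key_path "$1")"
}
printf '%s\n' "$SYSCTL_HARDENING" | sed 's/#.*//; /^[[:space:]]*$/d' | while IFS='=' read -r k v; do
  mock_sysctl "$(printf '%s' "$k" | tr -d ' ')" "$(printf '%s' "$v" | tr -d ' ')"
done
rm "$FAKE_SYS/kernel/exec-shield"
mock_sysctl net.ipv4.conf.all.rp_filter 0
mock_sysctl kernel.randomize_va_space 1
sysctl_check "$SYSCTL_HARDENING" "$FAKE_SYS" || echo "kernel does not match sysctl.conf"
```

The performance keys on slide 7 (port range, TCP buffers, window scaling) go in the same file and can be checked the same way; they are left out of the fragment because they are tuning, not hardening.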

8
Firewall - iptables
  • /etc/sysconfig/iptables (Red Hat family; loaded at boot by the
    iptables service in iptables-save format)
  • Commands: iptables, iptables-save, iptables-restore
  • The filter table has three built-in chains plus any user-defined
    chains; the stock Red Hat ruleset uses four chains in total
  • INPUT - The built-in chain for packets addressed to this system.
    Use it to open or close incoming ports (such as 80, 25 and 110) and
    source addresses or subnets (such as 202.54.1.16/29).
  • OUTPUT - The built-in chain for packets generated by this system.
    Use it to open or close outgoing ports and destination addresses or
    subnets.
  • FORWARD - The built-in chain for packets routed through this system
    from one interface to another; only consulted when
    net.ipv4.ip_forward = 1. Used when Linux is set up as a router, for
    example eth0 connected to an ADSL/cable modem and eth1 to the local
    LAN: FORWARD rules decide which traffic may pass between the LAN and
    the Internet.
  • RH-Firewall-1-INPUT - A user-defined chain. The stock Red Hat ruleset
    jumps to it from INPUT and FORWARD (not OUTPUT) so that both share
    one set of rules.

9
iptables
  • Packet Matching Rules
  • Each packet starts at the first rule in the chain.
  • A packet proceeds down the chain until it matches a rule, so order
    matters: an earlier, broader rule shadows a later, more specific one.
  • If a match is found, control jumps to the specified target (such as
    REJECT, ACCEPT, DROP or a user-defined chain). A user-defined chain
    that reaches its end, or a RETURN target, sends the packet back to
    the next rule of the calling chain.
  • If no rule in a built-in chain matches, the chain policy decides (set
    with -P, e.g. iptables -P INPUT DROP).
  • Target Meanings
  • ACCEPT lets the packet through.
  • REJECT discards the packet and sends an error back to the sender (an
    ICMP port-unreachable by default; --reject-with tcp-reset sends a
    TCP RST instead).
  • DROP discards the packet silently and sends nothing back to the
    sender.
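The traversal rules on the last two slides are easier to trust once you have watched them applied to real packets. The following is an added example, not part of the slides or the course: a small ruleset in the /etc/sysconfig/iptables (iptables-save) format, with the RH-Firewall-1-INPUT chain from slide 8, and a walker that applies the first-match, jump/return and policy rules from slide 9 to sample packets. The ruleset itself is valid iptables-restore input; the walker only understands -p, --dport, -s and -j (it refuses anything else rather than guess), and the addresses, chain names and sample packets are constructed for this example.

```shell
#!/usr/bin/env bash
# A minimal /etc/sysconfig/iptables-style ruleset plus a walker that applies the slide's
# matching rules to sample packets: first match wins, a jump into a user-defined chain comes
# back to the caller when nothing matched or RETURN is hit, and the built-in chain's policy
# decides when the packet falls off the end.

# Constructed ruleset. Only -p/--dport/-s/-j are used so the walker below can evaluate it.
RULESET='
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 22 -j REJECT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j RETURN
-A INPUT -p tcp --dport 25 -s 198.51.100.7 -j ACCEPT
COMMIT
'

# fw_decide RULESET CHAIN PROTO DPORT SRC -> prints ACCEPT, DROP or REJECT for one packet
fw_decide() {
  printf '%s\n' "$1" | awk -v chain="$2" -v proto="$3" -v dport="$4" -v src="$5" '
    function ip2int(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function in_cidr(ip, cidr,   part, bits, blk) {      # true when ip lies in cidr ("a.b.c.d" means /32)
      split(cidr, part, "/"); bits = (part[2] == "") ? 32 : part[2]
      blk = 2 ^ (32 - bits)                                # size of the network block
      return int(ip2int(ip) / blk) == int(ip2int(part[1]) / blk)
    }
    function walk(c,   i, r, v) {                        # verdict for chain c, or "" if it falls through
      for (i = 1; i <= n[c]; i++) {
        r = c SUBSEP i
        if ((r in p) && p[r] != proto) continue
        if ((r in d) && d[r] != dport) continue
        if ((r in s) && !in_cidr(src, s[r])) continue
        if (j[r] == "RETURN") return ""                  # explicit return to the calling chain
        if (j[r] == "ACCEPT" || j[r] == "DROP" || j[r] == "REJECT") return j[r]
        v = walk(j[r]); if (v != "") return v            # user-defined chain reached a verdict
      }
      return ""
    }
    /^:/ { sub(/^:/, ""); policy[$1] = $2; next }        # ":INPUT DROP [0:0]" -> policy; "-" for user chains
    /^-A / {
      n[$2]++; r = $2 SUBSEP n[$2]
      for (i = 3; i <= NF; i++) {
        if      ($i == "-p")      p[r] = $(++i)
        else if ($i == "--dport") d[r] = $(++i)
        else if ($i == "-s")      s[r] = $(++i)
        else if ($i == "-j")      j[r] = $(++i)
        else { print "unsupported match in rule: " $0 > "/dev/stderr"; bad = 1; exit 2 }
      }
    }
    END { if (bad) exit 2; v = walk(chain); print (v != "") ? v : policy[chain] }
  '
}

# Sample packets (constructed): chain, protocol, destination port, source address.
for pkt in "INPUT tcp 22 192.0.2.5" "INPUT tcp 22 203.0.113.9" "INPUT tcp 80 203.0.113.9" \
           "INPUT tcp 25 198.51.100.7" "INPUT tcp 25 203.0.113.9" "INPUT udp 53 203.0.113.9" \
           "OUTPUT tcp 443 10.0.0.1"; do
  printf '%-28s -> %s\n' "$pkt" "$(fw_decide "$RULESET" $pkt)"
done
```

Swapping the two port-22 rules in RH-Firewall-1-INPUT turns the management subnet's ACCEPT into dead code, because the broader REJECT then matches first; the port-25 packets show RETURN handing control back to INPUT, where only the listed relay is accepted and everything else falls through to the DROP policy.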