This presentation was made for my college presentation explaining "Threats, Vulnerabilities & Security Measures in Linux", and it also suggests how you could enhance your Linux OS security.
2. Linux is a kernel developed by Linus Torvalds.
Combined with the GNU project of Robert Stallman, it is known as the GNU/Linux operating system. The initial version was released in 1991.
3. -Unix-like operating system.
-Open source.
-Freeware.
-GPL.
-Copyleft.
-Many vendors (Red Hat, SUSE, etc.).
-Comparatively more secure than other available OSes.
4. Security is a very generic term; it can relate to the need to protect ourselves against intruders in the real world, keeping us and our assets safe. The same applies to an OS.
- The most common security terms are:
a> Assets
-An asset is what we're trying to protect.
- People, property, and information.
b> Threats
-A threat is what we're trying to protect against.
-Anything that can exploit a vulnerability.
5. c> Vulnerability
-A vulnerability is a weakness or gap in our protection efforts/security program.
d> Attack
- A sequence of actions that exploits a vulnerability.
e> Risk
-Risk is the intersection of assets, threats, and vulnerabilities.
8. Trojan Horse -
Sends information to a third party without your knowledge.
A Trojan that allows a hacker to gain access to your machine is called a Remote Access Trojan (RAT).
Phishing threats -
Someone posing as a trustworthy person steals your information.
Hackers -
Looking for credit card numbers or any other information for their own gain.
9. Worms -
Programs that replicate and spread.
Need no other program to propagate themselves.
Spyware -
Sends information about you and your system to somebody else.
Monitors your online activities.
Adware -
Automatically plays, displays or downloads advertisements to a computer.
Viruses -
Alter the way a computer operates.
Cannot do anything unless you run them.
Types of viruses:
1. Boot sector infectors
2. File infectors
3. Macro viruses
14. Trapdoor/Back door
An undocumented method of access,
written by the original programmer,
used in both legal and illegal ways.
Logic bomb
A piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
15. Rootkit
A rootkit is a set of tools used by an intruder after cracking a computer system.
It helps the attacker maintain his or her access to the system and use it for malicious purposes.
It hides the data that would indicate an intruder has control of your system.
Rootkits exist for a variety of operating systems such as Linux, Solaris and Microsoft Windows.
16.
• Root kits
• Contain Trojan binary programs ready to be installed by an intruder with root access to the system
• The attacker hides the tools used for later attacks
• Replace legitimate commands with Trojan programs
• E.g.: LRK5
• Tool to check root kits
• Root kit Hunter
• Chkrootkit
Vulnerabilities Continue…
17.
• Scan the system(s) for unpatched code/modules
• Intruders usually focus on a small number of exploits
18. Once an intruder gains root access, his next step is to make sure that he does not get caught.
19. A Trojan horse is a malicious program that is disguised as legitimate software.
Trojan horse programs are bundled in the form of "rootkits".
Originally written for Sun's Berkeley flavor of Unix (SunOS 4).
20. Get a program to scan /bin/login and see if it has been corrupted.
Tools like Tripwire can check the integrity of the file if a hash was generated at install time.
Identify and replace the files that have been modified.
Use MD5 checksums to check the authenticity of the program.
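As an added example (not from the original slides), the script below does what slide 20 describes in a few lines of shell: it records a baseline of file hashes once, and later re-hashes the same files and reports any that no longer match. It uses SHA-256 instead of the MD5 the slide mentions, because MD5 collisions can be manufactured; the fake /bin tree, file names and "trojaned" content are constructed for the demo, and GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from the original slides. A minimal Tripwire-style
# integrity check: hash every file under a directory once (the baseline),
# then re-hash later and report anything that differs. SHA-256 is used
# instead of the MD5 mentioned on the slide. Assumes GNU coreutils.

# Record "hash  path" for every regular file under $1 into baseline file $2.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Re-hash every file listed in baseline $1 and print the paths that no
# longer match (modified, or missing/unreadable). sha256sum -c does the
# comparison; --quiet hides the OK lines so only failures remain.
changed_files() {
    sha256sum --check --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Demo on constructed files: a fake bin/ tree, a baseline, then a simulated
# trojaned "login" whose name stays the same but whose contents change.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'original login binary\n' > "$work/bin/login"
    printf 'original ls binary\n'    > "$work/bin/ls"
    make_baseline "$work/bin" "$work/baseline.sha256"
    printf 'trojaned login binary\n' > "$work/bin/login"
    changed_files "$work/baseline.sha256" | sed "s#^$work/##"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh integrity.sh demo` and it prints `bin/login`, the one file whose contents changed. On a real host the baseline must be kept where an intruder with root cannot rewrite it (read-only media or another machine), otherwise the attacker simply re-hashes the trojaned binaries.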
22. Buffer overflows write code into the OS's memory and then run some type of program.
They can elevate the attacker's permissions to the level of the owner.
A buffer overflow program looks like:
23. The program compiles, but returns the following error:
24. Guidelines to help reduce this type of attack:
Avoid functions known to have buffer overflow vulnerabilities:
▪ strcpy()
▪ strcat()
▪ sprintf()
▪ gets()
Configure the OS so that code placed on the stack cannot be executed.
Use compilers that warn programmers when the functions listed in the first bullet are used.
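The following is an added example, not from the slides: a small audit script that finds every call to the four functions listed on slide 24 in a set of C source files, so they can be reviewed or replaced before the code is built. The `sample.c` file is constructed for the demo, and GNU grep/sed are assumed (the `\b` word boundary keeps the bounded relatives `strncpy`, `snprintf` and `fgets` from being reported).

```shell
#!/bin/sh
# Added example, not from the original slides. A grep-based audit that lists
# every call to the functions named on slide 24. Assumes GNU grep/sed.
# The sample.c below is constructed for the demo.
UNSAFE_FUNCS='strcpy|strcat|sprintf|gets'

# Print "file:line:function" for each unsafe call in the given C files.
# \b ensures strncpy, snprintf and fgets are not reported.
find_unsafe_calls() {
    grep -nHE "\b($UNSAFE_FUNCS)[[:space:]]*\(" "$@" |
        sed -E 's/^([^:]+:[0-9]+):.*\b('"$UNSAFE_FUNCS"')[[:space:]]*\(.*$/\1:\2/'
}

# Demo on a constructed source file with two unsafe calls and one safe one.
demo() {
    work=$(mktemp -d)
    cat > "$work/sample.c" <<'EOF'
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);                      /* unbounded copy */
    snprintf(buf, sizeof buf, "%s", name);  /* bounded, not reported */
    gets(buf);                              /* no length limit at all */
}
EOF
    (cd "$work" && find_unsafe_calls sample.c)
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Running `sh audit.sh demo` prints `sample.c:5:strcpy` and `sample.c:7:gets`. This complements the slide's last bullet rather than replacing it: building with `gcc -Wall -Wformat=2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong` makes the compiler and glibc flag many of the same calls at build time (modern glibc also warns at link time whenever `gets` is used).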
25. Sniffers work by setting a network card adapter in promiscuous mode.
The NIC then accepts all packets that traverse the network cable.
An attacker can analyze the packets and learn user names and passwords.
Avoid using protocols such as Telnet, HTTP, and FTP that send data in clear text.
Sniffers: tcpdump, Ethereal (Wireshark)
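As an added defender-side example (not part of the slides), the script below reports which interfaces on a host are currently in promiscuous mode, the state slide 25 says a sniffer puts the NIC into. It parses the one-line-per-interface output of `ip -o link show` (iproute2) and, alternatively, the kernel's flag word in `/sys/class/net/*/flags`; the sample `ip` output embedded for the offline demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original slides. Lists interfaces that are in
# promiscuous mode. Assumes iproute2 on a live host; the sample output
# below is constructed so the demo runs offline.

# Read "ip -o link show" output on stdin, print interfaces whose flag list
# (third field, e.g. <BROADCAST,MULTICAST,PROMISC,UP>) contains PROMISC.
promisc_ifaces() {
    awk '$3 ~ /[<,]PROMISC[,>]/ { sub(/:$/, "", $2); print $2 }'
}

# Live check via iproute2.
check_host() {
    ip -o link show | promisc_ifaces
}

# Live check via sysfs: bit 0x100 of the flags word is IFF_PROMISC.
check_sysfs() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if [ $(( $(cat "$f") & 0x100 )) -ne 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Constructed sample of "ip -o link show": eth1 is promiscuous, lo and eth0 are not.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

demo() {
    printf '%s\n' "$SAMPLE_IP_LINK" | promisc_ifaces
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

`sh promisc.sh demo` prints `eth1`. Note that legitimate software (a local Wireshark, some virtualization bridges) also sets PROMISC, so an unexpected hit is a prompt to find the owning process, not proof of an intruder; the kernel additionally logs "device X entered promiscuous mode" in dmesg, which is worth forwarding to a central log.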
26. Footprinting techniques
Used to find out information about a target system.
Footprinting tools include: Whois databases, DNS zone transfers, Nessus, and port scanning tools.
Determining the OS version the attacked computer is running.
Checking newsgroups for details in posted messages.
Knowing a company's e-mail address makes the search easier.
27. Goal
To get OS information from company employees
Common techniques
Urgency
Quid pro quo
Status quo
Kindness
Position
Train your employees about social engineering techniques
28. Users must be told not to reveal information to outsiders.
Make customers aware that many exploits can be downloaded from Web sites.
Teach users to be suspicious of people asking questions about the system they are using.
Verify a caller's identity (call-back technique).
29. Keep current on new kernel releases and security updates.
Installing these fixes is essential to protecting your system.
Use automated tools for updating your systems.
31. How do you physically secure a Linux server?
What precautions apply during installation of Linux?
What precautions apply after installation?
32. BIOS password
Setting a BIOS password protects the system configuration from being reset or altered by intruders.
Place servers in a controlled area
•Server rooms should always be locked.
•Monitoring should be done both by cameras and by people.
•Implement access controls such as biometrics or other means of logging entries.
•Servers should be visible from outside the room so operators notice any potential threats or hazards.
•A fire suppression system must be available to control fire or electrical hazards.
33. Servers are to be placed in racks with locking mechanisms.
Guidelines for choosing suitable racks:
•Racks are to be made of heavy and durable material.
•Individual locks are required for each server in the rack.
•Implement logging controls on each lock.
Prevent servers from being booted from other media.
34. Conceal cabling and power outlets
• They are the main carriers of data flow and operation.
• Unprotected cabling may be exploited by an attacker.
35. •A Linux installation should be planned out initially to achieve the best performance.
•The purpose of usage is crucial to determine which packages or services need to be installed.
36. Install from a clean formatted drive
- Installation should be run on a clean formatted drive; run disk utilities to find bad sectors (fsck).
- In case such problems arise, consider replacing the drive and running diagnostics again.
Partitions
•Linux offers partitioning of its directories to protect against data loss due to corrupted partitions.
•Example: the /usr directory on a different partition, hda3, is not affected if the partition 'hda1' fails or corrupts.
37. Custom installation
•Installation must be done with as few packages as possible (custom or minimal installation).
•This prevents unnecessary services from running on either workstations or servers.
•Additional packages can be installed later depending on the purpose of usage.
•Example: running Linux as a web server only needs packages such as Apache, PHP, OpenSSL, etc., as required. Having other services such as Sendmail (mail server) may jeopardize the web server's security.
38. Patches
•Patches that are acquired should be tested on a test system before being deployed to production. This ensures patches don't crash the production system, causing unnecessary downtime.
•Update and patch sites differ between Linux distributions and packages. Here is a list of major package sites:
Redhat Linux
http://www.redhat.com/support/errata
Mandrake Linux
http://www.mandrakesoft.com/security
39. Account password safety
-Linux stores its user account information in the /etc/passwd file. Most Linux distributions nowadays have shadow passwords enabled by default, in /etc/shadow.
-In case shadow is not enabled, the command pwconv will create the shadow file based on the /etc/passwd file.
40. Account policy
• Limit the ability to access areas of the system by using "groups" to categorize users.
o Use the groupadd <groupname> command to create a group.
o Use useradd -g <groupname> <username> to add a user to the group, or usermod -g <groupname> <username> for an existing user.
• Enforce password aging that forces users to change their passwords from time to time.
o The chage command is used to enforce password aging.
• The default minimum password length allowed in Linux is 5. Change it to force users to choose passwords of more than 8 characters for better security; longer passwords take longer to crack.
o # vi /etc/login.defs
o Change the value of PASS_MIN_LEN 5 to PASS_MIN_LEN 8
41. Removing unnecessary accounts
There are two ways to accomplish this:
• The userdel command is used to delete user accounts, e.g.
userdel -r ftp ; this removes the user account 'ftp', its home directory and the files residing in it.
• The other way is to manually remove the entries related to the user account from /etc/passwd and /etc/shadow:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin - remove from /etc/passwd
ftp:*:12329:0:99999:7::: - remove from /etc/shadow
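To show how the account checks on slides 39 to 41 look as an audit rather than a manual read of the files, here is an added example (not from the slides) that inspects /etc/passwd, /etc/shadow and /etc/login.defs with awk and sed: it lists users whose hash still sits in /etc/passwd (shadow not in use), users with an empty password, users with no password aging, and the current PASS_MIN_LEN, and it performs the slide's vi edit non-interactively. The sample files are constructed (the hashes are not real), so the script runs offline; point the functions at the real files to audit a host.

```shell
#!/bin/sh
# Added example, not from the original slides. Audits the account files
# discussed on slides 39-41. Sample files are constructed; run the
# functions against /etc/passwd, /etc/shadow and /etc/login.defs on a host.

# Users whose /etc/passwd password field holds something other than the
# shadow marker "x" (or a lock marker): their hash is world-readable.
hashes_in_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Users whose /etc/shadow entry has an empty password field: no password needed.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Users with a usable password (not locked with * or !) whose maximum
# password age (field 5) is unset or the 99999-day default: aging not enforced.
no_password_aging() {
    awk -F: '$2 !~ /^[*!]/ && $2 != "" && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# Current PASS_MIN_LEN from a login.defs file.
pass_min_len() {
    awk '$1 == "PASS_MIN_LEN" { print $2 }' "$1"
}

# Rewrite PASS_MIN_LEN in place (slide 40's vi edit, done with GNU sed).
set_pass_min_len() {
    sed -i "s/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN $2/" "$1"
}

# Print all findings for the files in directory $1 (passwd, shadow, login.defs).
audit() {
    echo "hash stored in passwd:   $(hashes_in_passwd "$1/passwd" | paste -sd, -)"
    echo "empty password:          $(empty_passwords "$1/shadow" | paste -sd, -)"
    echo "no password aging:       $(no_password_aging "$1/shadow" | paste -sd, -)"
    echo "PASS_MIN_LEN:            $(pass_min_len "$1/login.defs")"
}

# Constructed sample files (NOT a real host's data) written into directory $1.
setup_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$constructed$notARealHash:1001:1001:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$notARealHash:12329:0:99999:7:::
ftp:*:12329:0:99999:7:::
alice::12329:0:90:7:::
carol:$6$constructed$notARealHash:12329:0:99999:7:::
EOF
    printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n' > "$1/login.defs"
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d); setup_samples "$work"; audit "$work"
    set_pass_min_len "$work/login.defs" 8; audit "$work"; rm -rf "$work"
fi
```

In the demo, bob is reported for a hash in passwd (the pwconv case), alice for an empty password, and root and carol for no aging; the locked ftp account is correctly ignored. On a real host the fix for the aging finding is `chage -M 90 <user>` per account, and the sed edit is exactly the change slide 40 makes by hand.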
42. The root account is the most privileged account on a UNIX system. When the administrator forgets to log out from the root prompt before leaving the system, the system should automatically log out of the shell. A special variable in Linux, 'TMOUT', must be set in /etc/profile to use this feature.
Edit the /etc/profile file:
# vi /etc/profile
Add the following lines (readonly stops users from unsetting the timeout in their own shell):
HISTFILESIZE=
TMOUT=3600
readonly TMOUT
export TMOUT
43. Services/daemons are background programs that serve a utility function without being called by a user.
Ports are designated to provide a gateway to the services. These ports are numbered from 1 to 65535.
Example, to stop sendmail:
# service sendmail stop
44. apmd - Required only on laptops, to monitor battery information
portmap - Only if RPC services are running (which is dangerous), i.e. NFS, NIS
pcmcia - Required only on laptops
telnet - Use Secure Shell (SSH) instead
finger - Used to query account information
samba - Used to share volumes with Windows clients
sendmail - Mail server, depends on purpose
httpd - Apache web server, depends on purpose
mysql - Database server
vnc - Remote desktop administration
nfs - Network File System server
xfs - X font server
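As an added example (not from the slides), the script below turns the list on slide 44 into a check: it reads the output of `ss -tlnp` (listening TCP sockets) and flags any listener on a port that belongs to one of the services the slide says to avoid or review. The port-to-service map is this example's own choice, the sample `ss` output is constructed, and the iproute2 `ss` tool is assumed on a live host.

```shell
#!/bin/sh
# Added example, not from the original slides. Flags listening TCP ports
# belonging to services slide 44 lists as risky or clear-text. On a live
# host:  ss -tlnp | risky_listeners   (root shows the owning process).

# Read "ss -tlnp" output on stdin; print "port:reason" for risky listeners.
# Field 4 is Local Address:Port; the port is the text after the last colon.
risky_listeners() {
    awk 'BEGIN {
            risky[21]   = "ftp (clear-text, use sftp/scp)"
            risky[23]   = "telnet (clear-text, use ssh)"
            risky[79]   = "finger (leaks account info)"
            risky[111]  = "portmap/rpcbind (needed only for NFS/NIS)"
            risky[5900] = "vnc (remote desktop; tunnel over ssh or disable)"
            risky[7100] = "xfs (X font server)"
         }
         NR > 1 && $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            if (port in risky) print port ":" risky[port]
         }'
}

# Constructed sample of "ss -tlnp" output: sshd, telnet, finger and a
# loopback-only mysqld are listening.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=612,fd=3))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("in.telnetd",pid=700,fd=4))
LISTEN 0      128    0.0.0.0:79          0.0.0.0:*         users:(("in.fingerd",pid=701,fd=4))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=803,fd=21))'

demo() {
    printf '%s\n' "$SAMPLE_SS" | risky_listeners
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

`sh listeners.sh demo` reports ports 23 and 79. Once a listener is identified, slide 43's `service <name> stop` (or `systemctl disable --now <name>` on systemd hosts) removes it; re-run the check afterwards, since services started by xinetd do not appear under their own name.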
45. Xinetd is a secure replacement for inetd and is also known as the internet service daemon.
Inetd is a daemon that controls and manages several other daemons.
It calls those daemons that are needed by the system to perform various duties.
Inetd requires root access to run; hence it is extremely powerful and can call certain processes into life and kill them as well.
Ensure the xinetd configuration is owned by root:
[root@asydz etc]# ls -l xinetd.conf
-rw-r--r-- 1 root root 289 Feb 18 02:59 xinetd.conf
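The `ls -l` on slide 45 is a manual check; as an added example (not from the slides) here is the same check as a function that can be run over every xinetd configuration file at once. It verifies the owner and that neither group nor others have write access, using GNU `stat`; the demo in the test uses a temporary file instead of the real /etc/xinetd.conf.

```shell
#!/bin/sh
# Added example, not from the original slides. Checks that a configuration
# file is owned by the expected user and is not writable by group or others,
# which is what slide 45's "ls -l" is looking for. Assumes GNU stat.

# Print "ok", "bad-owner:<owner>", "bad-mode:<mode>" or "missing" for file $1,
# given the expected owner $2. Exit status is 0 only for "ok".
check_config_perms() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || { echo "missing"; return 1; }
    mode=$(stat -c '%a' "$1")
    if [ "$owner" != "$2" ]; then
        echo "bad-owner:$owner"; return 1
    fi
    # 022 masks the group-write and other-write bits of the octal mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad-mode:$mode"; return 1
    fi
    echo "ok"
}

# Run the check over xinetd's main file and every per-service file.
audit_xinetd() {
    for f in /etc/xinetd.conf /etc/xinetd.d/*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$f" "$(check_config_perms "$f" root)"
    done
}

if [ "${1:-}" = "audit" ]; then audit_xinetd; fi
```

A `bad-mode` result means someone other than root can change which daemons xinetd launches and as which user, so it deserves the same urgency as a root-owned file with a wrong owner.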
46. TCP wrappers are used to provide additional security against intrusion by controlling connections to defined services.
tcp_wrappers uses the tcpd daemon, which acts as a filter on a particular port until the appropriate call is made.
TCP wrappers are controlled from two files:
/etc/hosts.allow
/etc/hosts.deny
The best policy is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file and then explicitly list trusted
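To make the evaluation order behind slide 46 concrete, here is an added example (not from the slides): a small shell simulator of how tcpd consults /etc/hosts.allow first, then /etc/hosts.deny, and allows a client that matches neither. It understands the `ALL` wildcard, exact hosts/addresses and trailing-dot network prefixes such as `192.168.1.`; the `@`, `EXCEPT` and `PARANOID` forms from the slide are not implemented. The rule files and client addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original slides. Simulates tcpd's decision for
# one daemon and one client from hosts.allow / hosts.deny style rule files.

# Does client pattern $1 (ALL, "net." prefix, or exact host) match client $2?
match_client() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does rule line $1 ("daemon_list : client_list") match daemon $2 and client $3?
rule_matches() {
    daemons=${1%%:*}; clients=${1#*:}
    dmatch=1; cmatch=1
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then dmatch=0; fi
    done
    for c in $(printf '%s' "$clients" | tr ',' ' '); do
        if match_client "$c" "$3"; then cmatch=0; fi
    done
    [ "$dmatch" -eq 0 ] && [ "$cmatch" -eq 0 ]
}

# Does any non-comment rule in file $1 match daemon $2 and client $3?
file_matches() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        if rule_matches "$line" "$2" "$3"; then return 0; fi
    done < "$1"
    return 1
}

# Print "allow" or "deny" for daemon $3 and client $4, using allow file $1
# and deny file $2, in the order tcpd applies them.
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow   # no rule in either file: tcpd's default is to allow
    fi
}

# Constructed hosts.allow / hosts.deny written into directory $1.
setup_wrapper_samples() {
    printf '# trusted networks only\nsshd : 192.168.1.\nALL : 127.0.0.1\n' > "$1/hosts.allow"
    printf '# slide 46: deny everything not explicitly allowed\nALL : ALL\n' > "$1/hosts.deny"
}

demo() {
    work=$(mktemp -d)
    setup_wrapper_samples "$work"
    for pair in sshd/192.168.1.5 sshd/10.0.0.9 in.telnetd/127.0.0.1 in.ftpd/192.168.1.5; do
        printf '%s from %s: %s\n' "${pair%/*}" "${pair#*/}" \
            "$(tcpd_decision "$work/hosts.allow" "$work/hosts.deny" "${pair%/*}" "${pair#*/}")"
    done
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The demo shows why the slide's "deny ALL, then allow explicitly" ordering works: with `ALL : ALL` in hosts.deny, only the clients named in hosts.allow get through, and the default-allow fallback is never reached. Many current distributions no longer link daemons against libwrap, so on such systems the same allow-list belongs in the host firewall or in the daemon's own configuration.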
47. In a default Linux environment, the login screen shows important information such as the Linux distribution name, version and kernel information. With this information, a potential attacker might have what he/she needs to focus the attack on a specific version or distribution.
Following these steps will disable that information so that only 'login:' is shown at the login prompt.
48. Edit /etc/rc.d/rc.local and put # in front of the following lines to comment them out:
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue
49. Third-party utilities
-Prevent or detect malicious activities.
-Check system file integrity.
Examples:
Tripwire is a policy-driven file system integrity checker.
Sentry tools provide host-level security services for the Linux platform.
Bastille is a useful tool that attempts to "harden" or "tighten" Linux operating systems by configuring daemons, system settings and the firewall.