Transcript of "BCSekar-Linux-presen.."

  1. Securing your application and server in Linux
     B.C. Sekar, HCL Technologies Limited, NETWORKING PRODUCTS DIVISION
     ©HCL Technologies, Nov 21, 2003
  2. Agenda
       • Introduction
       • Securing server
       • Securing access to application
       • Question Time...
  3. Introduction
       • Server and application security are critical for the enterprise.
       • Some of the security attacks are IP spoofing, eavesdropping, access attacks and reconnaissance.
       • Linux has many tools to detect and prevent attacks on the server and application; they are the topic of this presentation.
  4. Commercial solutions
       • The commercial solutions for detecting and preventing attacks are:
           • Firewalls
           • Intrusion Detection Systems
           • AAA
           • IPSEC
  5. Securing server
       • Using IP chains, IP tables to secure the server.
       • Using SSH/SFTP to access the box.
       • Hardening the OS
       • LIDS
       • Integrity checking
  6. IPChains(1)
       • Firewalls help in handling external attacks.
       • The server also needs to be protected from unwanted internal access.
       • Access control for internal access can be enforced with IP Chains.
       • To make the server not respond to any packets sent from a range of computers, use:
           ipchains -A input -s 199.95.207.0/24 -j DENY
  7. IPChains(2)
       • To keep the server from connecting to particular outside sites:
           ipchains -A output -d 199.95.207.0/24 -j REJECT
       • To prevent IP spoofing:
           ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0
  8. IPChains(3)
     [Diagram: IPChains packet flow through the Input Chain, Forward Chain and Output Chain; each chain ends in ACCEPT or DENY.]
  9. IPTables(1)
       • Similar to IPChains but supports more advanced operations.
       • To disallow TCP connections from an internal host, use:
           iptables -A INPUT -p TCP -s 192.168.1.1 --syn -j DROP
       • Log all packets to /var/log/messages:
           iptables -A OUTPUT -j LOG
           iptables -A INPUT -j LOG
           iptables -A FORWARD -j LOG
  10. SSH/SFTP access to server
       • SSH protects against packet sniffing.
       • SFTP works over an SSH connection.
       • Data and server password are secure.
  11. OS Hardening(1)
       • Set LILO/GRUB password protection.
       • Edit /etc/shutdown.allow so that only root is allowed to shut down, and have shutdown called with the -a option from /etc/inittab.
       • Upgrade to the current stable kernel and turn off unused kernel options.
       • Apply kernel security patches for kernel vulnerabilities: http://www.openwall.com/linux
  12. OS Hardening(2)
       • Using nmap to detect unwanted open ports:
           $ nmap abc.zzzzz.com
           Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
           Interesting ports on abc.zzzz.com (10.0.0.1):
           (The 1587 ports scanned but not shown below are in state: closed)
           1005/tcp open unknown
       • Close unwanted ports and stop services that are not needed.
       • Disable unused daemons from startup scripts.
  13. LIDS
     LIDS (www.lids.org): kernel patch for securing the server
       • Protection of files
       • Protection of process
       • Access control with ACL
       • Security alert from kernel
       • Port scanner detector in kernel
     [Diagram labels: Access Control, File Operations, Process operations, Kernel]
  14. Integrity Checker
       • An integrity checker can be run on the server to determine the integrity of important files and binaries.
       • The integrity checker computes checksums of all important files and compares them with reference values.
       • Run tripwire using a crontab entry:
           15 05 * * * root /usr/local/adm/tcheck/tripwire
  15. Securing Application
       • Using HTTPS for web-based applications.
       • Using GPG for encrypting password files.
       • Using RPM signing for updating patches and installables.
  16. HTTPS(1)
       • Ability to connect to the server via secure HTTP.
       • Consists of:
           • Generating key
           • Generating certificate signing request
           • Generating self-signed certificate
           • CA-signed certificate
           • Configuring web server
  17. HTTPS(2)
       • OpenSSL: http://www.openssl.com/
       • Generate key:
           openssl genrsa -rand rt.txt 1024 > $APACHE_CONF_DIR/ssl/https.key
       • Generate CSR:
           openssl req -new -key $APACHE_CONF_DIR/ssl/https.key > $APACHE_CONF_DIR/ssl/https.csr
       • Generate certificate:
           openssl req -x509 -days 30 -key $APACHE_CONF_DIR/ssl/https.key -in $APACHE_CONF_DIR/ssl/https.csr > $APACHE_CONF_DIR/ssl/https.crt
       • Validate certificate:
           openssl x509 -noout -text -in $APACHE_CONF_DIR/ssl/https.crt
  18. Apache configuration for HTTPS
           SSLCertificateFile $APACHE_CONF_DIR/ssl.crt/https.crt
           SSLCertificateKeyFile $APACHE_CONF_DIR/ssl.key/https.key
       • The above lines need to be configured in Apache's httpd.conf.
  19. GPG
       • Encryption of an application-specific password file can be accomplished using:
           gpg -c file.txt
       • Retrieval is done using:
           gpg file.txt.gpg
       • The same pass phrase needs to be used for both encrypting and decrypting.
  20. Signed images and patches(1)
       • RPM can be used to create images and patches.
       • RPM signing can be used to sign the images and patches, to determine whether a patch is from the application vendor.
       • Create public, private key pairs:
           # gpg -kg
  21. Signed images and patches(2)
       • Edit file /etc/rpm/macros:
           %_signature gpg
           %_gpg_name xxx <yyy@zzz.com>
           %_gpg_path /root/.gpg
           %_gpgbin /usr/bin/gpg
       • Sign rpms:
           rpm -bb -vv --sign <rpm_spec.name>
  22. Signed images and patches(3)
       • For verification, drop the public key into <login_dir>/.gpg:
           gpg -ka <public_key>
           rpm --checksig <rpm_name>
           test-1.0-0.i386.rpm.orig: gpg md5 OK
  23. Cost Benefit Analysis
       • The commercial solutions cost at least $10,000 to implement (e.g. one firewall, one IDS, an AAA solution, etc.).
       • The open source solution does not have any cost.
       • The support on a commercial solution may be better.
       • But with wider usage of open source solutions in Linux, getting security updates is much faster.
  24. Conclusion
       • The security needs of the server and application need to be met with a comprehensive set of tools.
       • The level at which security tools are deployed is related to the business dependency on the server and application.
       • These mechanisms and tools, in addition to protecting against internal attacks, also help small organizations protect against external attacks.
  25. References
       • Tripwire Integrity Checker: http://www.tripwire.com
       • NMAP: www.insecure.org/nmap/
       • OpenSSL: http://www.openssl.org
       • Apache Web server: http://www.apache.org
       • Linux HOWTOs: http://www.tldp.org
       • LIDS: www.lids.org
       • Openwall: http://www.openwall.com/linux
  26. Questions
       • B.C. Sekar
       • HCL Technologies Limited,
       • 158, NSK Salai, Vadapalani,
       • Chennai - 600026.
       • Phone - +91-44-3750171
       • http://www.hcltechnologies.com
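
The HTTPS procedure on slides 16 to 18 ends with Apache being pointed at a certificate file and a key file; if the two were not made from the same key, the server cannot serve TLS. The script below is an added example, not part of the original slides: it repeats the key, CSR and certificate steps in a scratch directory and checks that they belong together and how long the certificate stays valid. The function names, file names, the CN and the 2048-bit key size are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the slides). File names and the CN are assumptions.

# Create key, CSR and 30-day self-signed certificate as $1/$2.{key,csr,crt}.
# Uses a 2048-bit key instead of the 1024 bits shown on the 2003 slide.
make_pair() {
    ( umask 077 && openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$1/$2.key" -subj "/CN=www.example.test" \
        -out "$1/$2.csr" 2>/dev/null &&
    openssl req -x509 -days 30 -key "$1/$2.key" -in "$1/$2.csr" \
        -out "$1/$2.crt" 2>/dev/null
}

# Print the RSA modulus of a key (rsa), CSR (req) or certificate (x509).
modulus_of() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null
}

# Succeed only if object $2 of type $3 (req or x509) was made from key $1.
# A missing or unreadable file counts as a mismatch.
matches_key() {
    k=$(modulus_of rsa "$1") || return 1
    o=$(modulus_of "$3" "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$o" ]
}

# Succeed only if certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d" https && make_pair "$d" http || { rm -rf "$d"; return 1; }
    matches_key "$d/https.key" "$d/https.csr" req  && echo "CSR matches https.key"
    matches_key "$d/https.key" "$d/https.crt" x509 && echo "cert matches https.key"
    matches_key "$d/http.key"  "$d/https.crt" x509 || echo "cert does not match http.key"
    valid_for_days "$d/https.crt" 31 || echo "cert expires within 31 days"
    rm -rf "$d"
}
demo
```

Running `matches_key` against the files named in `SSLCertificateKeyFile` and `SSLCertificateFile` before restarting Apache catches a key and certificate that were generated from different files.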
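
Slide 14 describes an integrity checker as something that computes checksums of important files and compares them with reference values. The script below is an added example of that comparison, not part of the original slides and not Tripwire itself: it records a reference snapshot of a directory and later reports files that were changed, added or removed. The function names and the sample files are constructed for the example, and it assumes GNU sha256sum.

```shell
#!/bin/sh
# Added example (not from the slides, and not Tripwire). Names are assumptions.
# Assumes GNU sha256sum and file names without newlines or backslashes.

# Print "hash  path" for every regular file under directory $1, sorted by path.
snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort -k 2
}

# Compare directory $2 with the reference snapshot in file $1.
# Prints one line per CHANGED, ADDED or MISSING file; returns 1 on any drift.
compare() {
    snapshot "$2" | awk -v base="$1" '
        BEGIN {
            # Load reference values: 64 hex digits, two spaces, then the path.
            while ((getline line < base) > 0)
                ref[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            path = substr($0, 67); sum = substr($0, 1, 64)
            if (!(path in ref))        { print "ADDED   " path; drift = 1 }
            else if (ref[path] != sum) { print "CHANGED " path; drift = 1 }
            delete ref[path]
        }
        END {
            for (path in ref) { print "MISSING " path; drift = 1 }
            exit (drift ? 1 : 0)
        }'
}

demo() {
    watched=$(mktemp -d) && store=$(mktemp -d) || return 1
    printf 'root:x:0:0\n' > "$watched/passwd"       # constructed sample files
    printf 'binary v1\n'  > "$watched/login"
    printf 'old tool\n'   > "$watched/rlogin"
    snapshot "$watched" > "$store/baseline"         # keep outside the watched tree
    printf 'binary v2 (tampered)\n' > "$watched/login"
    rm "$watched/rlogin"
    printf 'x\n' > "$watched/.hidden"
    compare "$store/baseline" "$watched"
    status=$?
    rm -rf "$watched" "$store"
    return "$status"
}
demo || echo "drift detected (exit status 1)"
```

The reference snapshot is only trustworthy if an attacker who can modify the watched files cannot also rewrite it, so it belongs on read-only or off-host storage.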