  1. Securing your application and server in Linux
     B.C. Sekar, HCL Technologies Limited, Networking Products Division
     ©HCL Technologies, Nov 21, 2003
  2. Agenda
     - Introduction
     - Securing server
     - Securing access to application
     - Question Time...
  3. Introduction
     - Server and application security are critical for the enterprise.
     - Some of the security attacks are IP spoofing, eavesdropping, access attacks and reconnaissance.
     - Linux offers many tools to detect and prevent attacks on server and application; these tools are the topic of this presentation.
  4. Commercial solutions
     - The commercial solutions for detecting and preventing attacks are:
       - Firewalls
       - Intrusion Detection Systems
       - AAA
       - IPSEC
  5. Securing server
     - Using IP Chains / IP Tables to secure the server.
     - Using SSH/SFTP to access the box.
     - Hardening the OS
     - LIDS
     - Integrity checking
  6. IPChains(1)
     - Firewalls help in handling external attacks.
     - The server also needs to be protected from unwanted internal access.
     - Access control for internal access can be enforced with IP Chains.
     - To make the server not respond to any packets sent from a range of computers:
       ipchains -A input -s <source range> -j DENY
  7. IPChains(2)
     - To prevent the server from connecting to particular outside sites:
       ipchains -A output -d <destination> -j REJECT
     - To prevent IP spoofing (reject packets arriving on eth0 whose source address lies in a range that should never appear on that interface):
       ipchains -A input -j REJECT -p all -s <spoofed source range> -i eth0
  8. IPChains(3)
     [Diagram: a packet traverses the IPChains Input Chain, Forward Chain and Output Chain; at each chain it is either passed on (ACCEPT) or discarded (DENY).]
  9. IPTables(1)
     - Similar to IPChains but supports more advanced operations.
     - To disallow new TCP connections from an internal host use:
       iptables -A INPUT -p TCP -s <host> --syn -j DROP
     - To log all packets to /var/log/messages:
       iptables -A OUTPUT -j LOG
       iptables -A INPUT -j LOG
       iptables -A FORWARD -j LOG
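The three LOG rules above write one kernel line per packet to /var/log/messages, which is only useful if something reads it. As an added example that is not part of the presentation, the POSIX shell functions below summarise LOG lines per source address and count the distinct TCP ports each source has sent SYNs to; a single source probing many ports is a candidate port scan worth a closer look (compare the nmap output on slide 12). The log lines, host names and addresses in SAMPLE_LOG are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the presentation): summarise iptables LOG output, as the
# LOG target writes it to /var/log/messages, per source address. The log lines in
# SAMPLE_LOG are constructed; the field layout (SRC= DST= PROTO= DPT= SYN) is the
# kernel's. Host names and addresses are made up.

# summarize_log: read LOG lines on stdin, print "<src> <packets> <distinct SYN ports>"
summarize_log() {
    awk '
    {
        src = ""; dpt = ""; proto = ""; syn = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i == "SYN")    syn = 1
        }
        if (src == "") next          # not a LOG line
        pkts[src]++
        # count each TCP destination port once per source, SYN packets only
        if (proto == "TCP" && syn && !((src, dpt) in seen)) {
            seen[src, dpt] = 1; ports[src]++
        }
    }
    END { for (s in pkts) printf "%s %d %d\n", s, pkts[s], ports[s] + 0 }
    ' | sort
}

# scan_suspects THRESHOLD: sources that sent SYNs to at least THRESHOLD distinct ports
scan_suspects() {
    summarize_log | awk -v t="$1" '$3 >= t { print $1 }'
}

SAMPLE_LOG='Nov 21 10:15:01 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 SYN URGP=0
Nov 21 10:15:01 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 SYN URGP=0
Nov 21 10:15:01 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40003 DPT=443 WINDOW=5840 SYN URGP=0
Nov 21 10:15:02 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40004 DPT=1005 WINDOW=5840 SYN URGP=0
Nov 21 10:15:02 srv kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 SYN URGP=0
Nov 21 10:15:03 srv kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 ACK URGP=0
Nov 21 10:15:03 srv kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.5 LEN=76 PROTO=UDP SPT=514 DPT=514 LEN=56'

summary()  { printf '%s\n' "$SAMPLE_LOG" | summarize_log; }
suspects() { printf '%s\n' "$SAMPLE_LOG" | scan_suspects "${1:-3}"; }
```

On a real server, replace the constructed sample with `grep 'kernel: IN=' /var/log/messages | summarize_log`.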
  10. SSH/SFTP access to server
     - SSH protects against packet sniffing.
     - SFTP works over an SSH connection.
     - Data and the server password are secure.
  11. OS Hardening(1)
     - Set LILO/GRUB password protection.
     - Edit /etc/shutdown.allow to allow only root to shut down, and call shutdown with the -a option from /etc/inittab.
     - Upgrade to the current stable kernel and turn off unused kernel options.
     - Apply kernel security patches for kernel vulnerabilities: http://www.openwall.com/linux
  12. OS Hardening(2)
     - Using nmap to detect unwanted open ports:
       $ nmap abc.zzzzz.com
       Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
       Interesting ports on abc.zzzz.com (
       (The 1587 ports scanned but not shown below are in state: closed)
       1005/tcp open unknown
     - Close unwanted ports and stop services that are not needed.
     - Disable unused daemons from startup scripts.
  13. LIDS
     LIDS (www.lids.org) is a kernel patch for securing the server:
     - Protection of files
     - Protection of processes
     - Access control with ACLs
     - Security alerts from the kernel
     - Port scanner detector in the kernel
     [Diagram: LIDS access control inside the kernel, mediating file operations and process operations.]
  14. Integrity Checker
     - An integrity checker can be run on the server to determine the integrity of important files and binaries.
     - The integrity checker computes checksums of all important files and compares them with reference values.
     - Run tripwire from a crontab entry:
       15 05 * * * root /usr/local/adm/tcheck/tripwire
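The slide describes the mechanism (checksum important files, compare with a reference) but not what a deviation report looks like. As an added example that is not tripwire's code, the shell functions below implement that mechanism: make_baseline records a SHA-256 checksum per file, check_integrity reports files that changed, disappeared or appeared. It assumes sha256sum, find and mktemp are available and that the baseline is kept outside the checked directory; the demo directory contents are constructed.

```shell
#!/bin/sh
# Added example: a minimal file integrity checker in the spirit of the
# tripwire run above. It is not tripwire's own code. The reference file
# uses the sha256sum format ("<hash>  <path>"), so it can be checked by hand.

# make_baseline DIR BASELINE: record a checksum for every regular file
# under DIR. Keep BASELINE outside DIR (and ideally on read-only media).
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# check_integrity DIR BASELINE: print CHANGED/MISSING/NEW lines for any
# deviation from the baseline; exit 0 if nothing deviates, 1 otherwise.
# Paths containing whitespace are not handled (awk splits on blanks).
check_integrity() {
    current=$(mktemp)
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$current"
    report=$(awk '
        NR == FNR { base[$2] = $1; next }          # first file: baseline
        { cur[$2] = $1 }                           # second file: current state
        END {
            for (p in base)
                if (!(p in cur)) print "MISSING " p
                else if (cur[p] != base[p]) print "CHANGED " p
            for (p in cur) if (!(p in base)) print "NEW " p
        }' "$2" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# demo: build a constructed directory, take a baseline, then alter it.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc"
    printf 'root:x:0:0\n' > "$work/etc/passwd"
    printf 'sshd config v1\n' > "$work/etc/sshd_config"
    make_baseline "$work/etc" "$work/baseline.sha256"
    printf 'sshd config v2\n' > "$work/etc/sshd_config"   # modified
    rm "$work/etc/passwd"                                  # removed
    printf 'unexpected\n' > "$work/etc/unexpected.conf"    # added
    check_integrity "$work/etc" "$work/baseline.sha256"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Scheduled from cron as the slide shows, a non-zero exit or any printed line is the signal to alert on.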
  15. Securing Application
     - Using HTTPS for web based applications.
     - Using GPG for encrypting password files.
     - Using RPM signing for updating patches and installables.
  16. HTTPS(1)
     - Ability to connect to the server via HTTP secure.
     - Consists of:
       - Generating key
       - Generating certificate signing request
       - Generating self signed certificate
       - CA signed certificate
       - Configuring web server.
  17. HTTPS(2)
     - OpenSSL: http://www.openssl.com/
     - Generate key:
       openssl genrsa -rand rt.txt 1024 > $APACHE_CONF_DIR/ssl/https.key
     - Generate CSR:
       openssl req -new -key $APACHE_CONF_DIR/ssl/https.key > $APACHE_CONF_DIR/ssl/https.csr
     - Generate certificate (self signed, valid for 30 days):
       openssl req -x509 -days 30 -key $APACHE_CONF_DIR/ssl/https.key -in $APACHE_CONF_DIR/ssl/https.csr > $APACHE_CONF_DIR/ssl/https.crt
     - Validate certificate:
       openssl x509 -noout -text -in $APACHE_CONF_DIR/ssl/https.crt
  18. Apache configuration for HTTPS
     - SSLCertificateFile $APACHE_CONF_DIR/ssl.crt/https.crt
     - SSLCertificateKeyFile $APACHE_CONF_DIR/ssl.key/https.key
     - The above lines need to be configured in Apache's httpd.conf; the paths must point to where the certificate and key were written in the previous step.
  19. GPG
     - Encryption of an application specific password file can be accomplished using:
       gpg -c file.txt
     - Retrieval is done using:
       gpg file.txt.gpg
     - The same pass phrase needs to be used for both encrypting and decrypting.
  20. Signed images and patches(1)
     - RPM can be used to create images and patches.
     - RPM signing can be used to sign the image and patches, so the recipient can determine whether the patch is from the application vendor.
     - Create a public/private key pair:
       # gpg --gen-key
  21. Signed images and patches(2)
     - Edit the file /etc/rpm/macros:
       %_signature gpg
       %_gpg_name xxx <yyy@zzz.com>
       %_gpg_path /root/.gpg
       %_gpgbin /usr/bin/gpg
     - Sign rpms:
       rpm -bb -vv --sign <rpm_spec.name>
  22. Signed images and patches(3)
     - For verification, import the vendor's public key into the keyring under <login_dir>/.gpg:
       gpg --import <public_key>
     - Check the signature on the package:
       rpm --checksign <rpm_name>
       test-1.0-0.i386.rpm.orig: gpg md5 OK
  23. Cost Benefit Analysis
     - The commercial solutions cost at least $10,000 to implement, e.g. one firewall, one IDS, an AAA solution etc.
     - The open source solution does not have any cost.
     - The support on commercial solutions may be better.
     - But with the wider usage of open source solutions in Linux, getting security updates is much faster.
  24. Conclusion
     - The security needs of server and application need to be met with a comprehensive set of tools.
     - The level at which security tools are deployed is related to the business dependency on the server and application.
     - In addition to protecting against internal attacks, these mechanisms and tools also help small organizations protect against external attacks.
  25. References
     - Tripwire Integrity Checker: http://www.tripwire.com
     - NMAP: www.insecure.org/nmap/
     - OpenSSL: http://www.openssl.org
     - Apache Web server: http://www.apache.org
     - Linux HOWTOs: http://www.tldp.org
     - LIDS: www.lids.org
     - Openwall: http://www.openwall.com/linux
  26. Questions
     B.C. Sekar
     HCL Technologies Limited,
     158, NSK Salai, Vadapalani,
     Chennai - 600026.
     Phone - +91-44-3750171
     http://www.hcltechnologies.com
     [email_address]