Convert your Linux box into a
security gateway Part-1
By
Murtuja Bharmal
void@null.co.in
About Me
• Now Work Busy Man….
• Unemployed….
• Interest…. /dev/random….
• Co-founder of null…. :-D
• Ex-IBMer…..
• Dal-roti ka jugad (earning my daily bread): Security Consulting/Training
Prerequisites
• Basic concepts of networking, routing and NAT.
• Knowledge of the TCP/IP model and the common
protocols: IP, TCP, UDP, ICMP, DNS, HTTP/S,
SMTP, FTP etc.
• How to Install and use Linux OS
• Some hands on Linux command line
Full Picture
• Security Features of Linux..
• Hardening OS
• Firewall Concept/Configuration
• VPN Concept/Configuration
• IDS/IPS Concept/Configuration
• Proxy Concept/Configuration
• Antivirus Concept/Configuration
• Hardening services, e.g. web server, mail
server, database etc.
Agenda for Today
• Hardening OS
– Minimizing Services
– Kernel Parameters
– Password Policies
– No Login Shell for System accounts
– Disable Core dumps
– Securing SSH login
Agenda for Today (Cont.)
• IPTables Firewall
– tables
– Chains
– Traversing of tables and chains
– Basic Operations
– iptables Parameters
– iptables targets and jumps
– iptables matches
– Netfilter modules
– iptables Commands
– Policy
– iptables Rules
Minimizing Services
• 1. portmap – Used with Remote procedure call services. Listens on port 111.
• 2. nfslock – Used with Network File Sharing services. Listens on random registered ports.
• 3. avahi-daemon – Multicast DNS service. Listens on (Multicast) UDP port 5353.
• 4. cups – Printer service. Listens on port 631.
• 5. gpm: Cut/Paste utility for virtual consoles.
• 6. hidd: Bluetooth HID service.
• 7. mcstrans – required By SELinux.
• 8. xfs – X Font server for X windows system.
• 9. netfs – Automounting of shared network file space such as NFS, Samba, etc on bootup.
• 10. setroubleshoot – SELinux Troubleshooting Daemon.
• 11. pcscd – Provides support for Smart Cards and Smart Card Readers.
• 12. rpcidmapd – Used for Net File Sharing V4.
• 13. restorecond – Complementary service to SELinux.
• 14. rpcgssd – Used for Net File Sharing V4.
• 15. mdmonitor – A monitoring Software RAID or LVM information.
• 16. microcode_ctl – A microcode utility for use with Intel IA32 processors.
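Before disabling anything, look at what actually listens. The script below is an added example, not part of the original slides: it parses the output of netstat -tulpn (run as root so the PID/Program column is filled in) and reports every listener that is not on an allow list, together with the program that owns it, so the disable list is driven by evidence from the box rather than by a generic checklist. The sample netstat output and the allow list (tcp 22, 80 and 443) are constructed for the example; disable_service assumes SysV init scripts (service/chkconfig), as on the RHEL/CentOS releases this deck targets.

```shell
#!/bin/sh
# Listening-socket audit: report every listener that is not on an allow list,
# with the program that owns it. Input is `netstat -tulpn` output (run as root
# so the PID/Program column is filled in); the sample below is constructed.

# "proto:port" pairs the gateway is expected to expose. Assumed for this
# example: only SSH and HTTP/HTTPS belong on the box.
ALLOWED="${ALLOWED:-tcp:22 tcp:80 tcp:443}"

# unexpected_listeners [netstat-file]  (reads stdin if no file is given)
# Prints "proto port program" for each listener outside ALLOWED, once per socket.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Data lines start with tcp, tcp6, udp or udp6; header lines do not.
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            n = split($4, f, ":"); port = f[n]          # "0.0.0.0:111" or ":::22" -> last field
            prog = $NF; sub(/^[0-9]+\//, "", prog)      # "1021/portmap" -> "portmap"; "-" if unknown
            key = proto ":" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print proto, port, prog }
        }' "$@"
}

# disable_service <initscript>: stop the daemon now and remove it from every
# runlevel. Assumes SysV init (service/chkconfig) as on RHEL/CentOS 5 and 6.
disable_service() {
    service "$1" stop && chkconfig "$1" off
}

# Constructed netstat -tulpn output for a box that still runs the deck's
# portmap, cups and avahi-daemon next to sshd and httpd.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1021/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1254/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1310/cupsd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1402/httpd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1188/avahi-daemon
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1021/portmap
EOF
}

# On a real host:      netstat -tulpn | unexpected_listeners
# On the sample data:  sample_netstat | unexpected_listeners
# Then map each program to its init script (cupsd -> cups) and run disable_service on it.
```

The audit deliberately keys on proto:port rather than on program name, so a daemon that was renamed or replaced by something else listening on the same port still shows up; a port bound to 127.0.0.1 only (cupsd above) is still reported, because a local-only listener is still reachable from any compromised local process.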
Kernel Parameters
• Put these in /etc/sysctl.conf and apply with sysctl -p. The net.ipv4.conf.all.* keys cover interfaces that exist now; set the matching net.ipv4.conf.default.* keys as well, or interfaces brought up later (VPN tunnels, hot-plugged NICs) come up with the kernel defaults.
• net.ipv4.conf.all.send_redirects = 0 – do not emit ICMP redirects; a gateway should not be re-routing its neighbours
• net.ipv4.conf.default.send_redirects = 0
• net.ipv4.conf.all.accept_redirects = 0 – ignore ICMP redirects, which an attacker on the segment can use to pull traffic through his host
• net.ipv4.conf.default.accept_redirects = 0
• net.ipv4.conf.all.accept_source_route = 0 – drop source-routed packets
• net.ipv4.conf.all.rp_filter = 1 – reverse-path filtering: drop packets whose source address would not be routed back out the interface they arrived on (anti-spoofing)
• net.ipv4.conf.all.log_martians = 1 – log packets with impossible source addresses
• net.ipv4.icmp_echo_ignore_broadcasts = 1 – do not answer broadcast pings (smurf amplification)
• net.ipv4.icmp_ignore_bogus_error_responses = 1 – do not fill the log with malformed ICMP errors
• net.ipv4.tcp_max_syn_backlog = 4096 – larger half-open connection queue under SYN floods
• kernel.exec-shield = 1 – Red Hat specific (RHEL 5/6 kernels only); the key does not exist on mainline kernels
• kernel.randomize_va_space = 2 – full ASLR. A value of 1 randomises stack, mmap and VDSO but leaves the heap (brk) base predictable, so use 2.
Password Policy
• /etc/pam.d/system-auth
– password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
(at least 8 characters including at least one digit, one upper-case, one lower-case and one other character; a negative credit is a minimum count, a positive one only shortens the required length)
– password sufficient pam_unix.so <existing options> remember=5
(keep the options already on that line, typically sha512 shadow try_first_pass use_authtok, and append remember=5 so the last five hashes, kept in /etc/security/opasswd, cannot be reused)
• /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_LEN 8
PASS_WARN_AGE 14
MD5_CRYPT_ENAB no
ENCRYPT_METHOD SHA512
(these apply to accounts created afterwards; set ageing on existing accounts with chage, and MD5 hashes already in /etc/shadow are only replaced at the next password change)
• /etc/libuser.conf
crypt_style = sha512
No Login Shell for System accounts
• Service accounts never log in interactively, so give them /sbin/nologin: a leaked or guessed password for such an account then yields no shell, and an attacker who owns the service cannot su to it either.
• usermod -s /sbin/nologin news
• usermod -s /sbin/nologin mysql
• Repeat for every account below the system UID range that still has a real shell in /etc/passwd.
Disable Core Dump
• A core file is a copy of a crashed process's memory and can contain passwords, keys and session data.
• /etc/profile
– ulimit -S -c 0 > /dev/null 2>&1 (soft limit for login shells; a user can raise it again, up to the hard limit)
• /etc/security/limits.conf
– * hard core 0 (hard limit for every user; nobody can raise it)
• sysctl -w fs.suid_dumpable=0 (setuid programs never dump, so privileged memory cannot be read by the unprivileged owner of the process; add fs.suid_dumpable = 0 to /etc/sysctl.conf so it survives a reboot)
Securing SSH
• /etc/ssh/sshd_config
– PermitRootLogin no (log in as a named user and escalate with sudo/su; brute force then has to guess the user name too, and every action is attributable)
– PermitEmptyPasswords no
– IgnoreRhosts yes (never trust ~/.rhosts for authentication)
– UsePrivilegeSeparation yes
– Protocol 2 (SSH protocol 1 is cryptographically broken; on OpenSSH 7.4 and later protocol 1 is gone and privilege separation is always on, so these two lines are no-ops there)
– X11Forwarding no
• Check the file with sshd -t and keep an existing session open while restarting sshd, so a typo does not lock you out of a remote gateway.
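Settings like the ones above are easy to apply and just as easy to lose to a later package update or a second sysctl file that overrides the first. The script below is an added example, not part of the original slides: three checks that read a sysctl -a dump, an sshd_config and an /etc/passwd (as files or on stdin) and print one line per deviation, so a silent run is a pass. It follows the deck with two deliberate differences: kernel.randomize_va_space is expected to be 2 (full ASLR) and fs.suid_dumpable=0 from the core dump slide is included; kernel.exec-shield is left out because it exists only on Red Hat kernels, and UsePrivilegeSeparation is not checked because OpenSSH 7.5 and later ignore it. All sample inputs are constructed, and the UID cutoff of 500 for system accounts is the RHEL/CentOS 5 and 6 convention (use 1000 on newer distributions).

```shell
#!/bin/sh
# Hardening audit for the OS settings above: each check reads one file (or
# stdin) and prints a line per deviation, so a silent run is a pass. Sample
# inputs at the bottom are constructed; nothing here changes the system.

# Expected sysctl values: the deck's list without kernel.exec-shield (Red Hat
# kernels only), plus fs.suid_dumpable from the core dump slide, and
# kernel.randomize_va_space=2 rather than 1 so the heap is randomised too.
WANT_SYSCTL='
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_max_syn_backlog=4096
kernel.randomize_va_space=2
fs.suid_dumpable=0
'

# check_sysctl [sysctl -a output]: compares effective values with WANT_SYSCTL.
check_sysctl() {
    awk -v want="$WANT_SYSCTL" '
        BEGIN {
            n = split(want, w, "\n")
            for (i = 1; i <= n; i++) if (w[i] != "") { split(w[i], kv, "="); exp_[kv[1]] = kv[2] }
        }
        /^[a-z]/ { gsub(/ /, ""); split($0, kv, "="); cur[kv[1]] = kv[2] }   # "key = value" -> key, value
        END {
            for (k in exp_) {
                if (!(k in cur)) { print "sysctl", k, "missing" }
                else if (cur[k] != exp_[k]) { print "sysctl", k, "is", cur[k], "want", exp_[k] }
            }
        }' "$@"
}

# check_sshd [sshd_config]: the directives the deck requires. Keywords are
# case-insensitive and the last occurrence wins, as in sshd itself.
# UsePrivilegeSeparation is not checked: OpenSSH 7.5+ ignores it.
check_sshd() {
    awk '
        BEGIN {
            want["PermitRootLogin"] = "no"; want["PermitEmptyPasswords"] = "no"
            want["IgnoreRhosts"] = "yes";   want["X11Forwarding"] = "no"; want["Protocol"] = "2"
        }
        /^[ \t]*#/ || NF < 2 { next }
        { for (k in want) if (tolower(k) == tolower($1)) got[k] = tolower($2) }
        END {
            for (k in want) {
                if (!(k in got)) { print "sshd", k, "unset" }
                else if (got[k] != tolower(want[k])) { print "sshd", k, "is", got[k], "want", want[k] }
            }
        }' "$@"
}

# check_shells [passwd]: system accounts (UID < 500 on RHEL/CentOS 5 and 6;
# use 1000 on newer distributions) that still have an interactive shell.
check_shells() {
    awk -F: '$3 < 500 && $1 != "root" &&
             $7 !~ /(nologin|\/bin\/false|\/sbin\/shutdown|\/sbin\/halt|\/bin\/sync)$/ {
                 print "shell", $1, $7 }' "$@"
}

# Constructed inputs: a sysctl dump missing fs.suid_dumpable with two wrong
# values, an sshd_config that fixes PermitRootLogin late but leaves X11 on and
# IgnoreRhosts unset, and a passwd with news and mysql still on /bin/bash.
sample_sysctl() { cat <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_max_syn_backlog = 4096
kernel.randomize_va_space = 1
EOF
}
sample_sshd() { cat <<'EOF'
# constructed sshd_config
Protocol 2
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding yes
EOF
}
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
news:x:9:13:news:/etc/news:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
admin:x:500:500:Admin:/home/admin:/bin/bash
EOF
}
# On a real host:  sysctl -a | check_sysctl; check_sshd /etc/ssh/sshd_config; check_shells /etc/passwd
```

The sysctl check reads effective values (sysctl -a) rather than /etc/sysctl.conf on purpose: the file says what was intended, the running kernel says what is true, and the two drift apart whenever another file under /etc/sysctl.d or a boot script sets the same key later.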
Let's Start Playing with the Packet
Standard Network Architecture (Scenario 1)
• A Linux box acting as firewall/IDS/IPS/proxy/antivirus/VPN gateway with three interfaces:
– eth0, LAN side, 192.168.1.1, serving the local LAN 192.168.1.0/24 through a switch
– eth1, WAN side, public address 1.2.3.4 (the WAN segment also carries 1.2.3.5), default route 0.0.0.0/0 to the Internet
– eth2, DMZ side, 172.16.1.1, serving through a switch the web server 172.16.1.2 and the mail server 172.16.1.3
Server @ Data Center (Scenario 2)
• A single Linux based web/mail server with one interface, eth0, public address 1.2.3.4 and default route 0.0.0.0/0 to the Internet; iptables acts as a host firewall for the server's own traffic.
Important Files
• /etc/init.d/iptables (also reachable as service iptables <action>)
– start   Load the saved ruleset
– stop   Flush all rules and reset the policies to ACCEPT; the box is wide open while the service is stopped
– restart
– status   Show the loaded rules
– save   Write the running rules to /etc/sysconfig/iptables
• /etc/sysconfig/iptables   The ruleset loaded at boot (iptables-save format). Rules typed at the prompt live only in kernel memory and are lost on reboot unless saved here.
Tables & Chains
• mangle (packet alteration: TOS, TTL, marks)
– PREROUTING
– INPUT
– FORWARD
– OUTPUT
– POSTROUTING
• filter (accept/drop decisions; the default table when -t is omitted)
– INPUT
– FORWARD
– OUTPUT
• nat (address translation; consulted only for the first packet of a connection, the rest follow the tracked mapping)
– PREROUTING
– OUTPUT
– POSTROUTING
Scenario - 1 (traffic forwarded through the gateway: LAN <-> Internet, Internet <-> DMZ)
• Chains traversed, in order:
– mangle PREROUTING
– nat PREROUTING (DNAT happens here, before the routing decision, so later chains see the translated destination)
– mangle FORWARD
– filter FORWARD
– mangle POSTROUTING
– nat POSTROUTING (SNAT/MASQUERADE happens here, after the routing decision)
• INPUT and OUTPUT are never consulted for a forwarded packet; the nat table has no FORWARD chain.
Scenario - 2 (traffic to or from the box itself)
• Inbound, in order: mangle PREROUTING, nat PREROUTING, mangle INPUT, filter INPUT
• Outbound, in order: mangle OUTPUT, nat OUTPUT, filter OUTPUT, mangle POSTROUTING, nat POSTROUTING
Basic Operations
• -I chain [number]   Insert a new rule before rule number (default 1, the top of the chain)
• -A chain   Append a new rule at the end of the chain
• -R chain number   Replace rule number with the new rule
• -D chain number   Delete rule number (or -D chain <rule spec> to delete by content)
• -F [chain]   Flush the chain (delete all rules; every chain of the table if none is given)
• -N chain   Create a new user-defined chain
• -X chain   Delete an (empty) user-defined chain
• -P chain target   Set the default policy of a built-in chain: what happens to a packet that no rule matched (ACCEPT or DROP)
• -L [chain]   List the rules in the chain (-n skips DNS lookups, -v adds counters, --line-numbers shows the rule numbers that -I/-R/-D refer to)
Note: Rule "1" is the first rule in each chain. Rules are evaluated top to bottom and the first terminating match wins, so order matters.
iptables Parameters
• -p protocol   Match the specified protocol (tcp, udp, icmp or all)
• -s source   Match the source address or network, e.g. 192.168.1.0/24
• -d destination   Match the destination address or network
• -i incoming interface   Packets arriving on this interface (valid in PREROUTING, INPUT and FORWARD)
• -o outgoing interface   Packets departing on this interface (valid in FORWARD, OUTPUT and POSTROUTING)
• --sport   Match the source port of the packet (requires -p tcp or -p udp; a range is written low:high)
• --dport   Match the destination port of the packet (likewise)
Note: Most parameters can be preceded with "!" to invert the match, e.g. ! -s 192.168.1.0/24 matches everything that is not from the LAN.
Jump and Target
• Jump
-j target   Jump to a target (a user-defined chain or one of the built-in targets)
• Built-in targets include (among others)
– ACCEPT   Let the packet through; traversal of this chain stops
– LOG   Write a kernel log entry and continue with the next rule (non-terminating, so a LOG rule is usually followed by a DROP or REJECT)
– REJECT   Drop the packet and send back an error (TCP RST or ICMP unreachable)
– DROP   Discard the packet silently
– SNAT   Rewrite the source address to a fixed public address (nat table, POSTROUTING)
– DNAT   Rewrite the destination address, e.g. to publish a DMZ server (nat table, PREROUTING or OUTPUT)
– MASQUERADE   Source NAT to whatever address the outgoing interface currently has; for dial-up/DHCP WAN links (nat table, POSTROUTING)
– REDIRECT   Destination NAT to the firewall itself, e.g. for a transparent proxy (nat table, PREROUTING or OUTPUT)
iptables matches
• Stateful filtering parameters (connection tracking)
-m state --state <list>   Match on the connection-tracking state of the packet
NEW   First packet of a new connection (for TCP, a SYN that belongs to no tracked connection)
ESTABLISHED   Packet belongs to a connection that has already seen traffic in both directions, i.e. a reply
RELATED   New connection that is related to an existing one, e.g. an FTP data connection or an ICMP error about a tracked connection (needs the protocol helper module)
INVALID   Packet that cannot be associated with any connection (malformed or out of window); drop these
• On current kernels -m conntrack --ctstate is the equivalent match with the same state names.
Netfilter modules
• ip_conntrack.o   Connection tracking (the state the -m state match relies on)
• ip_conntrack_ftp.o   FTP connection tracking (lets RELATED match the data connection)
• ip_conntrack_irc.o   IRC connection tracking (DCC)
• ip_tables.o   iptables core support
• ipt_MASQUERADE.o   MASQUERADE target
• ipt_REDIRECT.o   REDIRECT target
• iptable_nat.o   The nat table
• iptable_filter.o   The filter table
• ip_nat_ftp.o   NAT of FTP control and data connections
• ip_nat_irc.o   NAT of IRC DCC
• ipt_ROUTE.o   ROUTE target (an out-of-tree patch-o-matic extension; unrelated to IP source routing)
• ipt_connmark.o   Connection marking (connmark match; CONNMARK is the matching target)
• These are 2.4 kernel names. On 2.6 and later the modules end in .ko, connection tracking is nf_conntrack* and NAT is nf_nat*; lsmod shows what is loaded, and the iptables command auto-loads what a rule needs.
Iptables Command
• Command to list rules
– filter table
• iptables -L -n -t filter -v
– nat table
• iptables -L -n -t nat -v
– mangle table
• iptables -L -n -t mangle -v
Policy
• The policy is what happens to a packet that no rule in a built-in chain matched. Deny by default, then allow explicitly:
• Set filter table policy to DROP for the INPUT chain
iptables -t filter -P INPUT DROP
• Set filter table policy to DROP for the FORWARD chain
iptables -t filter -P FORWARD DROP
• Set filter table policy to DROP for the OUTPUT chain
iptables -t filter -P OUTPUT DROP
Note: on a remote box do this from the console, or only after the rule allowing your own SSH session is in place; with OUTPUT DROP the gateway's own DNS, NTP and update traffic also needs explicit rules.
Rules
• Allow port 80 traffic from the local LAN to the Internet for scenario 1, with source NAT to the fixed public address.
Outgoing rule (request): new connections from the LAN, entering on eth0 and leaving on eth1
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Incoming rule (reply): only packets that belong to a tracked connection, so an unsolicited packet with source port 80 does not get in
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
NAT rule (source NAT): rewrite the LAN source to 1.2.3.4 on the way out; the kernel reverses the translation on the replies
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j SNAT --to-source 1.2.3.4
Note: -d 0.0.0.0/0 matches any destination and may be omitted. The nat rule only sees the first packet of each connection.
Rules
• Allow port 80 traffic from the local LAN to the Internet for scenario 1, with masquerading (for a WAN address assigned dynamically).
Outgoing rule (request)
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Incoming rule (reply)
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
Masquerading rule (source NAT to the current address of eth1)
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j MASQUERADE
Note: MASQUERADE also forgets its connection mappings when the interface goes down, which is what you want on a dial-up or DHCP link; with a fixed address SNAT is slightly cheaper.
Rules
• Allow port 80 traffic from the Internet to the web server in the DMZ, with destination NAT, for scenario 1.
Incoming rule (request): note that it matches the private address 172.16.1.2, because nat PREROUTING has already rewritten the destination by the time filter FORWARD runs
iptables -t filter -A FORWARD -i eth1 -o eth2 -m state --state NEW -s 0.0.0.0/0 -d 172.16.1.2 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Outgoing rule (reply)
iptables -t filter -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED -s 172.16.1.2 -d 0.0.0.0/0 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
DNAT rule (destination NAT): connections arriving on eth1 for 1.2.3.4:80 are redirected to the web server
iptables -t nat -A PREROUTING -i eth1 -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 1025:65535 --dport 80 -j DNAT --to-destination 172.16.1.2
Rules
• Allow port 80 traffic from the web server itself to the Internet for scenario 2. Locally generated traffic goes through OUTPUT and the replies come back through INPUT; there is no FORWARD on a single-homed host.
Outgoing rule (request)
iptables -t filter -A OUTPUT -o eth0 -m state --state NEW -s 1.2.3.4 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Incoming rule (reply)
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
Rules
• Allow port 80 traffic from the Internet to the web server for scenario 2.
Incoming rule (request)
iptables -t filter -A INPUT -i eth0 -m state --state NEW -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
Outgoing rule (reply)
iptables -t filter -A OUTPUT -o eth0 -m state --state ESTABLISHED -s 1.2.3.4 -d 0.0.0.0/0 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
Note: --sport 1025:65535 on the request assumes clients use unprivileged source ports; a client behind a badly behaved NAT may not, so on a public server consider leaving the --sport match off.
Performance tuning
• Accept everything that belongs to an already tracked connection before any other rule, so only the first packet of each connection walks the full rule list:
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
• These must come first in each chain (append them before the service rules, or insert them with -I). With them in place the per-port "reply" rules on the previous slides are no longer needed; only the NEW rules remain.
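Putting the slides together: the script below is an added example, not from the original deck, that builds the complete scenario 1 ruleset in the order the traversal slides imply and adds the pieces a working gateway needs that the individual rule slides leave out: enabling IP forwarding, accepting loopback, the ESTABLISHED,RELATED shortcut at the top of each chain (which makes the per-port reply rules unnecessary), dropping INVALID, and rate-limited logging of what falls through to the DROP policy. Interfaces and addresses are the deck's (eth0 LAN 192.168.1.0/24, eth1 WAN 1.2.3.4, eth2 DMZ web server 172.16.1.2). IPT, SYSCTL and APPLY are knobs of this example, not iptables features: set the first two to echo to review the generated commands before running the script as root.

```shell
#!/bin/sh
# Complete scenario 1 ruleset: LAN (eth0, 192.168.1.0/24) -> Internet on port 80
# behind the WAN address (eth1, 1.2.3.4), and Internet -> DMZ web server
# (eth2, 172.16.1.2) via DNAT. IPT and SYSCTL are knobs of this example only:
# set both to "echo" to print the commands instead of applying them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

LAN_IF=eth0; LAN_NET=192.168.1.0/24
WAN_IF=eth1; WAN_IP=1.2.3.4
DMZ_IF=eth2; WEB=172.16.1.2

scenario1_rules() {
    # Without forwarding enabled the kernel never consults FORWARD at all.
    "$SYSCTL" -w net.ipv4.ip_forward=1

    # Clean slate, then default deny in every filter chain (the Policy slide).
    "$IPT" -t filter -F
    "$IPT" -t nat -F
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P FORWARD DROP
    "$IPT" -t filter -P OUTPUT DROP

    # Loopback: local daemons (syslog, a caching resolver) break without it.
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    "$IPT" -t filter -A OUTPUT -o lo -j ACCEPT

    # Conntrack shortcut first in each chain: drop packets that belong to no
    # connection, accept everything that belongs to a tracked one. Replies are
    # handled here, so no per-port reply rules are needed below.
    for chain in INPUT OUTPUT FORWARD; do
        "$IPT" -t filter -A "$chain" -m state --state INVALID -j DROP
        "$IPT" -t filter -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # LAN -> Internet, port 80 only, masqueraded behind the WAN interface.
    "$IPT" -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW \
        -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Internet -> DMZ web server. nat/PREROUTING runs before the routing
    # decision, so filter/FORWARD sees the translated address 172.16.1.2.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB"
    "$IPT" -t filter -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -m state --state NEW \
        -d "$WEB" -p tcp --dport 80 -j ACCEPT

    # Rate-limited log of whatever is about to hit the DROP policy, so a port
    # scan shows up in syslog without being able to flood it.
    "$IPT" -t filter -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    "$IPT" -t filter -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
}

# Review:  IPT=echo SYSCTL=echo APPLY=1 sh gateway.sh
# Apply (as root, from the console):  APPLY=1 sh gateway.sh && service iptables save
if [ "${APPLY:-0}" = 1 ]; then scenario1_rules; fi
```

Two things to be aware of before applying it on a live box: INPUT is DROP with no SSH rule, so run it from the console (or add an INPUT rule for your management address first), and OUTPUT is DROP as on the Policy slide, so the gateway's own DNS, NTP and package updates need explicit OUTPUT rules before anything on the box can reach out.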
Questions?
Thank You
Murtuja Bharmal
void@null.co.in

 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

How to convert your Linux box into Security Gateway - Part 1

Minimizing Services
• 1. portmap – Used with Remote Procedure Call services. Listens on port 111.
• 2. nfslock – Used with Network File Sharing services. Listens on random registered ports.
• 3. avahi-daemon – Multicast DNS service. Listens on (multicast) UDP port 5353.
• 4. cups – Printer service. Listens on port 631.
• 5. gpm – Cut/paste utility for virtual consoles.
• 6. hidd – Bluetooth HID service.
• 7. mcstrans – Required by SELinux.
• 8. xfs – X font server for the X Window System.
• 9. netfs – Automounting of shared network file space such as NFS, Samba, etc. on bootup.
• 10. setroubleshoot – SELinux troubleshooting daemon.
• 11. pcscd – Provides support for smart cards and smart card readers.
• 12. rpcidmapd – Used for Network File Sharing v4 (NFSv4).
• 13. restorecond – Complementary service to SELinux.
• 14. rpcgssd – Used for Network File Sharing v4 (NFSv4).
• 15. mdmonitor – Monitors software RAID (md) or LVM status.
• 16. microcode_ctl – A microcode utility for use with Intel IA32 processors.
Kernel Parameters
• net.ipv4.conf.all.send_redirects = 0
• net.ipv4.conf.default.send_redirects = 0
• net.ipv4.tcp_max_syn_backlog = 4096
• net.ipv4.icmp_echo_ignore_broadcasts = 1
• net.ipv4.conf.all.accept_source_route = 0
• net.ipv4.conf.all.accept_redirects = 0
• net.ipv4.conf.all.log_martians = 1
• net.ipv4.conf.default.accept_redirects = 0
• net.ipv4.icmp_ignore_bogus_error_responses = 1
• net.ipv4.conf.all.rp_filter = 1
• kernel.exec-shield = 1
• kernel.randomize_va_space = 1
Password Policy
• /etc/pam.d/system-auth
– password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
– password sufficient pam_unix.so [existing options] remember=5
• /etc/login.defs
– PASS_MAX_DAYS 90
– PASS_MIN_LEN 8
– PASS_WARN_AGE 14
– MD5_CRYPT_ENAB no
– ENCRYPT_METHOD SHA512
• /etc/libuser.conf
– crypt_style = sha512
No Login Shell for System Accounts
• usermod -s /sbin/nologin news
• usermod -s /sbin/nologin mysql
Disable Core Dump
• /etc/profile
– ulimit -S -c 0 > /dev/null 2>&1
• /etc/security/limits.conf
– * hard core 0
• sysctl -w fs.suid_dumpable=0
Securing SSH
• /etc/ssh/sshd_config
– PermitRootLogin no
– PermitEmptyPasswords no
– IgnoreRhosts yes
– UsePrivilegeSeparation yes
– Protocol 2
– X11Forwarding no
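The settings from the Kernel Parameters, Disable Core Dump and Securing SSH slides, applied with an idempotent setter, as an added example that is not part of the original slides. The point it shows is the part the slides leave implicit: the hardening lines must replace an existing (often commented-out) entry rather than be appended blindly, otherwise the last duplicate wins and a re-run silently changes nothing. Each function takes the target file as an argument so it can be exercised on a scratch copy before /etc is touched; the file names in the usage comments are the slides' own, and the function names (set_kv, check_kv, apply_sysctl, apply_sshd) are this example's.

```shell
#!/bin/sh
# Added example, not from the slides: idempotent "key value" setters for the
# hardening files named on the slides. Each function takes the file path as its
# first argument, so the logic can be exercised on a scratch copy first.

# regex_escape STRING: escape the dots in a sysctl key for use in a regex.
regex_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# set_kv FILE KEY VALUE SEP: rewrite the existing KEY line (commented out or
# not) as "KEY<SEP>VALUE", or append it if no such line exists. SEP is " = "
# for sysctl.conf / libuser.conf style and " " for sshd_config / login.defs.
set_kv() {
    file=$1; key=$2; value=$3; sep=$4
    pat=$(regex_escape "$key")
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[#[:space:]]*$pat[[:space:]=]" "$file"; then
        # sed -i is not POSIX: write a temp file and move it into place.
        sed -E "s|^[#[:space:]]*$pat[[:space:]=].*|$key$sep$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# check_kv FILE KEY VALUE: succeed only if an uncommented line sets KEY to VALUE.
check_kv() {
    grep -Eq "^$(regex_escape "$2")[[:space:]]*=?[[:space:]]*$3[[:space:]]*$" "$1"
}

# apply_sysctl FILE: the Kernel Parameters slide plus fs.suid_dumpable from the
# Disable Core Dump slide. Usage: apply_sysctl /etc/sysctl.conf && sysctl -p
# (kernel.exec-shield exists only on older RHEL kernels; sysctl -p warns elsewhere).
apply_sysctl() {
    for kv in \
        net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.default.send_redirects=0 \
        net.ipv4.tcp_max_syn_backlog=4096 \
        net.ipv4.icmp_echo_ignore_broadcasts=1 \
        net.ipv4.conf.all.accept_source_route=0 \
        net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.default.accept_redirects=0 \
        net.ipv4.conf.all.log_martians=1 \
        net.ipv4.icmp_ignore_bogus_error_responses=1 \
        net.ipv4.conf.all.rp_filter=1 \
        kernel.exec-shield=1 \
        kernel.randomize_va_space=1 \
        fs.suid_dumpable=0
    do
        set_kv "$1" "${kv%%=*}" "${kv#*=}" " = "
    done
}

# apply_sshd FILE: the Securing SSH slide. Usage: apply_sshd /etc/ssh/sshd_config,
# then "sshd -t" to syntax-check the file before restarting the daemon.
apply_sshd() {
    set_kv "$1" PermitRootLogin no " "
    set_kv "$1" PermitEmptyPasswords no " "
    set_kv "$1" IgnoreRhosts yes " "
    set_kv "$1" UsePrivilegeSeparation yes " "
    set_kv "$1" Protocol 2 " "
    set_kv "$1" X11Forwarding no " "
}
```

check_kv is the verification step a practitioner wants after the change: it only accepts an uncommented line with exactly the intended value, so a leftover "#PermitRootLogin yes" or a second, later "PermitRootLogin yes" is not mistaken for a hardened configuration. The usermod -s /sbin/nologin and limits.conf lines from the neighbouring slides are not key/value settings and are left to be run as the slides show them.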
Let's Start Playing with the Packet
Standard Network Architecture (Scenario 1)
• Linux based Firewall/IDS/IPS/Proxy/Antivirus/VPN gateway with three interfaces:
– LAN: eth0 192.168.1.1, switch to Local LAN 192.168.1.0/24
– WAN: eth1 1.2.3.4 (1.2.3.5 also shown on the WAN side), Internet 0.0.0.0/0
– DMZ: eth2 172.16.1.1, switch to Web Server 172.16.1.2 and Mail Server 172.16.1.3
Server @ Data Center (Scenario 2)
• Linux based Web Server/Mail Server with a single interface, eth0 1.2.3.4, facing the Internet 0.0.0.0/0 directly
Important Files
• /etc/init.d/iptables
– start
– stop
– restart
– status
• /etc/sysconfig/iptables
Tables & Chains
• mangle
– PREROUTING
– INPUT
– FORWARD
– OUTPUT
– POSTROUTING
• filter
– INPUT
– FORWARD
– OUTPUT
• nat
– PREROUTING
– OUTPUT
– POSTROUTING
Scenario - 1 (traffic forwarded through the gateway)
• Tables
– mangle: PREROUTING, FORWARD, POSTROUTING
– filter: FORWARD
– nat: PREROUTING, POSTROUTING
Scenario - 2 (traffic to and from the server itself)
• Tables
– mangle: PREROUTING, INPUT, OUTPUT, POSTROUTING
– filter: INPUT, OUTPUT
– nat: PREROUTING, POSTROUTING, OUTPUT
Basic Operations
• -I number  Insert a new rule before rule number
• -A  Append a new rule at the end of the chain
• -R number  Replace rule number with a new rule
• -D number  Delete rule number
• -F  Flush the chain (delete all rules)
• -N chain  Create a new user-defined chain (specify name)
• -X chain  Delete a user-defined chain
• -P chain target  Set the default policy (target) for the specified chain
• -L chain  List the rules in the chain
Note: Rule “1” is the first rule in each chain.
Iptables Parameters
• -p protocol  Matches the specified protocol
• -s source  Matches the source address
• -d destination  Matches the destination address
• -i incoming interface  Packets arriving on this interface
• -o outgoing interface  Packets departing on this interface
• --sport  Matches the source port of the packet
• --dport  Matches the destination port of the packet
Note: Most of the parameters can be preceded with “!” to invert the match.
Jump and Target
• Jump: -j target  Jump to target (a user-defined chain or a predefined target)
• Targets include (among others):
– LOG  Make a log entry and continue (otherwise a no-op)
– REJECT  Drop the packet and send back an error response
– DROP  Drop the packet without responding
– SNAT  Source network address translation
– DNAT  Destination network address translation
– MASQUERADE  Source NAT in a dial-up context (dynamically assigned address)
– REDIRECT  Destination set to the local (firewall) host
Iptables Matches
• Stateful filtering parameters
– -m state  Causes matching on the state of the traffic
– --state NEW  New communication request
– --state ESTABLISHED  Reply to a previous packet
– --state RELATED  Like ESTABLISHED, but for special cases where the packet is not strictly a reply packet
Netfilter Modules
• ip_conntrack.o  Connection tracking
• ip_conntrack_ftp.o  FTP connection tracking
• ip_conntrack_irc.o  IRC connection tracking
• ip_tables.o  IPTABLES support
• ipt_MASQUERADE.o  MASQUERADE target
• ipt_REDIRECT.o  REDIRECT target
• ipt_nat.o  NAT support
• iptable_filter.o  General filtering support
• ipt_nat_ftp.o  NAT of FTP protocol
• ipt_nat_irc.o  NAT of IRC protocol
• ipt_route.o  Source routing
• ipt_connmark.o  Connection marking
Iptables Commands
• Commands to list rules
– filter table: iptables -L -n -t filter -v
– nat table: iptables -L -n -t nat -v
– mangle table: iptables -L -n -t mangle -v
Policy
• Set filter table policy to DROP for the INPUT chain
– iptables -t filter -P INPUT DROP
• Set filter table policy to DROP for the FORWARD chain
– iptables -t filter -P FORWARD DROP
• Set filter table policy to DROP for the OUTPUT chain
– iptables -t filter -P OUTPUT DROP
Rules
• Write a rule to allow port 80 traffic from the local LAN to the Internet for scenario 1 with source NAT.
– Outgoing rule (request):
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
– Incoming rule (reply):
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
– NAT rule (source NAT):
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j SNAT --to-source 1.2.3.4
Rules
• Write a rule to allow port 80 traffic from the local LAN to the Internet for scenario 1 with masquerading.
– Outgoing rule (request):
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state NEW -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
– Incoming rule (reply):
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 192.168.1.0/24 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
– Masquerading rule (source NAT):
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j MASQUERADE
Rules
• Write a rule to allow port 80 traffic from the Internet to the web server in the DMZ with destination NAT for scenario 1.
– Incoming rule (request):
iptables -t filter -A FORWARD -i eth1 -o eth2 -m state --state NEW -s 0.0.0.0/0 -d 172.16.1.2 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
– Outgoing rule (reply):
iptables -t filter -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED -s 172.16.1.2 -d 0.0.0.0/0 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
– NAT rule (destination NAT; PREROUTING runs before the filter FORWARD chain, so the filter rule above matches on the private address 172.16.1.2):
iptables -t nat -A PREROUTING -i eth1 -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 1025:65535 --dport 80 -j DNAT --to-destination 172.16.1.2
Rules
• Write a rule to allow port 80 traffic from the web server to the Internet for scenario 2.
– Outgoing rule (request):
iptables -t filter -A OUTPUT -o eth0 -m state --state NEW -s 1.2.3.4 -d 0.0.0.0/0 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
– Incoming rule (reply):
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
Rules
• Write a rule to allow port 80 traffic from the Internet to the web server for scenario 2.
– Incoming rule (request):
iptables -t filter -A INPUT -i eth0 -m state --state NEW -s 0.0.0.0/0 -d 1.2.3.4 -p tcp --sport 1025:65535 --dport 80 -j ACCEPT
– Outgoing rule (reply):
iptables -t filter -A OUTPUT -o eth0 -m state --state ESTABLISHED -s 1.2.3.4 -d 0.0.0.0/0 -p tcp --sport 80 --dport 1025:65535 -j ACCEPT
Performance Tuning
• iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
• iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
• iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
• Placed at the top of each chain, these three rules accept every reply packet of an already-accepted connection on the first match, so only the first (NEW) packet of a connection has to be evaluated against the rest of the rule list, and the per-direction reply rules above become unnecessary.
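The policy, rule and performance tuning slides for scenario 1 combined into one ordered script, as an added example that is not part of the original slides. It shows what the slides present one command at a time: flush, fail-closed policies on all three filter chains, the ESTABLISHED,RELATED rules first, and only then the NEW-state forwarding rules with their SNAT and DNAT counterparts. The addresses and interface names (eth0/192.168.1.0/24, eth1/1.2.3.4, eth2/172.16.1.2) are the slides' own; the ipt wrapper, the DRY_RUN switch, the loopback rules and the rule_position helper are this example's additions.

```shell
#!/bin/sh
# Added example, not from the slides: the Scenario 1 gateway rule set assembled
# in the order it must be loaded. With DRY_RUN=1 the iptables commands are
# printed instead of executed, so the rule set can be reviewed (or diffed
# against the previous version) before it is loaded as root.

LAN_IF=eth0;  LAN_NET=192.168.1.0/24
WAN_IF=eth1;  WAN_IP=1.2.3.4
DMZ_IF=eth2;  WEB_IP=172.16.1.2
EPHEMERAL=1025:65535

# ipt ARGS...: run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# scenario1_rules: emit or apply the full rule set.
scenario1_rules() {
    # 1. Start clean and fail closed: default DROP on every filter chain
    #    (FORWARD and OUTPUT as well, not only INPUT).
    ipt -t filter -F; ipt -t nat -F; ipt -t mangle -F
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT DROP

    # 2. Performance tuning slide: replies of already-accepted connections
    #    match here, so the remaining rules only need to cover NEW packets.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -t filter -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Loopback is not on the slides; without it a DROP policy on INPUT/OUTPUT
    # breaks local services on the gateway itself.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A OUTPUT -o lo -j ACCEPT

    # 3. LAN -> Internet HTTP with source NAT.
    ipt -t filter -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state NEW \
        -s $LAN_NET -p tcp --sport $EPHEMERAL --dport 80 -j ACCEPT
    ipt -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -p tcp --dport 80 \
        -j SNAT --to-source $WAN_IP

    # 4. Internet -> DMZ web server with destination NAT. The DNAT is done in
    #    nat/PREROUTING, so the filter rule sees the private address.
    ipt -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 \
        -j DNAT --to-destination $WEB_IP
    ipt -t filter -A FORWARD -i $WAN_IF -o $DMZ_IF -m state --state NEW \
        -d $WEB_IP -p tcp --dport 80 -j ACCEPT
}

# rule_position LISTING PATTERN: 1-based line of the first command in a
# dry-run listing that matches PATTERN, or 0 if absent (used to check order).
rule_position() {
    n=$(printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Usage: "sh fw.sh show" prints the rule set; "sh fw.sh apply" loads it (as root).
case "${1:-}" in
    show)  DRY_RUN=1 scenario1_rules ;;
    apply) scenario1_rules ;;
esac
```

Because the OUTPUT policy is DROP and only loopback and established traffic are accepted, the gateway's own outbound connections (DNS lookups, package updates) need INPUT/OUTPUT rules of their own, written the way the scenario 2 slides show them; the dry-run listing makes such gaps visible before a rule set is loaded and saved to /etc/sysconfig/iptables.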