Linux Server Hardening - Steps by StepsSunil Paudel
Linux Server Hardening
This document has the step by step of the way of hardening the server. We have used the metasploitable server, the vulnerable ubuntu server designed to be hacked, and have done the hardening. We have stopped all the unnecessary services and ports. We have assumed the server to be the web server only. Hence, only port 80 and 443 will be opened. Then the firewall rules have been set following by the apache web server hardening, encryption of the folder and files, disabling the unwanted users, forcing the password policies.
So you think the systems at your employer can actually use a little bit more security? Or what about your own system to gain more privacy? In this talk, we discuss the reasons for Linux server and system hardening. First we learn why we should protect our crown jewels, and what can wrong if we ignore information security. Next is getting a better understanding of the possible resources we can use. And since system hardening can be time-consuming, we discuss some tools to help in the system hardening quest.
Linux is considered to be a secure operating system by default. Still there is a lot to learn about system hardening and technical auditing. This 1-hour presentation explains the need for hardening and auditing of your systems. We discussed some additional documents and tools, to further help this endeavor.
This presentation is suitable for both beginners and those with experience in system hardening.
Linux Server Hardening - Steps by StepsSunil Paudel
Linux Server Hardening
This document has the step by step of the way of hardening the server. We have used the metasploitable server, the vulnerable ubuntu server designed to be hacked, and have done the hardening. We have stopped all the unnecessary services and ports. We have assumed the server to be the web server only. Hence, only port 80 and 443 will be opened. Then the firewall rules have been set following by the apache web server hardening, encryption of the folder and files, disabling the unwanted users, forcing the password policies.
So you think the systems at your employer can actually use a little bit more security? Or what about your own system to gain more privacy? In this talk, we discuss the reasons for Linux server and system hardening. First we learn why we should protect our crown jewels, and what can wrong if we ignore information security. Next is getting a better understanding of the possible resources we can use. And since system hardening can be time-consuming, we discuss some tools to help in the system hardening quest.
Linux is considered to be a secure operating system by default. Still there is a lot to learn about system hardening and technical auditing. This 1-hour presentation explains the need for hardening and auditing of your systems. We discussed some additional documents and tools, to further help this endeavor.
This presentation is suitable for both beginners and those with experience in system hardening.
Load Balancing MySQL with HAProxy - SlidesSeveralnines
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
All about Firewalls ,IPS IDS and the era of UTM in a nutshellHishan Shouketh
The Following report shows the Evolution of the fire wall from the most basic technology’s used to current methods and technological advances in modern firewall design. The author has referred to many articles and related website to get data in to this report. Purpose was to see how the changing modern network infrastructure and the new type of working patterns has affected the firewall technology and design.
The study has on this report has researched the modern network security threats, and what type of measures has been taken to overcome these issues throng the existing firewall technology’s.
Results has shown that modern network needs a multilayered security architecture to protect network environments conclusion was to use the UTM and Next generation firewalls to solve to problem.
Report Also Suggest the new paradigm on Cloud firewall services NBFW (Network base firewall services) as a Solution for ever-growing Security needs
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
http://www.slideshare.net/AhmetGrel1/linuxa-giris-ve-kurulum
Bu döküman linkte ki bir önceki dökümanın devamıdır.Bu sunumda Temel Linux Kullanımı ve Komutlarını anlatmaya çalıştım.şinize yaraması dileğiyle iyi çalışmalar.Soru,görüş ve önerileriniz için ahmetgurel.yazilim@gmail.com a mail atabilirsiniz.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Přednáška: Hardening Linuxových systemů a představení distribuce Securix GNU/Linux
Přednáška se bude věnovat možnostem zabezpečení Linuxových systémů od té nejnižší až po aplikační vrstvu. Představí možnosti zvýšení bezpečnosti použitelných na všech linuxových distribucích až po MLS (Multi-Level Security) systémy typu Grsec a PaX, které jsou schopné detailního vymezení opravnění a přístupu k resourcům každé aplikace.
Load Balancing MySQL with HAProxy - SlidesSeveralnines
Agenda:
* What is HAProxy?
* SQL Load balancing for MySQL
* Failure detection using MySQL health checks
* High Availability with Keepalived and Virtual IP
* Use cases: MySQL Cluster, Galera Cluster and MySQL Replication
* Alternative methods: Database drivers with inbuilt cluster support, MySQL proxy, MaxScale, ProxySQL
All about Firewalls ,IPS IDS and the era of UTM in a nutshellHishan Shouketh
The Following report shows the Evolution of the fire wall from the most basic technology’s used to current methods and technological advances in modern firewall design. The author has referred to many articles and related website to get data in to this report. Purpose was to see how the changing modern network infrastructure and the new type of working patterns has affected the firewall technology and design.
The study has on this report has researched the modern network security threats, and what type of measures has been taken to overcome these issues throng the existing firewall technology’s.
Results has shown that modern network needs a multilayered security architecture to protect network environments conclusion was to use the UTM and Next generation firewalls to solve to problem.
Report Also Suggest the new paradigm on Cloud firewall services NBFW (Network base firewall services) as a Solution for ever-growing Security needs
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
http://www.slideshare.net/AhmetGrel1/linuxa-giris-ve-kurulum
Bu döküman linkte ki bir önceki dökümanın devamıdır.Bu sunumda Temel Linux Kullanımı ve Komutlarını anlatmaya çalıştım.şinize yaraması dileğiyle iyi çalışmalar.Soru,görüş ve önerileriniz için ahmetgurel.yazilim@gmail.com a mail atabilirsiniz.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
Martin Čmelík
Security-Portal.cz, Securix.org
http://www.security-session.cz
Přednáška: Hardening Linuxových systemů a představení distribuce Securix GNU/Linux
Přednáška se bude věnovat možnostem zabezpečení Linuxových systémů od té nejnižší až po aplikační vrstvu. Představí možnosti zvýšení bezpečnosti použitelných na všech linuxových distribucích až po MLS (Multi-Level Security) systémy typu Grsec a PaX, které jsou schopné detailního vymezení opravnění a přístupu k resourcům každé aplikace.
This session provides a schematic overview of the security properties, architecture, tweaks and settings of a SUSE Linux Enterprise 11 installation. It will also deliver a systematic, hands-on experience for analyzing and adjusting these security properties. This session will cover both networked and non-networked security properties, and may be applied to both the desktop and the server use of the system.
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
This presentation is made for my college presentation of explaining "Threats, Vulnerabilities & Security measures in Linux' and also suggestion how you could enhance ur Linux OS security.
Samba is a popular freeware program that allows end users to access and use files, printers, and other commonly shared resources on a company's intranet or internet
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talks and demo is relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes short for letting attendees do hands-on, the following will be required
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
I have tried my best to describe Samba Server through this PPT. I hope you guys will love this and this ppt will be helpful for you all.
Thanks,
Veeral Arora
While probably the most prominent, Docker is not the only tool for building and managing containers. Originally meant to be a "chroot on steroids" to help debug systemd, systemd-nspawn provides a fairly uncomplicated approach to work with containers. Being part of systemd, it is available on most recent distributions out-of-the-box and requires no additional dependencies.
This deck will introduce a few concepts involved in containers and will guide you through the steps of building a container from scratch. The payload will be a simple service, which will be automatically activated by systemd when the first request arrives.
Tick Stack - Listen your infrastructure and please sleepGianluca Arbezzano
Our application and our infrastructure speak, time series are one of their languages, during this talk I will share my experience about InfluxDB and time series to monitor and know the status of our cloud infrastructure. We will show best practice and tricks to grab information from an application in order to understand the mains difference between logs and time series.
Keeping DNS server up-and-running with “runitMen and Mice
A traditional Unix/Linux init system like SystemV-Init or BSD rc does start a DNS server process on server boot, but it does not restart the service in case of an abnormal termination. Modern init replacements like systemd provide process supervision, but bring extra complexities and possible stability and security issues.
This webinar demonstrates an alternative, open source process supervision system called “runit”.
“runit” is lean and fast and sticks to the Unix tradition to do one thing, and do that right.
In this webinar you will learn how to manage DNS server processes such as BIND 9, Unbound and NSD from runit.
This webcast will show you how to properly configure and deploy Memcached and Solr on Windows, including all the required Drupal integration. The webcast includes also instructions on proper configuration of your Drupal cron tasks for Solr indexing in conjunction with Windows Task Scheduler.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
2. 2
• Network security (VLANs, IPS, firewalls, etc.)
• IT Processes around accesses, Deny all, only allow and use when needed
• Human factor (e.g. e-mailing password)
• In-house software development hardening (SQL injections, etc.)
• COTS configurations (MySQL, Apache, etc.)
• Physical server access (BIOS, GRUB, etc.)
• Providing Internet access from a server
Remember: OS hardening is
only a step in the right
direction…
3. 3
• E.g. Do you really need X-window on a real-time system? (performance
and security issues)
• Installing unnecessary software also installs additional security flaws
• CentOS 6.8 minimal:
CentOS-6.8-x86_64-minimal.iso
(The minimal install iso media is an alternative install to the main CentOS-6.0 distribution and comes with a trimmed down,
preselected rpm list. However, it still runs off the standard installer, with all the regular features that one would expect from the main
distribution, except the rpm selection screen has been disabled)
http://centos.mirror.netelligent.ca/centos/6/isos/x86_64/
General rule:
Only install what is needed
4. 4
• Step 1) Burn ISO and boot
• Step 2) Follow wizard and finish setup
• Step 3) Test server Internet connectivity
• Step 4) “yum update –y” and reboot
• Step 5) OS Hardening
• Step 6) Install/configure your software
• Step 7) Configure firewall
Installing CentOS 6.8 minimal
5. 5
• Temporarily stop firewall
% service iptables stop
• Install some tools
% yum install sudo perl ntp crontabs sendmail wget –y
• Install EPEL repository
% wget http://fedora.mirror.nexicom.net/epel/6/x86_64/epel-release-6-8.noarch.rpm
% yum install epel-release-6-8.noarch.rpm -y
% yum repolist
...
repo id repo name status
base CentOS-6 - Base 6,346
epel Extra Packages for Enterprise Linux 6 - x86_64 8,029
extras CentOS-6 - Extras 6
updates CentOS-6 - Updates 820
First steps…
6. 6
• Configure password, idle and timeout policies
% perl -npe 's/PASS_MAX_DAYS.*/PASS_MAX_DAYS 180/' -i /etc/login.defs
% perl -npe 's/PASS_MIN_LEN.*/PASS_MIN_LEN 8/' -i /etc/login.defs
% perl -npe 's/LOGIN_TIMEOUT.*/LOGIN_TIMEOUT 30/' -i /etc/login.defs
% perl -npe 's/PASS_WARN_AGE.*/PASS_WARN_AGE 7/' -i /etc/login.defs
(These defaults still can be overridden by chage or passwd commands)
% vi /etc/profile.d/security.sh
TMOUT=900
readonly TMOUT
export TMOUT
readonly HISTFILE
% chmod +x /etc/profile.d/security.sh
% vi /etc/ssh/sshd_config
ClientAliveInterval 900
ClientAliveCountMax 0
% service sshd restart
Configure users
7. 7
• Manage user accounts
e.g. our scenario:
admsupp used by administrators / softsupp used
by application maintainers
% userdel shutdown
% userdel halt
% userdel games
% userdel operator
% userdel ftp
% userdel gopher
% groupadd support
% useradd admsupp -G support
% useradd softsupp -G support
% passwd admsupp
• Make sure no non-root accounts
have UID set to 0
% awk -F: '($3 == "0") {print}' /etc/passwd
Configure users (cont’d)
8. 8
• Disable unneeded SSHD authentication methods
% sed -i 's/[#]*ChallengeResponseAuthentication.*no/ChallengeResponseAuthentication yes/g'
/etc/ssh/sshd_config
% sed -i 's/[#]*GSSAPIAuthentication.*yes/GSSAPIAuthentication no/g' /etc/ssh/sshd_config
• Disable direct root login
% sed -i 's/[#]*PermitRootLogin.*yes/PermitRootLogin no/g' /etc/ssh/sshd_config
• Only allow permitted users using a valid password
% echo 'AllowUsers softsupp admsupp' >> /etc/ssh/sshd_config
% sed -i 's/[#]*PermitEmptyPasswords.*/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
• Change SSHD listening port (e.g. 4622 – choose your own port!)
% sed -i 's/[#]*Port 22/Port 4622/g' /etc/ssh/sshd_config
% /etc/init.d/sshd restart (then reconnect using « admsupp » on port 4622 and do % su - root)
Remote access configuration
9. 9
• Configure Visudo
% visudo
# As an example, append the following line:
%support ALL=NOPASSWD:/etc/init.d/httpd start, /etc/init.d/httpd stop, /etc/init.d/httpd restart,
/sbin/services httpd restart
• Test it
% su – softsupp
% whoami
% sudo /etc/init.d/httpd restart
Specify what users can do
Credit to: http://xkcd.com/149
10. 10
• Remove all non SSL based servers
% yum erase xinetd inetd tftp-server ypserv telnet-server rsh-server
• A sniffer can easily get your password
• All in and out communications should be encrypted whenever possible
• Use ssh, sftp, https, scp, etc.
Non-SSL software removal
11. 11
• Verify listening network ports
% netstat –tulpn
• Verify currently installed packages,
examples:
% yum list installed | more
% yum remove <package>
% yum grouplist
% yum groupremove "X Window System"
• Disable unnecessary services
% chkconfig --list
% chkconfig <service name> off
% for i in rpcbind restorecond nfslock lldpad
fcoe rpcidmapd; do service $i stop;
chkconfig $i off; done
• Turn off IPv6 if not needed
% vi /etc/sysconfig/network-scripts/ifcfg-eth0
IPV6INIT=no
IPV6_AUTOCONF=no
Services & packages removal
12. 12
• Prevent anybody but root to run cron or at tasks
% touch /etc/cron.allow
% chmod 600 /etc/cron.allow
% awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
% touch /etc/at.allow
% chmod 600 /etc/at.allow
% awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny
Prevent users to schedule
tasks
13. 13
• Narrow down rights for system files and folders
% chmod 700 /root
% chmod 700 /var/log/audit
% chmod 740 /etc/rc.d/init.d/iptables
% chmod 740 /sbin/iptables
% chmod -R 700 /etc/skel
% chmod 600 /etc/rsyslog.conf
% chmod 640 /etc/security/access.conf
% chmod 600 /etc/sysctl.conf
Narrowing rights
14. 14
• Identify unwanted SUID and SGID Binaries
% find / ( -perm -4000 -o -perm -2000 ) –print
% find / -path -prune -o -type f -perm +6000 –ls
• Identify world writable files
% find /dir -xdev -type d ( -perm -0002 -a ! -perm -1000 ) –print
• Identify orphaned files and folders
% find /dir -xdev ( -nouser -o -nogroup ) –print
Verifying file system
15. 15
• Make your point on login
% cat >/etc/issue << EOF
USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT
TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL
PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE
USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM
CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.
EOF
% cp /etc/issue /etc/ssh-banner
• Now configure SSHD
% sed -i 's/[#]*Banner.*/Banner /etc/ssh-banner/g' /etc/ssh/sshd_config
% service sshd restart
Welcome messages
16. 16
• Sysctl is an interface for examining and dynamically changing parameters in the BSD and
Linux operating systems
• Edit sysctl.conf to optimize kernel parameters
(see http://www.mjmwired.net/kernel/Documentation/networking/ip-sysctl.txt for descriptions)
• ICMP Redirect
This is where an attacker uses either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a
host to immediately drop a connection. An attacker can make use of this by simply forging one of these ICMP messages, and sending it to one or
both of the communicating hosts. Their connection will then be broken. The ICMP "Redirect" message is commonly used by gateways when a host
has mistakenly assumed the destination is not on the local network. If an attacker forges an ICMP "Redirect" message, it can cause another host to
send packets for certain connections through the attacker's host.
Tune kernel parameters
17. 17
• Synflood
A Synflood exploits a server by sending a flood of SYN packets, but ignoring the SYN/ACK that come back in response. When this happens, the connection goes into SYN_RCVD
state on the server, which is held open until it receives an ACK reply from the Client. If an ACK reply is never received, then it will go into TIME_WAIT state on the server, causing it
to be held open even longer. Imagine if a Client sent several hundred (or even thousands) of SYN packets, only to ignore the SYN/ACK reply. Generally, this form of attack targets
a particular service to exploit the built in connection limits built into most services. This type of attack will not generally cause a server to go out of memory, but will make the
service being targeted, usually Apache, go unresponsive.
Client [SYN] ---------------> Server
Client <----------- [SYN/ACK] Server
Client [ACK] ---------------> Server
• UDP Floods
UDP attacks are quite effective, as UDP is a state-less protocol. UDP just sends the traffic without the initial overhead of the three way handshake in TCP. In addition to no initial
overhead, UDP also has no verification that the packet was received. Normally, when you send a UDP packet with the "DNS Query" bit set to port 53 of a nameserver, it will reply
with DNS results if the nameserver is active. However, if you send a UDP packet to a port that doesn't have a service listening on it, the remote host will send back an ICMP
Destination Unreachable packet (http://en.wikipedia.org/wiki/ICMP_Destination_Unreachable). It does this for EACH and EVERY UDP packet sent. As floods go, you can imagine
sending a whole bunch of UDP packets would generate quite lot of return traffic, now that you don't need state.
Tune kernel parameters
(cont’d)
18. cat << 'EOF' >> /etc/sysctl.conf
# drop icmp redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# double the syn backlog size
net.ipv4.tcp_max_syn_backlog = 2048
# ignore ping broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# drop the source routing ability
net.ipv4.conf.all.accept_source_route = 0
# log packets destinated to impossible addresses
net.ipv4.conf.all.log_martians = 1
# ignore bogus icmp error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
(continuing on next slide…)
18Tune kernel parameters
(cont’d)
19. # drop packets that come in using a bad interface
# (they will be logged as martian)
net.ipv4.conf.all.rp_filter = 1
# don't send timestamps
#net.ipv4.tcp_timestamps = 0
# Kernel threads
kernel.threads-max = 163840
# Socket buffers
net.core.wmem_default = 655360
net.core.wmem_max = 5242880
net.core.rmem_default = 655360
net.core.rmem_max = 5242880
# netdev backlog
net.core.netdev_max_backlog = 4096
# Semafores
kernel.sem="250 32000 32 1024"
# Socket buckets
net.ipv4.tcp_max_tw_buckets = 163840
# Controls source route verification
net.ipv4.conf.all.rp_filter = 1
# Do not accept source route
net.ipv4.conf.all.accept_source_route = 0
# Increase port range
net.ipv4.ip_local_port_range = 2000 65000
EOF
19Tune kernel parameters
(cont’d)
20. 20
• Make sure your server has the right time
set at any moment
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched,
variable-latency data networks.
NTP uses Marzullo's algorithm and is designed to resist the effects of variable latency. NTP can usually maintain time to within tens of
milliseconds over the public Internet, and can achieve 1 millisecond accuracy in local area networks under ideal conditions.
% chkconfig ntpd on
% sed -i 's/^(s*)server(ss*[0123]).*/1server 2.north-america.pool.ntp.org/' /etc/ntp.conf
% /etc/init.d/ntpd start
% ln -sf /usr/share/zoneinfo/America/Montreal /etc/localtime
Network Time Protocol
21. 21
Security-Enhanced Linux (SELinux) is a Linux feature that provides the mechanism for supporting
access control security policies, including United States Department of Defense-style mandatory
access controls, through the use of Linux Security Modules (LSM) in the Linux kernel.
• Enabled by default, should you disable it?
• Difficult to configure with some software, transparent with others, google
it first
• Disabling SELinux
% vi /etc/selinux/config
"SELINUX=disabled“
• Configuration files
See: http://selinuxproject.org/page/ConfigurationFiles
Security policies
22. 22
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many
password failures, seeking for exploits, etc. Generally Fail2Ban then used to update firewall rules to reject the IP
addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting
CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache,
curier, ssh, etc).
Ref: http://www.fail2ban.org
• Example, regex scanning for Asterisk PBX log files:
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
• Check current bans:
% /usr/bin/fail2ban-client status ssh-iptables
Ban bad IPs
23. 23
• Installation steps
% yum install fail2ban
% chkconfig fail2ban on
% vi /etc/fail2ban/jail.conf
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=4622, protocol=tcp]
sendmail-whois[name=SSH, dest=support@yourdomain.com, sender=fail2ban@yourdomain.net]
logpath = /var/log/secure
maxretry = 5
% vi /etc/fail2ban/fail2ban.conf
logtarget = /var/log/fail2ban.log
% service fail2ban start
Ban bad IPs (cont’d)
24. 24
Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and
creates a report analyzing areas that you specify.
Ref: http://sourceforge.net/projects/logwatch/files/
• Too much information to consider manual analysis
• Sends daily e-mails to you
• Fail2ban & logwatch
Ref: http://sourceforge.net/projects/fail2ban/files/logwatch/
• Even get yesterday’s installed packages list
Log watching & reporting
26. 26
iptables is a user space application program that allows a system administrator to configure the tables provided by
the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different
kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6,
arptables to ARP, and ebtables to Ethernet frames
• Create a check list for your applications
• Create a shell script with all of your rules
• Start iptables service and run the script
% service iptables start
% ./myrules.sh
• Check applications connectivity
• Also configure your hardware firewall!
Firewall setup
27. cat > myrules.sh << EOF
#!/bin/bash
# Flush all current rules from iptables
iptables -F
# SSH (4622) - Don't lock ourselves out + Limit of 3 attempts
# per minute
iptables -A INPUT -p tcp --dport 4622 --syn -m limit --limit
1/m --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 4622 --syn -j DROP
# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to established and
# related connections
iptables -A INPUT -m state --state
ESTABLISHED,RELATED -j ACCEPT
# Make sure new incoming tcp connections are SYN
# packets; otherwise we need to drop them
iptables -A INPUT -p tcp ! --syn -m state --state
NEW -j DROP
# Drop packets with incoming fragments
iptables -A INPUT -f -j DROP
(continuing on next slide…)
27Firewall (cont’d)
28. # Drop incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# ICMP (PING) - Ping flood protection 1 per second
iptables -A INPUT -p icmp -m limit --limit 5/s
--limit-burst 5 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
# Allow MySQL (port 3306) access
# from other servers
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# Save settings
/sbin/service iptables save
# List rules
iptables -L -v
EOF
28Firewall (cont’d)
29. 29
• Change the nb of available gettys as there too many available by default
% sed -i 's/1-6/1/g' /etc/sysconfig/init
% sed -i 's/1-6/1/g' /etc/init/start-ttys.conf
• Require root's password for single user mode
% echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
• Disable USB mass storage, if you're not using it in your environment
% echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usbstorage
• Once a server is up and running, root shouldn't be logging in directly except in emergency situations. These usually
require hands at the console, so that's the only place root should be allowed to log in
% echo "tty1" > /etc/securetty
• Update the system to use sha512 instead of md5 for password protection
% authconfig --passalgo=sha512 --update
Miscellaneous
30. 30
• Regularly install the security patches
• Set your Outlook reminders
• Install yum plugin
% yum -y install yum-plugin-security
• Check and install security updates (cron them!)
% yum updateinfo summary
% yum --security check-update
% yum –y --security update
• CentOS ‘announce’ mailing list
http://lists.centos.org/mailman/listinfo/centos-announce
Going forward: security updates
31. 31
To consider:
1. The only folks allowed near the server should be directly responsible for it.
2. Don't allow the system to boot from removable media as the default option
3. Require a bios password to change boot options. OS security doesn't matter much if your attacker brings their
own OS to the party.
4. Use a password for grub. All the security in the world is for nothing if someone can simply pass some
arguments to your loader and disable your security.
5. Require a password for single user mode. Same reason as above.
6. Most servers don't need usb storage devices. Disable the usb-storage driver if possible.
Server proximity security
32. 32
Now that you have performed a basic hardening of your server, consider
going through the same exercise for what is currently installed in terms of
software
Think of Apache, MySQL, etc. they all require your attention!
Other softwares