Copyright @ 2019 JFrog - All rights reserved.
Hardening Linux
Made Easy
Guy Barnhart-Magen, Melior Security
@barnhartguy
Who am I?
Father of two, hacker
BSidesTLV chairman and CTF Lead
(Lucky to speak at many conferences)
Today: Cyber Security Consultant
Before: Intel, Cisco and a couple of Startups
OS Hardening, Crypto, Embedded Security, Security of ML
Why Hardening?
Assumption - the attacker has a foothold in your server
At least shell access (or something that will give him access)
Can we limit what he can do?
Threat Model
Consider the following:
● Is the VM compromised?
● Do we need a scalable solution?
● Is it open to the internet?
● How do we do patch management?
● If an attacker gets a shell, what is compromised?
● If an attacker gets root access, what is compromised?
● Do we have someone to look at reports?
Threat Model
Attacker model
● Is this a targeted or opportunistic attack?
● Do I have vital business value on this VM?
● Is the system old? Any security concerns? Something signaling to attackers?
Where to focus?
Passive vs. Active
Passive - build defenses, but an attacker is not present in the system, allowing for more flexibility
Active - need to remove an attacker (or suspicion) from the system, before deploying defenses
Shopping list?
CIS Benchmarks
Lynis
NIST - SP800-123
Other standards
Hardening the System
● Passive vs. Active
● Firewall
● Updates
○ Repo, security, patches/upgrades
○ Remove unneeded packages
● SSH
○ 2FA
○ fail2ban
● User Accounts
○ Credentials, ACL
● Remote Logging
● Sensitive Files/Directories
● Remove unneeded TTY
● Secure Shared Memory/tmp folder
● Remove uncommon filesystems
● Disable compilers
● Set UMASK
● Disable core dumps
Firewall
● ufw is a wrapper for iptables
● Enable Firewall
$ sudo ufw allow ssh
$ sudo ufw enable
Updating the System
● We would like to keep all our repositories up to date
● Also, we would like to automate this
● Be careful - updates can break stuff!
● Rebooting is also a concern
$ sudo apt-get update
$ sudo apt-get upgrade -y
$ sudo apt-get install unattended-upgrades apt-listchanges
$ sudo dpkg-reconfigure -plow unattended-upgrades
$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Mail "user@example.com";
Unattended-Upgrade::Automatic-Reboot "true";
$ sudo unattended-upgrades --dry-run
Updating the System
● Reduce attack surface
● We should remove old/unneeded packages
Examples: IPv6, irqbalance, Bluetooth, USB storage driver, Anacron, Apport, Atd, Autofs, Avahi, CUPS, Dovecot, Modemmanager, Nfs, Snmp, Telnet, Whoopsie, Zeitgeist
$ dpkg --list
$ dpkg --list packageName
$ sudo apt-get remove packageName
$ sudo apt-get remove --purge ntfs-3g
SSH Hardening
● We should limit the number of users that are allowed to log in (never root)
● We should better protect these accounts
● If you can, use PKI keys
○ If you cannot, use 2FA
$ ssh-keygen -t ed25519
$ sudo nano /etc/ssh/sshd_config
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
AuthenticationMethods publickey
PubkeyAuthentication yes
AllowUsers user1 user2
PermitEmptyPasswords no
ClientAliveInterval 300
# OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never disconnect"; use 1 or more there for an idle timeout
ClientAliveCountMax 0
IgnoreRhosts yes
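An added example, not part of the original slides: a small POSIX shell audit that compares an sshd_config against the authentication settings listed on this slide. The function names and the sample file are constructed for illustration; the check reads only the global section (before any Match block) and applies sshd's rule that the first occurrence of a keyword wins.

```sh
#!/bin/sh
# Added example: audit sshd_config against the slide's authentication settings.
# Function names and the sample config are constructed for illustration.

# Keyword/value pairs taken from the slide. AllowUsers and the ClientAlive*
# timers are site-specific and are left out of the comparison.
expected_settings() {
    cat <<'EOF'
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
AuthenticationMethods publickey
PubkeyAuthentication yes
PermitEmptyPasswords no
IgnoreRhosts yes
EOF
}

# effective_value FILE KEYWORD
# Prints the value sshd would use from the global section of FILE:
# keywords are case-insensitive, the first occurrence wins, and parsing
# stops at the first Match block. Prints nothing if the keyword is unset.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }                # conditional blocks are out of scope
        key == want { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per deviation; returns 0 only when there are none.
audit_sshd_config() {
    audit_file=$1
    audit_findings=0
    while read -r key want; do
        got=$(effective_value "$audit_file" "$key")
        if [ -z "$got" ]; then
            # Unset means the compiled-in default applies, which may be weaker.
            echo "UNSET $key (slide value: $want)"
            audit_findings=$((audit_findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "WEAK $key $got (slide value: $want)"
            audit_findings=$((audit_findings + 1))
        fi
    done <<EOF
$(expected_settings)
EOF
    [ "$audit_findings" -eq 0 ]
}

# write_sample_config PATH
# Constructed sample: a lower-case duplicate re-enables passwords before the
# hardened line, and IgnoreRhosts appears only inside a Match block.
write_sample_config() {
    cat > "$1" <<'EOF'
# Constructed sample for this example (not from the slides).
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PubkeyAuthentication yes
AuthenticationMethods publickey
PermitEmptyPasswords no
Match User backup
    IgnoreRhosts yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample" || echo "sshd_config deviates from the slide's settings"
rm -f "$sample"
```

On a live host, `sudo sshd -T` prints the effective configuration, including compiled-in defaults for keywords the file leaves unset.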
SSH Hardening - 2FA
● Use TOTP
● Try to limit the number of users who have access, or share TOTP values
$ sudo apt-get install libpam-google-authenticator
$ google-authenticator -td --rate-limit=3 --rate-time=120
$ sudo nano /etc/pam.d/sshd
auth required pam_google_authenticator.so nullok
$ sudo nano /etc/ssh/sshd_config
# pam_google_authenticator is a PAM module, so this setup needs UsePAM yes (the key-only configuration on the previous slide sets it to no)
ChallengeResponseAuthentication yes
$ sudo systemctl restart sshd.service
$ sudo service ssh restart
$ sudo apt-get install oathtool
$ oathtool -b --totp "$(head -n 1 ~/.google_authenticator)"
SSH Hardening - Brute Force Attacks
● Fail2Ban and Rate Limiting
● Future updates can overwrite files, make copies
$ sudo ufw limit ssh comment "rate limit ssh"
$ sudo apt-get install fail2ban
$ sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
$ sudo systemctl start fail2ban
$ sudo systemctl enable fail2ban
User Accounts, ACL and special files/directories
● Separate user and admin accounts
● Limit “root” access
○ Root account shouldn’t have a login
● Verifying/setting that all world writable directories have their sticky bit set
$ sudo passwd -l root
$ sudo chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
$ sudo chmod 644 /etc/passwd /etc/group
$ sudo chmod 500 /etc/shadow /etc/gshadow
$ sudo find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | while IFS= read -r directory; do
    echo "Making sticky on ${directory}..."
    sudo chmod +t "${directory}"
done
User Accounts, ACL and special files/directories
● Verifying/setting that there are no world-writable files on the system
● Verifying/setting that there are no unauthorized SETUID/SETGID files on the system
$ sudo find / -xdev -type f -perm -0002 -print | while IFS= read -r file; do
    sudo chmod o-w "${file}"
done
$ sudo find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print | while IFS= read -r file; do
    # allowed_suid_list.txt holds one approved path per line
    if grep -Fxq "$file" "allowed_suid_list.txt"
    then
        echo "${file} - This program is allowed; leave it alone."
    else
        sudo chmod -s "${file}"
    fi
done
Remote Logging
● Use RSysLog
$ sudo apt-get update && sudo apt-get install rsyslog
$ sudo systemctl enable rsyslog
$ sudo systemctl start rsyslog
$ sudo nano /etc/rsyslog.d/01-server.conf
# @@ forwards over TCP; a single @ forwards over UDP
*.* @@distant-server-ip:514
$ sudo systemctl restart rsyslog
$ journalctl -f -u rsyslog
Audit
● Several tools: CIS Benchmark, Lynis
$ git clone https://github.com/CISOfy/lynis
$ cd lynis && ./lynis audit system
Allow Single TTY
● You mostly pay attention to a single TTY, an attacker can work in a different one
$ cat <<EOF | sudo tee /etc/securetty
console
tty1
EOF
$ sudo nano /etc/default/console-setup
ACTIVE_CONSOLES="/dev/tty1"
$ sudo reboot
$ dmesg | grep tty
Secure Shared Memory
$ sudo nano /etc/fstab
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
Secure Temporary Directories
● Back up the /tmp dir, replace it with a new one (which is secure)
dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1024000
mkdir /tmpbackup && cp -Rpf /tmp /tmpbackup
mount -t tmpfs -o loop,noexec,nosuid,rw /usr/tmpDSK /tmp
chmod 1777 /tmp
cp -Rpf /tmpbackup/* /tmp/ && rm -rf /tmpbackup/*
echo "/usr/tmpDSK /tmp tmpfs loop,nosuid,noexec,rw 0 0" >> /etc/fstab
mount -o remount /tmp
mkdir /var/tmpold
mv /var/tmp /var/tmpold
ln -s /tmp /var/tmp
cp -prf /var/tmpold/* /tmp/
Disable Uncommon File Systems
● Prevent attackers from mounting filesystems that you don’t need and might benefit them
$ ls -1 /lib/modules/$(uname -r)/kernel/fs | sort | uniq > avail_fs
$ mount | awk '{print $5}' | sort | uniq > used_fs
# comm -13 keeps only the entries that are in avail_fs but not in used_fs
$ for fs in $(comm -13 used_fs avail_fs); do echo "blacklist $fs"; done | sudo tee -a /etc/modprobe.d/blacklist.conf
Disable Compilers
● Prevent attackers from compiling code to get higher order abilities
COMPILERS=(
"/usr/bin/byacc"
"/usr/bin/yacc"
"/usr/bin/bcc"
"/usr/bin/kgcc"
"/usr/bin/cc"
"/usr/bin/gcc"
"/usr/bin/c++"
"/usr/bin/g++"
)
# Run as root: strip all permission bits from each compiler that is present
for compiler in "${COMPILERS[@]}"; do
    if [ -f "${compiler}" ]; then
        echo "removing ${compiler}"
        chmod 000 "${compiler}"
    else
        echo "missing ${compiler}"
    fi
done
Thank You!
I’ll be happy to answer more questions after the talk (outside)

More Related Content

What's hot

Managing server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerManaging server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password manager
Ignat Korchagin
 
Hadoop Installation
Hadoop InstallationHadoop Installation
Hadoop Installation
mrinalsingh385
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
Tiago Cruz
 
install mosquitto-auth-plug - cheat sheet -
install mosquitto-auth-plug - cheat sheet -install mosquitto-auth-plug - cheat sheet -
install mosquitto-auth-plug - cheat sheet -
Naoto MATSUMOTO
 
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
 How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
Kentaro Hatori
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
Retrieva inc.
 
Environments line-up! Vagrant & Puppet 101
Environments line-up! Vagrant & Puppet 101Environments line-up! Vagrant & Puppet 101
Environments line-up! Vagrant & Puppet 101
jelrikvh
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"
Francesco Prior
 
Odoo 13 installation on ubuntu 19.04
Odoo 13 installation on ubuntu 19.04Odoo 13 installation on ubuntu 19.04
Odoo 13 installation on ubuntu 19.04
PlanetOdoo
 
Creating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server HardeningCreating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server Hardening
archwisp
 
Network
NetworkNetwork
Network
puneethpun7
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
HelpSystems
 
Single node hadoop cluster installation
Single node hadoop cluster installation Single node hadoop cluster installation
Single node hadoop cluster installation
Mahantesh Angadi
 
Getting_Started_With_Docker
Getting_Started_With_DockerGetting_Started_With_Docker
Getting_Started_With_Docker
Jason Greathouse
 
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
Circling Cycle
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 
Android in ubuntu
Android in ubuntuAndroid in ubuntu
Android in ubuntu
ksrajkumar87
 
Sun raysetup
Sun raysetupSun raysetup
Sun raysetup
Portal Oliveira
 
101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems
Acácio Oliveira
 
Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識
維泰 蔡
 

What's hot (20)

Managing server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerManaging server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password manager
 
Hadoop Installation
Hadoop InstallationHadoop Installation
Hadoop Installation
 
SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
 
install mosquitto-auth-plug - cheat sheet -
install mosquitto-auth-plug - cheat sheet -install mosquitto-auth-plug - cheat sheet -
install mosquitto-auth-plug - cheat sheet -
 
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
 How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
How to make multi-boot USB drive for LiveCD iso images on EFI/UEFI and BIOS
 
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
コンテナ仮想、その裏側 〜user namespaceとrootlessコンテナ〜
 
Environments line-up! Vagrant & Puppet 101
Environments line-up! Vagrant & Puppet 101Environments line-up! Vagrant & Puppet 101
Environments line-up! Vagrant & Puppet 101
 
Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"Astricon 2013: "Asterisk and Database"
Astricon 2013: "Asterisk and Database"
 
Odoo 13 installation on ubuntu 19.04
Odoo 13 installation on ubuntu 19.04Odoo 13 installation on ubuntu 19.04
Odoo 13 installation on ubuntu 19.04
 
Creating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server HardeningCreating "Secure" PHP applications, Part 2, Server Hardening
Creating "Secure" PHP applications, Part 2, Server Hardening
 
Network
NetworkNetwork
Network
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
Single node hadoop cluster installation
Single node hadoop cluster installation Single node hadoop cluster installation
Single node hadoop cluster installation
 
Getting_Started_With_Docker
Getting_Started_With_DockerGetting_Started_With_Docker
Getting_Started_With_Docker
 
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
Brief summary-standard-password-hashes-Aix-FreeBSD-Linux-Solaris-HP-UX-May-20...
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Android in ubuntu
Android in ubuntuAndroid in ubuntu
Android in ubuntu
 
Sun raysetup
Sun raysetupSun raysetup
Sun raysetup
 
101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems101 4.3 control mounting and unmounting of filesystems
101 4.3 control mounting and unmounting of filesystems
 
Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識Linux 系統管理與安全:基本 Linux 系統知識
Linux 系統管理與安全:基本 Linux 系統知識
 

Similar to Linux Hardening - Made Easy

Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
Gratien D'haese
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux servers
Juan Carlos Pérez Pardo
 
How to create a secured multi tenancy for clustered ML with JupyterHub
How to create a secured multi tenancy for clustered ML with JupyterHubHow to create a secured multi tenancy for clustered ML with JupyterHub
How to create a secured multi tenancy for clustered ML with JupyterHub
Tiago Simões
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
Jameel Nabbo
 
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Puppet
 
PGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky Haryadi
PGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky HaryadiPGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky Haryadi
PGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky Haryadi
Equnix Business Solutions
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
Ubuntu Practice and Configuration
Ubuntu Practice and ConfigurationUbuntu Practice and Configuration
Ubuntu Practice and Configuration
Manoj Sahu
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compact
Alessandro Selli
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
n|u - The Open Security Community
 
Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...
Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...
Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...
Vi Grey
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalation
nullthreat
 
What you most likely did not know about sudo…
What you most likely did not know about sudo…What you most likely did not know about sudo…
What you most likely did not know about sudo…
All Things Open
 
System administration
System administrationSystem administration
System administration
puspa joshi
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
Craig Cannon
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
Rayed Alrashed
 
Puppet for Developers
Puppet for DevelopersPuppet for Developers
Puppet for Developers
sagarhere4u
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012
Philip Polstra
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
Ishan A B Ambanwela
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
 

Similar to Linux Hardening - Made Easy (20)

Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
 
Essential security for linux servers
Essential security for linux serversEssential security for linux servers
Essential security for linux servers
 
How to create a secured multi tenancy for clustered ML with JupyterHub
How to create a secured multi tenancy for clustered ML with JupyterHubHow to create a secured multi tenancy for clustered ML with JupyterHub
How to create a secured multi tenancy for clustered ML with JupyterHub
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
Continuous Infrastructure: Modern Puppet for the Jenkins Project - PuppetConf...
 
PGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky Haryadi
PGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky HaryadiPGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky Haryadi
PGConf.ASIA 2019 - High Availability, 10 Seconds Failover - Lucky Haryadi
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Ubuntu Practice and Configuration
Ubuntu Practice and ConfigurationUbuntu Practice and Configuration
Ubuntu Practice and Configuration
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compact
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...
Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...
Phishing for Root (How I Got Access to Root on Your Computer With 8 Seconds o...
 
Aide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege EscalationAide 2014 - Fundamentals of Linux Privilege Escalation
Aide 2014 - Fundamentals of Linux Privilege Escalation
 
What you most likely did not know about sudo…
What you most likely did not know about sudo…What you most likely did not know about sudo…
What you most likely did not know about sudo…
 
System administration
System administrationSystem administration
System administration
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
Puppet for Developers
Puppet for DevelopersPuppet for Developers
Puppet for Developers
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 

Recently uploaded

XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
samililja
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
SkillCertProExams
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
OECD Directorate for Financial and Enterprise Affairs
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
gharris9
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
OECD Directorate for Financial and Enterprise Affairs
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
ToshihiroIto4
 
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Dutch Power
 
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPointMẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
1990 Media
 
Tom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issueTom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issue
amekonnen
 
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussionArtificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – LIM – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Burning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdfBurning Issue Presentation By Kenmaryon.pdf
Burning Issue Presentation By Kenmaryon.pdf
kkirkland2
 
Updated diagnosis. Cause and treatment of hypothyroidism
Updated diagnosis. Cause and treatment of hypothyroidismUpdated diagnosis. Cause and treatment of hypothyroidism
Updated diagnosis. Cause and treatment of hypothyroidism
Faculty of Medicine And Health Sciences
 
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij
 
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussionArtificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx  and their importance in real lifeCarrer goals.pptx  and their importance in real life
Carrer goals.pptx and their importance in real life
artemacademy2
 
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussionPro-competitive Industrial Policy – LANE – June 2024 OECD discussion
Pro-competitive Industrial Policy – LANE – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Gregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics PresentationGregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics Presentation
gharris9
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
gpww3sf4
 

Recently uploaded (20)

XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
 
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
 
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPointMẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
 
Tom tresser burning issue.pptx My Burning issue

Linux Hardening - Made Easy

  • 1. Copyright @ 2019 JFrog - All rights reserved. Hardening Linux Made Easy. Guy Barnhart-Magen, Melior Security, @barnhartguy
  • 2. Who am I?
    Father of two, hacker
    BSidesTLV chairman and CTF Lead
    (Lucky to speak at many conferences)
    Today: Cyber Security Consultant
    Before: Intel, Cisco and a couple of Startups
    OS Hardening, Crypto, Embedded Security, Security of ML
  • 3. Why Hardening?
    Assumption - the attacker has a foothold in your server
    At least shell access (or something that will give him access)
    Can we limit what he can do?
  • 4. Threat Model
    Consider the following:
    ● Is the VM compromised?
    ● Do we need a scalable solution?
    ● Is it open to the internet?
    ● How do we do patch management?
    ● If an attacker gets a shell, what is compromised?
    ● If an attacker gets root access, what is compromised?
    ● Do we have someone to look at reports?
  • 5. Threat Model
    Attacker model
    ● Is this a targeted or opportunistic attack?
    ● Do I have vital business value on this VM?
    ● Is the system old? Any security concerns? Something signaling to attackers?
  • 7. Passive vs. Active
    Passive - build defenses, but an attacker is not present in the system, allowing for more flexibility
    Active - need to remove an attacker (or suspicion) from the system, before deploying defenses
  • 9. Hardening the System
    ● Passive vs. Active
    ● Firewall
    ● Updates
      ○ Repo, security, patches/upgrades
      ○ Remove unneeded packages
    ● SSH
      ○ 2FA
      ○ fail2ban
    ● User Accounts
      ○ Credentials, ACL
    ● Remote Logging
    ● Sensitive Files/Directories
    ● Remove unneeded TTY
    ● Secure Shared Memory/tmp folder
    ● Remove uncommon filesystems
    ● Disable compilers
    ● Set UMASK
    ● Disable core dumps
  • 10. Firewall
    ● Wrapper for iptables
    ● Enable Firewall
    $ sudo ufw allow ssh
    $ sudo ufw enable
  • 11. Updating the System
    We would like to keep all our repositories up to date
    ● Also, we would like to automate this
    ● Be careful - updates can break stuff!
    ● Rebooting is also a concern
    $ sudo apt-get update
    $ sudo apt-get upgrade -y
  • 12. Updating the System
    We would like to keep all our repositories up to date
    ● Also, we would like to automate this
    ● Be careful - updates can break stuff!
    ● Rebooting is also a concern
    $ sudo apt-get install unattended-upgrades apt-listchanges
    $ sudo dpkg-reconfigure -plow unattended-upgrades
    $ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
        Unattended-Upgrade::Mail "user@example.com";
        Unattended-Upgrade::Automatic-Reboot "true";
    $ sudo unattended-upgrades --dry-run
  • 13. Updating the System
    ● Reduce attack surface
    ● We should remove old/unneeded packages
    Examples: IPv6, irqbalance, Bluetooth, USB storage driver, Anacron, Apport, Atd, Autofs, Avahi, CUPS, Dovecot, ModemManager, NFS, SNMP, Telnet, Whoopsie, Zeitgeist
    $ dpkg --list
    $ dpkg --list packageName
    $ sudo apt-get remove packageName
    $ sudo apt-get remove --purge ntfs-3g
  • 14. SSH Hardening
    ● We should limit the number of users that are allowed to log in (never root)
    ● We should better protect these accounts
    ● If you can, use PKI keys
      ○ If you cannot, use 2FA
    $ ssh-keygen -t ed25519
    $ sudo nano /etc/ssh/sshd_config
        PermitRootLogin no
        ChallengeResponseAuthentication no
        PasswordAuthentication no
        UsePAM no
        AuthenticationMethods publickey
        PubkeyAuthentication yes
        AllowUsers user1 user2
        PermitEmptyPasswords no
        ClientAliveInterval 300
        ClientAliveCountMax 0
        IgnoreRhosts yes
  • 15. SSH Hardening - 2FA
    ● Use TOTP
    ● Try to limit the number of users who have access, or share TOTP values
    $ sudo apt-get install libpam-google-authenticator
    $ google-authenticator -td --rate-limit=3 --rate-time=120
    $ nano /etc/pam.d/sshd
        auth required pam_google_authenticator.so nullok
    $ sudo nano /etc/ssh/sshd_config
        ChallengeResponseAuthentication yes
    $ sudo systemctl restart sshd.service
    $ sudo service ssh restart
    $ sudo apt-get install oathtool
    $ oathtool -b --totp `head -n 1 ~/.google_authenticator`
  • 16. SSH Hardening - Brute Force Attacks
    ● Fail2Ban and Rate Limiting
    ● Future updates can overwrite files, make copies
    $ sudo ufw limit ssh comment "rate limit ssh"
    $ sudo apt-get install fail2ban
    $ sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
    $ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    $ sudo systemctl start fail2ban
    $ sudo systemctl enable fail2ban
  • 17. User Accounts, ACL and special files/directories
    ● Separate user and admin accounts
    ● Limit "root" access
      ○ Root account shouldn't have a login
    ● Verifying/setting that all world-writable directories have their sticky bit set
    $ sudo passwd -l root
    $ sudo chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
    $ sudo chmod 644 /etc/passwd /etc/group
    $ sudo chmod 500 /etc/shadow /etc/gshadow
    # add the sticky bit to every world-writable directory that lacks it
    $ sudo find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print |
      while read -r directory; do
          echo "$FUNCNAME: ${GREEN} Making sticky on ${directory}..."
          sudo chmod +t "${directory}"
      done
  • 18. User Accounts, ACL and special files/directories
    ● Verifying/setting that there are no world-writable files on the system
    ● Verifying/setting that there are no unauthorized SETUID/SETGID files on the system
    # drop the world-write bit from regular files
    $ sudo find / -xdev -type f -perm -0002 -print |
      while read -r file; do
          sudo chmod o-w "${file}"
      done
    # strip SUID/SGID from every file that is not in the allow list
    $ sudo find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print |
      while read -r file; do
          if grep -Fxq "$file" "allowed_suid_list.txt"
          then
              echo "${file} - This program is allowed; leave it alone."
          else
              sudo chmod -s "${file}"
          fi
      done
  • 19. Remote Logging
    ● Use RSysLog
    $ sudo apt-get update && sudo apt-get install rsyslog
    $ sudo systemctl enable rsyslog
    $ sudo systemctl start rsyslog
    $ sudo nano /etc/rsyslog.d/01-server.conf
        # forward everything; "@@" sends over TCP, a single "@" over UDP
        *.* @@distant-server-ip:514
    $ sudo systemctl restart rsyslog
    $ journalctl -f -u rsyslog
  • 20. Audit
    ● Several tools: CIS Benchmark, Lynis
    $ git clone https://github.com/CISOfy/lynis
    $ lynis/lynis audit system
  • 21. Allow Single TTY
    ● You mostly pay attention to a single TTY; an attacker can work in a different one
    $ cat <<EOF > /etc/securetty
    console
    tty1
    EOF
    $ sudo nano /etc/default/console-setup
        ACTIVE_CONSOLES="/dev/tty1"
    Reboot
    $ dmesg | grep tty
  • 22. Secure Shared Memory
    $ sudo nano /etc/fstab
        tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
  • 23. Secure Temporary Directories
    ● Backup the /tmp dir, replace with new one (which is secure)
    dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=1024000
    mkdir /tmpbackup && cp -Rpf /tmp /tmpbackup
    mount -t tmpfs -o loop,noexec,nosuid,rw /usr/tmpDSK /tmp
    chmod 1777 /tmp
    cp -Rpf /tmpbackup/* /tmp/ && rm -rf /tmpbackup/*
    echo "/usr/tmpDSK /tmp tmpfs loop,nosuid,noexec,rw 0 0" >> /etc/fstab
    mount -o remount /tmp
    mkdir /var/tmpold
    mv /var/tmp /var/tmpold
    ln -s /tmp /var/tmp
    cp -prf /var/tmpold/* /tmp/
  • 24. Disable Uncommon File Systems
    ● Prevent attackers from mounting filesystems that you don't need and might benefit them
    $ ls -1 /lib/modules/$(uname -r)/kernel/fs | sort | uniq > avail_fs
    $ mount | column -t | cut -c 82-90 | sort | uniq > used_fs
    # comm -13 keeps only the names that are in avail_fs and not in used_fs
    $ for fs in $(comm -13 used_fs avail_fs); do echo "blacklist $fs"; done >> /etc/modprobe.d/blacklist.conf
  • 25. Disable Compilers
    ● Prevent attackers from compiling code to get higher order abilities
    COMPILERS=( "/usr/bin/byacc" "/usr/bin/yacc" "/usr/bin/bcc" "/usr/bin/kgcc" "/usr/bin/cc" "/usr/bin/gcc" "/usr/bin/c++" "/usr/bin/g++" )
    # remove all permissions from each compiler binary that is present
    for compiler in "${COMPILERS[@]}"; do
        if [ -f "${compiler}" ]; then
            echo "removing ${compiler}"
            chmod 000 "${compiler}"
        else
            echo "missing ${compiler}"
        fi
    done
  • 26. Thank You!
    I'll be happy to answer more questions after the talk (outside)
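The SSH settings on slide 14 only help if they are the values sshd actually uses. The following is an added example, not part of the deck: it audits a config file against those settings, honouring sshd_config's rule that the first occurrence of a keyword wins. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the slide 14 settings.
# Assumes whitespace-separated "Keyword value" lines; Include files and
# Match blocks are not evaluated (sshd -T prints the fully resolved config).

sshd_value() {   # sshd_value FILE KEYWORD -> value used in the global section
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        tolower($1) == "match"   { exit }             # global section ends here
        tolower($1) == tolower(key) {                 # keywords ignore case
            $1 = ""; sub(/^[ \t]+/, ""); print; exit  # first occurrence wins
        }' "$1"
}

audit_sshd() {   # audit_sshd FILE -> one FAIL line per mismatch, status 1 if any
    rc=0
    while read -r key want; do
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s: got "%s", want "%s"\n' "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
IgnoreRhosts yes
EOF
    return $rc
}

# Constructed sample: the hardening line was appended below a stock
# "PasswordAuthentication yes", so the earlier line still takes effect.
sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real host
permitrootlogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
IgnoreRhosts yes
AuthenticationMethods publickey
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
    printf '%s\n' "$f"
}
```

Running `audit_sshd "$(sample_config)"` reports the password setting as a failure even though the file ends with `PasswordAuthentication no`.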
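The sweeps on slides 17 and 18 change modes in place as they walk the filesystem. The following is an added example, not part of the deck: a report-only pass that lists what those sweeps would touch, passing paths as arguments so names containing spaces survive. The function names and the scratch tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report-only version of the slide 17-18 permission sweeps.

# Print world-writable directories under $1 that lack the sticky bit.
unsticky_dirs() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
}

# Print SUID/SGID regular files under $1 that are not listed, one exact path
# per line, in the allow-list file $2 (allowed_suid_list.txt on the slide).
unauthorized_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        allow=$1; shift
        for f in "$@"; do
            grep -Fxq -- "$f" "$allow" || printf "%s\n" "$f"
        done' sh "$2" {} +
}

# Constructed fixture: a scratch tree standing in for "/" so the sweep can be
# tried without touching the real system. Prints the path of the tree.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/tmp" "$d/bin"
    chmod 0755 "$d/bin"
    chmod 0777 "$d/shared"      # world-writable, no sticky bit: reported
    chmod 1777 "$d/tmp"         # world-writable with sticky bit: not reported
    : > "$d/bin/passwd"
    : > "$d/bin/odd tool"       # name with a space, not on the allow list
    chmod 4755 "$d/bin/passwd" "$d/bin/odd tool"
    printf '%s\n' "$d/bin/passwd" > "$d/allowed_suid_list.txt"
    printf '%s\n' "$d"
}

# Usage on a real host (as root), reviewing the output before any chmod:
#   unsticky_dirs /
#   unauthorized_suid / /root/allowed_suid_list.txt
```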