This document provides guidance on hardening a Linux server for security. It recommends following the CIS and NSA security benchmarks. It suggests choosing a server-oriented Linux distribution, keeping partitions and filesystems separate, encrypting partitions and the running server, securing the boot process, using iptables and TCP wrappers for firewalls, restricting root access and using sudo, enforcing password policies, removing unnecessary packages and services, securing remote administration like SSH, disabling unnecessary Linux modules, and implementing auditing and integrity checks.
4. CHOOSE A FLAVOUR?
For better or worse, there is no one "Linux". Instead, there are many Linux
distributions that all run the Linux kernel.
"Server distributions differ from desktop versions and security distros, both in
packages and in support."
5. DIVISION OF LABOUR
The basic idea behind protecting a Linux server is to have the system
administrator control the work of the entire server and install only the
packages that are necessary for the planned services.
• BASIC
• SERVER (WEB, DNS, MAIL)
• DESKTOP
6. KEEP IT SEPARATED (FILE SYSTEM PARTITIONING)
Keep partitions separate for better administration and security.
8. ENCRYPTING THE RUNNING SERVER
• To encrypt a partition using dm-crypt + LUKS on Linux:
• $ sudo yum install cryptsetup
• $ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1
(luksFormat overwrites the partition; back up any data on /dev/sdb1 first.)
• $ sudo cryptsetup luksDump /dev/sdb1
• $ sudo cryptsetup luksOpen /dev/sdb1 sdb1
• Follow FIPS 140:
• Install the dracut-fips package:
# yum install dracut-fips
• Recreate the initramfs image:
# dracut -f
9. SECURE THE BOOT
Require the root password to access run level 1 (single-user mode):
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
Disable the Ctrl-Alt-Del reboot by commenting out its inittab entry:
perl -npe 's|ca::ctrlaltdel:/sbin/shutdown|#ca::ctrlaltdel:/sbin/shutdown|' -i /etc/inittab
Password protecting GRUB:
/sbin/grub-md5-crypt
Add the following line to the GRUB configuration file:
password --md5 <password-hash>
Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.
The next time the system boots, the GRUB menu prevents access to the editor or
command interface without first pressing p followed by the GRUB password.
10. IPFILTERS & TCP WRAPPERS
iptables has the following 4 built-in tables:
• FILTER table (INPUT, OUTPUT, FORWARD chains)
• NAT table (PREROUTING, POSTROUTING, OUTPUT chains)
• MANGLE table (PREROUTING, OUTPUT, FORWARD, INPUT, POSTROUTING chains)
• RAW table (PREROUTING, OUTPUT chains)
• TCP wrappers for a restrictive network: edit
• /etc/hosts.allow
• /etc/hosts.deny
11. EGRESS FILTERING FOR A HEALTHIER INTERNET
When your SERVER is compromised, you are no longer the innocent party trying to
defend yourself; to other machines you have become the attacker.
Egress rules are written like ingress rules: just reverse the -d / --dport
(destination address / destination port) and -s / --sport (source address /
source port) arguments.
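As an added example (not from the slides), the following script builds an iptables-restore ruleset for a web-only server that filters egress as well as ingress; the outbound port list (DNS, NTP, HTTPS for updates) is an assumption to be adjusted per server, and dropped egress is logged so an unexpected outbound connection shows up in the logs.

```shell
#!/bin/sh
# Added example (not from the slides): generate an iptables-restore ruleset
# for a web-only server that filters egress as well as ingress. Inbound, only
# the offered service ports are accepted; outbound, only what the server
# itself needs (assumed here: DNS and NTP over UDP, HTTPS for updates).
# Everything else is logged and dropped. Review the output, then load it on a
# real host with "iptables-restore < rules.v4".

IN_TCP_PORTS="80 443"    # services this server offers
OUT_TCP_PORTS="443"      # e.g. package repositories over HTTPS (assumed)
OUT_UDP_PORTS="53 123"   # DNS resolver and NTP (assumed)

# One ACCEPT rule for a new connection. For ingress the server is the
# destination, so the service port is --dport on INPUT; for egress the roles
# of source and destination are reversed: the remote service port is --dport
# on OUTPUT, and our own address/port would be matched with -s / --sport.
new_conn_rule() {  # $1 = INPUT|OUTPUT, $2 = tcp|udp, $3 = port
    printf -- '-A %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$2" "$3"
}

# Print the complete filter table. Replies to accepted connections are
# handled by the ESTABLISHED,RELATED rules, so no per-port reply rules
# (the --sport form) are needed in either direction.
web_server_ruleset() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n-A OUTPUT -o lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for p in $IN_TCP_PORTS;  do new_conn_rule INPUT  tcp "$p"; done
    for p in $OUT_TCP_PORTS; do new_conn_rule OUTPUT tcp "$p"; done
    for p in $OUT_UDP_PORTS; do new_conn_rule OUTPUT udp "$p"; done
    # Log what a compromised server would try before dropping it: an
    # unexpected outbound connection is a strong compromise indicator.
    printf -- '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "\n'
    printf 'COMMIT\n'
}

# Count the rules that open new connections in a chain, to sanity-check the
# generated policy against the intended port lists.
count_new_conn_rules() {  # $1 = INPUT|OUTPUT
    web_server_ruleset | grep -c -- "^-A $1 .*--ctstate NEW -j ACCEPT"
}

web_server_ruleset
```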
13. THE "RIGHTS"
Restrict root:
No one other than root should be allowed in root's home directory. The default
settings are close to this, but not quite paranoid enough.
echo "tty1" > /etc/securetty    (limits direct root logins to the first console)
chmod 700 /root
USE SUDO:
sudo allows granular control over privileged actions. This way an administrator
can start, stop and otherwise manage the web server without being able to affect
other services.
14. PERMISSIONS & PASSWORDS
• Narrow down rights for system files and folders:
chmod 700 (files owned by root)
chown root:root (files owned by root)
Set a cron job to check the permissions periodically.
• Upgrade the password hashing algorithm to SHA-512:
# authconfig --passalgo=sha512 --update
16. CLEANUP!
Delete unused user accounts:
# userdel <account>   (e.g. shutdown, halt, games, operator, gopher)
Disable unnecessary services:
# for i in rpcbind restorecond nfslock lldpad fcoe rpcidmapd; do service $i stop; chkconfig $i off; done
Remove unnecessary packages:
# yum groupremove <group names>
# sudo apt-get remove pino
Make sure no non-root accounts have UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
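As an added example (not from the slides), the following script turns the slide's checks into a repeatable account audit: extra UID 0 accounts, leftover accounts that should be removed with userdel, and, one step beyond the slide, accounts with an empty password field. The passwd and shadow files are constructed samples; on a real host pass /etc/passwd and /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the slides): audit passwd/shadow for the items the
# CLEANUP slide lists: accounts other than root with UID 0, leftover accounts
# that should be removed with userdel, and (one step further than the slide)
# accounts with an empty password field. The sample files are constructed so
# the script runs offline; on a real host pass /etc/passwd and /etc/shadow.

# Accounts the slide names as candidates for userdel.
UNUSED_ACCOUNTS="shutdown halt games operator gopher"

# Constructed /etc/passwd: a legitimate root, a second UID 0 account ("toor"),
# a leftover "games" account and a normal user.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:toor:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed /etc/shadow: alice has an empty password field, so no password
# is asked for at login. The hashes are placeholders.
SHADOW_SAMPLE='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
toor:$6$saltsalt$placeholderhash:19000:0:99999:7:::
games:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice::19000:0:99999:7:::'

# Accounts with UID 0 other than root (the slide's awk one-liner, restricted
# to the accounts that should not be there).
uid0_accounts() {  # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts from UNUSED_ACCOUNTS that still exist in the passwd file.
unused_accounts_present() {  # $1 = passwd file
    for name in $UNUSED_ACCOUNTS; do
        awk -F: -v n="$name" '$1 == n { print $1 }' "$1"
    done
}

# Accounts whose shadow password field is empty.
empty_password_accounts() {  # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# All findings, one per line, so they can be reviewed before acting on them.
account_findings() {  # $1 = passwd file, $2 = shadow file
    uid0_accounts "$1"           | sed 's/^/extra UID 0 account: /'
    unused_accounts_present "$1" | sed 's/^/leftover account (userdel): /'
    empty_password_accounts "$2" | sed 's/^/empty password field: /'
}

# Write the constructed samples to temporary files and run the audit.
PASSWD_FILE=$(mktemp) && printf '%s\n' "$PASSWD_SAMPLE" > "$PASSWD_FILE"
SHADOW_FILE=$(mktemp) && printf '%s\n' "$SHADOW_SAMPLE" > "$SHADOW_FILE"
account_findings "$PASSWD_FILE" "$SHADOW_FILE"
```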
17. BASH HARDENING
• Define read-only environment variables, so they cannot be overwritten by users
(declare -r HISTFILE=~/.bash_history && chattr +a ~/.bash_history; the append-only
attribute lets new entries be written but prevents the file from being truncated)
• HISTFILESIZE -> maximum number of lines to keep in the history file
• HISTSIZE -> maximum number of commands stored in memory
• HISTTIMEFORMAT -> date/time format to store with each command execution
• Force a commit to HISTFILE every time a command is typed instead of at logout
-> declare -r PROMPT_COMMAND="history -a"
• Limit the login session timeout -> declare -r TMOUT=120
18. AVOID THE FORK BOMBS
• The ulimit and sysctl programs allow limiting resource use. This can help a lot in
system administration, e.g. when a user starts too many processes and therefore makes
the system unresponsive for other users.
• # ulimit -u 30
# ulimit -a
…
max user processes (-u) 30
• # sysctl -a
…
vm.swappiness = 60
• # sysctl vm.swappiness=0
vm.swappiness = 0
• Once the process limit is reached, further process creation fails with
"fork: resource temporarily unavailable".
19. STRIPPING DOWN LINUX
(REMOVE THE UNNECESSARY PACKAGES)
• One of the simplest ways to hinder an intruder is to remove unnecessary
system binaries. On a typical Linux server, there are many unneeded tools,
which can be useful to an attacker who gains entry.
• Unnecessary binaries
• Network utilities
• Compilers and interpreters
20. SECURE REMOTE ADMINISTRATION
• Remove legacy, insecure tools.
• Make sure to keep the crypto libraries updated (patch them).
• Avoid installing an SSH client on the server.
• Harden SSH.
• Use jump hosts or a VPN to connect.
• Avoid using passwords; start using key-based authentication.
• Remove the non-SSL services:
# yum erase xinetd tftp-server ypserv telnet-server rsh-server
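As an added example (not from the slides), the following script checks an sshd_config for the settings the slide asks for: no root login, key-based instead of password authentication, no empty passwords, no X11 forwarding. The config it reads is a constructed sample with two weak settings; the required values and the OpenSSH defaults used for absent directives are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (not from the slides): check an sshd_config for the settings
# the slide calls for (key-based instead of password authentication, no root
# login, no legacy features). The config below is constructed; on a real
# host point the functions at /etc/ssh/sshd_config or, better, at the output
# of "sshd -T", which shows the effective values after defaults and Match
# blocks are applied.

SSHD_SAMPLE='# constructed sshd_config with two weak settings
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
X11Forwarding no
PermitEmptyPasswords no'

# Effective value of one directive. sshd honours the FIRST occurrence of a
# keyword, ignores comment lines and matches keywords case-insensitively;
# an absent keyword means the compiled-in default ($3) applies.
sshd_value() {  # $1 = config file, $2 = keyword, $3 = default
    v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Compare one directive with the required value and print the result.
check_directive() {  # $1 = file, $2 = keyword, $3 = required, $4 = default
    actual=$(sshd_value "$1" "$2" "$4")
    if [ "$actual" != "$3" ]; then
        printf 'FAIL %s=%s (want %s)\n' "$2" "$actual" "$3"
        return 1
    fi
    printf 'ok   %s=%s\n' "$2" "$actual"
}

# The checks. Defaults are OpenSSH's: PasswordAuthentication yes (so a
# missing line is a finding), PermitRootLogin prohibit-password (7.0+).
audit_sshd_config() {  # $1 = config file; exit status = number of failures
    fails=0
    check_directive "$1" PermitRootLogin no prohibit-password || fails=$((fails+1))
    check_directive "$1" PasswordAuthentication no yes || fails=$((fails+1))
    check_directive "$1" PubkeyAuthentication yes yes || fails=$((fails+1))
    check_directive "$1" PermitEmptyPasswords no no || fails=$((fails+1))
    check_directive "$1" X11Forwarding no no || fails=$((fails+1))
    return $fails
}

sshd_failure_count() {  # $1 = config file; prints the number of failures
    audit_sshd_config "$1" | grep -c '^FAIL'
}

SSHD_FILE=$(mktemp) && printf '%s\n' "$SSHD_SAMPLE" > "$SSHD_FILE"
audit_sshd_config "$SSHD_FILE" || echo "failures: $?"
```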
22. KEY BASED AUTHENTICATION
# ssh-keygen
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 username@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
| ..o             |
| E o= .          |
| o. o            |
| ..              |
| ..S             |
| o o.            |
| =o.+.           |
|. =++..          |
|o=++.            |
+-----------------+
23. KERNEL HARDENING: DISABLE AND BLACKLIST LINUX MODULES
• The Linux kernel is modular, which makes it more flexible than monolithic kernels. New
functionality can easily be added to a running kernel by loading the related module.
One option to disallow loading modules is to blacklist them.
# modinfo <module>
# modprobe --showconfig | grep blacklist
Edit /etc/modprobe.d/blacklist-firewire.conf
# modprobe --showconfig | grep "^install" | grep "/bin"
By setting the kernel parameter kernel.modules_disabled to 1, we can make sure things
are really tightened: even the root user cannot load any modules anymore. (Once set,
the value cannot be changed back without a reboot.)
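As an added example (not from the slides), the following script writes the modprobe blacklist and the kernel.modules_disabled sysctl described above and verifies that each listed module is both blacklisted and has its install command overridden. The module list and file names are assumptions; the target root directory is a parameter so the script runs offline against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the slides): write the modprobe blacklist and the
# kernel.modules_disabled sysctl the slide describes, and verify that every
# listed module is both blacklisted and has its install command overridden.
# The target root is a parameter so the script runs offline against a temp
# directory; on a real host use "/" and confirm with the slide's
# "modprobe --showconfig | grep blacklist" and "... | grep ^install" checks.

# Modules to disable: the slide's firewire example plus usb-storage. The list
# is an assumption; adjust it to the server's hardware and workload.
DISABLED_MODULES="firewire-core firewire-ohci usb-storage"

# "blacklist <mod>" only stops automatic loading via aliases; an explicit
# "modprobe <mod>" still works. "install <mod> /bin/false" makes that fail
# too, so both lines are written for each module.
write_module_blacklist() {  # $1 = root dir
    conf="$1/etc/modprobe.d/hardening.conf"
    mkdir -p "$(dirname "$conf")"
    : > "$conf"
    for m in $DISABLED_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m" >> "$conf"
    done
}

# kernel.modules_disabled is one-way: once set to 1 on a running kernel it
# cannot be cleared without a reboot, so load every needed module first.
write_modules_disabled_sysctl() {  # $1 = root dir
    conf="$1/etc/sysctl.d/99-modules-disabled.conf"
    mkdir -p "$(dirname "$conf")"
    printf 'kernel.modules_disabled = 1\n' > "$conf"
}

# Print the modules from DISABLED_MODULES that are missing either directive
# in the modprobe.d files under the root; empty output means all are covered.
modules_not_fully_disabled() {  # $1 = root dir
    all=$(cat "$1"/etc/modprobe.d/*.conf 2>/dev/null)
    for m in $DISABLED_MODULES; do
        printf '%s\n' "$all" | grep -q "^blacklist $m\$" || { echo "$m"; continue; }
        printf '%s\n' "$all" | grep -Eq "^install $m /bin/(false|true)\$" || echo "$m"
    done
}

# Prints 1 if kernel.modules_disabled=1 is configured under the root, else 0.
modules_disabled_configured() {  # $1 = root dir
    grep -hq '^kernel.modules_disabled *= *1$' "$1"/etc/sysctl.d/*.conf 2>/dev/null \
        && echo 1 || echo 0
}

ROOT=$(mktemp -d)
write_module_blacklist "$ROOT"
write_modules_disabled_sysctl "$ROOT"
echo "not fully disabled: $(modules_not_fully_disabled "$ROOT")"
```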
25. CRITICAL, UNKNOWN AND THIRD PARTY
• SELINUX: Security-Enhanced Linux (SELinux) is a Linux feature that provides a
variety of security policies for the Linux kernel.
• APPARMOR (Application Armor) is another security software for Linux,
maintained and released by Novell under the GPL. AppArmor was created as an
alternative to SELinux. AppArmor works with file paths.
• GRSECURITY is a set of patches for the Linux kernel with an emphasis on
enhancing security. It utilizes a multi-layered detection, prevention, and
containment model.
26. AUDIT, LOG, INTEGRITY CHECK
Record events that modify date and time information, the system's network
environment, the system's mandatory access controls, and unsuccessful
unauthorized access attempts to files.
Install AIDE and implement periodic execution of file integrity checks.
(TRIPWIRE, AIDE, AUDITD, LOGWATCH)
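As an added example (not from the slides), the following script writes an auditd rules fragment covering the four event classes listed above, following the CIS benchmark pattern the deck refers to, and provides two small checks over the written file. The file name, the auid threshold of 1000 and the SELinux path are assumptions; the target root is a parameter so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the slides): write an auditd rules fragment for the
# four event classes the slide lists (time changes, network environment,
# mandatory access controls, failed file access) and check the keys and
# watched paths it defines. Rules follow the CIS benchmark pattern; the root
# directory is a parameter so the script runs offline against a temp dir.
# On a real host use "/", load with "augenrules --load" (or restart auditd),
# confirm with "auditctl -l" and query the trail with "ausearch -k <key>".

write_audit_rules() {  # $1 = root dir
    rules="$1/etc/audit/rules.d/50-hardening.rules"
    mkdir -p "$(dirname "$rules")"
    cat > "$rules" <<'EOF'
## Events that modify date and time information
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -S stime -k time-change
-w /etc/localtime -p wa -k time-change
## Events that modify the system's network environment
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
## Events that modify the system's mandatory access controls (SELinux)
-w /etc/selinux/ -p wa -k MAC-policy
## Unsuccessful unauthorized access attempts to files (EACCES / EPERM) by
## real logged-in users (auid >= 1000); 4294967295 is the "unset" auid
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
EOF
}

# Distinct -k keys defined in a rules file, one per line, sorted. These are
# the handles used with "ausearch -k" when reviewing the trail.
audit_rule_keys() {  # $1 = rules file
    awk '/^-/ { for (i = 1; i < NF; i++) if ($i == "-k") print $(i + 1) }' "$1" |
        LC_ALL=C sort -u
}

# Paths watched with -w, to compare the file-watch coverage with the slide.
audit_watched_paths() {  # $1 = rules file
    awk '$1 == "-w" { print $2 }' "$1"
}

ROOT=$(mktemp -d)
write_audit_rules "$ROOT"
RULES_FILE="$ROOT/etc/audit/rules.d/50-hardening.rules"
echo "keys: $(audit_rule_keys "$RULES_FILE" | tr '\n' ' ')"
```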