Linux Security Crash Course
February 7th, 2018
Get in touch with us
Mailing List - Sign in and check “Add to Mailing List”
Website - csg.utdallas.edu
Slack - #csg on ecsutd.slack.com
Email - utdcsg@gmail.com
Announcements
Lab Hangouts - ECSS 4.619 - 4 PM Thursday - February 15
Pentesting Session - FO 1.202 February 24th, 1 - 4pm
State Farm CTF Sign-up - March 5th - 12th
Linux Security Crash Course
1. Authentication
a. PAM
2. Authorization
a. sudo
b. setuid & setgid
c. capabilities
d. ACL
3. Audit
a. auditd
4. Services
a. sshd
5. Firewall
a. iptables
b. firewalld
6. Intrusion Detection
a. AIDE
7. Compliance
a. OpenSCAP
Authentication
Pluggable Authentication Modules (PAM)
Provides authentication for Linux
A configurable collection of modules used to authenticate users
Used by most services that need to authenticate a user
PAM System Auth
PAM - Tasks
PAM supports the following tasks:
● auth - verify the user’s identity
● account - confirm the user can do the requested action
● session - control tasks at the beginning and end of a session
● password - control steps around changing passwords
PAM - Controls
Modules support the following controls:
● required - a failure makes the stack fail, but only after the remaining modules have run
● requisite - a failure makes the stack fail immediately
● sufficient - a success (with no prior required failure) makes the stack succeed immediately
● optional - only matters if it is the only module in the stack
PAM - Useful Modules
pam_faildelay - Sets how long the user is delayed after a failed attempt
pam_unix - Authentication from /etc/passwd and /etc/shadow
pam_succeed_if - Set constraints on attributes like uid
pam_pwquality - Set constraints on new passwords
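How the four controls combine in practice, as an added example that is not part of the slides: a small Python model of one auth stack using stub modules named after the slide's pam_faildelay, pam_succeed_if and pam_unix, plus pam_deny (the usual last line of a system-auth stack). The user table and module bodies are constructed stubs; no real PAM library is involved.

```python
"""PAM control-flag evaluator (added example; stub modules, not real PAM).

Models how one PAM task stack (here 'auth') combines module results under
the four controls: required, requisite, sufficient, optional. The module
names are real; their bodies are stubs over a constructed user table.
"""
from typing import Callable, List, Optional, Tuple

# Constructed demo "user database" standing in for /etc/passwd and /etc/shadow.
USERS = {"alice": {"uid": 1000, "password": "correct-horse"},
         "root": {"uid": 0, "password": "secret"}}

# One stack entry: (control, module name, module(user, password) -> succeeded?)
Entry = Tuple[str, str, Callable[[str, str], bool]]


def run_stack(stack: List[Entry], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate a stack; return (authenticated?, names of modules that ran).

    impression is the stack's verdict so far: None = undecided, True =
    positive, False = negative (this mirrors Linux-PAM's dispatch logic).
    """
    impression: Optional[bool] = None
    ran: List[str] = []
    for control, name, module in stack:
        ran.append(name)
        ok = module(user, password)
        if control == "required":
            # a failure is remembered but the remaining modules still run, so
            # the caller cannot tell which required module rejected the attempt
            if not ok:
                impression = False
            elif impression is None:
                impression = True
        elif control == "requisite":
            # a failure ends the stack immediately
            if not ok:
                return False, ran
            if impression is None:
                impression = True
        elif control == "sufficient":
            # a success ends the stack with success unless a required module
            # already failed; a failure is simply ignored
            if ok and impression is not False:
                return True, ran
        elif control == "optional":
            # counts only when nothing else has decided the outcome
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unknown control {control!r}")
    # an undecided stack (e.g. only failing sufficient modules) denies access
    return impression is True, ran


def pam_faildelay(user: str, password: str) -> bool:
    return True                      # only delays the reply after a failure


def pam_succeed_if_uid_ge_1000(user: str, password: str) -> bool:
    return USERS.get(user, {}).get("uid", -1) >= 1000


def pam_unix(user: str, password: str) -> bool:
    return USERS.get(user, {}).get("password") == password


def pam_deny(user: str, password: str) -> bool:
    return False


# Shape of a typical /etc/pam.d/system-auth 'auth' section.
SYSTEM_AUTH: List[Entry] = [
    ("required",   "pam_faildelay",  pam_faildelay),
    ("requisite",  "pam_succeed_if", pam_succeed_if_uid_ge_1000),  # uid >= 1000
    ("sufficient", "pam_unix",       pam_unix),
    ("required",   "pam_deny",       pam_deny),
]


def authenticate(user: str, password: str) -> Tuple[bool, List[str]]:
    return run_stack(SYSTEM_AUTH, user, password)


if __name__ == "__main__":
    for u, p in [("alice", "correct-horse"), ("alice", "wrong"), ("root", "secret")]:
        ok, ran = authenticate(u, p)
        print(f"{u:6} -> {'PASS' if ok else 'FAIL'}  ran: {', '.join(ran)}")
```

Note that the requisite pam_succeed_if line stops the stack for root before pam_unix ever runs, while a wrong password for alice still runs every module, which is exactly the required/requisite difference the slide lists.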
PAM - Malicious Uses
Given a user with root access to the system:
● Add a malicious module that logs users’ passwords
● Add a malicious module that sets a password backdoor
● Change the configuration to lock out users
https://github.com/eurialo/pambd/
Authorization
Sudo
● A program that allows users to run programs with different security privileges
● sudo defaults to running as the superuser (root), granting greater privileges
● Different from the command su because users supply their own password instead of root’s
● Configured in /etc/sudoers, which lists all users allowed to use sudo
Sudo
sudo su username -- switches to the user username
sudo -i -- switches to the root user’s login environment
sudo -s -- runs a root shell in the current directory
sudo -l -U username -- lists the commands username is allowed to run via sudo
Sudo Replay
To enable sudoreplay, add the following to /etc/sudoers with sudo visudo:
Defaults log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults!/sbin/reboot !log_output
sudoreplay -l (lists all recorded sudo sessions and the users who ran them)
setuid & setgid
Part of the “mysterious” first octet of chmod
setuid - sets the process’s effective user to the owner of the file
setgid - sets the process’s effective group to the group of the file
Generally used to grant root permissions to an executable (e.g. sudo)
Finding setuid and setgid binaries
setuid - find <path> -perm -4000
setgid - find <path> -perm -2000
Consequences of setuid & setgid binaries
● A system is only as secure as its root-owned setuid & setgid binaries
● GNU Screen exploit
● Makes for fun CTF/Wargame challenges
Capabilities
Added in kernel 2.2 (1999)
Splits the traditional all-or-nothing permission model (root or not) into granular capabilities
Follows the principle of least privilege
Capabilities - Actively in use
/usr/bin/ping = cap_net_raw+p
As ping requires access to a raw socket, systems without capabilities require ping to be setuid root
Managing Capabilities
getcap - list the capabilities of a file
setcap - set the capabilities of a file
capsh --print - list the capabilities of the current process
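The two find commands above and getcap answer "what privileged binaries exist right now"; what an administrator actually wants is to know when that set changes. The following added example (not from the slides) inventories setuid/setgid files and files carrying a file capability under a directory and diffs the result against a saved baseline. The demo tree is constructed in a temporary directory; against a real system you would run it as root with `/` as the root and keep the baseline somewhere the scanned host cannot modify.

```python
"""Inventory privileged executables and diff them against a baseline.

Added example (not from the slides). Finds what 'find -perm -4000' and
'find -perm -2000' find, plus files carrying the security.capability xattr
that getcap reads. The demo tree is constructed in a temporary directory.
"""
import os
import stat
import tempfile
from typing import Dict, List


def has_file_capability(path: str) -> bool:
    """True if the file carries a security.capability xattr (Linux only)."""
    try:
        return "security.capability" in os.listxattr(path, follow_symlinks=False)
    except (AttributeError, OSError):      # not Linux, or no xattr support
        return False


def privileged_files(root: str) -> Dict[str, str]:
    """Map path -> 'setuid', 'setgid', 'filecap' or a '+'-joined combination
    for every regular file under root, staying on root's filesystem (-xdev)."""
    root_dev = os.lstat(root).st_dev
    found: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            tags: List[str] = []
            if st.st_mode & stat.S_ISUID:
                tags.append("setuid")
            if st.st_mode & stat.S_ISGID:
                tags.append("setgid")
            if has_file_capability(path):
                tags.append("filecap")
            if tags:
                found[path] = "+".join(tags)
    return found


def save_baseline(inventory: Dict[str, str], baseline_path: str) -> None:
    with open(baseline_path, "w") as fh:
        for path in sorted(inventory):
            fh.write(f"{inventory[path]} {path}\n")


def load_baseline(baseline_path: str) -> Dict[str, str]:
    inventory: Dict[str, str] = {}
    with open(baseline_path) as fh:
        for line in fh:
            tag, _, path = line.rstrip("\n").partition(" ")
            inventory[path] = tag
    return inventory


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Privileged files that appeared, disappeared or changed tag since the
    baseline; 'added' is the list an administrator should read first."""
    return {
        "added":   sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
    }


def demo() -> Dict[str, object]:
    """Build a constructed tree, baseline it, add one more setuid file and
    re-check. Returns basenames so the result is independent of the temp path."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name, mode in [("ping", 0o4755), ("wall", 0o2755), ("ls", 0o755)]:
            path = os.path.join(bindir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        baseline_file = os.path.join(root, "baseline.txt")   # outside bindir
        save_baseline(privileged_files(bindir), baseline_file)
        late = os.path.join(bindir, "newtool")               # appears afterwards
        open(late, "w").close()
        os.chmod(late, 0o4755)
        baseline = load_baseline(baseline_file)
        diff = compare(baseline, privileged_files(bindir))
        return {"baseline": {os.path.basename(p): t for p, t in baseline.items()},
                **{k: [os.path.basename(p) for p in v] for k, v in diff.items()}}


if __name__ == "__main__":
    print(demo())
```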
Capabilities - Consequences (?)
Some claim many capabilities can be abused to achieve root access
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271 - February 2002
File Access Control List (ACL)
Similar to chmod
Lets you grant access to files and directories to specific users and groups
Gives more fine-grained permissions on files for individual users and groups
File ACL
getfacl <directory or file> -- shows owner, group and permissions, including ACL entries
setfacl -m user:username:rwx,group:groupname:rwx <directory> -- -m modifies the ACL; this grants the named user and group read, write and execute permission on the directory
Audit
Auditd
● Provides more information should an incident occur
● Designed to allow admins to quickly show what activity has been happening
● Rule based, so can be hard to manage
Auditd - Auditing Events
● File Access
● System Calls
● Commands Run
● Failed Logins
● Firewall Changes
Auditd - RedHat Examples
File System Changes:
auditctl -w /etc/passwd -p wa -k passwd_changes
File Execution:
auditctl -w /sbin/insmod -p x -k module_insertion
System Call:
auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
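What those three rules produce in /var/log/audit/audit.log, and why the -k key matters, as an added example that is not part of the slides: each event is several records sharing one audit(timestamp:serial) id, and the key is what lets you pull a rule's hits back out. The records below are constructed to resemble real output; ausearch and aureport do this correlation for real.

```python
"""Correlate raw auditd records into events and group them by rule key.

Added example (not from the slides). The log lines are constructed to look
like what the slide's three auditctl rules emit.
"""
import re
from collections import defaultdict
from typing import Dict, List

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: a sudo'd user editing /etc/passwd, the same user loading a
# kernel module, and an ordinary user failing to set the clock.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1518032400.123:4711): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2001 pid=2048 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=CWD msg=audit(1518032400.123:4711): cwd="/root"
type=PATH msg=audit(1518032400.123:4711): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1518032400.123:4711): proctitle=76696D002F6574632F706173737764
type=SYSCALL msg=audit(1518032455.901:4712): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2001 pid=2077 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="insmod" exe="/usr/bin/kmod" key="module_insertion"
type=PATH msg=audit(1518032455.901:4712): item=0 name="/sbin/insmod" inode=5678 dev=fd:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1518032455.901:4712): proctitle=696E736D6F6400666F6F2E6B6F
type=SYSCALL msg=audit(1518032510.017:4713): arch=c000003e syscall=164 success=no exit=-1 items=0 ppid=3100 pid=3105 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=4 comm="date" exe="/usr/bin/date" key="time_change"
type=PROCTITLE msg=audit(1518032510.017:4713): proctitle=64617465002D73003230313830323037
"""

AUID_UNSET = 4294967295   # auid of processes not started from a login session


def parse_events(text: str) -> Dict[str, dict]:
    """Return serial -> event dict assembled from all records with that serial."""
    events: Dict[str, dict] = defaultdict(lambda: {"records": [], "paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue                                # not an audit record
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))       # values keep their quotes
        ev = events[serial]
        ev["time"] = float(ts)
        ev["records"].append(rtype)
        if rtype == "SYSCALL":
            key = fields.get("key", "(null)").strip('"')
            ev["key"] = None if key == "(null)" else key
            ev["auid"] = int(fields["auid"])        # login uid: who really logged in
            ev["uid"] = int(fields["uid"])          # identity the process acted as
            ev["syscall"] = int(fields["syscall"])
            ev["success"] = fields.get("success") == "yes"
            ev["exe"] = fields.get("exe", "").strip('"')
        elif rtype == "PATH":
            ev["paths"].append(fields["name"].strip('"'))
        elif rtype == "PROCTITLE":
            raw = fields["proctitle"]
            # plain titles are quoted; anything with spaces is hex, NUL-separated
            ev["cmdline"] = (raw.strip('"') if raw.startswith('"')
                             else bytes.fromhex(raw).replace(b"\0", b" ").decode())
    return dict(events)


def by_key(events: Dict[str, dict]) -> Dict[str, List[dict]]:
    """Group events by the -k key of the rule that matched, oldest first."""
    grouped: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events.values(), key=lambda e: e["time"]):
        grouped[ev.get("key") or "(no key)"].append(ev)
    return dict(grouped)


def privilege_jumps(events: Dict[str, dict]) -> List[str]:
    """Serials where the login uid differs from the acting uid (e.g. via sudo)."""
    return sorted(s for s, e in events.items()
                  if "auid" in e and e["auid"] != AUID_UNSET and e["auid"] != e["uid"])


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, hits in by_key(evs).items():
        for ev in hits:
            print(f"{key:17} auid={ev['auid']} uid={ev['uid']} "
                  f"{'ok ' if ev['success'] else 'ERR'} {ev['exe']}  [{ev.get('cmdline', '')}]")
    print("privilege jumps:", privilege_jumps(evs))
```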
Auditd - Utilities
ausearch - query the audit logs for events
aureport - show an overview of the audited events
Services
SSHD
The SSH service (SSH daemon)
Config located in /etc/ssh/sshd_config
Restart ssh or sshd after every change to the config file
SSHD Config
After opening sshd_config, set:
# stop anyone logging in as root over ssh
PermitRootLogin no
# use key authentication for login over ssh
PubkeyAuthentication yes
# file checked for public keys
AuthorizedKeysFile .ssh/authorized_keys
# disable password login
PasswordAuthentication no
# no empty passwords
PermitEmptyPasswords no
# use PAM settings
UsePAM yes
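A check that the settings above actually took effect, as an added example that is not part of the slides. It applies two sshd_config(5) rules that trip people up: keywords are case-insensitive, and the first value seen for a keyword wins, so a hardened line appended at the end of the file does nothing if an earlier line sets the same keyword. A misspelled keyword is reported too, since sshd refuses to start on an unknown option ("Bad configuration option"); the list of recognised keywords here is deliberately partial, the defaults are those documented in sshd_config(5) for current OpenSSH, and the sample config is constructed.

```python
"""Check an sshd_config against the hardening settings on the slide.

Added example (not from the slides). First value wins, keywords are
case-insensitive, unknown keywords are reported, and only the global section
is checked: directives below a Match line apply conditionally and are skipped.
"""
import re
from typing import Dict, List, Tuple

# keyword (canonical spelling) -> (value the slide recommends, sshd default)
POLICY: Dict[str, Tuple[str, str]] = {
    "PermitRootLogin":        ("no",  "prohibit-password"),
    "PubkeyAuthentication":   ("yes", "yes"),
    "AuthorizedKeysFile":     (".ssh/authorized_keys", ".ssh/authorized_keys .ssh/authorized_keys2"),
    "PasswordAuthentication": ("no",  "yes"),
    "PermitEmptyPasswords":   ("no",  "no"),
    "UsePAM":                 ("yes", "no"),
}
# Other keywords this checker recognises (partial list, enough for the demo).
OTHER_KEYWORDS = {"Port", "ListenAddress", "HostKey", "LogLevel", "SyslogFacility",
                  "MaxAuthTries", "LoginGraceTime", "X11Forwarding", "PrintMotd",
                  "Subsystem", "AcceptEnv", "AllowUsers", "AllowGroups", "Include",
                  "KbdInteractiveAuthentication", "ChallengeResponseAuthentication",
                  "ClientAliveInterval", "ClientAliveCountMax"}
KNOWN = {k.lower(): k for k in list(POLICY) + list(OTHER_KEYWORDS)}

SPLIT_RE = re.compile(r"[ \t=]+")    # sshd accepts 'Key value' and 'Key=value'

# Constructed sample: looks hardened at a glance, but is not.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthenticiation no
PermitEmptyPasswords no
X11Forwarding no
# 'hardening' appended later has no effect: the first value above wins
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def effective_settings(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (first-wins settings keyed by lower-case keyword, unknown keywords)."""
    settings: Dict[str, str] = {}
    unknown: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = SPLIT_RE.split(line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                                  # conditional section follows
        if keyword not in KNOWN:
            unknown.append(parts[0])
            continue
        settings.setdefault(keyword, value)        # first occurrence wins
    return settings, unknown


def audit(text: str) -> List[Tuple[str, str, str, str]]:
    """Findings as (keyword, effective value, recommended, status); status is
    'ok', 'weak' (set to something else), 'default' (unset and the sshd
    default differs from the recommendation) or 'unknown' (unrecognised)."""
    settings, unknown = effective_settings(text)
    findings: List[Tuple[str, str, str, str]] = []
    for keyword, (want, default) in POLICY.items():
        value = settings.get(keyword.lower())
        if value is None:
            status = "ok" if default.lower() == want.lower() else "default"
            value = default
        else:
            status = "ok" if value.lower() == want.lower() else "weak"
        findings.append((keyword, value, want, status))
    findings.extend((k, "", "", "unknown") for k in unknown)
    return findings


if __name__ == "__main__":
    for keyword, value, want, status in audit(SAMPLE_CONFIG):
        print(f"{status:8} {keyword:24} effective={value!r:45} want={want!r}")
```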
Firewall
iptables
iptables allows you to set firewall rules throughout the system, opening and closing ports
It also allows you to block or allow certain IP addresses
It is very important to open only the needed IP addresses and ports; unused ports should not be left open
Firewalld and UFW
Both programs interface with iptables and write to its ruleset, but are easier to use
Firewalld - acts like an API over iptables to add/remove/view rules; default in CentOS/Fedora
UFW - a full GUI built to be used standalone, but uses iptables to add/remove/view rules; default in Ubuntu
Firewalld/firewall-cmd
Start on boot: sudo systemctl enable firewalld
Start in this session: sudo systemctl start firewalld
Status: sudo firewall-cmd --state
Add rule: firewall-cmd --zone=public --add-service=https --permanent (any service name works in place of https; --permanent if you want the rule to persist)
Reload rules: firewall-cmd --reload
UFW
Start: ufw enable
Check status: ufw status
Allow port: ufw allow 22 or ufw allow 22/tcp
Deny rule: ufw deny 22 or ufw deny 22/tcp
Intrusion Detection
AIDE - Linux Configuration
Linux is primarily configured through text files
Users - /etc/passwd
Passwords - /etc/shadow
Authentication - /etc/pam.d/*
AIDE - Advanced Intrusion Detection Environment
Stores the file system state and compares it on subsequent runs
AIDE - Cron checking
Running AIDE in check mode from a cron job can quickly detect configuration changes
Cron can send email on task failure
Compliance
Corporate Standards
Legal Standards (PCI, FIPS)
Security Content Automation Protocol (SCAP)
NIST standard to allow automated configuration for a secure environment
Linux implementation - OpenSCAP
GUI - SCAP Workbench
OpenSCAP - https://www.open-scap.org
Further reading
SELinux
AppArmor

More Related Content

What's hot

CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server HardeningMyOwn Telco
 
Cisco Ios Suneet
Cisco Ios SuneetCisco Ios Suneet
Cisco Ios Suneetguest575e9c
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideHarris Andrea
 
How to train your L3DSR with PBR - MEMO -
How to train your L3DSR with PBR - MEMO -How to train your L3DSR with PBR - MEMO -
How to train your L3DSR with PBR - MEMO -Naoto MATSUMOTO
 
Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Nutan Kumar Panda
 
NAT with ASA & ASA Security Context
NAT with ASA & ASA Security ContextNAT with ASA & ASA Security Context
NAT with ASA & ASA Security ContextNetProtocol Xpert
 
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit ModeSetting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit ModeDhruv Sharma
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxSecurity Session
 
Squid Caching for Web Content Accerlation
Squid Caching for Web Content AccerlationSquid Caching for Web Content Accerlation
Squid Caching for Web Content Accerlationrahul8590
 
Sistemas operacionais 8
Sistemas operacionais 8Sistemas operacionais 8
Sistemas operacionais 8Nauber Gois
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEAModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEANGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetNGINX, Inc.
 
opensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for Tumbleweedopensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for TumbleweedMarcus Meissner
 
Fully Automated Nagios (FAN)
Fully Automated Nagios (FAN)Fully Automated Nagios (FAN)
Fully Automated Nagios (FAN)Kaustubh Padwad
 

What's hot (20)

CentOS Linux Server Hardening
CentOS Linux Server HardeningCentOS Linux Server Hardening
CentOS Linux Server Hardening
 
Recon
ReconRecon
Recon
 
Cisco Ios Suneet
Cisco Ios SuneetCisco Ios Suneet
Cisco Ios Suneet
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
 
How to train your L3DSR with PBR - MEMO -
How to train your L3DSR with PBR - MEMO -How to train your L3DSR with PBR - MEMO -
How to train your L3DSR with PBR - MEMO -
 
Rdo mitaka
Rdo mitakaRdo mitaka
Rdo mitaka
 
Devstack
DevstackDevstack
Devstack
 
Project on squid proxy in rhel 6
Project on squid proxy in rhel 6Project on squid proxy in rhel 6
Project on squid proxy in rhel 6
 
NAT with ASA & ASA Security Context
NAT with ASA & ASA Security ContextNAT with ASA & ASA Security Context
NAT with ASA & ASA Security Context
 
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit ModeSetting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
 
论文答辩
论文答辩论文答辩
论文答辩
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
Squid Caching for Web Content Accerlation
Squid Caching for Web Content AccerlationSquid Caching for Web Content Accerlation
Squid Caching for Web Content Accerlation
 
Sistemas operacionais 8
Sistemas operacionais 8Sistemas operacionais 8
Sistemas operacionais 8
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEAModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule SetModSecurity and NGINX: Tuning the OWASP Core Rule Set
ModSecurity and NGINX: Tuning the OWASP Core Rule Set
 
opensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for Tumbleweedopensuse conference 2015: security processes and technologies for Tumbleweed
opensuse conference 2015: security processes and technologies for Tumbleweed
 
Fully Automated Nagios (FAN)
Fully Automated Nagios (FAN)Fully Automated Nagios (FAN)
Fully Automated Nagios (FAN)
 
Squid
SquidSquid
Squid
 
Unidade3 roteiro proxy
Unidade3 roteiro proxyUnidade3 roteiro proxy
Unidade3 roteiro proxy
 

Similar to Linux Security Crash Course

Install and configure linux
Install and configure linuxInstall and configure linux
Install and configure linuxVicent Selfa
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurityricharddxd
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To UnixCTIN
 
How to secure ubuntu 12.04
How to secure ubuntu 12.04 How to secure ubuntu 12.04
How to secure ubuntu 12.04 John Richard
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
How To Install and Configure SUDO on RHEL 7
How To Install and Configure SUDO on RHEL 7How To Install and Configure SUDO on RHEL 7
How To Install and Configure SUDO on RHEL 7VCP Muthukrishna
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Pluggable authentication modules
Pluggable authentication modulesPluggable authentication modules
Pluggable authentication modulesYahia Kandeel
 
linux_Commads
linux_Commadslinux_Commads
linux_Commadstastedone
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
What’s new in Sudo 1.8?
What’s new in Sudo 1.8?What’s new in Sudo 1.8?
What’s new in Sudo 1.8?Tyler Reese
 

Similar to Linux Security Crash Course (20)

Install and configure linux
Install and configure linuxInstall and configure linux
Install and configure linux
 
7 unixsecurity
7 unixsecurity7 unixsecurity
7 unixsecurity
 
Unit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+securityUnit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+security
 
Unit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+securityUnit+eight+ +ubuntu+security
Unit+eight+ +ubuntu+security
 
Linux audit framework
Linux audit frameworkLinux audit framework
Linux audit framework
 
Introduction To Unix
Introduction To UnixIntroduction To Unix
Introduction To Unix
 
How to secure ubuntu 12.04
How to secure ubuntu 12.04 How to secure ubuntu 12.04
How to secure ubuntu 12.04
 
Solaris basics
Solaris basicsSolaris basics
Solaris basics
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Sudo
SudoSudo
Sudo
 
How To Install and Configure SUDO on RHEL 7
How To Install and Configure SUDO on RHEL 7How To Install and Configure SUDO on RHEL 7
How To Install and Configure SUDO on RHEL 7
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Pluggable authentication modules
Pluggable authentication modulesPluggable authentication modules
Pluggable authentication modules
 
linux_Commads
linux_Commadslinux_Commads
linux_Commads
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
The Domino 10 RHEL 7 Primer
The Domino 10 RHEL 7 PrimerThe Domino 10 RHEL 7 Primer
The Domino 10 RHEL 7 Primer
 
Linux lecture6
Linux lecture6Linux lecture6
Linux lecture6
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
What’s new in Sudo 1.8?
What’s new in Sudo 1.8?What’s new in Sudo 1.8?
What’s new in Sudo 1.8?
 
How to manage Azure with open source
How to manage Azure with open sourceHow to manage Azure with open source
How to manage Azure with open source
 

More from UTD Computer Security Group

UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group
 

More from UTD Computer Security Group (20)

Py jail talk
Py jail talkPy jail talk
Py jail talk
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
Cloud talk
Cloud talkCloud talk
Cloud talk
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Forensics audio and video
Forensics   audio and videoForensics   audio and video
Forensics audio and video
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network security
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Powershell crash course
Powershell crash coursePowershell crash course
Powershell crash course
 
Intro to cybersecurity
Intro to cybersecurityIntro to cybersecurity
Intro to cybersecurity
 
Intro to Bash
Intro to BashIntro to Bash
Intro to Bash
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network Exploitation
 
Penetration Testing: Celestial
Penetration Testing: CelestialPenetration Testing: Celestial
Penetration Testing: Celestial
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Cryptography Crash Course
Cryptography Crash CourseCryptography Crash Course
Cryptography Crash Course
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 

Recently uploaded

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Linux Security Crash Course

  • 2. Get in touch with us Mailing List - Sign in and check “Add to Mailing List” Website - csg.utdallas.edu Slack - #csg on ecsutd.slack.com Email - utdcsg@gmail.com 2
  • 3. Announcements Lab Hangouts - ECSS 4.619 - 4 PM Thursday - February 15 Pentesting Session - FO 1.202 February 24th, 1 - 4pm State Farm CTF Sign-up - March 5th - 12th 3
  • 4. Linux Security Crash Course 1. Authentication a. PAM 2. Authorization a. sudo b. setuid & setgid c. capabilities d. ACL 3. Audit a. auditd 4 4. Services a. sshd 5. Firewall a. iptables b. firewalld 6. Intrusion Detection a. AIDE 7. Compliance a. OpenSCAP
  • 6. Pluggable Authentication Modules (PAM) Provide authentication for Linux A configurable collection of modules used to authenticate users Used by most services that want to authenticate the user 6
  • 8. PAM - Tasks PAM supports the following tasks: ● auth - verify the user’s identity ● account - confirm the user can do the requested action ● session - control tasks at the beginning and end of a session ● password - control steps around changing passwords 8
  • 9. PAM - Controls Modules support the following controls: ● required - fails after the stack is processed ● requisite - fails immediately ● sufficient - if succeeds (with no prior failures), stack succeeds ● optional - only matters if it is the only module in the stack 9
  • 10. PAM - Useful Modules pam_faildelay - How long the user is delayed after failure pam_unix - Authentication from /etc/passwd and /etc/shadow pam_succeed_if - Set constraints on attributes like uid pam_pwquality - Set constraints on new passwords 10
  • 11. PAM - Malicious Uses Given a user with root access to the system: ● Add a malicious module that logs user’s passwords ● Add a malicious module that sets a password backdoor ● Change to configuration to lock out users 11
  • 14. Sudo ● A Program that allows users to run programs with different security privileges ● Sudo defaults to the superuser or root allowing for greater privileges ● Different from the command su because users supply personal password instead of root ● Configuration file in /etc/sudoers, this contains a list of all users allow to sudo 14
  • 15. Sudo Sudo su username -- switches user to username Sudo -i -- switches to root user environment Sudo -s -- runs root shell in current directory Sudo -l -U username -- checks to see what commands the user generic can run/capabilities 15
  • 16. Sudo Replay To start sudoreplay : Sudo visudo: Defaults log_output Defaults!/usr/bin/sudoreplay !log_output Defaults!/sbin/reboot !log_output Sudo replay -l (this will list all sudo commands and users that used the command) 16
  • 17. setuid & setgid Part of the “mysterious” first octet of chmod setuid - sets the process owner to the owner of the file setgid - sets the process group to the group of the file Generally used to grant root permissions to an executable (i.e. sudo) 17
  • 18. Finding setuid and setgid binaries setuid - find <path> -perm -4000 setgid - find <path> -perm -2000 18
  • 19. Consequences of setuid & setgid binaries ● System is only secure as your root setuid & setgid binaries ● GNU Screen Exploit ● Makes for fun CTF/Wargame Challenges 19
  • 20. Capabilities Added in Kernel 2.2 (1999) Switches the traditional permissions (root or not) into granular capabilities Follows the idea of least privileges 20
  • 21. Capabilities - Actively in use
    /usr/bin/ping = cap_net_raw+p
    As ping requires access to a raw socket, systems without capabilities require ping to be setuid root
  • 22. Managing Capabilities
    getcap - list the capabilities for a file
    setcap - set the capabilities for a file
    capsh - list the capabilities for the current process
  • 23. Capabilities - Consequences (?)
    Some claim many capabilities can be abused to achieve root access
    https://forums.grsecurity.net/viewtopic.php?f=7&t=2522&sid=c6fbcf62fd5d3472562540a7e608ce4e#p10271 - February 2002
  • 24. File Access Control List (ACL)
    Similar to chmod
    Lets you set per-user and per-group access to files and directories
    Gives more in-depth permissions for different files, by user groups and users
  • 25. File ACL
    getfacl <directory or file> -- show owner, group and permissions
    setfacl -m user:username:rwx,group:group:rwx directory -- -m modifies the ACL; this gives the user and the group read, write and execute permission on the directory
  • 27. Auditd
    ● Provides more information should an incident occur
    ● Designed to allow admins to quickly show what activity has been happening
    ● Rule based, so it can be hard to manage
  • 28. Auditd - Auditing Events
    ● File Access
    ● System Calls
    ● Commands Run
    ● Failed Logins
    ● Firewall Changes
  • 29. Auditd - RedHat Examples
    File system changes: auditctl -w /etc/passwd -p wa -k passwd_changes
    File execution: auditctl -w /sbin/insmod -p x -k module_insertion
    System call: auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
  • 30. Auditd - Utilities
    ausearch - query audit logs for events
    aureport - show an overview of the events audited
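The -k keys on the rules above are what make the raw audit log searchable. As an added example (not from the slides), the script below groups raw audit.log records by key, login uid, command and success flag, which is the kind of summary ausearch/aureport give you; the log lines are constructed to match the three RedHat rules, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the slides): summarise raw auditd events by the
# rule key that matched them, using constructed log lines.

# Constructed sample of /var/log/audit/audit.log records (values are
# illustrative, not captured from a real host). Keys match the slide's rules.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1517990400.101:201): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
type=SYSCALL msg=audit(1517990401.102:202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 euid=0 comm="insmod" exe="/usr/sbin/insmod" key="module_insertion"
type=SYSCALL msg=audit(1517990402.103:203): arch=c000003e syscall=159 success=no exit=-1 auid=1001 uid=1001 euid=1001 comm="ntpdate" exe="/usr/sbin/ntpdate" key="time_change"
type=SYSCALL msg=audit(1517990403.104:204): arch=c000003e syscall=2 success=yes exit=4 auid=1000 uid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
type=CWD msg=audit(1517990403.104:204): cwd="/root"
EOF
}

# Read audit records on stdin; print "key auid comm success count", one line
# per distinct combination, sorted. Records without a key= field (CWD, PATH,
# ...) are skipped. auid is the login uid, so it survives sudo/su.
summarize_audit_keys() {
    awk '
        # Extract name=value (value optionally quoted) from the current record.
        function field(name,    m) {
            if (match($0, name "=\"?[^ \"]*")) {
                m = substr($0, RSTART + length(name) + 1, RLENGTH - length(name) - 1)
                gsub(/"/, "", m)
                return m
            }
            return ""
        }
        {
            k = field("key"); if (k == "") next
            c[k " " field("auid") " " field("comm") " " field("success")]++
        }
        END { for (i in c) print i, c[i] }
    ' | sort
}
```

On a live system run `summarize_audit_keys < /var/log/audit/audit.log`; a failed (success=no) event under time_change from an unexpected auid is the sort of line worth following up with ausearch.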
  • 32. SSHD
    Service of SSH, the SSH daemon
    Config located in /etc/ssh/sshd_config
    Restart ssh or sshd after every change to the config file
  • 33. SSHD Config
    After opening sshd_config:
    PermitRootLogin no                        # stops people from logging into root over ssh
    PubkeyAuthentication yes                  # uses key authentication for login over ssh
    AuthorizedKeysFile .ssh/authorized_keys   # file to check for public keys
    PasswordAuthentication no                 # disable password login
    PermitEmptyPasswords no                   # no empty passwords
    UsePAM yes                                # use PAM settings
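A quick way to verify that a host's sshd_config actually carries the settings above is to diff it against the expected values. The script below is an added example, not from the slides, and checks the five yes/no directives from the slide (spelled as sshd expects them); it assumes the whitespace-separated "Directive value" form and does not handle Match blocks.

```shell
#!/bin/sh
# Added example (not from the slides): report deviations of an sshd_config
# file from the hardened settings recommended on the slide.

# Expected "Directive value" pairs, taken from the slide.
expected_sshd_settings() {
    cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
EOF
}

# check_sshd_config FILE: for each expected directive print
#   OK Directive value       (effective value matches)
#   WEAK Directive value     (set to something else)
#   MISSING Directive        (not set, so the sshd built-in default applies)
# sshd honours the first occurrence of a directive, so the first match wins;
# directive names are case-insensitive; comments and blank lines are skipped.
# Returns 0 only when every line is OK.
check_sshd_config() {
    report=$(expected_sshd_settings | while read -r name want; do
        have=$(awk -v n="$name" '
            /^[[:space:]]*#/ { next }
            NF == 0 { next }
            tolower($1) == tolower(n) { print $2; exit }
        ' "$1")
        if [ -z "$have" ]; then
            printf 'MISSING %s\n' "$name"
        elif [ "$have" = "$want" ]; then
            printf 'OK %s %s\n' "$name" "$have"
        else
            printf 'WEAK %s %s\n' "$name" "$have"
        fi
    done)
    printf '%s\n' "$report"
    # succeed only if no line other than OK was produced
    ! printf '%s\n' "$report" | grep -qv '^OK '
}
```

Run `check_sshd_config /etc/ssh/sshd_config` after editing and again before restarting sshd; `sshd -T` prints the effective configuration if you want to check defaults for the MISSING entries.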
  • 35. iptables
    iptables allows you to set firewall rules throughout the system, opening and closing ports
    It also allows you to block or allow certain IP addresses
    It is very important to open only the needed IP addresses and ports; unused ports should not be left open
  • 36. Firewalld and UFW
    Both programs interface with iptables and write to its ruleset, but give easier use
    Firewalld - acts like an API over iptables to add/remove/view rules; default in CentOS/Fedora
    UFW - full GUI built to be used standalone but uses iptables to add/remove/view rules; default in Ubuntu
  • 37. Firewalld/firewall-cmd
    Start on boot = sudo systemctl enable firewalld
    Start in session = sudo systemctl start firewalld
    Status = sudo firewall-cmd --state
    Add rule = firewall-cmd --zone=public --add-service=https (or any service) --permanent (if you want it permanent)
    Reload rules = firewall-cmd --reload
  • 38. UFW
    Start = ufw enable
    Check status = ufw status
    Allow port = ufw allow 22 || ufw allow 22/tcp
    Deny rule = ufw deny 22 || ufw deny 22/tcp
  • 40. AIDE - Linux Configuration
    Linux is primarily configured through text files
    Users - /etc/passwd
    Passwords - /etc/shadow
    Authentication - /etc/pam.d/*
  • 41. Advanced Intrusion Detection Environment
    Stores the file system state and compares it on subsequent runs
  • 42. AIDE - Cron checking
    Running AIDE in check mode from a cron job can quickly detect configuration changes
    Cron can send email on task failure
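To make the store-then-compare idea behind AIDE concrete, here is an added example (not AIDE's own code and not from the slides) that records size, mode, owner and SHA-256 of every file under a directory, then reports what was added, changed or removed on a later run, exiting non-zero so a cron job can notice. It assumes GNU coreutils and GNU find.

```shell
#!/bin/sh
# Added example (not AIDE, not from the slides): a minimal "store state,
# compare later" check in the spirit of aide --init / aide --check.
# Assumes GNU find (-printf) and sha256sum.

# Record "path size mode owner sha256" for every regular file under DIR.
# Usage: fs_baseline DIR > baseline.db
fs_baseline() {
    (cd "$1" && find . -type f -printf '%p %s %m %u ' -exec sha256sum {} \; \
        | awk '{ print $1, $2, $3, $4, $5 }' | sort)
}

# Compare DIR against a saved baseline. Prints one line per difference,
# "ADDED path", "CHANGED path" or "REMOVED path", and returns 1 if anything
# differs (0 and no output when the tree matches the baseline).
# Usage: fs_check DIR baseline.db
fs_check() {
    tmp=$(mktemp)
    fs_baseline "$1" > "$tmp"
    report=$(awk '
        # first file: the baseline, keyed by path
        NR == FNR { base[$1] = $0; next }
        # second file: the current state
        {
            if (!($1 in base)) print "ADDED", $1
            else if (base[$1] != $0) print "CHANGED", $1
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED", p }
    ' "$2" "$tmp" | sort)
    rm -f "$tmp"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```

Create the baseline once with `fs_baseline /etc > /var/lib/fs-baseline.db` (store it somewhere an intruder cannot rewrite, e.g. read-only media), then schedule `fs_check /etc /var/lib/fs-baseline.db` from cron; cron mails the report whenever the job produces output.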
  • 45. Security Content Automation Protocol
    NIST standard to allow automated configuration for a secure environment
    Linux implementation - OpenSCAP
    GUI - SCAP Workbench