Security Strategies in Linux Platforms and Applications, Lesson 6
DESCRIPTION
Security Strategies in Linux Platforms and Applications Lesson 6: Every Service Is a Potential Risk. Learning Objective: Describe vulnerabilities in Linux services and the appropriate steps to mitigate the risks. Key Concepts: Commonly installed Linux services; Bastion hosts
TRANSCRIPT
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.
Security Strategies in Linux Platforms and Applications
Lesson 6: Every Service Is a Potential Risk
Learning Objective
Describe vulnerabilities in Linux services and the appropriate steps to mitigate the risks.
Key Concepts
• Commonly installed Linux services
• Bastion hosts
• Bastion host hardening
• Disabling unneeded services and removing unneeded packages
• chroot jails
DISCOVER: CONCEPTS
Service Scripts in /etc/init.d/
Vulnerabilities in Linux Services
• Denial of Service (DoS)
• Buffer overflows and misconfigured servers
• Unpatched servers and rootkits
• Web applications
• Default settings and weak passwords
Bastion Servers in the DMZ
Bastion Hosts
[Diagram: a multipurpose server compared with separate bastion hosts (Web server, database server, SMTP server)]
A black-hat hacker exploits a bug in the Simple Mail Transfer Protocol (SMTP) server.
• Multipurpose server: the attacker now has access to all the server services.
• Bastion hosts: the attacker only has access to the one server and service.
DISCOVER: PROCESS
Configuring a Bastion Host
Install an administrative service like SSH
Start with minimal Linux installation
Set up at least basic IPv4 networking
Remove unnecessary services
Remove unnecessary packages
Active Services in Runlevel 3 Start with “S”
Getting Rid of Unneeded Services
Uninstall
• Use yum or apt-get
• Watch for dependencies
Deactivate
• Stop a service
• Kill a PID
• Change service defaults
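The audit behind the two slides above, as an added example that is not part of the original lesson: it lists the services whose start links (names beginning with "S") are present in a runlevel directory such as /etc/rc3.d and reports the ones missing from an allowlist of services the host actually needs. The function names, the allowlist and the sample directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a SysV runlevel directory against an allowlist.
# S<NN><name> links are started in the runlevel; K<NN><name> links are stopped.

# Print the service name of every start link in DIR, one per line.
enabled_services() {
    dir=$1
    for link in "$dir"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        name=${link##*/}            # strip the directory part
        name=${name#S[0-9][0-9]}    # strip the S and the two-digit order
        printf '%s\n' "$name"
    done
}

# Print enabled services that are not named in the space-separated allowlist.
unneeded_services() {
    dir=$1
    allow=" $2 "
    enabled_services "$dir" | while IFS= read -r svc; do
        case $allow in
            *" $svc "*) ;;                 # needed on this host
            *) printf '%s\n' "$svc" ;;     # candidate to stop and disable
        esac
    done
}

# Constructed sample: a fake rc3.d for a host that should offer only SSH.
make_sample_rc3() {
    d=$(mktemp -d) || return 1
    for l in S10network S12rsyslog S55sshd S56xinetd S80sendmail S90crond \
             K50snmpd K74ntpd; do
        ln -s "../init.d/${l#[SK][0-9][0-9]}" "$d/$l"
    done
    printf '%s\n' "$d"
}

sample=$(make_sample_rc3)
unneeded_services "$sample" "network rsyslog sshd crond"
rm -rf "$sample"
```

On a real host, point unneeded_services at the runlevel directory itself and review each reported name before stopping the service or removing its package.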
Dependency Processing
Mitigating Other Service Risks
Turn off the X Display Manager Control Protocol (XDMCP).
Keep only those productivity tools that are necessary.
Don't run any network services that are not needed.
Run the logwatch tool to monitor any attempted access to the Linux system.
DISCOVER: ROLES
Linux System Administrator
• Turns off or uninstalls unused services.
• Ensures services do not run as root.
• Runs services in chroot jail when appropriate.
• Restricts access to services only to necessary users and applications.
• Uses bastion hosts for server services and keeps services updated with latest security fixes.
DISCOVER: CONTEXTS
chroot Jail
Use chroot jail:
• To enable an application to access its own set of libraries and directory structure
• To restrict access to users on a system
• To run software such as Berkeley Internet Name Domain (BIND)
DISCOVER: RATIONALE
Benefits of Disabling or Uninstalling Unneeded Services
• To eliminate the possibility of a black-hat hacker exploiting a vulnerability in a service when the service is not running
• To improve system performance by running only the required services
• To save hard drive space by uninstalling
• To eliminate the need to update or patch a service when security vulnerabilities are discovered
Summary
• Commonly installed Linux services
• Bastion hosts
• Bastion host hardening
• Disabling unneeded services and removing unneeded packages
• chroot jails
OPTIONAL SLIDES
Aptitude as a Package Browser
Categories of Red Hat Development Tools
Categories of Ubuntu Development Tools
The elinks Web Browser