Linux Hardening By Michael Rebultan
Transcript of Linux Hardening By Michael Rebultan
Linux Hardening
</Michael “art” Rebultan> 27-January-2016
NULL Singapore @SMU
Lockdown
</AGENDA>
• Linux System Hardening and Audit
</OBJECTIVE>
• Know and understand the different ways to lock down a Linux server and how to audit them in chillax mode.
</SCOPE>
• Getting to Know – 15min
• Intro to Information Security (Theory) – 15min
• System Inventory (Hands-On) – 15min
• Linux System Security (Hands-On) – 30min
• Linux Network Security (Hands-On) – 30min
• Auditing and Compliance (Hands-On) – 30min
• Open Discussion (Theory/Demo) – 15min
</OUT-of-SCOPE>
• HARDENING
SELinux, AuditD, Web, FTP, VPN, SAMBA, MAIL, Clustering, Docker, Dbase, Content Mgt, Proxy, VoIP, Virtualization, Subversion, etc…
</House Rules>
• Cell Phone on Silent Mode
• Food/drink is to be shared
• Raise your hand for any question
• Toilet is 24 x 7
• Respect begets respect
</GETTING TO KNOW>
• 15min
</UID>
• Your name or alias
• Your day-to-day job
• How the workshop can help
</WHOAMI>
• 13 Years in Linux (RedHat)
• SecSysOps Engineer by day
• Paranormal Investigator by night
• Exorcist Priest by divine call
</INTRO to SECURITY>
• 15min
</WHATIS>
• IT Security – the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide.
</WHICH>
• What are you trying to protect?
Risk vs Threat vs Vulnerability
Risk = Asset x Threat x Weakness
</KICKSTART>
• System Requirement Specification
- Mount Points
- Storage Space
- RAM
- CPU
- SW Dependencies
- IP Address / Segment
- Hostname
- Ports / Services
- Users / Group
</PRE-INSTALLATION>
</POST-INSTALLATION>
• Disconnect from Public Network
• Patching
• Disable Unnecessary Services
• Close Unneeded Ports
• Stress Test
</LIFECYCLE>
</SYSTEM INVENTORY>
• 15min
</BASELINE>
• rpm -qa > /tmp/rpm.txt
• service --status-all > /tmp/service.txt
• chkconfig --list | grep on
• cat /etc/passwd > /tmp/user.txt
• netstat -tulpn > /tmp/connections.txt
• route -n > /tmp/route.txt
• ifconfig -a > /tmp/ifconfig.txt
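A baseline only pays off when a later snapshot is compared against it. The script below is an added example, not the workshop's linux-local-enum.sh: take_baseline runs whichever of the slide's inventory commands exist on the host and stores their sorted output one file per category, and compare_baseline reports which categories changed between two snapshot directories and which lines were added or removed. The data it runs on in demo_baseline (two package lists and two netstat listings) is constructed, so it needs neither root nor the real commands.

```bash
#!/bin/sh
# Added example: inventory snapshot and baseline comparison.
# take_baseline DIR        - store sorted output of the slide's inventory commands in DIR
# compare_baseline OLD NEW - print what changed between two snapshot directories
# demo_baseline            - run compare_baseline on constructed sample data (no root needed)

# capture DIR NAME CMD...: run CMD if it exists on this host and store its sorted
# output as DIR/NAME.txt. Sorting makes rpm -qa and friends diff-stable.
capture() {
    dir=$1; name=$2; shift 2
    command -v "$1" >/dev/null 2>&1 || return 0
    "$@" 2>/dev/null | sort > "$dir/$name.txt"
}

take_baseline() {
    mkdir -p "$1"
    capture "$1" rpm       rpm -qa
    capture "$1" service   service --status-all
    capture "$1" chkconfig chkconfig --list
    capture "$1" netstat   netstat -tulpn
    capture "$1" route     route -n
    capture "$1" ifconfig  ifconfig -a
    [ -r /etc/passwd ] && sort /etc/passwd > "$1/user.txt"
    return 0
}

# compare_baseline OLD NEW: for every category in NEW, report whether it is new
# or differs from OLD, showing removed (-) and added (+) lines. Returns the
# number of changed categories, so 0 means "matches the baseline".
compare_baseline() {
    old=$1; new=$2; changed=0
    for f in "$new"/*.txt; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .txt)
        if [ ! -f "$old/$name.txt" ]; then
            echo "NEW CATEGORY: $name"
            changed=$((changed + 1))
        elif ! cmp -s "$old/$name.txt" "$f"; then
            echo "CHANGED: $name"
            diff "$old/$name.txt" "$f" | grep '^[<>]' | sed 's/^</  -/; s/^>/  +/'
            changed=$((changed + 1))
        fi
    done
    echo "$changed inventory categories changed"
    return "$changed"
}

# demo_baseline: constructed day-0 and day-7 snapshots (not real host data) in
# which a telnet server package and a listener on port 23 have appeared.
demo_baseline() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/day0" "$tmp/day7"
    printf 'bash-4.2.46\nopenssh-server-6.6.1p1\n' > "$tmp/day0/rpm.txt"
    printf 'bash-4.2.46\nopenssh-server-6.6.1p1\ntelnet-server-0.17\n' > "$tmp/day7/rpm.txt"
    printf 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd\n' > "$tmp/day0/netstat.txt"
    printf 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd\ntcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 1190/xinetd\n' > "$tmp/day7/netstat.txt"
    compare_baseline "$tmp/day0" "$tmp/day7" || true
    rm -rf "$tmp"
    return 0
}

demo_baseline
```

On a real host, run take_baseline once after the post-installation lockdown and again before each audit; a non-zero return from compare_baseline is the cue to look at the diff, and `user.txt` changing between snapshots deserves the same attention as a new listener.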
</INVENTORY DEMO>
• Custom Script (BASH)
• ./linux-local-enum.sh
</SYSTEM SECURITY>
• 30min
</ACCESS NOTIFICATION>
Config file: /etc/pam.d/system-auth
Add the following line after the line "session required pam_limits.so":
session required pam_lastlog.so showfailed
</BRUTEFORCE>
• Configure passwords against a dictionary attack
/etc/pam.d/system-auth
password required /lib/security/pam_cracklib.so retry=2 minlen=10 difok=6
</ACCOUNT AUTHENTICATION>
• CONFIG FILES
/etc/pam.d/system-auth
/etc/pam.d/password-auth
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
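The two pam_faillock lines above only work in the right place in the stack: the layout in the pam_faillock man page also has a `preauth` line before pam_unix.so, so that an account that is already locked out is rejected before a password is even collected, and `authfail` must sit after pam_unix.so, since it records a failure only when the module before it failed. The checker below is an added example, not part of the workshop: it parses a PAM auth stack, verifies that preauth, authfail and authsucc are present and ordered around pam_unix.so, and compares the `deny=` limit with a policy. It runs on two constructed fragments, the slide's two-line layout and the full three-line layout.

```bash
#!/bin/sh
# Added example: check that a PAM auth stack wires pam_faillock correctly.
# check_faillock FILE MAXDENY - verify preauth/authfail/authsucc presence, order and deny=
# sample_pam_files DIR       - write two constructed system-auth fragments for testing

check_faillock() {
    awk -v maxdeny="$2" '
    # record the line number of each auth-phase module we care about
    /^auth/ && /pam_unix\.so/                    { unixln = NR }
    /^auth/ && /pam_faillock\.so/ && /preauth/   { pre = NR }
    /^auth/ && /pam_faillock\.so/ && /authsucc/  { succ = NR }
    /^auth/ && /pam_faillock\.so/ && /authfail/  {
        fail = NR
        if (match($0, /deny=[0-9]+/)) deny = substr($0, RSTART + 5, RLENGTH - 5)
    }
    END {
        bad = 0
        if (!unixln) { print "FAIL: no pam_unix.so auth line"; bad++ }
        if (!pre) { print "FAIL: no preauth line (locked-out users are still asked for a password)"; bad++ }
        else if (pre > unixln) { print "FAIL: preauth must come before pam_unix.so"; bad++ }
        if (!fail) { print "FAIL: no authfail line (failures are never counted)"; bad++ }
        else {
            if (fail < unixln) { print "FAIL: authfail must come after pam_unix.so"; bad++ }
            if (deny == "") { print "FAIL: authfail line sets no deny= limit"; bad++ }
            else if (deny + 0 > maxdeny + 0) { print "FAIL: deny=" deny " exceeds policy " maxdeny; bad++ }
        }
        if (!succ) { print "FAIL: no authsucc line (tally is never reset on success)"; bad++ }
        print bad " finding(s)"
        exit bad > 0
    }' "$1"
}

# sample_pam_files DIR: constructed fragments. slide.pam copies the two lines from
# the slide; full.pam adds the preauth line in the documented position.
sample_pam_files() {
    mkdir -p "$1"
    cat > "$1/slide.pam" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so
EOF
    cat > "$1/full.pam" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth        required      pam_deny.so
EOF
}

# demo: check both constructed files against a deny=3 policy
d=$(mktemp -d)
sample_pam_files "$d"
for f in slide full; do
    echo "== $f.pam"
    check_faillock "$d/$f.pam" 3 || true
done
rm -rf "$d"
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth, because sshd and local logins use different files and a lockout that exists in only one of them is not a lockout.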
</PASSWD AGE>
• chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user
• chage -l user
• Exercise:
Create 3 UIDs with different password aging
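chage writes the aging values into the /etc/shadow fields, so the quickest way to audit the three accounts from the exercise, or a whole host, is to read those fields back rather than running chage -l per user. The script below is an added example, not part of the workshop: audit_password_aging parses shadow-format lines, skips locked and disabled accounts, and reports every account whose max, min or warn days fall outside a policy. It runs here on a constructed shadow file with placeholder hashes; on a real host point it at /etc/shadow as root.

```bash
#!/bin/sh
# Added example: audit password aging fields (the values chage -m/-M/-W set).
# audit_password_aging FILE MAXDAYS MINDAYS WARNDAYS
#   FILE is in /etc/shadow format: user:hash:lastchg:min:max:warn:inactive:expire:flag

audit_password_aging() {
    awk -F: -v maxd="$2" -v mind="$3" -v warnd="$4" '
    # accounts with no usable password ("!", "!!", "*" or empty) cannot log in
    # with a password, so their aging values are irrelevant
    $2 == "" || $2 ~ /^[!*]/ { next }
    {
        bad = ""
        if ($5 == "" || $5 + 0 > maxd + 0)  bad = bad " max=" ($5 == "" ? "none" : $5)
        if ($4 == "" || $4 + 0 < mind + 0)  bad = bad " min=" ($4 == "" ? "none" : $4)
        if ($6 == "" || $6 + 0 < warnd + 0) bad = bad " warn=" ($6 == "" ? "none" : $6)
        if (bad != "") { print "VIOLATION " $1 ":" bad; n++ }
    }
    END { print n + 0 " account(s) outside policy"; exit n > 0 }' "$1"
}

# sample_shadow FILE: constructed entries with placeholder hashes (not real).
# alice still has the distribution defaults; svc-backup is locked, daemon is disabled.
sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$PLACEHOLDER$hash:16800:7:90:14:::
alice:$6$PLACEHOLDER$hash:16800:0:99999:7:::
bob:$6$PLACEHOLDER$hash:16800:7:60:14:30::
svc-backup:!!:16800:0:99999:7:::
daemon:*:16800:0:99999:7:::
EOF
}

# demo against a 90/7/14 policy (max 90 days, min 7 days, warn 14 days)
f=$(mktemp)
sample_shadow "$f"
audit_password_aging "$f" 90 7 14 || true
rm -f "$f"
```

The max of 99999 that alice carries is the login.defs default, which is why the exercise matters: an account created with useradd and never touched by chage has no expiry at all.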
</SSH CONFIG>
• Protocol 2
• PermitEmptyPasswords no
• MaxAuthTries 3
• PermitRootLogin no
• AllowGroups
• AllowUsers
• DenyUsers
Exercise – Block the 3 users created and test
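Checking these directives by eye is error-prone because sshd has its own parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins over later ones, and anything below the first Match line applies only when the match conditions hold. The script below is an added example, not part of the workshop: audit_sshd_config follows those rules, reports each directive from the slide that is missing or weaker than required, and insists on an AllowUsers or AllowGroups allow-list, since the exercise's DenyUsers on its own only blocks the names you thought of. It runs on two constructed files, a stock-looking weak.conf and a hard.conf with the slide's settings. (On OpenSSH 7.4 and later the Protocol keyword is ignored because SSH protocol 1 was removed from the server, so a MISSING protocol finding there is harmless.)

```bash
#!/bin/sh
# Added example: audit sshd_config for the directives listed on the slide.
# audit_sshd_config FILE  - report missing or weak directives, exit 1 if any
# sample_sshd_configs DIR - write constructed weak.conf and hard.conf for testing

audit_sshd_config() {
    awk '
    BEGIN {
        want["protocol"] = "2"; want["permitemptypasswords"] = "no"
        want["maxauthtries"] = "3"; want["permitrootlogin"] = "no"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        key = tolower($1)
        if (key == "match") exit               # global section ends at the first Match
        if (!(key in seen)) seen[key] = $2     # sshd uses the first occurrence of a keyword
    }
    END {
        bad = 0
        for (k in want) {
            if (!(k in seen)) {
                print "MISSING " k " (expected " want[k] ")"; bad++
            } else if (k == "maxauthtries") {
                if (seen[k] + 0 > want[k] + 0) { print "WEAK " k "=" seen[k] " (expected <= " want[k] ")"; bad++ }
            } else if (tolower(seen[k]) != want[k]) {
                print "WEAK " k "=" seen[k] " (expected " want[k] ")"; bad++
            }
        }
        if (!("allowusers" in seen) && !("allowgroups" in seen)) {
            print "MISSING AllowUsers/AllowGroups (no login allow-list; DenyUsers alone is a blocklist)"; bad++
        }
        print bad " finding(s)"
        exit bad > 0
    }' "$1"
}

sample_sshd_configs() {
    mkdir -p "$1"
    # constructed: looks like a stock file; the hardening directive is commented out
    cat > "$1/weak.conf" <<'EOF'
Protocol 2
PermitRootLogin yes
MaxAuthTries 6
#PermitEmptyPasswords no
Match User backup
    PermitRootLogin no
EOF
    # constructed: the slide's settings plus an allow-list and the exercise's deny list
    cat > "$1/hard.conf" <<'EOF'
Protocol 2
PermitEmptyPasswords no
MaxAuthTries 3
PermitRootLogin no
AllowGroups sshusers
DenyUsers user1 user2 user3
EOF
}

d=$(mktemp -d)
sample_sshd_configs "$d"
for f in weak hard; do
    echo "== $f.conf"
    audit_sshd_config "$d/$f.conf" || true
done
rm -rf "$d"
```

After editing the real file, `sshd -t` validates the syntax before a restart, and a second SSH session kept open during the restart is the cheapest insurance against locking yourself out.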
</LYNIS DEMO>
• cd /opt/lynis-1.3.8
• ./lynis --check-all
</NETWORK SECURITY>
• 30min
</IPTABLES>
• XMAS TREE ATTACK
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
“sends a large number of Christmas tree packets to an end device”
</IPTABLES>
• Smurf Attack - sends a large number of ICMP echo broadcast packets, with the source IP address spoofed to that of the target.
iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
Or block all ICMP packets:
iptables -A INPUT -p icmp -j DROP
</IPTABLES>
• SYN Flood
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
The attacker creates a large number of forged SYN requests with spoofed source IP addresses and sends them to the target.
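The smurf and SYN-flood rules on these slides share one pitfall: a `-m limit ... -j ACCEPT` rule only accepts the packets that fit within the limit, it does not drop the excess. Packets above the limit fall through to the next rule and finally to the chain policy, so on a chain whose default policy is ACCEPT the rate limit changes nothing. The script below is an added example, not the workshop's iptables.sh: emit_ruleset prints the three rules in iptables-restore format with a default-DROP INPUT policy and an explicit DROP after each rate-limit rule, and check_limit_has_drop audits any ruleset text for limit rules that lack such a trailing DROP. Nothing is applied to the host; the ruleset is only printed.

```bash
#!/bin/sh
# Added example: the slide's iptables rules with the excess traffic actually dropped.
# emit_ruleset          - print an iptables-restore ruleset (dry run, nothing applied)
# check_limit_has_drop  - read a ruleset on stdin, flag "-m limit ... -j ACCEPT" rules
#                         that are not followed by a DROP for the same protocol

emit_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# XMAS tree: every TCP flag set
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# smurf / ping flood: 2 ICMP per second, the rest is dropped
-A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -j DROP
# SYN flood: 2 new TCP connections per second, the rest is dropped
-A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -j DROP
COMMIT
EOF
}

check_limit_has_drop() {
    awk '
    /^-A/ { n++; line[n] = $0 }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            if (line[i] !~ /-m limit/ || line[i] !~ /-j ACCEPT/) continue
            # protocol of the limit rule, e.g. "-p icmp"; empty if the rule has none
            if (match(line[i], /-p [a-z]+/)) proto = substr(line[i], RSTART, RLENGTH); else proto = ""
            found = 0
            for (j = i + 1; j <= n; j++)
                if ((proto == "" || index(line[j], proto) > 0) && line[j] ~ /-j DROP/) found = 1
            if (!found) { print "NO DROP after: " line[i]; bad++ }
        }
        print bad " rate-limit rule(s) without a trailing DROP"
        exit bad > 0
    }'
}

# demo: the generated ruleset passes, the bare slide rule does not
emit_ruleset | check_limit_has_drop
printf '%s\n' '-A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT' | check_limit_has_drop || true
```

To load the ruleset on a host, pipe it into iptables-restore as root from a console session rather than over SSH: with a 2/second limit on new connections and a DROP policy, a burst of reconnects can lock an SSH-only administrator out. The same checker can be pointed at the output of `iptables-save` to audit rules that are already loaded.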
</TCP WRAPPERS>
• echo "ALL:ALL" >> /etc/hosts.deny
• echo "sshd:ALL" >> /etc/hosts.allow
</UNCOMMON PROTOCOLS>
• Datagram Congestion Control Protocol (DCCP)
• Stream Control Transmission Protocol (SCTP)
• Reliable Datagram Sockets (RDS)
• Transparent Inter-Process Communication (TIPC)
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
</IPTABLES DEMO>
• Custom Script (BASH)
• ./iptables.sh
</KERNEL>
• Securing Systems and Network on Kernel
• Config File
/etc/sysconfig/sysctl.conf
/etc/rc.d/init.d/network restart
/sbin/sysctl -p
</KERNEL>
• DIFFERENT WAYS TO LOCKDOWN
- Prevent your system responding to Ping
- Refuse responding to broadcast requests
- Routing Protocols
- Enable TCP SYN Cookie Protection
- Disable ICMP Redirect Acceptance
- Enable always-defragging Protection
- Enable bad error message Protection
- Enable IP spoofing protection
- Log Spoofed, Source Routed and Redirect Packets
</KERNEL>
• Disable IP source routing - Source routing is information in an IP header that allows the source host to dictate the path the packet takes to the destination, rather than leaving the path to be determined by intermediate gateways. This could allow a source to go around security devices that are typically in the path between source and destination.
</KERNEL>
• Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
/etc/rc.d/init.d/network restart
</KERNEL>
• Enable IP spoofing protection, turn on source route verification
- The spoofing protection prevents your network from being the source of spoofed, i.e. forged, communications that are often used in DoS attacks.
</KERNEL>
• Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
/etc/rc.d/init.d/network restart
</KERNEL>
• Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
This protection will log all Spoofed Packets, Source Routed Packets, and Redirect Packets to your log files.
net.ipv4.conf.all.log_martians = 1
/etc/rc.d/init.d/network restart
</KERNEL>
• Disable the magic SysRq key
kernel.sysrq = 0
</KERNEL>
• Decrease the default value of tcp_keepalive_time (seconds)
net.ipv4.tcp_keepalive_time = 1800
</KERNEL>
• Prevent SYN Flood Attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
</KERNEL>
• Ignoring Ping
net.ipv4.icmp_echo_ignore_all = 1
</KERNEL>
• Turn on execshield
- Against Remote Attack Tool (RAT)
kernel.exec-shield=1
kernel.randomize_va_space=1
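The kernel slides write values, but the question an audit asks is whether the running kernel actually has them: `sysctl -p` prints an error for a key the kernel does not know and carries on with the rest, so one bad line does not stop the others, and a mistyped key fails quietly in the noise. The script below is an added example, not part of the workshop, and it also covers the UNCOMMON PROTOCOLS slide: audit_sysctl compares a desired key = value file with the running values (the output of `sysctl -a`, or a saved copy of it), and audit_modprobe checks that each listed module has an `install ... /bin/false` rule under a modprobe.d directory. The desired file it writes uses the slides' values with two deliberate differences: kernel.randomize_va_space is set to 2 rather than 1, because 1 leaves the heap (brk) unrandomised, and kernel.exec-shield is left out, since that sysctl exists only on older Red Hat kernels. The "current" values and the modprobe.d directory in the demo are constructed, not read from this host.

```bash
#!/bin/sh
# Added example: verify the kernel and module lockdown rather than just writing it.
# audit_sysctl DESIRED CURRENT  - DESIRED is sysctl.conf syntax (key = value), CURRENT is
#                                 the output of `sysctl -a` (or a saved copy of it)
# audit_modprobe DIR MODULE...  - check DIR/*.conf for "install MODULE /bin/false" lines
# sample_lockdown_data DIR      - write constructed desired/current/modprobe.d test data

audit_sysctl() {
    awk -F'[ \t]*=[ \t]*' '
    # first file: desired values (skip comments and blank lines)
    FNR == NR { if ($0 !~ /^[ \t]*(#|$)/) want[$1] = $2; next }
    # second file: running values, only for the keys we care about
    ($1 in want) { got[$1] = $2 }
    END {
        bad = 0
        for (k in want) {
            if (!(k in got)) { print "ABSENT " k " (kernel has no such key)"; bad++ }
            else if (got[k] != want[k]) { print "MISMATCH " k " = " got[k] " (want " want[k] ")"; bad++ }
        }
        print bad " sysctl finding(s)"
        exit bad > 0
    }' "$1" "$2"
}

audit_modprobe() {
    dir=$1; shift; bad=0
    for m in "$@"; do
        # modprobe honours "install MOD /bin/false" (or /bin/true); -s hides a missing dir.
        # Note: this blocks future loads only; a module already loaded stays until rmmod.
        if grep -qsE "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)" "$dir"/*.conf; then
            echo "OK $m: install rule present"
        else
            echo "MISSING $m: no install rule under $dir"; bad=$((bad + 1))
        fi
    done
    echo "$bad module finding(s)"
    [ "$bad" -eq 0 ]
}

sample_lockdown_data() {
    mkdir -p "$1/modprobe.d"
    cat > "$1/desired.conf" <<'EOF'
# values from the workshop slides (randomize_va_space raised to 2, exec-shield omitted)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
kernel.sysrq = 0
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.icmp_echo_ignore_all = 1
kernel.randomize_va_space = 2
EOF
    # constructed "sysctl -a" excerpt: rp_filter was never applied, ASLR is partial
    cat > "$1/current.txt" <<'EOF'
kernel.randomize_va_space = 1
kernel.sysrq = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
EOF
    for m in dccp sctp rds; do          # tipc deliberately left out
        echo "install $m /bin/false" > "$1/modprobe.d/$m.conf"
    done
}

d=$(mktemp -d)
sample_lockdown_data "$d"
audit_sysctl "$d/desired.conf" "$d/current.txt" || true
audit_modprobe "$d/modprobe.d" dccp sctp rds tipc || true
rm -rf "$d"
```

On a live host the second argument is a file written with `sysctl -a > current.txt`, and the modprobe check is run against /etc/modprobe.d; pair it with `lsmod` to catch a protocol module that was loaded before the install rule was written.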
</AUDIT>
• 30min
</AUDITING>
• TOOLS
- Tripwire
- Auditd
- AIDE
</COMPLIANCE SCORING>
• OpenSCAP demo
</END>
• Thank you!
http://mrebultan.simplesite.com/