Securing Linux Servers

Securing Linux Servers for Service Providers

December 21, 2001

Bill Hilf, Sr. Consulting I/T Architect, IBM Corporation, billhilf@us.ibm.com

Copyright IBM. Corp. 2001. All rights reserved.


Table of Contents

Overview of Linux in the Service Provider, or xSP, Space
Intent and Background
  SANS/FBI Top 20
Security Philosophy
Securing Linux Servers
  General Practices
  Develop a patch and upgrade strategy
  Understand which programs have Set-UID and Set-GID
  Develop a password strategy
  If you are not using a service, turn it off
  Log intelligently
  Use tools where possible
  Application security is critical
  Kernel level security
  Know Your Enemy
Linux Firewalls
  What is a packet filter?
  Identification and Testing
Linux FTP Servers
  Non-Anonymous FTP
  Anonymous FTP
  General Linux FTP Server suggestions
Linux Mail Servers
  Sendmail
  Postfix
  Qmail
  Linux Mail Virus and Spam Filters
Linux Web and Application Servers
  Apache Security Configuration Tips
  Web server diagnosis
  Web Services
  Web proxies
Conclusion
Acknowledgements
Appendix - Resources
  Resources - Mailing Lists
  Resources - Web Sites
  Resources - Books
  Resources - Tools
  Application Security
  Intrusion Detection Systems
  Security Testing Tools
  Password Tools
  Network Scanners
  Port Scan Detectors
  Encryption
  Log and Traffic Monitors
  Sniffers


Overview of Linux in the Service Provider, or xSP, Space

The term xSP is simply the consolidation of the Service Provider acronyms. Initially only ISPs and ASPs were known in this domain, but as the Internet and eBusiness matured, new service provider business models quickly followed. These include infrastructure SPs such as managed service providers (MSPs), which provide fully managed services (network, storage, servers, administration, etc.), and business service providers (BSPs), which provide business value to their customers through application access or aggregation (ASPs), content provision, or, increasingly, outsourced business processes. Let's not get lost in the acronym soup, but rather focus on the common elements among service providers and how these elements need to be secured under Linux.

One of the clear similarities among service providers is the ability to supply network-enabled customer services. Be it in the form of a dial-up service, a Web-enabled application, relational databases, storage solutions, hosting, or an email account, these services all share multiple traits. Shared infrastructure and services are primary components in the economies of scale for building a service provider business. The degree to which these components are shared will vary at the hardware, network, server, or application layer, but there are few, if any, scenarios where some part of the service provider fabric is not shared by multiple customers. This is a critical factor in understanding security in a service provider environment. Since these services are essentially available to the public, they must be considered untrusted. Although a service provider may not consider its customers the public or untrustworthy, if the service is accessible to users over the Internet (regardless of whether they have to pay for that service), it could potentially be exploited by any other machine on the Internet.

Operating system security in Internet-based services is more important than ever. Beyond the obvious heightened awareness around security after the tragedies of September 11th, there are multiple financial trends that have elevated security as a critical IT issue. Recently, PricewaterhouseCoopers updated its Security Benchmarking Service [1] to include new data from InformationWeek's 2001 Global Information Security Survey. The survey, fielded by PricewaterhouseCoopers, reveals that these global corporations realized over $1.39 trillion in lost revenue due to security breaches over the past year. Globally, the propagation of computer viruses is a significant contributor to the trillion dollar losses