In a word, no. No machine connected to the Internet is 100% secure. This doesn't mean that you are helpless: you can take measures to avoid compromises, but you cannot rule them out completely. It is like a house. When the windows and doors are open, the probability of a thief coming in is high; when the doors and windows are closed and locked, the probability of being robbed is lower, but still not nil.

1 What is Information Security?

For our purposes, information security means the methods we use to protect sensitive data from unauthorized users.

2 Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Airports, seaports, the telecommunication industry and TV broadcasting all thrive as a result of IT. "IT is everywhere."

A lot of sensitive information passes through the Internet, such as credit card data, mission-critical server passwords and important files. There is always a chance of someone viewing and/or modifying the data while it is in transit. There are countless horror stories of what happens when an outsider gets hold of someone's credit card or financial information: they can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know, "an ounce of prevention beats a pound of cure", so to avoid such critical situations it is advisable to have a good security policy and a good security implementation.

3 Security Framework

The following illustrates the framework needed for a functioning security implementation:

    [ Risk Analysis ]   [ Business Requirements ]
                      |
              [ Security Policy ]
                      |
    [ Security Service, Mechanisms, and Objects ]
                      |
    [ Security Management, Monitoring, Detection and Response ]

This framework shows the basic steps in the life cycle of securing a system. "Risk Analysis" deals with the risk associated with the data on the server to be secured. "Business Requirements" is the study of the actual requirements for conducting business. These two components cover the business aspects of the security implementation. The "Security Policy" covers eight specific areas of the security implementation and is discussed in more detail in section 4 below. "Security Service, Mechanisms and Objects" is the implementation part of security. "Security Management, Monitoring, Detection and Response" is the operational face of security, where we cover the specifics of how we find a security breach and how we react if a breach is found.

4 Security Policy

The security policy is a document which addresses the following areas:

- Authentication: what methods are used to determine whether a user is who they claim to be, which users can or cannot access the system, the minimum password length allowed, how long a user can be idle before being logged out, etc.
- Authorization: classifying user levels and what each level is allowed to do on the system, which users can become root, etc.
- Data Protection: what data should be protected and who can access which levels of data on the system.
- Internet Access: which users have access to the Internet and what they can do there.
- Internet Services: which services on the server are accessible from the Internet and which are not.
- Security Audit: how audit and review of security-related areas and processes will be done.
- Incident Handling: the steps and measures to be taken if there is a breach of security. This also covers the steps to find the actual culprit and the methods to prevent future incidents.
- Responsibilities: who will be contacted at any given stage of an incident and the responsibilities of the administrator(s) during and after the incident. This is a very important area, since the operation of the incident handling mechanism depends on it.

5 Types of Information Security

There are two types of security: (1) physical security / host security and (2) network security. Each of these has three parts:

- Protection: slow down or stop intrusions or damage.
- Detection: alert someone if a breach (or attempted breach) of security occurs, and quantify and qualify what sort of damage occurred or would have occurred.
- Recovery: re-secure the system or data after the breach or damage and, where possible, undo whatever damage occurred.

5.1 Host Security / Physical Security

Host security / physical security means securing the server from unauthorized access. For that we can password-protect the box with steps such as setting a BIOS password, placing the computer in a locked room where only authorized users have access, applying OS security patches, and checking logs on a regular basis for any intrusions and attacks. In host security we also check and correct the permissions on all OS-related files.

5.2 Network Security

Network security is one of the most important aspects of overall security. As I mentioned earlier, no machine connected to the Internet is completely secure, so security administrators and server owners need to be alert and make sure that they are informed of all new bugs and exploits that are discovered. Failure to keep up with these may leave you at the mercy of some script kiddie.

5.3 Which operating system is the most secure?

Every OS has its own pros and cons. There are ways to make Windows more secure, but the implementation is quite costly. Linux is stable and reasonably secure, but many companies perceive it as having little vendor support. My vote for the best OS for security purposes goes to FreeBSD, another free Unix-like OS, but not many people are aware of its existence.

6 Is a firewall the final solution to the network security problem?

No, a firewall is just one part of the security implementation.

Again, we will use the example of a house. In a house all the windows and doors can be closed, but if the lock on the front door is so bad that someone can put just about any key-like object in and open it, then what is the use of the house being all closed up? Similarly, a strong firewall policy will restrict unauthorized access, but if the software running on the box is outdated or full of bugs, then crackers can use it to intrude into the server and gain root access. This shows that a firewall is not the final solution. A planned security implementation is the only real solution to this issue.

7 Security is a continuous process

Security is an ongoing process. Security administrators can only conduct their work on the basis of the alerts and bug fixes released up to the date of securing, so in order to accommodate the fixes for the latest bugs, security work has to be done on a regular basis.

8 Does security implementation create overhead and/or reduce performance?

Yes, a security implementation creates a small amount of overhead, but it need not reduce overall performance drastically. To take care of this, a well-done security implementation has an optimization section, where the security administration gives priority to both performance and security. While securing any software, we should secure it in such a way that it still provides maximum performance.

9 Security Audits - What Should be Checked

A security audit is the part of a security implementation where we try to find the vulnerabilities of the system and suggest actions to improve its security. In a normal audit the points below should be checked, and a report with the results of the audit should be created.

- Check for intrusions. Use chkrootkit or rkhunter for this purpose.
- Check for known bugs in the software installed on the server: the kernel, OpenSSL, OpenSSH, etc.
- Scan all network ports and find out which ports are open. Report the ports that should not be open and what program is listening on them.
- Check whether /tmp is secured.
- Check for hidden processes.
- Check for bad disk blocks in all partitions. (This is just to make sure that the system is reasonably healthy.)
- Check for unsafe file permissions.
- Check whether the kernel is affected by the ptrace vulnerability or other known local root bugs.
- Check the memory. (Another system health check.)
- Check whether the server is an open e-mail relay.
- Check whether the partitions have enough free space.
- Check the size of the log files. It is better that the logs stay in the megabyte range; rotate them before they grow further.

10 How to know if you are being hacked?

To find out whether your box is compromised, follow these steps. These are the steps which I used to follow, and they will be handy in most situations.

10.1 Check your box to see if its performance has degraded or if the machine is being overused.

For that, use these commands:

- vmstat: displays information about memory, CPU and disk. Example: vmstat 1 4 (where 1 is the delay in seconds and 4 is the count).
- mpstat: displays statistics about CPU utilization. This will help you see whether the CPU is overworked. Example: mpstat 1 4 (1 is the delay, 4 the count).
- iostat: displays statistics about the disk system. Useful options: -d gives the device utilization report, -k displays statistics in kilobytes per second. Example: iostat -dk 1 4 (1 is the delay, 4 the count).
- sar: displays overall system performance.

Keep in mind that degraded performance is only a hint: a careful intruder leaves no such trace, and a busy server may be busy for legitimate reasons.

10.2 Check to see if your server has any hidden processes running.

- ps: displays the status of all known processes.
- lsof: lists all open files. In Linux almost everything is a file, so you will be able to see most of the activity on your system with this command.

Compare what ps reports with the numeric entries under /proc; a process visible in one but not the other deserves attention. A kernel-level rootkit can hide from both, which is why the tools in the next step exist.

10.3 Use intrusion detection tools

- rkhunter
- chkrootkit

10.4 Check your machine's uptime.

If the uptime is less than it should be, the machine was rebooted when you did not expect it, possibly by someone loading a modified kernel. A Linux server does not normally reboot on its own, so if your machine has been rebooted, find out the actual reason behind it (check /var/log/messages and the output of last reboot).

10.5 Determine what your unknown processes are and what they are doing.

10.5.1 Use commands like the following to take apart unknown programs:

- readelf: displays the ELF headers, sections and symbols of an executable, which tells you how the program is built and what it links against.
- ldd: shows the shared libraries used by an executable. Note that ldd may run the program's dynamic loader, so never use it on an untrusted binary; use readelf -d or objdump -p instead.
- strings: displays the printable strings in the binary (paths, hostnames, command lines).
- strace: displays the system calls a program makes as it runs. Running an unknown binary under strace still runs it, so do this on an isolated machine.

11 Hardening Methodology

- Read all security-related sites and keep up to date. This is one of the main things a security administrator or server owner should do. Server owners should be made aware of security and its importance. Security training is an important part of an overall security package.
- Create a good security policy. Conduct security audits on the basis of this policy.
- Keep your OS updated by applying all patches.
- Install a custom kernel with all unwanted features and drivers removed, patched with either grsecurity or Openwall.
- Disable all unwanted services and harden the services you leave running; change file and directory permissions so that security is tightened.
- Install a firewall and create good rule sets.
- Test and audit the server on a regular basis.
- Install an intrusion detection system, a log monitor, the Apache security modules, BFD, FAF and a /tmp monitor. Make your partitions secure.
- Run a good backup system to recover data in case of an intrusion, crash, or other destructive incident.
- Install a log analyzer and check your logs for any suspicious entries.
- Install scripts to send out mail or enable notifications when a security breach occurs.
- After a security breach, try to find out how, when and through what the breach occurred. When you find a fix for it, document the details for future reference.

12 Summary

Now let's conclude by covering the main steps by which a hosting server can be secured.

12.1 Determine the business requirements and risk factors which are applicable to this system.

12.2 Devise a security policy with the above data in mind. Get management's approval and sign-off on this security policy.

12.3 On approval of the policy, do a security audit of any existing systems to determine the current vulnerabilities and submit a report to management. The report should also cover the methods needed to improve existing security.

A quick checklist:

- Software vulnerabilities.
- Kernel upgrades and vulnerabilities.
- Check for any Trojans.
- Run chkrootkit.
- Check ports.
- Check for any hidden processes.
- Use audit tools to check the system.
- Check logs.
- Check binaries and RPMs.
- Check for open e-mail relays.
- Check for malicious cron entries.
- Check the /dev, /tmp and /var directories.
- Check whether backups are maintained.
- Check for unwanted users, groups, etc. on the system.
- Check for and disable any unneeded services.
- Locate malicious scripts.
- Enable query logging in DNS.
- Check for suid scripts and for files with no valid owner (nouser).
- Check for valid scripts in /tmp.
- Use intrusion detection tools.
- Check the system performance.
- Check memory performance (run memtest).

12.4 Implement the security policy

12.4.1 Correct all known existing software vulnerabilities, either by applying patches or by upgrading the software.

12.4.2 Implement host security

- Protect your systems with passwords.
- Check the file systems and set correct permissions and ownerships on all directories and files, e.g. chmod -R 700 /etc/rc.d/init.d/*
- Use rpm -Va to find out whether any file installed from an RPM has been modified.
- Apply security patches to vulnerable software (i.e. patch -p1 < patchfile).
- Remove all unneeded ttys and console logins for root by removing their entries from /etc/securetty.
- Check the system logs (e.g. /var/log/messages, /var/log/secure, etc.).
- Set a password on the boot loader (LILO and GRUB both support this).
- Monitor the system (Nagios or Big Brother).

12.4.3 Implement network security

- Remove all unwanted users and groups.
- Use custom security scripts which send out a notification when someone logs in as root over SSH, when a user with UID 0 is created, etc.
- Require passwords of at least 16 characters (PASS_MIN_LEN in /etc/login.defs, or the minlen setting of the password-quality PAM module on PAM-based systems).
- Disable unwanted services using TCP Wrappers (unwanted services can also be disabled through /etc/xinetd.d/ or /etc/xinetd.conf).
- Set up an idle timeout so that idle users are logged out after a certain amount of time.
- Disable all console program access (e.g. remove the entries under /etc/security/console.apps/).
- Enable the nospoof option in /etc/host.conf.
- Specify the order in which domain names should be resolved (e.g. order bind,hosts in /etc/host.conf).
- Lock the /etc/services file so that no one can modify it (chattr +i /etc/services).
- Restrict direct root login: set PermitRootLogin no in sshd_config. Merely commenting the option out is not enough, because sshd then falls back to its compiled-in default, which on the OpenSSH versions of the time was yes.
- Restrict su so that only wheel group members are able to su (use the pam_wheel module, or remove the execute permission for "other" from the su binary).
- Limit users' resources (using PAM, specify the limits for each user in /etc/security/limits.conf).
- Secure /tmp (mount /tmp with noexec,nodev,nosuid).
- Hide the server details: remove /etc/issue and /etc/issue.net.
- Disable unwanted suid and sgid files (e.g. find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls). Examples of these: gpasswd, wall, and traceroute.
- Using iptables, allow pings only from specific locations (for monitoring systems to work).
- Take preventive measures against DoS, "ping of death" attacks, etc.
- Install a firewall (e.g. APF and iptables) and only allow the ports the box needs for its normal functions; block all other ports to prevent mischief.
- Install intrusion detection (e.g. Tripwire or AIDE).
- Install sxid to keep an eye on suid and sgid files.
- Allow SSH only from specific IP addresses and for specific users (I suggest key authentication using a passphrase).
- Install logcheck to check the logs.
- Install tmpwatch to delete unused files from the /tmp directory.
- Install and set up portsentry and configure it to use iptables to block IPs.
- Install mod_security and mod_dosevasive (since renamed mod_evasive) to safeguard Apache.
- Delete files with nouser and nogroup.
- Delete unwanted files/folders in htdocs; disable directory indexing.
- Check for unwanted scripts in root, /usr/local and /var/spool/mbox.
- Install BFD and FAF for additional security.
- Disable open e-mail relaying.
- Submit a status report to management detailing all discovered vulnerabilities and fixes.

12.5 Testing phase

Use tools like Nessus, Nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

Security is of utmost importance to a server; compromising security is compromising the server itself. Hence, an understanding of it is a prerequisite to server ownership and administration.

Blessen works as an Executive team member. He is an Engineer in Computer Science from the College of Engineering, Chengannur. He is passionate about Linux security and looks forward to growing in that field.
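Worked example for section 10.2 (hidden processes). This is an added example, not code from the original article: it compares the PIDs ps reports with the numeric entries in /proc, which is the same cross-check tools such as unhide perform. The comparison itself is a pure function so it can be exercised on constructed PID lists; only live_hidden_pids touches the running system.

```shell
#!/bin/sh
# Cross-check the process list: a PID that exists in /proc but that ps does not
# report is either a process that started between the two snapshots or one that
# a rootkit is hiding from ps. Added example; the original article only names ps.

# hidden_pids "PS_PIDS" "PROC_PIDS"
#   Both arguments are whitespace-separated PID lists (constructed or live).
#   Prints, one per line, every PID in PROC_PIDS that is missing from PS_PIDS.
#   PIDs that ps shows but /proc lacks are ignored: that process simply exited.
hidden_pids() {
    ps_pids=$1
    proc_pids=$2
    for pid in $proc_pids; do
        found=0
        for p in $ps_pids; do
            if [ "$p" = "$pid" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$pid"
        fi
    done
    return 0
}

# live_hidden_pids
#   Takes the two snapshots on the running machine and prints any PID that /proc
#   knows but ps does not. Run it twice a few seconds apart: a PID reported both
#   times is not a race, so inspect it with ls -l /proc/PID/exe and lsof -p PID.
live_hidden_pids() {
    ps_list=$(ps -eo pid= 2>/dev/null | tr -d ' ' | tr '\n' ' ')
    proc_list=$(ls /proc 2>/dev/null | grep -E '^[0-9]+$' | tr '\n' ' ')
    hidden_pids "$ps_list" "$proc_list"
}

# Stand-alone run: report on the local machine.
live_hidden_pids
```

A clean result does not prove the box is clean: a kernel-level rootkit filters the /proc listing as well as ps, which is why section 10.3 adds rkhunter and chkrootkit, and why an offline check from rescue media is the final word.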
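Worked example for the first two items of section 12.4.3 (notification on a root SSH login or on an extra UID 0 account) and the log checks of 12.4.2. This is an added example, not code from the original article. The passwd lines and auth.log lines are constructed sample data in the syslog format OpenSSH's sshd uses; the addresses come from the RFC 5737 documentation ranges. A cron job that pipes the real /etc/passwd and /var/log/secure (or auth.log) through these functions and mails any output is the "custom security script" the article asks for.

```shell
#!/bin/sh
# Account and log checks for the two events the article wants to be told about:
# an extra UID 0 account and a root login over SSH. Added example, not code from
# the original article.

# extra_uid0 PASSWD_FILE
#   Prints every account in PASSWD_FILE that has UID 0 and is not named root.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# root_ssh_logins LOGFILE
#   Prints the source address of every successful SSH login as root, whatever
#   the method (password, publickey, keyboard-interactive).
root_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted [a-z-]+ for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1"
}

# failed_by_ip LOGFILE
#   Counts failed password attempts per source address, busiest first. The
#   leading entry is what a brute-force detector such as BFD would block.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Constructed sample input (not real data).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/sh'

SAMPLE_AUTHLOG='Jan 12 03:14:01 web1 sshd[2211]: Failed password for root from 198.51.100.9 port 40122 ssh2
Jan 12 03:14:03 web1 sshd[2211]: Failed password for root from 198.51.100.9 port 40122 ssh2
Jan 12 03:14:05 web1 sshd[2212]: Failed password for invalid user admin from 198.51.100.9 port 40130 ssh2
Jan 12 03:14:09 web1 sshd[2214]: Failed password for alice from 192.0.2.5 port 51010 ssh2
Jan 12 03:15:40 web1 sshd[2230]: Accepted publickey for alice from 192.0.2.5 port 51022 ssh2: RSA SHA256:AAAA
Jan 12 03:16:02 web1 sshd[2240]: Accepted password for root from 203.0.113.7 port 33006 ssh2'

# write_samples DIR -> writes the sample passwd and auth.log into DIR
write_samples() {
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd"
    printf '%s\n' "$SAMPLE_AUTHLOG" > "$1/auth.log"
}

# Stand-alone run: report on the sample data.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "UID 0 accounts besides root:"; extra_uid0 "$demo_dir/passwd"
echo "root SSH logins from:";        root_ssh_logins "$demo_dir/auth.log"
echo "failed passwords per source:"; failed_by_ip "$demo_dir/auth.log"
rm -rf "$demo_dir"
```

On the sample data the checks report the toor account, the root login from 203.0.113.7, and three failures from 198.51.100.9. In production, feed them yesterday's rotated log rather than the live file so each line is counted exactly once.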
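Worked example for the PermitRootLogin item of section 12.4.3 and the SSH user/address restriction that follows it. This is an added example, not code from the original article: it reads an sshd_config the way sshd does (first value for a keyword wins, lines starting with # are ignored, an absent keyword means the compiled-in default) and reports the settings that leave root or password logins open. The two configurations it audits are constructed samples written to a temporary directory; Match blocks are assumed absent and are not interpreted.

```shell
#!/bin/sh
# Audit the root-login and password settings of an sshd_config. Added example,
# not from the original article. sshd uses the FIRST value given for a keyword,
# ignores lines that start with '#', and applies a compiled-in default for any
# keyword that is not set at all; so a commented-out PermitRootLogin does not
# forbid root logins, it hands the decision to the default. Match blocks are not
# interpreted (assumption: the file has none).

# sshd_value FILE KEYWORD -> first effective value of KEYWORD, empty if unset
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE -> one finding per line; returns 0 when clean, 1 otherwise
sshd_audit() {
    f=$1
    bad=0
    v=$(sshd_value "$f" PermitRootLogin)
    case "$v" in
        no) ;;
        "") echo "PermitRootLogin is unset: the compiled-in default applies (yes before OpenSSH 7.0, prohibit-password since); set it to no"
            bad=1 ;;
        *)  echo "PermitRootLogin is '$v': set it to no and use su or sudo from a named account"
            bad=1 ;;
    esac
    v=$(sshd_value "$f" PasswordAuthentication)
    if [ "$v" != no ]; then
        echo "PasswordAuthentication is '${v:-unset}': set it to no and use key authentication with a passphrase"
        bad=1
    fi
    v=$(sshd_value "$f" PermitEmptyPasswords)
    if [ "$v" = yes ]; then
        echo "PermitEmptyPasswords is 'yes': set it to no"
        bad=1
    fi
    return "$bad"
}

# write_sample_configs DIR -> constructed "weak" and "hardened" files in DIR
write_sample_configs() {
    # The weak file shows the mistake the article's wording invites: the root
    # line is commented out, so the default applies and password logins stay on.
    printf '%s\n' '# distribution default, root line left commented out' \
                  '#PermitRootLogin yes' \
                  'PasswordAuthentication yes' \
                  'X11Forwarding yes' > "$1/weak"
    # The hardened file sets each option explicitly; the trailing duplicate
    # PermitRootLogin is ignored because the first value wins.
    printf '%s\n' 'Protocol 2' \
                  'PermitRootLogin no' \
                  'PasswordAuthentication no' \
                  'PermitEmptyPasswords no' \
                  'PubkeyAuthentication yes' \
                  'AllowUsers admin@203.0.113.*' \
                  'PermitRootLogin yes' > "$1/hardened"
}

# Stand-alone run: audit both samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
echo "weak:";     sshd_audit "$demo_dir/weak"     || true
echo "hardened:"; sshd_audit "$demo_dir/hardened" && echo "no findings"
rm -rf "$demo_dir"
```

After editing the real file, validate it with sshd -t before restarting, and keep an existing session open until a fresh login with a key has succeeded.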
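Worked example for "check whether /tmp is secured" (section 9) and "mount /tmp with noexec,nodev,nosuid" (section 12.4.3). This is an added example, not code from the original article: it reads a file in /proc/mounts format and lists the options a mount point is missing, so the same check covers /tmp, /var/tmp and /dev/shm. The mounts table it runs on is a constructed sample; point it at the real /proc/mounts on a server.

```shell
#!/bin/sh
# Check that a mount point carries the options the article asks for on /tmp.
# Added example, not from the original article. Input lines are in /proc/mounts
# format: "device mountpoint fstype options dump pass".

# missing_mount_opts MOUNTS_FILE MOUNTPOINT "OPT1 OPT2 ..."
#   Prints each wanted option the mount lacks. Prints "not-mounted" when the
#   mount point is absent: a /tmp that is just a directory on the root
#   filesystem cannot be given its own noexec,nodev,nosuid at all.
#   Returns 0 when nothing is missing, 1 otherwise.
missing_mount_opts() {
    # If a mount point appears more than once, the last line is the one in
    # effect, so keep overwriting until the end.
    opts=$(awk -v mp="$2" '$2 == mp { o = $4; found = 1 }
                            END { if (found) print o; else print "not-mounted" }' "$1")
    if [ "$opts" = "not-mounted" ]; then
        echo not-mounted
        return 1
    fi
    missing=0
    for want in $3; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample table: /tmp is its own filesystem but mounted with only
# rw,relatime; /dev/shm already has the three options; /var is not a mount.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /tmp ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'

# write_sample_mounts FILE -> writes the sample table to FILE
write_sample_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" > "$1"
}

# Stand-alone run: check the sample table, then the live one if present.
demo=$(mktemp)
write_sample_mounts "$demo"
for mp in /tmp /dev/shm /var; do
    echo "$mp (sample): $(missing_mount_opts "$demo" "$mp" 'noexec nodev nosuid' | tr '\n' ' ')"
done
rm -f "$demo"
[ -r /proc/mounts ] && echo "/tmp (live): $(missing_mount_opts /proc/mounts /tmp 'noexec nodev nosuid' | tr '\n' ' ')"
exit 0
```

To fix a finding, add noexec,nodev,nosuid to the /tmp line in /etc/fstab and apply it with mount -o remount,noexec,nodev,nosuid /tmp. The caveat: noexec stops a dropped binary from being executed directly, but a script can still be run as sh /tmp/x, so this raises the bar for automated attacks rather than closing the door.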
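Worked example for the suid/sgid item of section 12.4.3 and the sxid item that follows it. This is an added example, not code from the original article: it wraps the corrected find expression in a function and diffs its output against a saved baseline, which is the check sxid performs from cron. The test tree it is exercised on is constructed in a temporary directory; on a server, run find_setid against / and store the baseline somewhere the intruder cannot edit (read-only media, or another host).

```shell
#!/bin/sh
# Inventory setuid/setgid files under a tree and diff the inventory against a
# saved baseline, so that a newly planted setuid binary stands out. Added
# example, not code from the original article.

# find_setid DIR -> sorted list of setuid or setgid regular files under DIR
find_setid() {
    # -xdev keeps find on one filesystem (it will not wander into /proc, /sys
    # or network mounts); the escaped parentheses group the two -perm tests so
    # that both are restricted to regular files. -perm -4000 means "setuid bit
    # set, whatever the other bits", which is what the article's broken
    # "find -type -perm -04000 -o perm 02000" was trying to say.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# setid_new BASELINE_FILE CURRENT_FILE -> entries in CURRENT that are not in
#   BASELINE (both files sorted, as find_setid produces them)
setid_new() {
    comm -13 "$1" "$2"
}

# make_sample_tree DIR -> constructed files: one normal, one setuid, one setgid
make_sample_tree() {
    : > "$1/normal"; chmod 0755 "$1/normal"
    : > "$1/suid";   chmod 4755 "$1/suid"
    : > "$1/sgid";   chmod 2755 "$1/sgid"
}

# Stand-alone run: build the sample tree, take a baseline that knows only the
# setgid file, then show that the setuid file is reported as new.
demo=$(mktemp -d)
make_sample_tree "$demo"
printf '%s\n' "$demo/sgid" > "$demo/baseline.txt"
find_setid "$demo" > "$demo/current.txt"
echo "setuid/setgid files now:";   cat "$demo/current.txt"
echo "not in baseline:";           setid_new "$demo/baseline.txt" "$demo/current.txt"
rm -rf "$demo"
```

When something shows up, ls -l it and check whether the package manager owns it (rpm -qf PATH, then rpm -V on that package): a setuid copy of a shell in /tmp or /var/tmp is the classic backdoor left behind after a root compromise. Remove the bit with chmod u-s,g-s on the binaries the article lists (gpasswd, wall, traceroute) if nobody on the box needs them.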