In a word, no. No machine connected to the internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house: when the windows and doors are open the probability of a thief coming in is high, but if the doors and windows are closed and locked the probability of being robbed is less, though still not nil.

1 What is Information Security?

For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users.

2 Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Airports, seaports, telecommunication industries and TV broadcasting are all thriving as a result of the use of IT. "IT is everywhere."

A lot of sensitive information passes through the Internet, such as credit card data, mission critical server passwords, and important files. There is always a chance of someone viewing and/or modifying the data while it is in transmission. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information: they can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know, "an ounce of prevention beats a pound of cure", so to avoid such critical situations it is advisable to have a good security policy and security implementation.

3 Security Framework

The following illustrates the framework needed to implement a functioning security implementation:

    [ Risk Analysis ]   [ Business Requirements ]
                      |
              [ Security Policy ]
                      |
    [ Security Service, Mechanisms, and Objects ]
                      |
    [ Security Management, Monitoring, Detection and Response ]

This framework shows the basic steps in the life cycle of securing a system. "Risk Analysis" deals with the risk associated with the data in the server to be secured. "Business Requirements" is the study which deals with the actual requirements for conducting business. These two components cover the business aspects of the security implementation. The "Security Policy" covers 8 specific areas of the security implementation, and is discussed in more detail in section 4 below. "Security Service, Mechanisms and Objects" is the implementation part of security. "Security Management, Monitoring, Detection and Response" is the operational face of security, where we cover the specifics of how we find a security breach, and how we react if a breach is found.

4 Security Policy

The Security Policy is a document which addresses the following areas:

- Authentication: This section deals with what methods are used to determine if a user is real or not, which users can or cannot access the system, the minimum password length allowed, how long a user can be idle before being logged out, etc.
- Authorization: This area deals with classifying user levels and what each level is allowed to do on the system, which users can become root, etc.
- Data Protection: Data protection deals with details such as what data should be protected and who can access which levels of data on the system.
- Internet Access: This area deals with the details of which users have access to the internet and what they can do there.
- Internet Services: This section deals with what services on the server are accessible from the internet and which are not.
- Security Audit: This area addresses how audit and review of security related areas and processes will be done.
- Incident Handling: This area addresses the steps and measures to be taken if there is a breach of security. It also covers the steps to find out the actual culprit and the methods to prevent future incidents.
- Responsibilities: This part covers who will be contacted at any given stage of an incident and the responsibilities of the administrator(s) during and after the incident. This is a very important area, since the operation of the incident handling mechanism depends on it.

5 Types of Information Security

There are 2 types of security: (1) Physical security / Host Security and (2) Network security. Each of these has 3 parts:

- Protection: Slow down or stop intrusions or damage.
- Detection: Alert someone if a breach (or attempted breach) of security occurs, and quantify and qualify what sort of damage occurred or would have occurred.
- Recovery: Re-secure the system or data after the breach or damage and, where possible, undo whatever damage occurred.

5.1 Host Security / Physical Security

Host Security / Physical Security means securing the server from unauthorized access. For that we can protect the box with such steps as setting a BIOS password, placing the computer in a locked room where only authorized users have access, applying OS security patches, and checking logs on a regular basis for any intrusions and attacks. In host security we also check and correct the permissions on all OS related files.

5.2 Network security

Network security is one of the most important aspects of overall security. As mentioned earlier, no machine connected to the internet is completely secure, so security administrators and server owners need to be alert, and make sure that they are informed of all new bugs and exploits that are discovered. Failure to keep up with these may leave you at the mercy of some script kiddy.

5.3 Which operating system is the most secure?

Every OS has its own pros and cons. There are ways to make Windows more secure, but the implementation is quite costly. Linux is stable and reasonably secure, but many companies perceive it as having little vendor support. My vote for the best OS for security purposes goes to FreeBSD, another free Unix-like OS, but not many people are aware of its existence.

6 Is a firewall the final solution to the Network Security problem?

No, a firewall is just a part of the security implementation. Again, we will use the example of a house. In a house all the windows and doors can be closed, but if the lock on the front door is so bad that someone can put just about any key-like thing in and open it, then what is the use of the house being all closed up? Similarly, a strong firewall policy will restrict unauthorized access, but if the software running on the box is outdated or full of bugs then crackers can use it to intrude into the server and gain root access. This shows that a firewall is not the final solution. A planned security implementation is the only real solution to this issue.

7 Security is a continuous process

Security is an on-going process. Security administrators can only conduct their work on the basis of the alerts and bugfixes released up to the date of securing, so in order to accommodate all of the fixes for the latest bugs, security work has to be done on a regular basis.

8 Does security implementation create overhead and/or reduce performance?

Yes, a security implementation creates a small amount of overhead, but it need not reduce overall performance drastically. To take care of this, a well done security implementation has an optimization section where the security administrator gives priority to both performance and security. While securing any software, we should secure it in such a way that it still provides maximum performance.

9 Security Audits - What Should be Checked

A security audit is the part of security implementation where we try to find out the vulnerabilities of the system and suggest actions to improve the security. In a normal audit, the points below should be checked, and a report with the results of that audit should be created.

- Check intrusion detection. Use chkrootkit or rkhunter for this purpose.
- Check for known bugs in the software installed on the server: the kernel, openssl, openssh, etc.
- Scan all network ports and find out which ports are open. Report the ports that should not be open and what program is listening on them.
- Check whether /tmp is secured.
- Check for hidden processes.
- Check for bad disk blocks in all partitions. (This is just to make sure that the system is reasonably healthy.)
- Check for unsafe file permissions.
- Check whether the kernel has a ptrace vulnerability.
- Check the memory (another system health check).
- Check if the server is an open e-mail relay.
- Check if the partitions have enough free space.
- Check the size of the log files. It's better that the log size remains in megabytes.

10 How to know if you are being hacked?

To find out whether your box is compromised or not, follow these steps. These are the steps I used to follow, and they will be handy in most situations.

10.1 Check your box to see if its performance has degraded or if the machine is being overused.

For that, use the following commands (in each example 1 is the delay in seconds and 4 is the number of samples):

- vmstat - Displays information about memory, CPU and disk. Ex: bash# vmstat 1 4
- mpstat - Displays statistics about CPU utilization. This will help you see whether your CPU is overworked or not. Ex: bash# mpstat 1 4
- iostat - Displays statistics about the disk system. Useful options: -d gives the device utilization report; -k displays statistics in kilobytes per second. Ex: bash# iostat -dk 1 4
- sar - Displays overall system performance.

Keep in mind that these tools only report what the kernel tells them; a kernel-level rootkit can hide its own load, so a quiet box is not proof of a clean one.

10.2 Check to see if your server has any hidden processes running.

- ps - Displays the status of all known processes.
- lsof - Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

10.3 Use Intrusion Detection Tools

rkhunter and chkrootkit.

10.4 Check your machine's uptime.

If the uptime is less than it should be, this can mean that your machine's resources are being used by someone. A Linux server does not crash or reboot on its own under normal conditions, because it is such a stable OS. If your machine has been rebooted, try to find out the actual reason behind it: a hardware or power problem, an administrator's action, or an intruder who needed a reboot to load a replacement kernel or module.

10.5 Determine what your unknown processes are and what they are doing.

10.5.1 Use commands like the following to take apart unknown programs:

- readelf - Displays the contents of an ELF executable: its headers, sections, symbol table and (with -d) the shared libraries it needs. It shows the program's structure, not what it does when run.
- ldd - Shows the shared libraries used by an executable. Be aware that ldd may execute the program's dynamic loader, so do not run it on a binary you do not trust; readelf -d gives the same list safely.
- strings - Displays the printable strings in the binary.
- strace - Displays the system calls a program makes as it runs. This actually runs the program, so do it on an isolated machine only.

11 Hardening Methodology

- Read all security related sites and keep up to date. This is one of the main things a security administrator or server owner should do. Server owners should be made aware of security and its importance. Security training is an important part of an overall security package.
- Create a good security policy. Conduct security audits on the basis of this policy.
- Keep your OS updated by applying all patches.
- Install a custom kernel with all unwanted features removed and patched with either grsecurity or openwall.
- Disable all unwanted services and harden the services you leave running; change file and directory permissions so that security is tightened.
- Install a firewall and create good rule sets.
- Test and audit the server on a regular basis.
- Install an intrusion detection system, a log monitor, all of the Apache security modules, bfd, faf and a tmp monitor. Make your partitions secure.
- Run a good backup system to recover data in case of an intrusion, crash, or other destructive incident.
- Install a log analyzer and check your logs for any suspicious entries.
- Install scripts to send out mail or other notifications when a security breach occurs.
- After a security breach, try to find out how, when and through what the breach occurred. When you find a fix for it, document the details for future reference.

12 Summary

Now let's conclude by covering the main steps by which a hosting server can be secured.

12.1 Determine the business requirements and risk factors which are applicable to this system.

12.2 Devise a security policy with the above data in mind. Get management's approval and signoff on this security policy.

12.3 On approval of the policy, do a security audit on any existing systems to determine the current vulnerabilities and submit a report on this to management. The report should also cover the methods needed to improve existing security.

A quick checklist:

- Software vulnerabilities.
- Kernel upgrades and vulnerabilities.
- Check for any Trojans.
- Run chkrootkit.
- Check ports.
- Check for any hidden processes.
- Use audit tools to check the system.
- Check logs.
- Check binaries and RPMs.
- Check for open email relays.
- Check for malicious cron entries.
- Check the /dev, /tmp and /var directories.
- Check whether backups are maintained.
- Check for unwanted users, groups, etc. on the system.
- Check for and disable any unneeded services.
- Locate malicious scripts.
- Enable query logging in DNS.
- Check for suid scripts and scripts owned by no user.
- Check which scripts in /tmp are legitimate.
- Use intrusion detection tools.
- Check the system performance.
- Check memory performance (run memtest).

12.4 Implement the security policy

12.4.1 Correct all known existing software vulnerabilities either by applying patches or by upgrading the software.

12.4.2 Implement host security

- Protect your systems with passwords.
- Check the file systems and set correct permissions and ownerships on all directories and files, e.g. chmod -R 700 /etc/rc.d/init.d/*
- Use rpm -Va to find out if any file installed from an rpm has been modified.
- Apply security patches to vulnerable software (e.g. patch -p1 < patchfile).
- Remove all unneeded ttys and console logins by removing their entries from /etc/securetty.
- Check system logs (e.g. /var/log/messages, /var/log/secure, etc.).
- Set a password on the boot loader (lilo and grub both support this).
- Monitor the system (nagios or Big Brother).

12.4.3 Implement network security

- Remove all unwanted users and groups.
- Use custom security scripts which send out a notification when someone logs in over ssh as root, when a user with uid 0 is created, etc.
- Require passwords of at least 16 characters (PASS_MIN_LEN in /etc/login.defs; on systems where PAM enforces password quality, the pam_cracklib or pam_pwquality minlen setting has to be raised as well).
- Disable unwanted services using TCP wrappers (/etc/hosts.allow and /etc/hosts.deny); services can also be disabled through /etc/xinetd.d or xinetd.conf.
- Set up an idle timeout, so that idle users will be logged out after a certain amount of time.
- Disable all console program access (e.g. rm -rf /etc/security/console.apps/*).
- Enable the nospoof option in /etc/host.conf.
- Specify the order in which host names should be resolved (e.g. order bind,hosts in /etc/host.conf).
- Lock the /etc/services file so that no one can modify it (e.g. chattr +i /etc/services).
- Restrict direct root login: set PermitRootLogin no in sshd_config. Merely commenting the option out is not enough, since the compiled-in default is not "no".
- Restrict su so that only wheel group members are able to su (use pam_wheel, or remove the execute permission for others on the su binary).
- Limit users' resources (using PAM, specify the limits for each user in /etc/security/limits.conf).
- Secure /tmp (mount /tmp with noexec,nodev,nosuid).
- Hide the server details: remove /etc/issue and /etc/issue.net.
- Find and disable unwanted suid and sgid files, e.g. find / -type f \( -perm -04000 -o -perm -02000 \) -ls. Examples of these: gpasswd, wall and traceroute.
- Using iptables, allow pings only from specific locations (so that monitoring systems still work).
- Take preventive measures against DoS, "ping of death" attacks, etc.
- Install a firewall (e.g. apf and iptables) and only allow the ports the box needs for its normal functions; block all other ports to prevent mischief.
- Install intrusion detection (e.g. tripwire or aide).
- Install sxid to keep an eye on suid and sgid files.
- Restrict ssh to specific IP addresses and specific users (AllowUsers in sshd_config); key authentication with a passphrase is recommended.
- Install logcheck to check the logs.
- Install tmpwatch to delete unused files from the /tmp directory.
- Install and set up portsentry, and configure it to use iptables to block IPs.
- Install mod_security and mod_dosevasive to safeguard Apache.
- Delete files owned by no user and no group.
- Delete unwanted files and folders in htdocs; disable directory indexing.
- Check for unwanted scripts in /root, /usr/local and /var/spool/mbox.
- Install BFD and FAF for additional security.
- Disable open email relaying.
- Submit a status report to management detailing all discovered vulnerabilities and fixes.

12.5 Testing phase

Use tools like nessus, nikto and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

Security is of utmost importance to a server; compromising security is compromising the server itself. Hence, an understanding of it is a prerequisite to server ownership and administration.

Blessen works as an Executive team member. He is an Engineer in Computer Science from the College of Engineering, Chengannur. He is passionate about Linux security and looks forward to growing in that field.
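The hidden-process check of section 10.2 can be made concrete by comparing what ps reports with what /proc contains. The script below is an added example, not code from the article; it assumes a Linux /proc and a ps that accepts -eo pid=, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): look for PIDs that exist in /proc but
# are missing from ps output, which is how a user-space rootkit that replaces
# ps or hooks the libc calls it uses hides itself. A kernel-level rootkit can
# hide entries from /proc too, so an empty result is not proof of a clean box;
# it is one check among the others in section 10.

# Print the PIDs that appear in the second list but not in the first.
# $1: newline-separated PIDs reported by ps   $2: newline-separated PIDs in /proc
compare_pid_lists() {
    {
        printf '%s\n' "$1" | grep -E '^[0-9]+$' | sed 's/^/ps /'
        printf '%s\n' "$2" | grep -E '^[0-9]+$' | sed 's/^/proc /'
    } | awk '$1 == "ps"   { seen[$2] = 1; next }
             $1 == "proc" && !seen[$2] { print $2 }' | sort -n
}

# One sample of the live system: ps PIDs versus /proc directory entries.
snapshot_hidden() {
    compare_pid_lists "$(ps -eo pid= 2>/dev/null | tr -d ' ')" \
                      "$(ls /proc 2>/dev/null | grep -E '^[0-9]+$')"
}

# ps, ls and this shell's own subshells start and exit between the two reads,
# so a single sample always has a few false positives. Take two samples a
# second apart and report only the PIDs hidden in both.
hidden_pids_live() {
    first=$(snapshot_hidden)
    sleep 1
    second=$(snapshot_hidden)
    {
        printf '%s\n' "$first"  | sed 's/^/a /'
        printf '%s\n' "$second" | sed 's/^/b /'
    } | awk '$1 == "a" { seen[$2] = 1; next }
             $1 == "b" && $2 != "" && seen[$2] { print $2 }'
}

# For a PID hidden from ps, /proc still answers: executable path and command
# line. A deleted-on-disk executable shows up as "(deleted)" in the exe link.
describe_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || echo '?')
    printf 'pid %s exe=%s cmdline=%s\n' "$pid" "$exe" "$cmd"
}

# Constructed sample: PID 666 exists in /proc but ps does not list it.
echo "sample run (expect 666):"
compare_pid_lists "$(printf '1\n2\n3\n500')" "$(printf '1\n2\n3\n500\n666')"

# Live check only when asked for:  LIVE=1 sh hidden_pids.sh
if [ "${LIVE:-0}" = 1 ]; then
    for pid in $(hidden_pids_live); do describe_pid "$pid"; done
fi
```

Follow up any hit with lsof -p on the PID as the article suggests; if /proc itself is lying, the only reliable view is from a rescue medium.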
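For section 10.5.1 (taking apart an unknown program), here is an added example of a static first pass that never executes the suspect file. It is not code from the article; it uses only tr, grep, od and awk from the base system, falls back gracefully when readelf or objdump is not installed, and the pattern list and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): first-pass static triage of an
# unknown executable found on the box. Nothing from the suspect file is run.
# ldd may execute the program's dynamic loader, so on an untrusted binary the
# NEEDED list is read with readelf -d (or objdump -p) instead, and strace is
# left for a disposable VM.

# ELF files start with the bytes 0x7f 'E' 'L' 'F'.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -c | tr -d ' \n')" = "177ELF" ]
}

# Portable stand-in for strings(1): runs of four or more printable characters.
extract_strings() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -E '.{4,}' || true
}

# Patterns worth a second look in a binary nobody installed on purpose:
# hard-coded IPv4 addresses, world-writable staging directories, shell spawns,
# downloaders, library preloading, credential files and debugger tricks.
SUSPICIOUS_RE='([0-9]{1,3}\.){3}[0-9]{1,3}|/tmp/|/var/tmp/|/dev/shm|bash -i|/bin/sh|nc -|wget |curl |LD_PRELOAD|/etc/shadow|ptrace'

flag_strings() {
    extract_strings "$1" | grep -E "$SUSPICIOUS_RE" || true
}

flag_count() {
    flag_strings "$1" | wc -l | tr -d ' '
}

# Shared libraries the binary asks for, read from the ELF dynamic section.
needed_libs() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | awk '/\(NEEDED\)/ { print $NF }' | tr -d '[]'
    elif command -v objdump >/dev/null 2>&1; then
        objdump -p "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
    else
        echo "(readelf/objdump not installed; NEEDED list skipped)"
    fi
}

triage() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if is_elf "$f"; then echo "$f: ELF executable"; else echo "$f: not ELF (script or data)"; fi
    echo "--- NEEDED libraries ---";   needed_libs "$f"
    echo "--- suspicious strings ---"; flag_strings "$f"
    echo "--- next step ---"
    echo "strace -f -o trace.log $f   (runs the program: isolated VM only)"
}

# Constructed sample (not real malware): an ELF magic followed by strings
# typical of a reverse-shell dropper, separated by NUL bytes.
SAMPLE=$(mktemp)
printf '\177ELF\002\001\001\000padding\000connect 203.0.113.7 4444\000/tmp/.x/bin\000bash -i\000libc.so.6\000' > "$SAMPLE"
triage "$SAMPLE"
echo "flagged strings: $(flag_count "$SAMPLE")"
rm -f "$SAMPLE"
```

The string patterns are deliberately noisy (/bin/sh appears in plenty of legitimate programs); the point is to decide quickly whether a file deserves a sandboxed strace run, not to render a verdict.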
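Section 12.4.2 says to use rpm -Va to find modified files, but raw rpm -Va output is mostly noise from configuration files and timestamps. The filter below is an added example, not code from the article; the sample output is constructed here, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): reduce rpm -Va output to the lines
# that matter for an intrusion check. rpm -Va prints one line per file whose
# recorded attributes differ: a 9-character flag string (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P capabilities),
# an optional file type (c config, d doc, g ghost, l license, r readme) and
# the path, or the word "missing". Config and doc files change legitimately
# and mtime-only changes are noise; a digest, mode or owner change on a
# binary or library, or a missing one, is what a replaced ls or sshd looks like.

triage_rpm_verify() {
    awk '
    NF < 2 { next }
    {
        attrs = $1
        if (NF >= 3) { type = $2; path = $3 } else { type = ""; path = $2 }
        if (type ~ /^[cdglr]$/) next          # expected to differ: skip
        if (attrs == "missing") { print "MISSING  " path; next }
        reason = ""
        if (attrs ~ /5/)    reason = reason "digest,"
        if (attrs ~ /S/)    reason = reason "size,"
        if (attrs ~ /M/)    reason = reason "mode,"
        if (attrs ~ /[UG]/) reason = reason "owner,"
        if (attrs ~ /L/)    reason = reason "symlink,"
        if (reason != "") {
            sub(/,$/, "", reason)
            print "MODIFIED " path " (" reason ")"
        }
    }'
}

# Number of findings in a given rpm -Va text (handy for scripted checks).
rpm_verify_flag_count() {
    printf '%s\n' "$1" | triage_rpm_verify | wc -l | tr -d ' '
}

# Constructed rpm -Va output, not captured from a real host.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/vi
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
.....UG..    /usr/sbin/sshd
.......T.  d /usr/share/doc/bash/README
missing     /usr/lib64/libfoo.so.1
S.5....T.  c /etc/issue'

echo "sample findings:"
printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify

# Live run:  rpm -Va 2>/dev/null | triage_rpm_verify
```

A rootkit that replaces rpm itself or edits /var/lib/rpm defeats this check, so on a box you suspect, run rpm from a rescue medium against the mounted disk, or compare against the offline tripwire/aide baseline the article recommends.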
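Three of the section 12.4.3 items (PermitRootLogin, the /tmp mount options and the 16-character password minimum) can be audited from the configuration files. The script below is an added example, not code from the article; it assumes the usual paths /etc/ssh/sshd_config, /etc/fstab and /etc/login.defs, the sample configuration fragments are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): check three section 12.4 settings
# against configuration text, so a weak file and its hardened version can be
# compared side by side. Each function takes file contents as an argument and
# prints one finding per line; no finding means the check passed.

# Effective value of an sshd_config keyword: sshd uses the first uncommented
# occurrence and keywords are case-insensitive. Prints $3 (the compiled-in
# default) when the keyword is absent. Match blocks are not handled, so keep
# this to the global section.
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }'
}

audit_sshd() {
    cfg=$1
    [ "$(sshd_value "$cfg" PermitRootLogin yes)" = "no" ] ||
        echo "sshd: PermitRootLogin is not 'no' (commenting the line out keeps the default, which is not 'no')"
    [ "$(sshd_value "$cfg" PasswordAuthentication yes)" = "no" ] ||
        echo "sshd: PasswordAuthentication enabled; use keys with a passphrase"
    [ "$(sshd_value "$cfg" PermitEmptyPasswords no)" = "no" ] ||
        echo "sshd: PermitEmptyPasswords enabled"
    [ -n "$(sshd_value "$cfg" AllowUsers '')" ] ||
        echo "sshd: no AllowUsers restriction"
}

# /tmp must be its own mount for noexec,nodev,nosuid to apply.
audit_fstab() {
    opts=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "fstab: /tmp is not a separate mount, so noexec,nodev,nosuid cannot be set on it"
        return 0
    fi
    for o in noexec nodev nosuid; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "fstab: /tmp is mounted without $o" ;;
        esac
    done
}

audit_login_defs() {
    n=$(printf '%s\n' "$1" | awk '$1 == "PASS_MIN_LEN" { print $2; exit }')
    case $n in
        ''|*[!0-9]*) echo "login.defs: PASS_MIN_LEN is not set (policy: 16)"; return 0 ;;
    esac
    [ "$n" -ge 16 ] ||
        echo "login.defs: PASS_MIN_LEN is $n, policy requires 16 (with PAM, pam_pwquality/pam_cracklib minlen must match too)"
}

audit_all() {
    audit_sshd "$1"
    audit_fstab "$2"
    audit_login_defs "$3"
}

finding_count() {
    audit_all "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed configuration fragments (not from a real host).
WEAK_SSHD='#PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes'
HARD_SSHD='PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers admin deploy'
WEAK_FSTAB='/dev/sda1 /    ext4 defaults 1 1
/dev/sda3 /tmp ext4 defaults 1 2'
HARD_FSTAB='/dev/sda1 /    ext4 defaults 1 1
/dev/sda3 /tmp ext4 defaults,noexec,nodev,nosuid 1 2'
WEAK_LOGIN='PASS_MAX_DAYS 99999
PASS_MIN_LEN 5'
HARD_LOGIN='PASS_MAX_DAYS 90
PASS_MIN_LEN 16'

echo "weak configuration:";     audit_all "$WEAK_SSHD" "$WEAK_FSTAB" "$WEAK_LOGIN"
echo "hardened configuration:"; audit_all "$HARD_SSHD" "$HARD_FSTAB" "$HARD_LOGIN"

# Read-only live run:  LIVE=1 sh audit_hardening.sh
if [ "${LIVE:-0}" = 1 ]; then
    audit_all "$(cat /etc/ssh/sshd_config)" "$(cat /etc/fstab)" "$(cat /etc/login.defs)"
fi
```

The weak sshd fragment is the common mistake the article warns about: the PermitRootLogin line is present but commented out, so sshd silently falls back to its default.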
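Sections 6 and 12.4.3 ask for a firewall that opens only the ports the box needs and accepts pings only from the monitoring hosts. The generator below is an added example, not a rule set from the article; it assumes IPv4, a single host, an iptables with the conntrack match, and that the ssh port is in the allowed list, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the article): produce a default-deny iptables INPUT
# rule set from the TCP service ports the box needs and the monitoring hosts
# that may ping it. The rules are printed for review rather than applied;
# apply them as root with:  sh gen_rules.sh | sh
# Remember to include the ssh port, or the DROP policy locks you out.

gen_firewall_rules() {
    tcp_ports=$1      # e.g. "22 80 443"
    ping_sources=$2   # IPs/CIDRs allowed to send echo-request, e.g. "192.0.2.10"

    # Refuse to emit anything if a port is not a number in 1..65535.
    for p in $tcp_ports; do
        case $p in
            *[!0-9]*) echo "gen_firewall_rules: bad port '$p'" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] ||
            { echo "gen_firewall_rules: port out of range '$p'" >&2; return 1; }
    done

    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # Only the listed services may receive new connections.
    for p in $tcp_ports; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Ping only from monitoring hosts, rate-limited so even they cannot flood
    # the box; every other echo-request is dropped.
    for src in $ping_sources; do
        echo "iptables -A INPUT -p icmp --icmp-type echo-request -s $src -m limit --limit 5/second -j ACCEPT"
    done
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
    # Keep a rate-limited sample of what the policy drops, for the log checks.
    echo "iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix \"fw-drop: \""
}

echo "# web server reachable on ssh/http/https, pinged only by the monitoring box"
gen_firewall_rules "22 80 443" "192.0.2.10"
```

ICMP error messages needed for path MTU discovery still get in through the ESTABLISHED,RELATED rule. The rate limit on echo-request is what mitigates ping floods; the classic "ping of death" oversized packet is handled by the kernel itself on any supported release.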