In a word, No. No machine connected to the internet is 100% secure. This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house: when the windows and doors are open, the probability of a thief coming in is high, but if the doors and windows are closed and locked, the probability of being robbed is less, though still not nil.

1 What is Information Security?

For our purposes, Information Security means the methods we use to protect sensitive data from unauthorized users.

2 Why do we need Information Security?

The entire world is rapidly becoming IT enabled. Wherever you look, computer technology has revolutionized the way things operate. Some examples are airports, seaports, telecommunication industries, and TV broadcasting, all of which are thriving as a result of the use of IT. "IT is everywhere."

A lot of sensitive information passes through the Internet, such as credit card data, mission-critical server passwords, and important files. There is always a chance of someone viewing and/or modifying the data while it is in transmission. There are countless horror stories of what happens when an outsider gets someone's credit card or financial information. He or she can use it in any way they like and could even destroy you and your business by taking or destroying all your assets. As we all know, "An ounce of prevention beats a pound of cure," so to avoid such critical situations, it is advisable to have a good security policy and security implementation.

3 Security Framework

The following illustrates the framework needed to implement a functioning security implementation:

    [ Risk Analysis ]   [ Business Requirements ]
                      |
              [ Security Policy ]
                      |
    [ Security Service, Mechanisms, and Objects ]
                      |
    [ Security Management, Monitoring, Detection and Response ]

This framework shows the basic steps in the life cycle of securing a system. "Risk Analysis" deals with the risk associated with the data in the server to be secured. "Business Requirements" is the study which deals with the actual requirements for conducting business. These two components cover the business aspects of the security implementation. The "Security Policy" covers 8 specific areas of the security implementation, and is discussed in more detail in section 4 below. "Security Service, Mechanisms and Objects" is actually the implementation part of security. "Security Management, Monitoring, Detection and Response" is the operational face of security, where we cover the specifics of how we find a security breach, and how we react if a breach is found.

4 Security Policy

The Security Policy is a document which addresses the following areas:

Authentication: This section deals with what methods are used to determine if a user is real or not, which users can or cannot access the system, the minimum length of password allowed, how long a user can be idle before he is logged out, etc.

Authorization: This area deals with classifying user levels and what each level is allowed to do on the system, which users can become root, etc.

Data Protection: Data protection deals with details like what data should be protected and who can access which levels of data on the system.

Internet Access: This area deals with the details of the users having access to the internet and what they can do there.

Internet Services: This section deals with what services on the server are accessible from the internet and which are not.

Security Audit: This area addresses how audit and review of security related areas and processes will be done.

Incident Handling: This area addresses the steps and measures to be taken if there is a breach of security. This also covers the steps to find out the actual culprit and the methods to prevent future incidents.

Responsibilities: This part covers who will be contacted at any given stage of an incident and the responsibilities of the administrator(s) during and after the incident. This is a very important area, since the operation of the incident handling mechanism is dependent on it.

5 Types of Information Security

There are 2 types of security: (1) Physical security / Host Security and (2) Network security. Each of these has 3 parts:

Protection: Slow down or stop intrusions or damage.

Detection: Alert someone if a breach (or attempted breach) of security occurs, and quantify and qualify what sort of damage occurred or would have occurred.

Recovery: Re-secure the system or data after the breach or damage and, where possible, undo whatever damage occurred.

5.1 Host Security / Physical Security

Host Security / Physical Security means securing the server from unauthorized access. For that we can password protect the box with such steps as setting up a BIOS password, placing the computer box in a locked room where only authorized users have access, applying OS security patches, and checking logs on a regular basis for any intrusions and attacks. In host security we check and correct the permissions on all OS related files.

5.2 Network security

Network security is one of the most important aspects of overall security. As I mentioned earlier, no machine connected to the internet is completely secure, so security administrators and server owners need to be alert, and make sure that they are informed of all new bugs and exploits that are discovered. Failure to keep up with these may leave you at the mercy of some script kiddie.

5.3 Which operating system is the most secure?

Every OS has its own pros and cons. There are ways to make Windows more secure, but the implementation is quite costly. Linux is stable and reasonably secure, but many companies perceive it as having little vendor support. My vote for the best OS for security purposes goes to FreeBSD, another free Unix-like OS, but not many people are aware of its existence.

6 Is a firewall the final solution to the Network Security problem?

No, a firewall is just a part of the security implementation. Again, we will use the example of a house. In a house all the windows and doors can be closed, but if the lock on the front door of the house is so bad that someone can put just any key-like thing in and open it, then what is the use of the house being all closed up? Similarly, if we have a strong firewall policy, it will restrict unauthorized access, but if the software running on the box is outdated or full of bugs then crackers can use it to intrude into the server and gain root access. This shows that a firewall is not the final solution. A planned security implementation is the only real quality solution to this issue.

7 Security is a continuous process

Security is an on-going process. Security administrators can only conduct their work on the basis of the alerts and bugfixes released up to the date of securing, so in order to accommodate all of the fixes for the latest bugs, security work has to be done on a regular basis.

8 Does security implementation create overhead and/or reduce performance?

Yes, security implementation creates a small amount of overhead, but it need not reduce overall performance drastically. To take care of such things, a well done security implementation has an optimization section where the security administration gives priority to both performance and security. While securing any software, we should secure it in such a way that it still provides maximum performance.

9 Security Audits - What Should be Checked

A security audit is a part of security implementation where we try to find out the vulnerabilities of the system and suggest actions to improve the security. In a normal audit, the points below should be checked, and a report with the results of that audit should be created.

- Check intrusion detection. Use chkrootkit or rkhunter for this purpose.
- Check for known bugs in the software installed on the server - the kernel, openssl, openssh, etc.
- Scan all network ports and find out which ports are open. Report the ports that should not be open and what program is listening on them.
- Check whether /tmp is secured.
- Check for hidden processes.
- Check for bad disk blocks in all partitions. (This is just to make sure that the system is reasonably healthy.)
- Check for unsafe file permissions.
- Check whether the kernel has a ptrace vulnerability.
- Check the memory. (Another system health check.)
- Check if the server is an open e-mail relay.
- Check if the partitions have enough free space.
- Check the size of the log files. It's better that the log size remains in megabytes.

10 How to know if you are being hacked?

To find out if your box is compromised or not, follow these steps. These are the steps which I used to do, and they will be handy in most situations.

10.1 Check your box to see if your performance has degraded or if your machine is being over used. For that, use these commands:

- vmstat - Displays information about memory, CPU and disk. Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)
- mpstat - Displays statistics about CPU utilization. This will help us to see if your CPU is over worked or not. Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)
- iostat - Displays statistics about the disk system. Useful options: -d gives the device utilization report; -k displays statistics in kilobytes per second. Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)
- sar - Displays overall system performance.

10.2 Check to see if your server has any hidden processes running.

- ps - Displays the status of all known processes.
- lsof - Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

10.3 Use Intrusion Detection Tools

- rkHunter
- chkrootkit

10.4 Check your machine's uptime.

If the uptime is less than it should be, this can mean that your machine's resources are being used by someone. Linux doesn't crash or reboot under normal conditions because it is such a stable OS. If your machine has been rebooted, try to find out the actual reason behind it.

10.5 Determine what your unknown processes are and what they are doing.

10.5.1 Use commands like the following to take apart unknown programs:

- readelf - This command will display what the executable's program is performing.
- ldd - This command will show the details of the libraries used by an executable.
- strings - This command will display the strings in the binary.
- strace - This command will display the system calls a program makes as it runs.

11 Hardening Methodology

- Read all security related sites and keep up to date. This is one of the main things a security administrator or server owner should do. Server owners should be made aware of security and its importance. Security training is an important part of an overall security package.
- Create a good security policy. Conduct security audits on the basis of this policy.
- Keep your OS updated by applying all patches.
- Install a custom kernel with all unwanted services removed and patched with either grsecurity or openwall.
- Disable all unwanted services and harden the services you leave running; change file and directory permissions so that security is tightened.
- Install a firewall and create good rule sets.
- Test and audit the server on a regular basis.
- Install an intrusion detection system, a log monitor, all of the Apache security modules, bfd, faf and a tmp monitor. Make your partitions secure.
- Run a good backup system to recover data in case of an intrusion, crash, or other destructive incident.
- Install a log analyzer and check your logs for any suspicious entries.
- Install scripts to send out mail or enable notifications when a security breach occurs.
- After a security breach, try to find out how, when and through what the breach occurred. When you find a fix for it, document the details for future reference.

12 Summary

Now let's conclude by covering the main steps by which a hosting server can be secured.

12.1 Determine the business requirements and risk factors which are applicable to this system.

12.2 Devise a security policy with the above data in mind. Get management's approval and signoff on this security policy.

12.3 On approval of the policy, do a security audit on any existing systems to determine the current vulnerabilities and submit a report regarding this to the management. The report should also cover the methods needed to improve existing security.

A quick checklist:

- Software vulnerabilities.
- Kernel upgrades and vulnerabilities.
- Check for any Trojans.
- Run chkrootkit.
- Check ports.
- Check for any hidden processes.
- Use audit tools to check the system.
- Check logs.
- Check binaries and RPMs.
- Check for open email relays.
- Check for malicious cron entries.
- Check the /dev, /tmp and /var directories.
- Check whether backups are maintained.
- Check for unwanted users, groups, etc. on the system.
- Check for and disable any unneeded services.
- Locate malicious scripts.
- Querylog in DNS.
- Check for suid scripts and nouser scripts.
- Check for valid scripts in /tmp.
- Use intrusion detection tools.
- Check the system performance.
- Check memory performance (run memtest).

12.4 Implement the security policy

12.4.1 Correct all known existing software vulnerabilities either by applying patches or by upgrading the software.

12.4.2 Implement host security

- Protect your systems with passwords.
- Check the file systems and set correct permissions and ownerships on all directories and files: chmod -R 700 /etc/rc.d/init.d/*
- Use rpm -Va to find out if an rpm is modified.
- Apply security patches to vulnerable software (i.e. patch -p1 < patchfile).
- Remove all unneeded ttys and console logins by removing the entry from /etc/securetty.
- Check the system logs (e.g. /var/log/messages, /var/log/secure, etc.).
- Set a password on the boot loader (lilo and grub both support this).
- Monitor the system (nagios or big brother).

12.4.3 Implement Network security

- Remove all unwanted users and groups.
- Use custom security scripts which will send out a notification when someone sshes in as root, when a user with uid 0 is created, etc.
- Require passwords with 16 characters (can be done by making changes in login.defs).
- Disable unwanted services using tcpwrapper (unwanted services can also be disabled through xinetd.d or xinetd.conf).
- Set up an idle timeout, so that idle users will be logged out after a certain amount of time.
- Disable all console program access (e.g. rm -rf /etc/security/console.app/.).
- Enable the nospoof option in /etc/host.conf.
- Specify the order in which domain names should be resolved (e.g. order bind hosts).
- Lock the /etc/services file so that no one can modify it.
- Restrict direct root login (comment out the PermitRootLogin option in sshd_config).
- Restrict su, so that only wheel group members are able to su (can use pam, or remove the "other" permission bits from the su binary).
- Limit users' resources (using pam, specify the limits for each user in /etc/security/limits.conf).
- Secure tmp (mount /tmp with noexec,nodev,nosuid).
- Hide the server details. Remove /etc/issue and /etc/issue.net.
- Disable unwanted suid and sgid files (e.g. find / -type f \( -perm -04000 -o -perm -02000 \)). Examples of these: gpasswd, wall, and traceroute.
- Using iptables, allow pings only from specific locations (for monitoring systems to work).
- Take preventive measures against DOS, "ping of death" attacks, etc.
- Install a firewall (e.g. apf and iptables) and only allow the ports which the box needs for its normal functions; block all other ports to prevent mischief.
- Install intrusion detection (e.g. install tripwire or aide).
- Install sxid to keep an eye on suid and sgid scripts.
- Restrict ssh to specific IP addresses and specific users (I suggest key authentication using a passphrase).
- Install logcheck to check the logs.
- Install tmpwatch to delete the unused files from the /tmp directory.
- Install and set up portsentry and configure it to use iptables to block IPs.
- Install mod_security and mod_dosevasive to safeguard apache.
- Delete files with nouser and nogroup.
- Delete unwanted files/folders in htdocs, and disable directory indexing.
- Check for unwanted scripts in root, /usr/local, /var/spool/mbox.
- Install BFD and FAF for additional security.
- Disable open email relaying.
- Submit a status report to management detailing all discovered vulnerabilities and fixes.

12.5 Testing phase

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

Security is of utmost importance to a server; compromising security is compromising the server itself. Hence, an understanding of the same is a prerequisite to server ownership and administration.

Blessen works as Executive team member in He is an Engineer in Computer Science from the College of Engineering, Chengannur. He is passionate about Linux security and looks forward to growing in that field.
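The following script is an added example (not part of the article) that turns a few of the host and network hardening items from sections 12.4.2 and 12.4.3 into checks you can run: the effective PermitRootLogin value in sshd_config, the noexec/nodev/nosuid options on /tmp, PASS_MIN_LEN in login.defs, and the setuid/setgid file search. It builds a constructed sample tree under a temp directory so it runs offline; the file names, permissions and settings in that tree are made up for the demo. Point the same functions at the real /etc/ssh/sshd_config, /proc/mounts, /etc/login.defs and / to audit a live box.

```shell
#!/bin/sh
# Added example, not from the article: audit a handful of the hardening
# items from sections 12.4.2 and 12.4.3 against a constructed sample tree.
# Nothing below reads the live /etc; every path is under a temp directory.

set -u

# Effective value of an sshd_config keyword. sshd uses the first
# non-comment occurrence of a keyword, so the first match wins here too.
sshd_option() {                       # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Pass (exit 0) only when direct root login over ssh is switched off.
check_root_login() {                  # $1 = sshd_config path
    [ "$(sshd_option "$1" PermitRootLogin)" = "no" ]
}

# Print the options /tmp should carry but does not (noexec, nodev, nosuid).
tmp_missing_opts() {                  # $1 = file in /proc/mounts format
    opts=$(awk '$2 == "/tmp" { print $4; exit }' "$1")
    for want in noexec nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want" ;;
        esac
    done
}

# PASS_MIN_LEN from login.defs (prints nothing if it is unset).
pass_min_len() {                      # $1 = login.defs path
    awk '$1 == "PASS_MIN_LEN" { print $2; exit }' "$1"
}

# The article's setuid/setgid search with a complete find syntax.
find_suid_sgid() {                    # $1 = directory tree to scan
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null | sort
}

# Constructed sample tree (not copied from any real host): one good sshd
# setting, one weak /tmp mount, and two setuid/setgid binaries to report.
build_sample() {                      # prints the sample root
    root=$(mktemp -d)
    mkdir -p "$root/etc/ssh" "$root/usr/bin"
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
        'X11Forwarding no' > "$root/etc/ssh/sshd_config"
    printf '%s\n' 'PASS_MIN_LEN 16' > "$root/etc/login.defs"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
        '/dev/sda3 /tmp ext3 rw,nodev 0 0' > "$root/mounts"   # lacks noexec,nosuid
    : > "$root/usr/bin/gpasswd"; chmod 4755 "$root/usr/bin/gpasswd"   # setuid
    : > "$root/usr/bin/wall";    chmod 2755 "$root/usr/bin/wall"      # setgid
    : > "$root/usr/bin/ls";      chmod 0755 "$root/usr/bin/ls"        # plain
    echo "$root"
}

# Print the findings; return their count (0 means every check passed).
audit_report() {                      # $1 = sample root
    n=0
    check_root_login "$1/etc/ssh/sshd_config" \
        || { echo "FAIL PermitRootLogin is not 'no'"; n=$((n + 1)); }
    missing=$(tmp_missing_opts "$1/mounts" | tr '\n' ' ')
    [ -z "$missing" ] \
        || { echo "FAIL /tmp is missing mount options: $missing"; n=$((n + 1)); }
    len=$(pass_min_len "$1/etc/login.defs")
    [ -n "$len" ] && [ "$len" -ge 16 ] \
        || { echo "FAIL PASS_MIN_LEN is '${len:-unset}', want 16"; n=$((n + 1)); }
    for f in $(find_suid_sgid "$1"); do
        echo "WARN setuid/setgid file: $f"; n=$((n + 1))
    done
    echo "$n finding(s)"
    return $n
}

SAMPLE=$(build_sample)
audit_report "$SAMPLE" || true
rm -rf "$SAMPLE"
```

On the sample tree the report flags the /tmp mount (noexec and nosuid missing) and the two setuid/setgid files, and passes the sshd and password-length checks; the setuid list is a review list rather than an automatic failure, because some of those binaries (the article names gpasswd, wall and traceroute) may be ones the box genuinely needs.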
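Section 12.4.3 asks for custom scripts that notify you when someone sshes in as root or when an account with uid 0 appears. The script below is an added example of that idea, not code from the article: it extracts accepted root logins from log lines in the format OpenSSH writes to /var/log/secure and lists any uid 0 account other than root in a passwd file. The log lines and passwd entries are constructed for the demo (addresses are from the documentation ranges), and the mail step is replaced by a print so it runs offline; on a real host, point it at /var/log/secure and /etc/passwd, swap the notify body for a mail command, and run it from cron.

```shell
#!/bin/sh
# Added example, not from the article: the "custom security script" of
# section 12.4.3, run over constructed sample data so it works offline.

set -u

# Accepted ssh logins as root, as OpenSSH logs them to /var/log/secure.
# Output: "<month> <day> <time> <source ip>" per login.
root_ssh_logins() {                   # $1 = log file
    grep -E 'sshd\[[0-9]+\]: Accepted (password|publickey) for root from ' "$1" \
    | awk '{ print $1, $2, $3, $11 }'   # $11 is the address after "from"
}

# Accounts other than root whose uid is 0 (a second superuser is a classic
# backdoor, so every such name is worth an alert).
extra_uid0_accounts() {               # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Where alerts go. On a real host replace the body with something like
# `mail -s "$1" admin@example.com` (assumed address); the demo just prints.
notify() {                            # $1 = subject, stdin = body
    printf '*** %s ***\n' "$1"
    cat
}

# Run both checks; return 0 when nothing was found, 1 when an alert went out.
run_checks() {                        # $1 = log file, $2 = passwd file
    report=$(
        root_ssh_logins "$1"      | sed 's/^/root ssh login: /'
        extra_uid0_accounts "$2"  | sed 's/^/uid 0 account:  /'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report" | notify "security alert on ${HOSTNAME:-localhost}"
    return 1
}

# Constructed sample data (made up for the demo); prints its directory.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' \
'Mar 10 02:14:07 web1 sshd[2314]: Accepted password for root from 203.0.113.7 port 51234 ssh2' \
'Mar 10 02:15:11 web1 sshd[2320]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2' \
'Mar 10 02:16:40 web1 sshd[2331]: Failed password for root from 203.0.113.9 port 51240 ssh2' \
'Mar 10 03:01:02 web1 sshd[2390]: Accepted publickey for root from 198.51.100.4 port 40100 ssh2' \
        > "$d/secure"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'alice:x:500:500::/home/alice:/bin/bash' \
        'toor:x:0:0::/root:/bin/bash' \
        > "$d/passwd"
    echo "$d"
}

D=$(make_samples)
run_checks "$D/secure" "$D/passwd" || true
rm -rf "$D"
```

On the sample data the report lists the two accepted root logins (the failed attempt is deliberately left out, since a failure is not a breach) and the extra uid 0 account "toor". If you also restrict direct root login as the article suggests, an accepted root login in the log is itself a sign that the sshd configuration has been changed behind your back.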
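Section 12.4.3 also says to install a firewall that only allows the ports the box needs, to allow pings only from specific monitoring hosts, and to take preventive measures against DOS and ping floods. The script below is an added example (not from the article) that generates such a default-deny ruleset in the iptables-restore(8) format; the port list and the monitoring addresses in the demo call are placeholders, and the script only prints the rules, changing nothing unless you feed its output to iptables-restore yourself.

```shell
#!/bin/sh
# Added example, not from the article: build a default-deny iptables ruleset
# for the firewall items of section 12.4.3. Output is iptables-restore
# format; the demo values at the bottom are placeholders.

set -u

# Exit 0 when $1 is an integer in 1..65535.
valid_port() {
    case ${1:-} in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# $1 = space-separated TCP ports to expose, $2 = hosts allowed to ping.
# Rule order matters: loopback and existing connections first, then the
# explicit allows, then logging of whatever falls through to the DROP policy.
build_ruleset() {
    ports=$1; pingers=$2
    for p in $ports; do
        valid_port "$p" || { echo "build_ruleset: bad port '$p'" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'             # default deny for inbound traffic
    echo ':FORWARD DROP [0:0]'           # a server, not a router
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for h in $pingers; do
        # echo-request only from the monitoring hosts, rate limited so a
        # ping flood from one of them still cannot swamp the box
        echo "-A INPUT -s $h -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT"
    done
    # log (rate limited, so the log itself cannot be flooded) before the
    # policy drops the packet; this is what a log analyzer will pick up
    echo '-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT-DROP: "'
    echo 'COMMIT'
}

# Demo: ssh, http and https open to the world, ping from two monitoring hosts.
build_ruleset "22 80 443" "198.51.100.4 198.51.100.5"
```

Apply it with `build_ruleset "22 80 443" "<monitoring host>" | iptables-restore` from a console session rather than over ssh, since a typo in the port list would lock you out; the INPUT policy of DROP means anything not listed, including the ICMP types you did not allow, is silently discarded after the log line.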