ABOUT ME My name is Davor Guttierrez davor.g - PowerPoint PPT Presentation

  1. ABOUT ME … My name is Davor Guttierrez, davor.guttierrez@linux.com

  2. FOUR MYTHS ABOUT LINUX SECURITY
  • Linux is invulnerable and virus-free.
  • Virus writers do not target Linux because it has a low market share.
  • Windows malware cannot run on Linux.
  • On Linux you install software from software repositories, which contain only trusted software.

  3. LINUX DESKTOP SECURITY
  The majority of new users are coming from Windows environments, where security focuses mostly on anti-virus software. To understand security on Linux, you must shift your thinking away from this point of view. Common beliefs carried over from Windows:
  • If I install an anti-virus program I'll be fine.
  • Security through obscurity keeps me safe.
  • I can browse however I want to because malware on the web is mostly designed for Windows.
  • I don't need to use fancy browser add-ons when using public access wifi because I use Ubuntu.
  • I don't need a firewall because Ubuntu has no open ports by default.
  • Windows malware cannot compromise Ubuntu.
  • Ubuntu is harder to exploit than Windows, Mac OS X, whatever else - and it's targeted less than those other operating systems as well.

  4. LINUX SERVER SECURITY
  My first 15 minutes on a new server installation:
  • Our servers are configured with two accounts: root and user accounts in IPA Server. The user account has sudo access via an arbitrarily long password and is the account that system administrators log into. Sysadmins log in with their public keys, not passwords, so administration is as simple as keeping the authorized_keys file up-to-date across servers. Root login over ssh is disabled, and the users can only log in from our office IP block.

  5. ON VIRGIN SYSTEM
  Ubuntu, CentOS or Oracle Linux - the commands are similar:
  - passwd
  - apt-get update; apt-get upgrade or yum update
  - fail2ban installation
  - configuration for LDAP or SSSD
  - sudoers configuration in IPA Server
  - setup firewall (ufw, csf or apf) and SELinux or AppArmor
  - install logwatch and Zabbix Agent
  - install TSM

  6. BASIC SECURITY ON LAMP SERVER - UBUNTU
  • Install and configure Firewall - ufw
  • SSH - key based login, disable root login and change port
  • Apache SSL - disable SSL v3 support
  • Protect su by limiting access only to admin group
  • Harden network with sysctl settings
  • Disable open DNS recursion and remove version info - Bind9 DNS
  • Prevent IP spoofing
  • Harden PHP for security

  7. BASIC SECURITY ON LAMP SERVER - UBUNTU
  • Restrict Apache information leakage
  • Install and configure Apache application firewall - ModSecurity
  • Protect from DDoS (Denial of Service) attacks with ModEvasive
  • Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
  • Intrusion detection - PSAD
  • Check for rootkits - RKHunter and chkrootkit
  • Scan open ports - Nmap, Lynis
  • Analyse system log files - LogWatch
  • SELinux - AppArmor
  • Audit your system security - Tiger

  8. INSTALL AND CONFIGURE FIREWALL
  • install ufw
  • allow access to ssh and http
  • enable ufw
  • look at ufw status

  9. SSH HARDENING
  • key based login
  • disable root login
  • change SSH port
  • allowed users from allowed IPs
  • TCP Wrappers setup for different networks
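The policy on slide 4 and the items on slide 9 can be checked mechanically. The script below is an added example, not part of the presentation: it reads an sshd_config and reports which of the slide's items are missing. The helper names are my own, and it assumes the relevant directives sit at top level (Match blocks are not evaluated) and that "allowed users from allowed IPs" is expressed as an AllowUsers user@host list.

```shell
#!/bin/sh
# Added example (not from the slides): audit an sshd_config against the
# SSH HARDENING slide. Helper names are my own; only top-level directives
# are read, Match blocks are ignored (assumption).

# Effective value of a keyword: first uncommented match wins, as in sshd.
sshd_opt() {                     # $1 = config file, $2 = keyword
    sed 's/#.*$//' "$1" | awk -v k="$2" \
        'tolower($1) == tolower(k) { print $2; exit }'
}

# Prints one FAIL line per missing item plus a summary; the exit status is
# the number of failed checks, so 0 means every item on the slide is set.
audit_sshd_config() {
    cfg=$1; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # disable root login over ssh
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "no" ] \
        || fail "PermitRootLogin must be 'no'"
    # key based login only: no password authentication
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] \
        || fail "PasswordAuthentication must be 'no'"
    # change SSH port away from the default
    port=$(sshd_opt "$cfg" Port)
    { [ -n "$port" ] && [ "$port" != "22" ]; } \
        || fail "Port is the default 22"
    # allowed users from allowed IPs: AllowUsers user@source limits both
    [ -n "$(sshd_opt "$cfg" AllowUsers)" ] \
        || fail "no AllowUsers user@host allow-list"

    echo "$fails check(s) failed"
    return "$fails"
}

# Constructed sample (not a real host): a fresh install before hardening.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' > "$sample"
audit_sshd_config "$sample" || echo "harden sshd before exposing it"
rm -f "$sample"
```

On a real host point it at /etc/ssh/sshd_config; a commented-out `#PermitRootLogin no` (the stock default line) is correctly ignored because comments are stripped before the lookup.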

  10. APACHE SSL HARDENING
  • disable insecure protocols
  • BEAST attack
  • CRIME attack
  • Heartbleed
  • FREAK attack
  • Perfect Forward Secrecy

  11. DISABLE INSECURE PROTOCOLS: SSLv2 AND SSLv3
  SSL v2 is insecure, so we need to disable it. We also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. SSLv3 also allows exploiting of the POODLE bug. Edit the config file:
  SSLProtocol All -SSLv2 -SSLv3
  All is a shortcut for +SSLv2 +SSLv3 +TLSv1 or, when using OpenSSL 1.0.1 and later, +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively.

  12. BEAST ATTACK
  In short, by tampering with an encryption algorithm's CBC (cipher block chaining) mode, portions of the encrypted traffic can be secretly decrypted. Recent browser versions have enabled client side mitigation for the BEAST attack. The recommendation was to disable all TLS 1.0 ciphers and only offer RC4. However, [RC4 has a growing list of attacks against it](http://www.isg.rhul.ac.uk/tls/), many of which have crossed the line from theoretical to practical. Moreover, there is reason to believe that the NSA has broken RC4, their so-called "big breakthrough." Disabling RC4 has several ramifications. One, users with bad browsers such as Internet Explorer on Windows XP will use 3DES. Triple-DES is more secure than RC4, but it is significantly more expensive. Your server will pay the cost for these users. Two, RC4 mitigates BEAST. Thus, disabling RC4 makes TLS 1.0 users susceptible to that attack, by moving them to AES-CBC (the usual server-side BEAST "fix" is to prioritize RC4 above all else). Indeed, with client-side mitigation (which Chrome and Firefox both provide), BEAST is a non-issue. But the risk from RC4 only grows: more cryptanalysis will surface over time.

  13. CRIME ATTACK
  The CRIME attack uses SSL compression to do its magic, so we need to disable that. On Apache 2.2.24+ we can add the following line to the SSL config file we also edited above:
  SSLCompression off
  If you are using an earlier version of Apache and your distro has not backported this option, then you need to recompile OpenSSL without ZLIB support. This will disable the use of the DEFLATE compression method by OpenSSL. If you do this, you can still use regular HTML DEFLATE compression.
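Slides 11 to 13 give three Apache directives to change; the following added example (mine, not the presenter's) audits an SSL config for all three and works out which protocols an SSLProtocol line actually leaves enabled, using the expansion rule stated on slide 11. The function names are my own; it reads a single file without following Include or <If> sections, and it treats RC4 as disabled only when SSLCipherSuite excludes it explicitly with !RC4 (both are assumptions).

```shell
#!/bin/sh
# Added example, not from the slides: audit an Apache SSL config against
# slides 11-13 (SSLv2/SSLv3 off, RC4 out, SSLCompression off). Function
# names are my own; one file, no Include/<If> handling (assumption).

# Arguments of the first uncommented occurrence of a directive.
apache_opt() {                      # $1 = config file, $2 = directive
    sed 's/#.*$//' "$1" | awk -v d="$2" \
        'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Expand an SSLProtocol value into the protocols it enables, applying the
# slide's rule: All = +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 (OpenSSL
# 1.0.1+), then each -Name removes one and each +Name adds one.
ssl_protocols_enabled() {
    enabled=""
    for tok in $1; do
        case $tok in
            [Aa]ll|+[Aa]ll) enabled="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            -[Aa]ll) enabled="" ;;
            -*) enabled=$(printf '%s\n' $enabled | grep -vxF "${tok#-}" || true) ;;
            *)  enabled="$enabled ${tok#+}" ;;
        esac
    done
    echo $enabled                   # unquoted on purpose: joins with spaces
}

# One FAIL line per problem; the exit status is the number of failed checks.
audit_apache_ssl() {
    cfg=$1; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    protos=$(ssl_protocols_enabled "$(apache_opt "$cfg" SSLProtocol)")
    case " $protos " in
        *" SSLv2 "*|*" SSLv3 "*) fail "SSLv2/SSLv3 still enabled: $protos" ;;
    esac
    [ "$(apache_opt "$cfg" SSLCompression | tr 'A-Z' 'a-z')" = "off" ] \
        || fail "SSLCompression is not explicitly off (CRIME)"
    case ":$(apache_opt "$cfg" SSLCipherSuite):" in
        *":!RC4:"*) ;;
        *) fail "SSLCipherSuite does not exclude RC4 (!RC4)" ;;
    esac
    echo "$fails check(s) failed"
    return "$fails"
}
```

Run it as `audit_apache_ssl /etc/apache2/mods-available/ssl.conf` (or whichever file carries your SSLProtocol line); a stock `SSLProtocol all` with `SSLCompression on` and no `!RC4` produces three FAIL lines and exit status 3.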
