ABOUT ME - My name is Davor Guttierrez (davor.guttierrez@linux.com) - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

ABOUT ME

My name is Davor Guttierrez, davor.guttierrez@linux.com

SLIDE 3

FOUR MYTHS ABOUT LINUX SECURITY

  • Linux is invulnerable and virus-free.
  • Virus writers do not target Linux because it has a low market share.
  • Windows malware cannot run on Linux.
  • On Linux you install software from software repositories, which contain only trusted software.

SLIDE 4

LINUX DESKTOP SECURITY

  • The majority of new users are coming from Windows environments, where security focuses mostly on anti-virus software. To understand security on Linux, you must shift your thinking from this point of view.
  • If I install an anti-virus program I'll be fine.
  • Security through obscurity keeps me safe.
  • I can browse however I want to because malware on the web is mostly designed for Windows.
  • I don't need to use fancy browser add-ons when using public access wifi because I use Ubuntu.
  • I don't need a firewall because Ubuntu has no open ports by default.
  • Windows malware can not compromise Ubuntu.
  • Ubuntu is harder to exploit than Windows, Mac OSX, whatever else - and it's targeted less than those other operating systems as well.

SLIDE 5

LINUX SERVER SECURITY

My first 15 minutes on a new server installation:

  • Our servers are configured with two accounts: root and user accounts in IPA Server. The user account has sudo access via an arbitrarily long password and is the account that system administrators log into. Sysadmins log in with their public keys, not passwords, so administration is as simple as keeping the authorized_keys file up-to-date across servers. Root login over ssh is disabled, and the users can only log in from our office IP block.

SLIDE 6

ON VIRGIN SYSTEM

Ubuntu, CentOS or Oracle Linux – commands are similar

  • passwd
  • apt-get update; apt-get upgrade or yum update
  • fail2ban installation
  • configuration for LDAP or SSSD
  • sudoers configuration in IPA Server
  • setup firewall (ufw, csf or apf) and SELinux or AppArmor
  • install logwatch and Zabbix Agent
  • install TSM

SLIDE 7

BASIC SECURITY ON LAMP SERVER - UBUNTU

  • Install and configure Firewall – ufw
  • SSH - Key based login, disable root login and change port
  • Apache SSL - Disable SSL v3 support
  • Protect su by limiting access only to admin group
  • Harden network with sysctl settings
  • Disable Open DNS Recursion and Remove Version Info - Bind9 DNS
  • Prevent IP Spoofing
  • Harden PHP for security

SLIDE 8

BASIC SECURITY ON LAMP SERVER - UBUNTU

  • Restrict Apache Information Leakage
  • Install and configure Apache application firewall - ModSecurity
  • Protect from DDOS (Denial of Service) attacks with ModEvasive
  • Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
  • Intrusion Detection - PSAD
  • Check for RootKits - RKHunter and CHKRootKit
  • Scan open Ports – Nmap, Lynis
  • Analyse system LOG files - LogWatch
  • SELinux - AppArmor
  • Audit your system security - Tiger

SLIDE 9

INSTALL AND CONFIGURE FIREWALL

  • install ufw
  • allow access to ssh and http
  • enable ufw
  • look at ufw status

SLIDE 10

SSH HARDENING

  • key based login
  • disable root login and
  • change SSH port
  • allowed users from allowed IP's
  • TCP Wrappers setup for different networks
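The SSH hardening steps above, together with the "users can only log in from our office IP block" rule from slide 5, as an added POSIX shell example that is not from the slides: it rewrites an sshd_config idempotently (existing or commented-out directives are replaced in place, missing ones appended) and reads the effective values back. The port 2222, the admin@203.0.113.0/24 pattern and the sample config are constructed placeholders.

```shell
# Added example, not from the slides: apply the SSH hardening to an sshd_config
# file in a rerunnable way. Port 2222 and the AllowUsers pattern are placeholders.

# set_sshd_option FILE KEY VALUE: replace every existing KEY line (commented
# out or not) with "KEY VALUE", or append it if the file has none.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        tolower(line) ~ ("^" tolower(key) "([ \t]|$)") {
            if (!done) print key " " value   # first hit is rewritten in place
            done = 1; next                   # later duplicates are dropped
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: print the value of the last uncommented KEY line.
get_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }' "$1"
}

# harden_sshd_config FILE PORT ALLOWED: key-based login only, no root login,
# a non-default port, and logins restricted to ALLOWED (sshd "user@addr/masklen"
# patterns, i.e. the office IP block rule from slide 5).
harden_sshd_config() {
    file="$1" port="$2" allowed="$3"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" AllowUsers "$allowed"
}

# Demo on a constructed sshd_config, not a live host's file. On a real server:
#   harden_sshd_config /etc/ssh/sshd_config 2222 'admin@203.0.113.0/24' && sshd -t
demo=$(mktemp)
printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nX11Forwarding no\n' > "$demo"
harden_sshd_config "$demo" 2222 'admin@203.0.113.0/24'
cat "$demo"
rm -f "$demo"
```

Open the new port in ufw (ufw allow 2222/tcp) and run sshd -t before restarting sshd, otherwise the change locks you out of the box; directives inside Match blocks are not handled by this script.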

SLIDE 11

APACHE SSL HARDENING

  • disable unsecure protocols
  • BEAST Attack
  • CRIME Attack
  • Heartbleed
  • FREAK Attack
  • Perfect Forward Secrecy

SLIDE 12

DISABLE UNSECURE PROTOCOLS

SSLv2 and SSLv3

SSL v2 is insecure, so we need to disable it. We also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. SSLv3 allows exploiting of the POODLE bug. Edit the config file:

  SSLProtocol All -SSLv2 -SSLv3

All is a shortcut for +SSLv2 +SSLv3 +TLSv1 or - when using OpenSSL 1.0.1 and later - +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively.

SLIDE 13

BEAST ATTACK

In short, by tampering with an encryption algorithm's CBC - cipher block chaining - mode, portions of the encrypted traffic can be secretly decrypted. Recent browser versions have enabled client side mitigation for the BEAST attack. The recommendation was to disable all TLS 1.0 ciphers and only offer RC4. However, RC4 has a growing list of attacks against it (http://www.isg.rhul.ac.uk/tls/), many of which have crossed the line from theoretical to practical. Moreover, there is reason to believe that the NSA has broken RC4, their so-called "big breakthrough." Disabling RC4 has several ramifications. One, users with bad browsers such as Internet Explorer on Windows XP will use 3DES. Triple-DES is more secure than RC4, but it is significantly more expensive. Your server will pay the cost for these users. Two, RC4 mitigates BEAST. Thus, disabling RC4 makes TLS 1.0 users susceptible to that attack, by moving them to AES-CBC (the usual server-side BEAST "fix" is to prioritize RC4 above all else). Indeed, with client-side mitigation (which Chrome and Firefox both provide), BEAST is a non-issue. But the risk from RC4 only grows: more cryptanalysis will surface over time.

SLIDE 14

CRIME ATTACK

The CRIME attack uses SSL Compression to do its magic, so we need to disable that. On Apache 2.2.24+ we can add the following line to the SSL config file we also edited above:

  SSLCompression off

If you are using an earlier version of Apache and your distro has not backported this option then you need to recompile OpenSSL without ZLIB support. This will disable the use of OpenSSL using the DEFLATE compression method. If you do this then you can still use regular HTML DEFLATE compression.

SLIDE 15

HEARTBLEED

Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. It results from improper input validation (due to a missing bounds check) in the implementation of the DTLS heartbeat extension (RFC6520), thus the bug's name derives from "heartbeat". The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.

SLIDE 16

FREAK ATTACK

FREAK is a man-in-the-middle (MITM) vulnerability discovered by a group of cryptographers at INRIA, Microsoft Research and IMDEA. FREAK stands for "Factoring RSA-EXPORT Keys." The vulnerability dates back to the 1990s, when the US government banned selling crypto software overseas, unless it used export cipher suites which involved encryption keys no longer than 512 bits.

SLIDE 17

PERFECT FORWARD SECRECY

The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private key from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral. With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.

Apache prior to version 2.4.7 and all versions of Nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key exchange. Since we're using a 2048-bit certificate, DHE clients will use a weaker key exchange than non-ephemeral DH clients. For Apache, there is no fix except to upgrade to 2.4.7 or later. With that version, Apache automatically selects a stronger key. If you have Apache 2.4.8 or later and OpenSSL 1.0.2 or later, you can generate and specify your DH params file.
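As an added POSIX shell example (mine, not from the slides), an audit that reads an Apache SSL vhost file and reports the settings slides 12 to 17 tell you to change: SSLProtocol set arithmetic that still includes SSLv2/SSLv3, SSLCompression, RC4 in SSLCipherSuite, and the DH params file from this slide; the SSLHonorCipherOrder check goes one step beyond the slides, since forward secrecy only happens when the server's DHE/ECDHE preference wins. The two sample fragments and the dhparams.pem path are constructed; this is a textual check of the directives, not a scan of the live listener.

```shell
# Audit an Apache SSL vhost file for the weaknesses from slides 11-17 (textual
# check of the directives, not a live TLS scan). One finding per line; returns 0 when clean.
get_directive() {  # FILE NAME -> arguments of the last NAME directive, or ""
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == name { $1 = ""; sub(/^ /, ""); line = $0 } END { print line }' "$1"
}
audit_apache_ssl() {
    conf="$1"; findings=0
    # Slide 12: SSLProtocol is set arithmetic and "all" (also the default up to
    # httpd 2.4.16) includes SSLv2/SSLv3, so only an explicit "-SSLv3" removes it.
    proto=$(get_directive "$conf" SSLProtocol); [ -n "$proto" ] || proto=all
    v2=0; v3=0
    for tok in $proto; do
        case "$tok" in
            [Aa]ll)        v2=1; v3=1 ;;
            SSLv2|+SSLv2)  v2=1 ;;   -SSLv2) v2=0 ;;
            SSLv3|+SSLv3)  v3=1 ;;   -SSLv3) v3=0 ;;
        esac
    done
    [ "$v2" = 0 ] && [ "$v3" = 0 ] ||
        { echo "SSLProtocol still allows SSLv2/SSLv3 (downgrade, POODLE)"; findings=$((findings + 1)); }
    # Slide 14: TLS compression is what CRIME abuses; require an explicit "off".
    case "$(get_directive "$conf" SSLCompression)" in
        [Oo]ff) ;;
        *) echo "SSLCompression is not explicitly off (CRIME)"; findings=$((findings + 1)) ;;
    esac
    # Slide 13: RC4 still offered (not excluded with "!RC4").
    case "$(get_directive "$conf" SSLCipherSuite)" in
        *'!RC4'*) ;;
        *RC4*) echo "SSLCipherSuite offers RC4"; findings=$((findings + 1)) ;;
    esac
    # Slide 17: forward secrecy needs the server's cipher order to win, and on
    # httpd 2.4.8+/OpenSSL 1.0.2+ an explicit DH params file.
    case "$(get_directive "$conf" SSLHonorCipherOrder)" in
        [Oo]n) ;;
        *) echo "SSLHonorCipherOrder is not on: client may pick a non-PFS suite"; findings=$((findings + 1)) ;;
    esac
    grep -Eiq '^[[:space:]]*SSLOpenSSLConfCmd[[:space:]]+DHParameters' "$conf" ||
        { echo "no SSLOpenSSLConfCmd DHParameters: DH group is whatever httpd/OpenSSL pick"; findings=$((findings + 1)); }
    return "$findings"
}
# Constructed sample fragments (not from a real server): the defaults the slides
# warn about, and the hardened form. Real use: audit_apache_ssl /etc/apache2/sites-enabled/default-ssl.conf
weak=$(mktemp); hardened=$(mktemp)
printf 'SSLProtocol all\nSSLCipherSuite RC4-SHA:HIGH:!aNULL\nSSLCompression on\n' > "$weak"
cat > "$hardened" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!RC4
SSLHonorCipherOrder on
SSLCompression off
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
EOF
echo "== weak =="; audit_apache_ssl "$weak" || true
echo "== hardened =="; audit_apache_ssl "$hardened" && echo "clean"
rm -f "$weak" "$hardened"
```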

SLIDE 18

PROTECT SU BY LIMITING ACCESS

  • sudo groupadd admin
  • sudo usermod -a -G admin <YOUR ADMIN USERNAME>
  • sudo dpkg-statoverride --update --add root admin 4750 /bin/su
  • or use pam libraries for su

SLIDE 19

HARDEN NETWORK WITH SYSCTL SETTINGS

  # IP Spoofing protection
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.conf.default.rp_filter = 1
  # Ignore ICMP broadcast requests
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  # Disable source packet routing
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv6.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv6.conf.default.accept_source_route = 0
  # Ignore send redirects
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0

SLIDE 20

  # Block SYN attacks
  net.ipv4.tcp_syncookies = 1
  net.ipv4.tcp_max_syn_backlog = 2048
  net.ipv4.tcp_synack_retries = 2
  net.ipv4.tcp_syn_retries = 5
  # Log Martians
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  # Ignore ICMP redirects
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv6.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0
  # Ignore Directed pings
  net.ipv4.icmp_echo_ignore_all = 1

SLIDE 21

DISABLE OPEN DNS RECURSION AND REMOVE VERSION INFO

  • recursion no;
  • version "Not Disclosed";

SLIDE 22

PREVENT IP SPOOFING

  • order bind,hosts
  • nospoof on

SLIDE 23

HARDEN PHP FOR SECURITY

  • disable_functions = exec,system,shell_exec,passthru
  • register_globals = Off
  • expose_php = Off
  • display_errors = Off
  • track_errors = Off
  • html_errors = Off
  • magic_quotes_gpc = Off

SLIDE 24

RESTRICT APACHE INFORMATION LEAKAGE

  • ServerTokens Prod
  • ServerSignature Off
  • TraceEnable Off
  • Header unset ETag
  • FileETag None

SLIDE 25

WEB APPLICATION FIREWALL - MODSECURITY

  • ModSecurity is a web application firewall for the Apache web server. In addition to providing logging capabilities, ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. ModSecurity also operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.

SLIDE 26

PROTECT FROM DDOS ATTACKS - MODEVASIVE

  • Mod Evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities.

SLIDE 27

SCAN LOGS AND BAN SUSPICIOUS HOSTS

  • DenyHosts and Fail2Ban

SLIDE 28

SELINUX - APPARMOR

  • The National Security Agency (NSA) has taken Linux to the next level with the introduction of Security-Enhanced Linux (SELinux). SELinux takes the existing GNU/Linux operating system and extends it with kernel and user-space modifications to make it bullet-proof.

SLIDE 29

SECURITY SCANNER AND AUDITING

  • nmap
  • Lynis
  • Kali Linux distribution

SLIDE 30

THINGS I HAVEN'T COVERED

  • Once you've hardened your server, you're advised to run some vulnerability scans and penetration tests against it in order to check that it's actually as invincible as you're now hoping it is. This is a topic which requires a post all of its own, so I won't be covering it in any detail here, but a good starting point if you're not already familiar with it is the excellent Nmap security scanner.