Monday, January 3, 2011

Linux system security

Linux system security talk --------------- outline

Note: the course content is mainly [word lost in the original] oriented; page references such as P2-13 point to the accompanying handout.

--------------- Security levels: Internet security / network service security / system security

System security
- Physical security: access control, site and geographic defence, social engineering P2-13
- Room protection; cabinet; host: power, keyboard, screen (screen lock), keys, power button
- BIOS: boot device order: hard disk, floppy, CD
- OS loader: LILO P8-2; GRUB: info grub (refer to Example 1)
- Boot process (runlevel & rc) P7-1
- System login: login; PAM P1-20: ls /usr/share/doc/pam-0.75/
  - limits: more /etc/security/limits.conf
  - nologin: touch /etc/nologin
  - console vs remote: more /etc/securetty
  - listfile (refer to Example 2)
- Account management: account names and UIDs P1-5; groups P2-2 ~ P2-7
- Account passwords: password cracking (Crack, John) P2-11, P2-12; shadow P1; chage: info chage; usermod: info usermod; gpasswd: info gpasswd
- Permission management: ugo & rwx P3-8; the x bit on a file vs on a directory?; Trojans and viruses: root or non-root?
- SUID & SGID & sticky bit P4-2: files vs directories; detection skills P4-4
- su vs sudo: su without a password? with which privileges? sudoers design: info sudoers
- File attributes P4-8: append-only, read-only
- File system design: file types P3-2; inode & block P3-6 http://www.study-area.org/linux/system/linux_fs.htm#fstab
- Mount points: quota http://www.study-area.org/linux/system/linux_fs.htm#fquota; read-only /usr/bin, /usr/sbin ...; nodev /home; nosuid/nosgid; noexec
- Secure downloads: trusted websites (rpmfind, sourceforge ...); GPG signatures (*.sign); MD5 checksums: info md5sum; testing software: run it, watch the log lines and packets it generates, trace their source
- Intrusion detection: abnormal behaviour, extra log records, truncated files, replaced files, permission changes, hidden files, owner changes, SUID/SGID files, device files
  - Tools: chkrootkit http://linux.tnc.edu.tw/techdoc/check-rootkit-by-u-self.htm; tripwire http://www.study-area.org/tips/tripwire.htm; tiger ftp://coast.cs.purdue.edu/pub/tools/unix/tamu
- Log protection: append-only attribute (chattr +a); access restricted to root only; size control: logrotate http://www.study-area.org/linux/system/linux_conf.htm#log; authenticity (tamper detection): log to a central host / printer; analysis tools: logcheck, logwatch
- Data backup: original vs backup copy; system backup vs data backup; full vs differential backup http://www.study-area.org/linux/system/linux_conf.htm#backup; backup media & storage; backup examples: tar, cpio/afio
- Disaster recovery: risk assessment, degree of fault tolerance, recovery plan and equipment; connections: redundant links, load balancing; clusters: RAID, SAN & NAS, mirroring & rsync
- Patching P14-3: choose the most secure version; [word lost in the original] ftp://linux.sinica.edu.tw/update; mirror / APT; testing

--------------- Internet security
- Security information websites: http://www.cert.org.tw; http://www.vtcif.telstra.com.au/info/security.html; http://www.redhat.com/apps/support/errata/ (wu-ftp, zlib, UW imap, openssl, ssl, ldap ...); http://www.securityfocus.com/; http://safe.ip-market.com/
- Discussion groups / newsgroups: comp.security.announce; mailing lists / technical forums: listserv@securityfocus.com, digest@sams.org; magazines
- Fixing service vulnerabilities: number of service programs P12-3; centralized vs distributed; version updates: wu-ftp, bind, sendmail; when to test; use chroot where possible http://www.study-area.org/tips/dns_chr.htm; difficulties in practice: compile time vs run time
- tcp_wrapper: super daemon vs tcp_wrapper P15-2; inetd vs xinetd P11-2; hosts.allow vs hosts.deny P15-9; services: see Appendix 1
- Firewalls and NAT: firewall types: proxy vs filtering P16-1/P17-1; how firewalls work http://www.study-area.org/network/network_fw.htm; basics http://www.study-area.org/linux/servers/linux_nat.htm; firewall rules: ACL vs state list; NAT types: SNAT vs DNAT, static vs dynamic http://www.study-area.org/tips/nat-howto/nat-howto-chn-3.html
- Network architecture design and deployment: trusted vs untrusted networks; Internet applications; physical DMZ segment; protocol switching
- Common attack methods: DoS: Ping of Death P13-2, SYN flood P13-6, others P13-8, P13-9; self-test: netstat http://www.study-area.org/linux/servers/linux_net.htm#network, nmap P25-8, portsentry/snort

--------------- Information encryption
- Plaintext vs ciphertext: what is shown on screen vs what is in the packet http://www.study-area.org/network/network_enscp.htm
- Eavesdropping techniques and their prevention: what eavesdropping needs: the packets?; tools: tcpdump, sniffit; interception point: routing?; hub vs switch: CSMA/CD?
- Encryption methods and principles http://www.study-area.org/network/network_enscp.htm: algorithm patents; symmetric vs asymmetric keys http://www.study-area.org/network/network_enscp.htm; US export restrictions
- Electronic signatures: paper vs electronic confirmation; non-repudiation; electronic transactions and future security
- Securing company links: ssl & ssh; cracking cost http://www.study-area.org/tips/security.htm (http://www.nchu.edu.tw/trnc/90-2/firewall.ppt); how ssh works http://www.study-area.org/tips/security.htm
- Setting up a VPN: VPN scenarios; VPN principles: ssh, vpnd http://www.study-area.org/tips/vpn.htm, ipsec P21-3; network design vs implementation technology: subnet/routing?
- Implementation references: secure server environment: (1) securing Linux http://safe.ip-market.com/article.php?sid=5; ten tips http://safe.ip-market.com/article.php?sid=26; Linux security settings manual (posted) http://phorum.study-area.org/viewtopic.php?t=5080&highlight=time-out%3d00

--------------- Examples

* Example 1: GRUB password protection
1) In the GRUB shell, generate the MD5 password:
   grub> md5crypt
   Password: ********
   Encrypted: $1$U$JK7xFegdxWH6VuppCUSIb.
   Select the encrypted string with the left mouse button (to copy it), then type quit to leave grub.
2) Add the password protection to /etc/grub.conf (paste the hash with the right mouse button):
   password --md5 $1$U$JK7xFegdxWH6VuppCUSIb.
   title Red Hat Linux 7.3 (2.4.18-3)
   lock
   root (hd0,1)
   kernel /vmlinuz-2.4.18-3 ro root=/dev/da12
   initrd /initrd-2.4.18-3.img
3) At boot time, press p and enter the password.

* Example 2: PAM listfile (ssh)
1) Use the ready-made ftp setting as a reference: grep listfile /etc/pam.d/ftp
2) Set up ssh the same way: vi /etc/pam.d/sshd and add at the top:
   auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/sshusers onerr=succeed

--------------- Appendix 1: System service recommendations
- finger: strongly recommended to close
- ftp: close if not needed; in particular, turn off anonymous ftp
- gopher: close
- imap: close if not needed
- pop2, pop3: close if not needed
- talk, ntalk: close
- telnet: close if not needed; replace it with ssh
- uucp: close
- samba: open only internally
- nfs/nis: open only internally
- [name lost in the original]: close
- r-commands: replace with ssh
- x-protocol: [recommendation cut off in the original]
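As an added example (not part of the original talk), the following Python models the documented decision rule of pam_listfile for the sshd line in Example 2 and audits the ownership and permissions of the user list file. The point worth seeing in it: with sense=deny, onerr=succeed is fail-open, so if /etc/sshusers cannot be read nobody is denied, whereas onerr=fail would refuse everyone until the file is fixed. The user names, list contents and temp-file paths are constructed sample data; only the rule itself comes from the example above.

```python
"""pam_listfile decision model and list-file audit (added example).

This is an added example, not part of the original talk. It reproduces the
documented semantics of pam_listfile in plain Python so that the behaviour of
the Example 2 rule can be examined without editing a real /etc/pam.d. All
user names and list contents below are constructed sample data.
"""
import os
import stat
import tempfile

# The rule from Example 2 (/etc/sshusers is the list file it names).
SSHD_RULE = ("auth required /lib/security/pam_listfile.so "
             "item=user sense=deny file=/etc/sshusers onerr=succeed")


def parse_listfile_args(rule: str) -> dict:
    """Return the key=value module arguments of a pam_listfile rule."""
    tokens = rule.split()
    try:
        start = next(i for i, tok in enumerate(tokens)
                     if tok.endswith("pam_listfile.so"))
    except StopIteration:
        raise ValueError("not a pam_listfile rule: %r" % rule)
    args = {}
    for token in tokens[start + 1:]:
        key, _, value = token.partition("=")
        args[key] = value
    for required in ("item", "sense", "file", "onerr"):
        if required not in args:
            raise ValueError("pam_listfile rule lacks %s=" % required)
    return args


def listfile_decision(args: dict, user: str, file_lines) -> str:
    """Return 'allow' or 'deny' as pam_listfile (item=user) would decide.

    file_lines is the list file's lines, or None when the file cannot be
    read. Documented semantics: with sense=deny a user found in the file is
    denied and everyone else is allowed; sense=allow is the reverse. When
    the file cannot be opened, onerr decides: succeed -> allow, fail -> deny.
    """
    if args["item"] != "user":
        raise NotImplementedError("only item=user is modelled here")
    if file_lines is None:
        return "allow" if args["onerr"] == "succeed" else "deny"
    listed = user in {line.strip() for line in file_lines if line.strip()}
    if args["sense"] == "deny":
        return "deny" if listed else "allow"
    return "allow" if listed else "deny"


def audit_listfile(path: str) -> list:
    """List problems with the user list file itself.

    An administrator should check these before trusting the list: it must
    exist, be a regular file, be owned by root and not be world-writable (a
    writable deny list could be edited by the very accounts it blocks).
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != 0:
        problems.append("not owned by root")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_sample() -> dict:
    """Create constructed list files in a temp dir and audit each one."""
    workdir = tempfile.mkdtemp(prefix="listfile-demo-")
    results = {}
    for name, mode in (("loose", 0o666), ("tight", 0o644)):
        path = os.path.join(workdir, "sshusers-" + name)
        with open(path, "w") as fh:
            fh.write("alice\nbob\n")      # constructed sample users
        os.chmod(path, mode)              # "loose" is deliberately world-writable
        results[name] = audit_listfile(path)
    results["absent"] = audit_listfile(os.path.join(workdir, "no-such-file"))
    return results


if __name__ == "__main__":
    args = parse_listfile_args(SSHD_RULE)
    sample = ["alice\n", "bob\n"]        # constructed /etc/sshusers content
    for user in ("alice", "carol"):
        print(user, "->", listfile_decision(args, user, sample))
    print("file unreadable, onerr=succeed ->",
          listfile_decision(args, "alice", None))
    print("file unreadable, onerr=fail    ->",
          listfile_decision(dict(args, onerr="fail"), "alice", None))
    print(audit_sample())
```

Run as a script it prints the decision for a listed and an unlisted user, the two onerr outcomes for an unreadable file, and the audit findings for a world-writable, a 0644 and a missing list file; unless it runs as root the audit also reports "not owned by root", which is exactly what it should say about a list file that root did not create.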
