Linux Hardening By Michael Rebultan
Linux Hardening
</Michael “art” Rebultan> 27-January-2016
NULL Singapore @SMU
Lockdown
</AGENDA>
• Linux System Hardening and Audit
</OBJECTIVE>
• Know and understand the different ways to lock down a Linux server and how to audit them in chillax mode.
</SCOPE>
• Getting to Know – 15min
• Intro to Information Security (Theory) – 15min
• System Inventory (Hands-On) – 15min
• Linux System Security (Hands-On) – 30min
• Linux Network Security (Hands-On) – 30min
• Auditing and Compliance (Hands-On) – 30min
• Open Discussion (Theory/Demo) – 15min
</OUT-of-SCOPE>
• HARDENING
SELinux, AuditD, Web, FTP, VPN, SAMBA, MAIL, Clustering, Docker, Dbase, Content Mgt, Proxy, VoIP, Virtualization, Subversion, etc…
</House Rules>
• Cell Phone on Silent Mode
• Food/Drink is to be shared
• Raise your hand for any question
• Toilet is 24 x 7
• Respect begets respect
</GETTING TO KNOW>
• 15min
</UID>
• Your name or alias
• Your day-to-day job
• How the workshop can help
</WHOAMI>
• 13 Years in Linux (RedHat)
• SecSysOps Engineer by day
• Paranormal Investigator by night
• Exorcist Priest by divine call
</INTRO to SECURITY>
• 15min
</WHATIS>
• IT Security - the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide.
</WHICH>
• What are you trying to protect?
Risk vs Threat vs Vulnerability
Risk = Asset x Threat x Weakness
</KICKSTART>
• System Requirement Specification
- Mount Points
- Storage Space
- RAM
- CPU
- SW Dependencies
- IP Address / Segment
- Hostname
- Ports / Services
- Users / Group
</PRE-INSTALLATION>
</POST-INSTALLATION>
• Disconnect from Public Network
• Patching
• Disable Unnecessary Services
• Close Unneeded Ports
• Stress Test
</LIFECYCLE>
</SYSTEM INVENTORY>
• 15min
</BASELINE>
• rpm -qa > /tmp/rpm.txt
• service --status-all > /tmp/service.txt
• chkconfig --list | grep on
• cat /etc/passwd > /tmp/user.txt
• netstat -tulpn > /tmp/connections.txt
• route -n > /tmp/route.txt
• ifconfig -a > /tmp/ifconfig.txt
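Added example (not from the slides or the workshop scripts): a Python comparison of two "netstat -tulpn" captures from the baseline step, reporting listeners that appeared, vanished or changed program, so the saved baseline gets used rather than just stored. The two captures are constructed in netstat's layout.

```python
import re
from typing import Dict, Set, Tuple

# One listener line of "netstat -tulpn": proto, two queue counters, local and foreign
# address, an optional state (TCP prints LISTEN, UDP prints nothing), PID/Program.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<prog>\S+)$")

def parse_netstat(text: str) -> Dict[Tuple[str, str], str]:
    """Map (proto, local address:port) -> program name; header lines are skipped."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            # Keep only the program name: PIDs change on every restart and would
            # otherwise make every service look modified.
            listeners[(m["proto"], m["local"])] = m["prog"].split("/", 1)[-1]
    return listeners

def diff_baseline(old: str, new: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Listeners that appeared, disappeared, or are now served by another program."""
    before, after = parse_netstat(old), parse_netstat(new)
    common = set(before) & set(after)
    return {
        "added": set(after) - set(before),
        "removed": set(before) - set(after),
        "program_changed": {k for k in common if before[k] != after[k]},
    }

# Constructed captures in netstat's layout (not real output from any host).
BASELINE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1304/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
"""
TODAY_CAPTURE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1388/sendmail
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2231/python
udp        0      0 0.0.0.0:68              0.0.0.0:*                           901/dhclient
"""

if __name__ == "__main__":
    for change, keys in diff_baseline(BASELINE, TODAY_CAPTURE).items():
        print(change, sorted(keys))
```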
</INVENTORY DEMO>
• Custom Script (BASH)
• ./linux-local-enum.sh
</SYSTEM SECURITY>
• 30min
</ACCESS NOTIFICATION>
• Config File - /etc/pam.d/system-auth
• Add the following line after "session required pam_limits.so":
session required pam_lastlog.so showfailed
</BRUTEFORCE>
• Configure passwords against a dictionary attack
/etc/pam.d/system-auth
password required /lib/security/pam_cracklib.so retry=2 minlen=10 difok=6
</ACCOUNT AUTHENTICATION>
• CONFIG FILES
/etc/pam.d/system-auth
/etc/pam.d/password-auth
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
</PASSWD AGE>
• chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user
• chage -l user
• Exercise:
Create 3 UIDs with different password aging
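Added example (not from the slides): a Python check of the aging fields that chage writes into /etc/shadow, classifying each account instead of running chage -l per user when verifying the exercise. The shadow lines, placeholder hashes and the fixed "today" value are constructed.

```python
from datetime import date
from typing import Dict, List, Optional

def _field(value: str) -> Optional[int]:
    """An empty shadow field means 'not set'; otherwise it is a day count."""
    return int(value) if value.strip() else None

def aging_status(shadow_line: str, today: int) -> Dict[str, object]:
    """Classify one /etc/shadow line; 'today' is days since 1970-01-01.
    Field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved."""
    f = shadow_line.rstrip("\n").split(":")
    lastchg, min_d, max_d, warn, inactive, expire = (_field(x) for x in f[2:8])
    status, days_left = "ok", None
    if expire is not None and today >= expire:
        status = "account-expired"        # the chage -E date has passed
    elif lastchg == 0:
        status = "must-change"            # chage -d 0: change forced at next login
    elif lastchg is not None and max_d is not None:
        days_left = lastchg + max_d - today
        if days_left < 0 and inactive is not None and days_left + inactive < 0:
            status = "locked-inactive"    # past max days and past the -I grace period
        elif days_left < 0:
            status = "expired"            # must change now, still inside the grace period
        elif warn is not None and days_left <= warn:
            status = "in-warning-period"  # inside the chage -W window
    return {"user": f[0], "status": status, "days_left": days_left,
            "min_days": min_d, "max_days": max_d}

def audit_shadow(shadow_text: str, today: Optional[int] = None) -> List[Dict[str, object]]:
    """Classify every non-empty line; defaults to the real current day."""
    if today is None:
        today = (date.today() - date(1970, 1, 1)).days
    return [aging_status(l, today) for l in shadow_text.splitlines() if l.strip()]

# Constructed sample: placeholder hashes, aging values chosen to hit each state.
TODAY = 16827   # 27-Jan-2016 (the workshop date) as a shadow day count
SAMPLE_SHADOW = """\
alice:$6$placeholder:16817:7:90:14:::
bob:$6$placeholder:16747:0:90:14:::
carol:$6$placeholder:16777:1:30:7:5::
dave:$6$placeholder:16792:0:30:7:10::
eve:$6$placeholder:16817:0:99999:7::16826:
frank:$6$placeholder:0:0:99999:7:::
"""

if __name__ == "__main__":
    for r in audit_shadow(SAMPLE_SHADOW, TODAY):
        print(f"{r['user']:<6} {r['status']:<18} days_left={r['days_left']}")
```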
</SSH CONFIG>
• Protocol 2
• PermitEmptyPasswords no
• MaxAuthTries 3
• PermitRootLogin no
• AllowGroups
• AllowUsers
• DenyUsers
• Exercise – Block the 3 users created and test
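Added example (not from the slides): a Python audit of an sshd_config text against the four values above. It applies sshd's own rule that the first value read for a keyword is the one used, which is what makes a hardening line appended at the end of the file silently ineffective. The sample config and the assumed OpenSSH defaults are constructed.

```python
from typing import Dict, List, Tuple

# Keyword -> value recommended on the slide.
EXPECTED = {"protocol": "2", "permitemptypasswords": "no",
            "maxauthtries": "3", "permitrootlogin": "no"}
# Value sshd applies when the keyword is absent (assumed: OpenSSH defaults of the
# RHEL 6 era; newer releases default PermitRootLogin to prohibit-password).
DEFAULTS = {"protocol": "2", "permitemptypasswords": "no",
            "maxauthtries": "6", "permitrootlogin": "yes"}

def effective_settings(config_text: str) -> Dict[str, str]:
    """Keyword -> value sshd will use: the FIRST value read wins, later duplicates
    are ignored, and parsing stops at the first Match block (conditional lines)."""
    seen: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        seen.setdefault(key, value)      # first occurrence wins
    return seen

def audit_sshd(config_text: str) -> List[Tuple[str, str, str]]:
    """(keyword, expected, effective) for each setting that deviates from the slide."""
    eff = effective_settings(config_text)
    findings = []
    for key, want in EXPECTED.items():
        have = eff.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append((key, want, have))
    return findings

# Constructed sample: "PermitRootLogin no" was appended, but the earlier "yes" is used.
SAMPLE = """\
Protocol 2
PermitRootLogin yes
MaxAuthTries 3
# PermitEmptyPasswords no   (commented out, so the default applies)
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""
if __name__ == "__main__":
    for key, want, have in audit_sshd(SAMPLE):
        print(f"{key}: slide says {want}, sshd will use {have}")
```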
</LYNIS DEMO>
• cd /opt/lynis-1.3.8
• ./lynis --check-all
</NETWORK SECURITY>
• 30min
</IPTABLES>
• XMAS TREE ATTACK
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
“sends a large number of Christmas tree packets to an end device”
</IPTABLES>
• Smurf Attack - sends a large number of ICMP echo broadcast packets, with the source IP address spoofed to that of the target.
iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
Or block all ICMP packets
iptables -A INPUT -p icmp -j DROP
</IPTABLES>
• SYN Flood
iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
The attacker creates a large number of forged SYN requests with spoofed source IP addresses and sends them to the target.
</TCP WRAPPERS>
• echo "ALL:ALL" >> /etc/hosts.deny
• echo "sshd:ALL" >> /etc/hosts.allow
</UNCOMMON PROTOCOLS>
• Datagram Congestion Control Protocol (DCCP)
• Stream Control Transmission Protocol (SCTP)
• Reliable Datagram Sockets (RDS)
• Transparent Inter-Process Communication (TIPC)
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
</IPTABLES DEMO>
• Custom Script (BASH)
• ./iptables.sh
</KERNEL>
• Securing Systems and Network on Kernel
• Config File
/etc/sysconfig/sysctl.conf
/etc/rc.d/init.d/network restart
/sbin/sysctl -p
</KERNEL>
• DIFFERENT WAYS TO LOCKDOWN
• Prevent your system responding to Ping
• Refuse responding to broadcast requests
• Routing Protocols
• Enable TCP SYN Cookie Protection
• Disable ICMP Redirect Acceptance
• Enable always-defragging Protection
• Enable bad error message Protection
• Enable IP spoofing protection
• Log Spoofed, Source Routed and Redirect Packets
</KERNEL>
• Disable IP source routing - It's information in an IP header that allows the source host to dictate the path the packet uses to get to the destination rather than leaving the path to be determined by intermediate gateways. This could allow a source to go around security devices that are typically in the path between source and destination.
</KERNEL>
• Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
/etc/rc.d/init.d/network restart
</KERNEL>
• Enable IP spoofing protection, turn on source route verification
- The spoofing protection prevents your network from being the source of spoofed, i.e. forged, communications that are often used in DoS attacks.
</KERNEL>
• Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
/etc/rc.d/init.d/network restart
</KERNEL>
• Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
This protection will log all Spoofed Packets, Source Routed Packets, and Redirect Packets to your log files.
net.ipv4.conf.all.log_martians = 1
/etc/rc.d/init.d/network restart
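Added example (not from the slides): a Python summary of the kernel messages that log_martians = 1 writes, so the rp_filter and source-route settings can be checked for what they actually reject. The syslog excerpt is constructed; the one thing the parser relies on is the kernel's "martian source DST from SRC" word order.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Caveat the regex depends on: the kernel prints "martian source DST from SRC",
# so the address after "source" is the packet's destination and the address after
# "from" is the (spoofed) source. "martian destination DST from SRC" has the same order.
MARTIAN_RE = re.compile(
    r"martian (?P<kind>source|destination) (?P<dst>[\d.]+) from (?P<src>[\d.]+),"
    r" (?:on )?dev (?P<dev>\S+)")

def parse_martians(log_text: str) -> List[Tuple[str, str, str, str]]:
    """(kind, src, dst, dev) per martian line; the 'll header' dump lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append((m["kind"], m["src"], m["dst"], m["dev"]))
    return events

def summarise(log_text: str) -> Dict[str, Counter]:
    """Count rejected packets per claimed source and per ingress interface."""
    events = parse_martians(log_text)
    return {"by_source": Counter(e[1] for e in events),
            "by_dev": Counter(e[3] for e in events)}

# Constructed syslog excerpt in the kernel's message format (not a real capture).
# The first line is the Smurf pattern from the IPTABLES slide: a packet arriving
# with the host's own address 10.0.0.5 as its source.
SAMPLE_LOG = """\
Jan 27 10:01:02 srv kernel: [ 4512.123] IPv4: martian source 10.0.0.5 from 10.0.0.5, on dev eth0
Jan 27 10:01:02 srv kernel: [ 4512.123] ll header: 00000000: ff ff ff ff ff ff 52 54 00 12 34 56 08 00
Jan 27 10:01:03 srv kernel: [ 4513.456] IPv4: martian source 10.0.0.5 from 192.168.9.9, on dev eth0
Jan 27 10:01:04 srv kernel: [ 4514.789] IPv4: martian source 10.0.0.5 from 192.168.9.9, on dev eth1
Jan 27 10:01:05 srv kernel: [ 4515.000] IPv4: martian destination 224.0.0.1 from 10.0.0.7, dev eth0
"""

if __name__ == "__main__":
    for bucket, counts in summarise(SAMPLE_LOG).items():
        print(bucket, dict(counts))
```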
</KERNEL>
• Disable the magic SysRq key
kernel.sysrq = 0
</KERNEL>
• Decrease the default value of tcp_keepalive_time for connections
net.ipv4.tcp_keepalive_time = 1800
</KERNEL>
• Prevent SYN Flood Attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
</KERNEL>
• Ignoring Ping
net.ipv4.icmp_echo_ignore_all = 1
</KERNEL>
• Turn on execshield
- Against Remote Attack Tool (RAT)
kernel.exec-shield=1
kernel.randomize_va_space=1
</AUDIT>
• 30min
</AUDITING>
• TOOLS
- Tripwire
- Auditd
- AIDE
</COMPLIANCE SCORING>
• OpenScap Demo
</END>
• Thank you!
http://mrebultan.simplesite.com/