
Steps to Secure A Unix System

Joseph Carnahan, Information System Security Class, November 25, 2002



  1. Steps to Secure A Unix System
     Joseph Carnahan, Information System Security Class, November 25, 2002

  2. Disclaimers
     • The term “Unix” covers a very diverse family of operating systems
       • I will try to be general
       • Examples are from Red Hat Linux, which is popular with business users and “newbies”
     • This talk is way too short
       • There are a billion other things you can do, each making a system a bit more secure
     • Security is always relative, never absolute

  3. A Couple Scenarios
     • You get a new computer, and you want to put Linux on the old one, just to play around with it.
     • You get a new job. There’s a Unix workstation on your desk, and you’re expected to administer your own machine, since your boss doesn’t want to pay for a sysadmin.

  4. The Problem
     • Vendors, whether they are informal groups of hackers or successful publicly-traded corporations, do not like to have to provide tech support
     • Systems are designed to work as well as possible out-of-the-box
     • In this context, this means turning on every service that anyone could possibly want, setting up default accounts, etc.

  5. Your Mission
     Secure this computer!

  6. The Main Idea
     • If you don’t need it, get rid of it
       • Software installed
       • Services running
       • Access permitted
     • If you do need it, patch it

  7. Delete Unneeded Software
     • Any software on your system
       • Takes up disk space
       • Could have bugs
       • Could be used by an attacker
     • So, get rid of it
       • Use your system’s package manager, if possible

  8. Red Hat Linux Example
     • List installed packages:
       rpm -qa
     • Find out info about an installed package:
       rpm -qi <package>
     • Remove a package (checks for dependencies, so it shouldn’t break other programs):
       rpm -e <package>

  9. Turn Off Unneeded Services
     • Definition of “service”: A program that runs on your system either regularly or continuously
       • Synonym for “daemon”
     • Any running service is a possible chink in your system’s armor, particularly network-based services
     • If you don’t want an FTP server, why are you running one?

  10. Red Hat Linux Example
     • Turn off a particular service:
       chkconfig <service> off
     • Graphical interface for turning services on and off:
       tksysv
     • Text-based menu of services (my favorite tool for this):
       ntsysv

  11. Set Up Access Controls
     • Often, access to network services is only needed from specific systems
       • Access work from home
       • Access home from work
       • Access work from other systems at work

  12. Red Hat Linux Example
     • Service controls with TCP wrappers:
       • Put this in /etc/hosts.allow:
         <service>: <hostname>
       • Wildcard “all” can be used (with caution)
       • Put this in /etc/hosts.deny:
         all: all

  13. Red Hat Linux Example
     • Service controls with iptables firewall:
       • Allow all established connections:
         iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
       • Allow traffic to specific ports:
         iptables -A INPUT -j ACCEPT -p tcp --dport 80
       • Deny everything else:
         iptables -P INPUT DROP

  14. Patch It!
     • All software has bugs, and all supported software has updates to fix those bugs
     • A large percentage of bugs are security problems
     • Updates can usually be obtained from a vendor FTP site or web site
     • Process to check for updates should be automated, if possible

  15. Red Hat Linux Example
     • There is a paid-subscription “up2date” service that you can use
     • Otherwise, just go to ftp://updates.redhat.com or a mirror listed on http://www.redhat.com/mirrors
       • Download RPMs for your architecture
       • Update RPMs with the command:
         rpm -Fvh *.rpm

  16. Variations
     • Some systems (Mandrake Linux, SuSE Linux) are similar to Red Hat Linux
     • Some systems (Debian GNU/Linux, Solaris, *BSD) have their own package managers
     • Some systems (BSD ports system, Gentoo Linux) build from source, but allow you to track and upgrade versions
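
An added example for slides 9 and 10 (not part of the original presentation): it reads `chkconfig --list` output, compares it to a list of services you have decided to keep, and prints the `chkconfig <service> off` commands for everything else without running them. The sample output, the keep-list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: review `chkconfig --list` output against a keep-list.

# Constructed sample in the two formats chkconfig prints: per-runlevel
# SysV services first, then the on/off list of xinetd-managed services.
sample_chkconfig_list() {
cat <<'EOF'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        wu-ftpd:        on
        chargen:        off
EOF
}

# unneeded_services RUNLEVEL "svc1 svc2 ..."
# Reads chkconfig output on stdin and prints every service that is enabled
# (in RUNLEVEL, or under xinetd) but is missing from the keep-list.
unneeded_services() {
    awk -v rl="$1" -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^xinetd based services:/ { xinetd = 1; next }
        NF == 0 { next }
        xinetd {                       # xinetd section: name, colon, on|off
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in ok)) print name
            next
        }
        {                              # SysV section: name, then N:on|N:off
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on") && !($1 in ok)) print $1
        }
    '
}

# Print (do not execute) the command that would disable each finding.
disable_commands() {
    unneeded_services "$1" "$2" | while read -r svc; do
        echo "chkconfig $svc off"
    done
}

# Review runlevel 3, keeping only crond, sshd and xinetd itself.
sample_chkconfig_list | disable_commands 3 "crond sshd xinetd"
```

On a real host, replace `sample_chkconfig_list` with `chkconfig --list` and review the printed commands before running any of them.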
