1 / 0

CT 320: Network and System Administration

CT 320: Network and System Administration. SECURITY Colorado State University Computer Science Department Chris Wilcox Fall 2012. Original slides from Dr. James Walden at Northern Kentucky University. Topics. Risk Management OS Hardening PAM Passwords iptables. Risk Management.

egan
Download Presentation

CT 320: Network and System Administration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CT 320: Network and System Administration

    SECURITY Colorado State University Computer Science Department Chris Wilcox Fall 2012 Original slides from Dr. James Walden at Northern Kentucky University.
  2. Topics Risk Management OS Hardening PAM Passwords iptables CT320, Fall Semester 2012
  3. Risk Management Risk is the relationship between your assets, the vulnerabilities characteristic to those assets, and attackers who wish to access or modify those assets. CT320, Fall Semester 2012
  4. Assets Login account. Network bandwidth. Disk space. Confidential Data: company, customers, … Reputation. CT320, Fall Semester 2012
  5. Security Goals Data confidentiality Customer account data (credit cards, identity) Trade secrets Administrative data (passwords, configuration) Data integrity Administrative data Software downloads (patches, free tools) Web pages CT320, Fall Semester 2012
  6. Security Goals System integrity System binaries Kernel Device Drivers System/network availability Network bandwidth Network services (authorization, file, mail, print) Disk space CT320, Fall Semester 2012
  7. Threats Financial motives Identity theft Phishing Spam Extortion Botnets Political motives Danish sites hacked after Mohammed cartoons. Personal motives Just for fun. Insider revenge. CT320, Fall Semester 2012
  8. Vulnerabilities Bad/default passwords. Unused services with open ports. Unpatched software vulnerabilities. Transmitting confidential data in cleartext. Open modems or wireless networks. Physical access to critical systems. Uneducated users. CT320, Fall Semester 2012
  9. Attack Trees CT320, Fall Semester 2012
  10. Defenses Vulnerability mitigation Use secure authentication systems. Deploy software in secure configuration. Patch security flaws quickly. Attack mitigation Firewalls to prevent network attacks. Intrusion Detection Systems (IDS) to detect attacks. Virus and spyware scanners. CT320, Fall Semester 2012
  11. OS Hardening Secure the physical system. Install only necessary software. Keep security patches up to date. Delete or disable unnecessary user accounts. Use secure passwords. Disable remote access except where necessary. Use sudo instead of su. Run publicly accessible services in “jails”. Check logs regularly. Configure firewall on each host. Run security scanner to check security. Document security configuration. CT320, Fall Semester 2012
  12. Secure the physical system Place servers in a physically secure location. Physically secure the case or rack. Place identification tags on all hardware. Password protect the BIOS. Disable booting from removable media. CT320, Fall Semester 2012
  13. Install only Necessary Software Put different services on different hosts. A compromise in ftp should not compromise mail. Improves reliability and maintainability too. Common unnecessary packages X-Windows Software development (gcc, gdb, etc.) CT320, Fall Semester 2012
  14. Security Patches Subscribe to vendor security patch list. Or know vendor’s update schedule. Microsoft Windows updates “Patch Tuesday”. Update test host first. up2date -u Patches can sometimes break services. Update other hosts after that. May need to schedule downtown if reboot required. This alone justifies push method for software distribution. CT320, Fall Semester 2012
  15. Use Secure Passwords Attacks against Passwords Password sniffing Password guessing via login Password cracking Defences Do not transfer passwords over the network. Secure /etc/{passwd,shadow} Configure password quality/aging rules. Test your passwords by cracking them. CT320, Fall Semester 2012
  16. PAM Problem: Many programs require authentication. Ex: ftp, rlogin, ssh, etc. New authentication schemes require rewrites. Ex: longer passwords, keys, one-time passwords Solution: Separate authentication from programs. Store authentication in Pluggable Authentication Modules. Programs choose PAMs to use at runtime by reading config files. CT320, Fall Semester 2012
  17. PAM Configuration Configured under /etc/pam.d Each PAM-aware service has a file there. Format: <module interface><control flag><module name><module arguments> Module interface: one of 4 module types. Control flag: how module will react to failure or success (multiple successes may be required.) Module name: PAM shared library. Module args: Files to use, other options. CT320, Fall Semester 2012
  18. Module Interfaces auth — Authenticates use of service. For example, it may request and verify a password. account — Verifies that access is permitted, e.g. check for expired accounts or location and time. password — Sets and verifies passwords. session — Configures and manages user sessions, e.g. mounting user home directories or mailboxes. CT320, Fall Semester 2012
  19. Module Stacking Example rlogin PAM requirements The file /etc/nologin must not be present. Root may not login over network. Environment variables may be loaded. ~/.rhosts entry allows login without password. Otherwise perform standard password login. PAM config file auth required pam_nologin.so auth required pam_securetty.so auth required pam_env.so auth sufficient pam_rhosts_auth.so auth required pam_stack.so service=system-auth CT320, Fall Semester 2012
  20. Control Flags required: Module result must be successful for authentication to continue. User is not notified on failure until results on all modules referencing that interface are available. requisite: Module result must be successful for authentication to continue. User is notified immediately with a message reflecting the first failed required or requisite module. sufficient: Module result ignored if it fails. If a sufficient flagged module result is successful and no required flagged modules above it have failed, then no other results are required and the user is authenticated to the service. optional: Module result is ignored. Only necessary for successful authentication when no other modules reference the interface. CT320, Fall Semester 2012
  21. Password Quality Use pam_cracklib.so in system-auth Options retry=#: Maximum # of retries. minlen=#: Minimum password length. lcredit=#: Min # of lower case letters. ucredit=#: Min # of upper case letters. dcredit=#: Min # of digits. ocredit=#: Min # of other chars. CT320, Fall Semester 2012
  22. Password Aging Configure /etc/login.defs before creating accounts. PASS_MAX_DAYS: Max # of days before password expires. PASS_MIN_DAYS: Min # of days before user can change pw. PASS_WARN_AGE: # of days for pw change notice given. Also configure /etc/default/useradd INACTIVE: # of days after pw expiration that account is disabled. EXPIRE: Account expiration date in format YYYY-MM-DD. Remember old passwords with pam_unix.so Prevents users from changing password back to old value. Modify /etc/pam.d/system-auth Set pam_unix.so option remember=26 Create /etc/security/opasswd to store old passwords. CT320, Fall Semester 2012
  23. Disable Unnecessary Accounts /etc/passwd contains application accounts. Delete unnecessary application accounts. Common ex: uucp, games, gdm, xfs, rpcuser, rpc All should have locked passwords. Set shell to /bin/noshell or /bin/false. Disable user accounts immediately on termination of employment. CT320, Fall Semester 2012
  24. Disabling Remote Access Disable cleartext protocols telnet, ftp, rsh, rlogin Disable root access via ssh. Set PermitRootLogin to “no” in sshd_config Remove root non-terminal consoles Set in /etc/securetty Disable password access via ssh Use keys instead. CT320, Fall Semester 2012
  25. sudo Login as root only for single-user mode. Use sudo instead of su. sudo command Advantages: Uses user password instead of root’s password. Logs who executed what commands as root. Can delegate limited powers to some users. CT320, Fall Semester 2012
  26. Jails Complete isolation: virtual machines. Partial isolation: chroot chroot /var/httpd httpd chroot filesystem needs: /var/httpd/etc: limited /etc/{passwd,shadow,group} /var/httpd/usr/lib shared libraries /var/httpd/bin: extra binaries /var/httpd/var/log: log space /var/httpd/tmp: temporary space CT320, Fall Semester 2012
  27. Check Logs Review logs every morning. Better yet, have a program scan them. Send logs to a central server for security: attacker can’t hide tracks by deleting ease of use: you can read all logs in one place CT320, Fall Semester 2012
  28. Configure Firewall Defense in Depth Use host firewall + network firewall. Failsafe Defaults Disable all access by default on each host. Enable necessary services. Protects against Insider attacks. Running vulnerable services by mistake. CT320, Fall Semester 2012
  29. iptables iptables [-t table] cmd [matches] [target] Commands: -A chain rule-spec: Append rule to chain. -D chain rule-spec: Delete a rule from chain -L chain: List all rules in chain. -F chain: Flush all rules from chain. -P chain target: Set default policy for chain. -N chain: Create a new chain. -X chain: Remove a user-defined chain. CT320, Fall Semester 2012
  30. iptables Matches -p protocol: Specify protocol to match. tcp, udp, icmp, etc. -s address/mask: Source IP address to match. -d address/mask: Dest IP address to match. --sport: Source port (TCP/UDP) to match. --dport: Dest port (TCP/UDP) to match. CT320, Fall Semester 2012
  31. iptables Extended Matches -m match: Specify match module to use. Example: limit Only accept 3 ICMP packets per hour. -m limit --limit 3/hour -p icmp -j REJECT Example: state Useful stateful packet filtering. -m state --state NEW: match only new conns -m state --state ESTABLISHED: match only established connections. CT320, Fall Semester 2012
  32. iptables Targets -j ACCEPT Accept packet. -j DROP Drop packet w/o reply. -j REJECT Drop packet with reply. -j RETURN Return from this chain to calling chain. -j LOG Log packet; chain processing continues. CT320, Fall Semester 2012
  33. Chain Targets INPUT test -p ICMP -j DROP -s 192.168.1.1 -p TCP -j test -d 192.168.1.1 -p UDP -j DROP CT320, Fall Semester 2012
  34. Creating a Packet Filter Create a security policy for each service. for example: allow only outgoing telnet service Specify security policy in terms of which types of packets are allowed/forbidden Write packet filter in terms of vendor’s filtering language CT320, Fall Semester 2012
  35. Example: outgoing telnet TCP-based service Outbound packets Destination port is 23 Source port is random port >1023 Outgoing connection established by first packet with no ACK flag set Following packets will have ACK flag set Incoming packets Source port is 23, as server runs on port 23 Destination port is high port used for outbound packets All incoming packets will have ACK flag set CT320, Fall Semester 2012
  36. Example: outgoing telnet First rule allows outgoing telnet packets Second rule allows response packets back in Third rule denies all else, following Principle of Fail-Safe Defaults CT320, Fall Semester 2012
  37. Implementing the Filter with iptables # iptables –A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT # iptables -A INPUT -m state --state ESTABLISHED,RELATED –m tcp –d tcp --sport 23 -j ACCEPT # iptables -A INPUT -j REJECT CT320, Fall Semester 2012
  38. Security Scanning Scan host security Run Bastilleautomated security tool on host. www.bastille-linux.sourceforge.net Scan network security Scan for open ports with nmap, a network port scanning tool for detecting available ports. Scan for vulnerabilities with Nessus, a vulnerability scanning program. CT320, Fall Semester 2012
  39. Intrusion Detection Host-based intrusion detection (HIDS) Check if system files are modified. Check for config / process modifications. Tools: tripwrite, osiris, samhain Network-based intrusion detection (NIDS) Sniffer + traffic analysis + alert system. Check for suspicious activities: port scans, etc. Check for attack signatures: worms, etc. Tools: snort, air snort CT320, Fall Semester 2012
More Related