Security for Administrators

Presented by: Greg Smith, Pacsec.jp 2004


Introduction

  • Who am I?

  • Who do I work for, and what is my job?

  • Why am I talking about this?


Who am I?

  • Greg Smith

  • Using UNIX based operating systems for 8 years

  • Administrator work for 5 years

  • Working with security off and on for 4 years.


Who Do I Work For, and What Is My Job?

  • I work for Secured Infrastructure Design Corporation.

  • I am a Security Analyst and administrator for various BSD/Linux servers.


Why Am I Talking About This?

  • I believe that administrators should be more concerned about the well-being of their servers.

  • I want to try to share some of my basic views on security.


Overview

  • My Definition of security

  • Operating system level security

  • Security via log monitoring

  • Interactive security

  • Administrator security measures


My Definition of Security

  • Making intelligent choices

  • Being educated, and always learning

  • Perceptiveness

  • Adaptation

  • Care and attention


Operating System Level Security

  • Proper application management

  • Keeping proper tabs on users’ interactions with the operating system

  • Noticing inconsistencies in administrator and user logins

  • Noticing inconsistencies in the file systems



Keeping Proper Tabs On Users

  • Watch login times: if you know a user was not in the office at a particular time but the account appears to have been logged in, check the logs further to see what that account did.

  • Watch your own logins: an inconsistency in administrator logins also warrants digging further into the logs.
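One way to turn the first point into a repeatable check, as an added example that is not from the talk: it reads last(1) output and prints every login whose hour falls outside an expected working window. The 08:00 to 18:00 window, the user names and the wtmp sample lines are all constructed for this example.

```sh
#!/bin/sh
# Added example (not from the talk): flag logins recorded by last(1) whose
# login time falls outside the hours a user is expected to be at work.
# The sample wtmp lines and the 08:00-18:00 window are constructed here.

# Constructed sample of `last` output for the example.
SAMPLE_LAST='greg     ttyp0    10.0.0.5         Mon Nov 15 09:12 - 09:40  (00:28)
greg     ttyp1    10.0.0.5         Mon Nov 15 03:17 - 03:22  (00:05)
alice    ttyp0    192.168.1.20     Tue Nov 16 13:05 - 17:58  (04:53)
root     ttyv0                     Tue Nov 16 22:41 - 22:43  (00:02)
alice    ttyp2    203.0.113.9      Wed Nov 17 02:30   still logged in
reboot   ~                         Wed Nov 17 06:00
wtmp begins Mon Nov  1 00:00:00 2004'

# off_hours_logins START END: read last(1) output on stdin and print every
# login whose hour is < START or >= END. Console logins have no host column,
# so the login time is located by pattern rather than by a fixed field number.
off_hours_logins() {
    awk -v start="$1" -v end="$2" '
        $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" || NF == 0 { next }
        {
            t = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9][0-9]:[0-9][0-9]$/) { t = $i; break }
            if (t == "") next
            hour = substr(t, 1, 2) + 0
            if (hour < start || hour >= end) print
        }'
}

# Demo on the constructed sample; on a live host:  last | off_hours_logins 8 18
printf '%s\n' "$SAMPLE_LAST" | off_hours_logins 8 18
```

The three lines it prints from the sample (greg at 03:17, root on the console at 22:41, alice from 203.0.113.9 at 02:30) are exactly the ones the slide says to chase through the other logs; a login during working hours from an unexpected address still needs a separate check on the host column.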


Noticing Inconsistencies In The File Systems

  • Has a file been moved, deleted, or copied somewhere else on the system, and you don't remember doing it?

  • Are there symlinks from logs to /dev/null? (A classic way to silence a log without deleting it.)

  • Are there extra directories containing files you have never seen?

  • Watch for differences in the file system since the last time you logged in.
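Two of these checks scripted, as an added example that is not from the talk: one lists log symlinks that point at /dev/null, the other lists files changed since a reference stamp file was last touched. The directory layout, file names and timestamps are constructed in a temporary directory for the example; on a real host the checks would be pointed at /var/log.

```sh
#!/bin/sh
# Added example (not from the talk): two checks for the file-system
# inconsistencies listed above. The directory layout is constructed in a
# temporary directory; on a real host point the checks at /var/log and keep
# the reference stamp file outside any directory an intruder would expect.

# nulled_logs DIR: print every symlink under DIR that points at /dev/null,
# the classic way of silently discarding a log.
nulled_logs() {
    find "$1" -type l | while IFS= read -r link; do
        if [ "$(readlink "$link")" = "/dev/null" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# changed_since DIR STAMP: print regular files under DIR modified more
# recently than the STAMP file (the last time you looked).
changed_since() {
    find "$1" -type f -newer "$2"
}

# mark_checked STAMP: refresh the stamp at the end of a session so the next
# changed_since call has a baseline.
mark_checked() {
    touch "$1"
}

# build_sample_layout: create a constructed log directory and print its path.
# Timestamps are set explicitly so the demo does not depend on the clock.
build_sample_layout() {
    d=$(mktemp -d)
    printf 'Nov 14 auth line\n' > "$d/auth.log"
    printf 'Nov 16 messages line\n' > "$d/messages"
    ln -s /dev/null "$d/cron"               # log silenced by an intruder (constructed)
    touch -t 200411140000 "$d/auth.log"
    touch -t 200411150000 "$d/stamp"         # baseline: last checked Nov 15
    touch -t 200411160000 "$d/messages"      # changed after the baseline
    printf '%s\n' "$d"
}

# Demo on the constructed layout.
dir=$(build_sample_layout)
echo "logs pointing at /dev/null:"; nulled_logs "$dir"
echo "files changed since last check:"; changed_since "$dir" "$dir/stamp"
rm -rf "$dir"
```

The mtime comparison is only as good as the clock and the stamp: an intruder who can reset timestamps or touch the stamp defeats it, which is why the slide's advice to remember what the system looked like last time still matters.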


Security via Logging

  • Don't be afraid to use tools like sed, awk, uniq, and sort to navigate logs more efficiently.

  • Interpret the logs; look for inconsistencies.

  • Apache logs: look for transfers of files out of users' personal directories.

  • FTP logs: look for suspicious transfers.

  • Look for SSH authentication errors.


Using Text Parsing Tools To Make Life Easier

  • The examples here are all based on FreeBSD 4.9's default logging system.


Interpret The Logs, Look For Inconsistencies

  • Example: a cron log with around 1000 entries collapses to a handful of distinct line shapes once every digit is masked, so the odd one out stands out:

  • sed 's/[0-9]/#/g' cron.log | sort | uniq
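The same idea carried one step further, as an added example that is not from the talk: count each line shape and list the rarest first, since the rare shapes are the inconsistencies worth reading. The cron lines are constructed in FreeBSD cron(8) log format; masking whole digit runs instead of single digits is a small generalization so that pids of different lengths still give the same shape.

```sh
#!/bin/sh
# Added example (not from the talk): collapse a log into its distinct line
# shapes by masking numbers, then count each shape so the rare ones, which
# are the inconsistencies worth reading, come first. The cron lines below
# are constructed.

# Constructed sample in FreeBSD cron(8) log format.
SAMPLE_CRON='Nov 15 10:00:00 srv /usr/sbin/cron[4411]: (root) CMD (/usr/libexec/atrun)
Nov 15 10:05:00 srv /usr/sbin/cron[4420]: (root) CMD (/usr/libexec/atrun)
Nov 15 10:10:00 srv /usr/sbin/cron[4433]: (root) CMD (/usr/libexec/atrun)
Nov 15 10:15:00 srv /usr/sbin/cron[4450]: (root) CMD (/usr/libexec/atrun)
Nov 15 11:00:00 srv /usr/sbin/cron[4512]: (root) CMD (newsyslog)
Nov 15 12:00:00 srv /usr/sbin/cron[4601]: (root) CMD (newsyslog)
Nov 15 03:30:00 srv /usr/sbin/cron[3921]: (operator) CMD (/usr/local/bin/backup.sh)'

# collapse_log: read log lines on stdin, mask every run of digits with '#',
# and print "count shape", rarest first.
collapse_log() {
    sed 's/[0-9][0-9]*/#/g' | sort | uniq -c | sort -n
}

# rare_shapes MAX: like collapse_log, but keep only shapes seen MAX times or fewer.
rare_shapes() {
    collapse_log | awk -v max="$1" '$1 <= max'
}

# Demo on the constructed sample; on a live host:  rare_shapes 2 < /var/log/cron
printf '%s\n' "$SAMPLE_CRON" | collapse_log
```

On the sample the seven lines become three shapes, with the single backup.sh run at the top and the routine atrun entries at the bottom; on a real month of cron output the ratio is far more lopsided, which is the whole point.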


Secure/Auth Log Analysis

  • There are many similar lines; narrow them down with grep and awk.


  • grep Failed auth.log | awk '{print $3" "$6" "$7" "$11" "$13}'

  • With simple grep/awk, a lot of useless information has been weeded out: the command prints just the time, "Failed password", the source address and the port of each failed attempt.
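A more robust form of the same analysis, as an added example that is not from the talk: the fixed field numbers above shift by two when sshd logs "Failed password for illegal user X" (later OpenSSH versions say "invalid user"), so this version locates the user and source address relative to the "from" token and totals failures per user and per address. The auth.log lines are constructed.

```sh
#!/bin/sh
# Added example (not from the talk): summarize sshd password failures per
# user and source address. Field numbers shift when the line carries
# "illegal user" / "invalid user", so the user and address are found relative
# to the "from" token instead. The auth.log lines are constructed.

SAMPLE_AUTH='Nov 15 03:12:07 srv sshd[5123]: Failed password for root from 203.0.113.9 port 2231 ssh2
Nov 15 03:12:11 srv sshd[5125]: Failed password for root from 203.0.113.9 port 2233 ssh2
Nov 15 03:12:15 srv sshd[5127]: Failed password for illegal user admin from 203.0.113.9 port 2235 ssh2
Nov 15 09:40:02 srv sshd[5301]: Failed password for greg from 10.0.0.5 port 1022 ssh2
Nov 15 09:40:20 srv sshd[5301]: Accepted password for greg from 10.0.0.5 port 1022 ssh2'

# failed_logins: read auth.log on stdin, print "count user address" for every
# failed password attempt, most frequent first.
failed_logins() {
    grep 'Failed password' | awk '
        {
            f = 0
            for (i = 1; i <= NF; i++) if ($i == "from") { f = i; break }
            if (f == 0) next
            n[$(f - 1) " " $(f + 1)]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# failed_by_source: total the failures per source address, regardless of the
# user name tried; a long list of names from one address is a guessing run.
failed_by_source() {
    failed_logins | awk '{ s[$3] += $1 } END { for (k in s) print s[k], k }' | sort -rn
}

# Demo; on a live host:  failed_logins < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH" | failed_logins
echo "--- by source ---"
printf '%s\n' "$SAMPLE_AUTH" | failed_by_source
```

The successful login from 10.0.0.5 is deliberately excluded from the counts; a single failure followed by success from an expected address is a typo, while several failures from one address followed by an "Accepted" line for the same account is the pattern to go back and check in last(1).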


Messages Log Analysis

  • There are many similar lines; narrow them down with grep.


  • Use grep to filter, then filter again on the result:

  • grep root messages | grep BAD

  • With those simple instructions, your viewing time can be cut substantially.


More Security via Logging

  • Watch the login history (wtmp) using the last command.

  • The httpd-access and httpd-error logs can be handy in tracing a possible compromise. Use the same methods as in the other examples to parse the httpd logs.



  • Monitor logs on a regular basis

  • Learn the logging system for the particular operating system at hand

  • To save time, skim the logs for the inconsistencies described above; if you find one, probe deeper.

  • Watch for inconsistencies in log file sizes, such as a log that suddenly stops growing or shrinks.


Interactive Security

  • What do I consider interactive security?

  • Why would someone use this method?


What Do I Consider Interactive Security?

  • Perceptiveness.

  • Know your system.

  • Customize your server or workstation to better suit you.

  • Understand that proper mindset can increase security substantially.


Why Would Someone Use This Method?

  • Cut down on man-hours spent maintaining systems; administrators have to spend less time on tedious tasks.

  • Enhance knowledge about basic functions of the operating system.

  • Less stressful work environment.


Administrative Measures

  • If a server has been compromised, learn from this, and adapt accordingly.

  • Segregation

  • Common sense


Conclusions

  • Administrators work closest to the infrastructure that needs the most attention.

  • Better education of administrators could reduce the chance of being compromised.


Questions?

Special Thanks to:

Richard S. Keirstead

Lars Maul

Steve Manzuik

