
Linux Security



Presentation Transcript


  1. Linux Security Presenter: Dolev Farhi (@0x6466) | dolev@dc416.com

  2. Acknowledgements

  3. ? You need to deploy a public facing web server… - what security countermeasures do you apply?

  4. Common hardening techniques
    • Limiting the attack surface by removing unnecessary packages
    • Local firewall rules (iptables, firewalld)
    • Disabling root and using sudo account(s)
    • Keeping the system up to date (rpm, dpkg)
    • User account management / enforcing password complexity and password policies
    • Locking down certain services

  5. but they won’t prevent the following scenario…

  6. SELinux & AppArmor
    • SELinux: context based, installed by default (CentOS/Red Hat)
      - Well defined policy interfaces
      - Flexible policies
      - CLI/GUI apps exist to administer an enabled SELinux system
      - Auditing features
      - Permissive & Enforcing modes
    • AppArmor: profile based, controls the directories/files the app is using
      - Easy deployment
      - Console app for administration
      - Report scheduling and auditing
      - Complain & Enforce modes
    • Both mechanisms provide another layer of security, but security often comes with usability difficulties/issues.

  7. More on SELinux
    • …but other than that:
      * A medium-to-high Linux skill set is required to administer SELinux
      * Systems that are already deployed with apps will have to be modified to work with SELinux; it is not a pleasant sight…
    • …and many vendors don't support running with SELinux enabled.
    • Estimated performance hit of ~7%

  8. ? root user is compromised, is it game over?

  9. The power of SELinux

  10. root challenge http://goo.gl/ENFMOu

  11. Automating auditing processes with Lynis
    • Lynis is a security auditing tool for Unix, Linux and Mac OS systems. It is used by system administrators, auditors and security professionals all over the world. Some of the features are:
      • Open source
      • Shell script
      • No dependencies
      • Easy to understand
      • Report on screen and details in report file
      • Reporting of warnings and suggestions
      • Detailed logging
      • Hardening index
      • Dynamic OS detection
      • 300+ built-in tests
      • Support for custom tests
      • Plugin support
      • Compliance checks
      • Extensive software support
      • Reporting

  12. Behavioral analysis using honeypots
    Kippo is a medium-interaction open source SSH honeypot designed to log brute force attacks and the entire shell interaction.
    GitHub project: https://github.com/desaster/kippo
    Features: fake filesystem (and real), session logging, tricks the user in different ways.
    Pros: easy to deploy, provides a relatively easy way to create your own custom honeypot.
    Cons:
    - Easy to fingerprint
    - An experienced Linux user would be able to understand he's in a honeypot pretty quickly with the out-of-the-box configuration.

  13. Behavioral analysis with Kippo honeypot
    • Some of Kippo's features:
      • Fake filesystem with the ability to add/remove files. A full fake filesystem resembling a Debian 5.0 installation is included
      • Possibility of adding fake file contents
      • Kippo saves downloaded files (wget) for later inspection

  14. ~1 month old honeypot statistics
    Attack statistics:
    • Total unique IP addresses: 115
    • Overall attempts: over 9000
    Top 10 targeted accounts (attempts - account):
    • 3349 - root
    • 1074 - admin
    • 100 - support
    • 83 - ubnt
    • 74 - oracle
    • 62 - user
    • 59 - git
    • 45 - test
    • 36 - pi
    • 34 - minecraft
    Top 10 targeted passwords (attempts - password):
    • 782 - 123456
    • 520 - !@
    • 216 - 111111
    • 199 - admin
    • 186 - root
    • 143 - (empty password)
    • 138 - support
    • 110 - 1234567890
    • 107 - password
    • 87 - changeme
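As an added example (not part of the slides or of the Kippo project), a small parser that turns Kippo-style login-attempt log lines into the kind of statistics shown on this slide: unique source IPs, total attempts, top targeted accounts and passwords, and any attempt the honeypot accepted. The line format and the sample entries below are constructed assumptions, including an empty-password attempt like the blank entry in the slide's table.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Kippo's login-attempt log entries.
# The exact format is assumed for this example, not taken from the slides.
SAMPLE_LOG = """\
2014-03-01 10:00:01+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/123456] failed
2014-03-01 10:00:03+0000 [SSHService ssh-userauth on HoneyPotTransport,0,203.0.113.5] login attempt [root/password] failed
2014-03-01 10:00:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [admin/admin] failed
2014-03-01 10:00:09+0000 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/123456] succeeded
2014-03-01 10:00:11+0000 [SSHService ssh-userauth on HoneyPotTransport,3,192.0.2.9] login attempt [pi/raspberry] failed
2014-03-01 10:00:13+0000 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.9] login attempt [root/] failed
"""

# The user name stops at the first '/', so passwords may themselves contain
# slashes; an empty password (as in "[root/]") is matched as an empty string.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>failed|succeeded)$"
)


def parse_attempts(text):
    """Yield one dict per login-attempt line; lines in any other format are skipped."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text, top_n=10):
    """Build the per-honeypot statistics shown on the slide from raw log text."""
    attempts = list(parse_attempts(text))
    return {
        "total_attempts": len(attempts),
        "unique_ips": len({a["ip"] for a in attempts}),
        "top_accounts": Counter(a["user"] for a in attempts).most_common(top_n),
        "top_passwords": Counter(a["password"] for a in attempts).most_common(top_n),
        # Accepted logins are the sessions worth replaying for behavioral analysis.
        "successes": [(a["ip"], a["user"]) for a in attempts if a["result"] == "succeeded"],
    }


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("unique IPs:", stats["unique_ips"], "attempts:", stats["total_attempts"])
    for count, label in (("top_accounts", "account"), ("top_passwords", "password")):
        for value, n in stats[count]:
            print(f"{n} - {value or '(empty ' + label + ')'}")
    print("accepted logins:", stats["successes"])
```

Point `summarize` at the contents of Kippo's log file instead of `SAMPLE_LOG` to produce the same summary for a live honeypot.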

  15. Honeypot trolling mechanism
