1 / 11

Introduction to Unix Security

Introduction to Unix Security. Greg Porter Data Processing Manager USPFO For California. A True Story.

Download Presentation

Introduction to Unix Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction to Unix Security Greg Porter Data Processing Manager USPFO For California

  2. A True Story We loaded linux on a PC, and connected it to the network. Some ‘script kiddie’ came along with a scanner and determined that the linux box had an unpatched bind service. Within hours, they hacked the box, got root access, and installed a ‘root kit’ to hide their tracks. Fortunately we run tools that allow us to detect and deny unauthorized access. Our Intrusion Detection System (IDS) found them. WITHOUT IDS YOU WILL NEVER KNOW. Proactive detection is your frontline defense. Don’t wait until bad guys are attacking the CP…. Go to dpnet.caus.ca.ngb.army.mil for the latest information

  3. Disclaimers • IANASE I Am Not A Security Expert • Existing CERT teams are unix illiterate • ACERT approves security tools • NT point and click, no knowledge needed • You can’t afford them • Proactive DP shops must do ‘self-help’ • DP shops are not CERT teams Go to dpnet.caus.ca.ngb.army.mil for the latest information

  4. Basic Security Steps • Detect Them • Stop them • Document them • Turn them in • Harden your systems Go to dpnet.caus.ca.ngb.army.mil for the latest information

  5. Detect Them • Intrusion Detection System (IDS) • Not a firewall, more like a radar detector • Watches network traffic • Notifies you if suspect traffic is found • A good free system is snort, www.snort.org • Will run on low powered Pentium • READ YOUR LOGS!!!! Use an automatic log reader (Logcheck, www.psionic.com). No one has the time to read logs by hand. Go to dpnet.caus.ca.ngb.army.mil for the latest information

  6. Stop Them • Have a local firewall you control • OK, so it’s not an official ‘firewall’ • Could be same system as IDS • IDS could trigger firewall response • Will run on low powered Pentium with free software • We use OpenBSD (www.openbsd.org) • Refer to it as a ‘bridge’ or a ‘router’ Go to dpnet.caus.ca.ngb.army.mil for the latest information

  7. Document Them • Compromise should be in your COOP plan • Think ‘crime scene’, don’t destroy evidence • Disconnect system from network • Make an entire system backup for evidence • Reload from media, binaries may be hacked • If they got one, they probably got all • They sniffed your local net, all passwords stolen • Consider reload from media on all systems Go to dpnet.caus.ca.ngb.army.mil for the latest information

  8. Turn Them In • Your state CERT is your direct support • Probably new and inexperienced • Usually NT oriented, no unix knowledge • Assist them in escalating to NGB • NGB CERT has some of the same problems, probably will be of little help • LET SOMEONE HIGHER CALL THE FEDS or ACERT! Go to dpnet.caus.ca.ngb.army.mil for the latest information

  9. Harden Your Systems • Ideally they didn’t get in the door, the IDS and ‘firewall’ stopped them • A good source of unix (and NT) hardening info is at www.sans.org • The Bastille Linux hardening scripts have good ideas, but need tweaks for HP-UX http://www.bastille-linux.org/ Go to dpnet.caus.ca.ngb.army.mil for the latest information

  10. Harden Your Systems, Cont. • Some things you can do now • CHECK YOUR LOGS!!! Use Logcheck, www.psionic.com • Turn off non-essential network services • Consider loading network related patches • Know if you are port-scanned, use PortSentry, www.psionic.com • Load TCPWrappers • Implement Secure Shell, kill telnet and ftp Go to dpnet.caus.ca.ngb.army.mil for the latest information

  11. For More Information Check out DPNet • DP specific web site • Lots of topics, DP security discussion • Links to lots of good security sites • Our ‘how-tos’ on how to load for HP-UX • Get help in real-time http://dpnet.caus.ca.ngb.army.mil Go to dpnet.caus.ca.ngb.army.mil for the latest information

More Related