Uploaded byvidalinux
PDF, PPTX252 views

Linux Server Security and Hardering

This document discusses various topics relating to Linux server security and hardening. It begins with an introduction of the author and their background/experience. It then addresses common myths about Linux security and provides statistics on Linux kernel vulnerabilities over time. The document outlines several historical exploits and vulnerabilities like Dirty Cow, Heartbleed, and Shellshock. It provides recommendations for securing aspects like disk partitions, password policies, SSH, SELinux, PHP, Apache, intrusion detection/prevention tools, and auditing/scanning tools. Live demonstrations are given for OpenSCAP and Lynis. Overall the document serves as a guide to properly secure Linux servers.

Embed presentation

Download as PDF, PPTX
Linux Server Security and Hardering Antonio C. Vélez Báez 24, october 2018
ABOUT ME ... • Antonio C. Vélez Báez • OSCP, RHCE, RHCSA-RHOS, Linux+ • Vidalinux.com Founder • OVOX LLC. Co-Founder • Red Hat Certified Instructor and examiner • Red Hat Certified Training Center • First Linux distribution made in Puerto Rico https://en.wikipedia.org/wiki/VidaLinux • Email: acvelez@vidalinux.com • Website: www.vidalinux.com
MYTHS ABOUT LINUX SECURITY • Linux is invulnerable and virus-free. • Virus writers do not target Linux because it has a low market share. • Windows malware cannot run on Linux. • On Linux you install software from software repositories, which contain only trusted software. • I don't need a firewall because Linux has no open ports by default.
VULNERABILITIES STATS Linux kernel Vulnerabilities Stats 1999 - present Vulnerabilities Stats by Vendor 1999 - present source: https://www.cvedetails.com
EXPLOITS STATS
TOP VULNERABILITIES • Dirty Cow: CVE-2016-5195 (Privilege escalation vulnerability) • Heatbleed: CVE-2014-0160 (OpenSSL library vulnerability) • Shellshock: CVE-2014-6271 (GNU Bash Remote Code Execution Vulnerability) • Glibc: CVE-2015-7547 (getaddrinfo stack-based buffer overflow) • VENOM: CVE-2015-3456 (security vulnerability in the virtual floppy drive code) • Misconfiguration of Enterprise Services NIS/NFS • Misconfiguration of Simple Network Management Protocol (SNMP) • User account weak password • Application vulnerabilities • No updates or OS end-of-life
SHELLSHOCK Live demo
NFS MISCONFIGURATION If no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute
ENTERPRISE LINUX Red Hat offers subscription services for each major release of Red Hat Enterprise Linux throughout four life-cycle phases—called Full Support, Maintenance Support 1, Maintenance Support 2, and an Extended Life Phase.
ENTERPRISE LINUX LTS or ‘Long Term Support’ releases are published every two years in April. LTS releases are the ‘enterprise grade’ releases of Ubuntu, and they are much more heavily used (something like 95% of all Ubuntu installations are LTS releases).
LINUX SEC ADVISORIES At the OS level, major distro vendors regularly publish details on security issues with their platform. Examples include: • https://access.redhat.com/security/ • https://www.suse.com/support/security/ • https://www.ubuntu.com/usn/ • https://security.gentoo.org/glsa • https://security.archlinux.org/ • https://www.debian.org/security/
DISK PARTITIONS Servers should have separate file systems for /, /boot, /usr, /dev, /var, /tmp, and /home.
POST INSTALLATION • Install latest updates • Terminate unauthorized users • Identify and shut down unused daemons • Set firewall rules • Disable USB devices • Set GRUB boot loader password • Configure root user timeout
ACCOUNTS & PASSWORDS • Unused Accounts • Enabling Password Aging • Stronger Password Enforcement • Restricting Use of Previous Passwords • Locking User Accounts After Too Many Login Failures • Set password expiration
FILE PERMISSIONS • SUID/SGID Files • World-Writable Files • Orphaned or Unowned Files
SSH SECURITY • Configure idle timeout interval • Limit users for ssh access • Disable password login • Disable root login • Disable empty passwords • Use public/private keys for authentication • Display login Banner • Change default port
KERNEL SECURITY • Disable IP Forwarding (also known as Internet routing) net.ipv4.ip_forward parameter = 0 • Disable the Send Packet Redirects (send routing information to other hosts) net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 • Ignore all to ICMP (ping) net.ipv4.icmp_echo_ignore_all = 1 • Enable Bad Error Message Protection (alert about error messages in network) net.ipv4.icmp_ignore_bogus_error_responses = 1 • Enable IP spoofing protection (packets which claim to be from another host) net.ipv4.conf.all.rp_filter = 1 https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
SELINUX SELinux disable SELinux enable SELinux, Security-Enhanced Linux, is an additional method to protect your system. SELinux is a set of security rules that determine which process can access which files, directories, ports, etc. Every file, process, directory and port has a special security label called SELinux contexts. A context is simply a name that is used by the SELinux policy to determine whether or not a process can access a file, directory or port.
PHP SECURITY • disable_functions = exec,system,shell_exec,passthru • register_globals = Off • expose_php = Off • display_errors = Off • track_errors = Off • html_errors = Off • magic_quotes_gpc = Off
APACHE INFO LEAKAGE • ServerTokens Prod • ServerSignature Off • TraceEnable Off • Header unset ETag • FileETag None • Header always unset "X-Powered-By" • Header unset "X-Powered-By"
MODSECURITY ModSecurity is a web application firewall for the Apache web server. In addition to providing logging capabilities, ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. ModSecurity also operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.
MODEVASIVE Mod Evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities.
BAN SUSPICIOUS HOSTS • Fail2ban • SshGuard • Denyhosts • HeatShield • Portknocking
SCANNER AND AUDITING • Lynis • Logwatch • Nmap • Openscap • Metasploit • Nikto • Nessus • OpenVAS
OPENSCAP Live demo
LYNIS Live demo
¿QUESTIONS?

More Related Content

PPTX
Arch linux
byAniket Sinha
 
PPTX
ZendCon - Linux 101
byJustin Reock
 
PPTX
College copy
byNikhil Kumar
 
PDF
Red Hat Linux 5 Hardening Tips - National Security Agency
bysanchetanparmar
 
PPTX
The Benefits of POSIX
byWhitfield Thomas
 
PDF
Technical Introduction to RHEL8
byvidalinux
 
PPT
Centos operating system
byAgbada
 
PPT
Red hat linux 9 ppt2003
byashishsjcit
 
Arch linux
byAniket Sinha
 
ZendCon - Linux 101
byJustin Reock
 
College copy
byNikhil Kumar
 
Red Hat Linux 5 Hardening Tips - National Security Agency
bysanchetanparmar
 
The Benefits of POSIX
byWhitfield Thomas
 
Technical Introduction to RHEL8
byvidalinux
 
Centos operating system
byAgbada
 
Red hat linux 9 ppt2003
byashishsjcit
 

What's hot

PPT
Apache
byFathima Ashraf
 
ODP
Elastix4.0 High Availability without ElastixHA module
byHani Perkasa
 
PDF
FreeBSD is not Linux
byMuhammad Moinur Rahman
 
PDF
FreeBSD and Hardening Web Server
byMuhammad Moinur Rahman
 
PDF
Hackweek 20 Open Door - Support Windows clients in Uyuni/SUSE Manager
byPau Garcia Quiles
 
PPTX
Operating Systems: A History of Linux
byDamian T. Gordon
 
PDF
Introduction to “X86 PCC Software”
byHermesDDS2015
 
PDF
Terminal Access Controller
byKHNOG
 
PDF
Distro Recipes 2013 : Introduction to Arch Linux: a simple, rolling-release d...
byAnne Nicolas
 
PDF
Linux Kernel Development
byLinuxCon ContainerCon CloudOpen China
 
PDF
Fosscon2013
byDru Lavigne
 
PPTX
Linux
byprateek arora
 
PPTX
Expo ciberseguridad
byLuisFranciscoLopez4
 
PPTX
Kalilinux
byhaha loser
 
PPT
2. introduction to linux
byMohd yasin Karim
 
PDF
Introduction to linux
byPT Lotus Indah Textile Industries
 
PDF
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
byJames Morris
 
PPTX
Kwort Linux 4.3 the new stable version is released
byLinux Training Chennai
 
PDF
Olf2012
byDru Lavigne
 
PDF
Self2013
byDru Lavigne
 
Apache
byFathima Ashraf
 
Elastix4.0 High Availability without ElastixHA module
byHani Perkasa
 
FreeBSD is not Linux
byMuhammad Moinur Rahman
 
FreeBSD and Hardening Web Server
byMuhammad Moinur Rahman
 
Hackweek 20 Open Door - Support Windows clients in Uyuni/SUSE Manager
byPau Garcia Quiles
 
Operating Systems: A History of Linux
byDamian T. Gordon
 
Introduction to “X86 PCC Software”
byHermesDDS2015
 
Terminal Access Controller
byKHNOG
 
Distro Recipes 2013 : Introduction to Arch Linux: a simple, rolling-release d...
byAnne Nicolas
 
Linux Kernel Development
byLinuxCon ContainerCon CloudOpen China
 
Fosscon2013
byDru Lavigne
 
Linux
byprateek arora
 
Expo ciberseguridad
byLuisFranciscoLopez4
 
Kalilinux
byhaha loser
 
2. introduction to linux
byMohd yasin Karim
 
Introduction to linux
byPT Lotus Indah Textile Industries
 
Have You Driven an SELinux Lately? - An Update on the SELinux Project - OLS ...
byJames Morris
 
Kwort Linux 4.3 the new stable version is released
byLinux Training Chennai
 
Olf2012
byDru Lavigne
 
Self2013
byDru Lavigne
 

Similar to Linux Server Security and Hardering

ODP
SELinux Basic Usage
byDmytro Minochkin
 
PPTX
selinuxbasicusage.pptx
byPandiya Rajan
 
PPT
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 
ODP
SELinux for Everyday Users
byPaulWay
 
PDF
Securing & Optimizing Linux the Hacking Solution (v.3.0)
by- Mark - Fullbright
 
PPTX
linux_admin_course_full_for beginers.pptx
bytejas2429
 
PDF
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
byShawn Wells
 
PDF
Administer and Secure Enterprise Linux 2021st Edition Russell Overton
byanibeakatira
 
ODP
Introduction To Linux Security
byMichael Boman
 
PDF
Linux Hardening - nullhyd
byn|u - The Open Security Community
 
PDF
Remote security with Red Hat Enterprise Linux
byGiuseppe Paterno'
 
PDF
کارگاه امنیت با عنوان Stop Disabling SElinux
byجشنوارهٔ روز آزادی نرم‌افزار تهران
 
PPTX
Linux security
bytrilokchandra prakash
 
PDF
Stop disabling SELinux!
byMaciej Lasyk
 
PDF
The Right Way to Patch Management for Linux - JetPatch.pdf
byJetPatch
 
PPTX
11 - SELinux in Red Hat
byShafaan Khaliq Bhatti
 
PDF
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
byYusuf Hadiwinata Sutandar
 
PPT
Linux Security
bynayakslideshare
 
PDF
Step by-step installation of a secure linux web dns- and mail server
byIntegrated Circuit Design Research & Education Center (ICDREC)
 
PDF
4 effective methods to disable se linux temporarily or permanently
bychinkshady
 
SELinux Basic Usage
byDmytro Minochkin
 
selinuxbasicusage.pptx
byPandiya Rajan
 
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 
SELinux for Everyday Users
byPaulWay
 
Securing & Optimizing Linux the Hacking Solution (v.3.0)
by- Mark - Fullbright
 
linux_admin_course_full_for beginers.pptx
bytejas2429
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
byShawn Wells
 
Administer and Secure Enterprise Linux 2021st Edition Russell Overton
byanibeakatira
 
Introduction To Linux Security
byMichael Boman
 
Linux Hardening - nullhyd
byn|u - The Open Security Community
 
Remote security with Red Hat Enterprise Linux
byGiuseppe Paterno'
 
کارگاه امنیت با عنوان Stop Disabling SElinux
byجشنوارهٔ روز آزادی نرم‌افزار تهران
 
Linux security
bytrilokchandra prakash
 
Stop disabling SELinux!
byMaciej Lasyk
 
The Right Way to Patch Management for Linux - JetPatch.pdf
byJetPatch
 
11 - SELinux in Red Hat
byShafaan Khaliq Bhatti
 
LOUCA23 Yusuf Hadiwinata Linux Security BestPractice
byYusuf Hadiwinata Sutandar
 
Linux Security
bynayakslideshare
 
Step by-step installation of a secure linux web dns- and mail server
byIntegrated Circuit Design Research & Education Center (ICDREC)
 
4 effective methods to disable se linux temporarily or permanently
bychinkshady
 

Recently uploaded

PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PPTX
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 

Linux Server Security and Hardering

  • 1.
    Linux Server Securityand Hardering Antonio C. Vélez Báez 24, october 2018
  • 2.
    ABOUT ME ... •Antonio C. Vélez Báez • OSCP, RHCE, RHCSA-RHOS, Linux+ • Vidalinux.com Founder • OVOX LLC. Co-Founder • Red Hat Certified Instructor and examiner • Red Hat Certified Training Center • First Linux distribution made in Puerto Rico https://en.wikipedia.org/wiki/VidaLinux • Email: [email protected] • Website: www.vidalinux.com
  • 3.
    MYTHS ABOUT LINUXSECURITY • Linux is invulnerable and virus-free. • Virus writers do not target Linux because it has a low market share. • Windows malware cannot run on Linux. • On Linux you install software from software repositories, which contain only trusted software. • I don't need a firewall because Linux has no open ports by default.
  • 4.
    VULNERABILITIES STATS Linux kernelVulnerabilities Stats 1999 - present Vulnerabilities Stats by Vendor 1999 - present source: https://www.cvedetails.com
  • 5.
  • 6.
    TOP VULNERABILITIES • DirtyCow: CVE-2016-5195 (Privilege escalation vulnerability) • Heatbleed: CVE-2014-0160 (OpenSSL library vulnerability) • Shellshock: CVE-2014-6271 (GNU Bash Remote Code Execution Vulnerability) • Glibc: CVE-2015-7547 (getaddrinfo stack-based buffer overflow) • VENOM: CVE-2015-3456 (security vulnerability in the virtual floppy drive code) • Misconfiguration of Enterprise Services NIS/NFS • Misconfiguration of Simple Network Management Protocol (SNMP) • User account weak password • Application vulnerabilities • No updates or OS end-of-life
  • 7.
  • 8.
    NFS MISCONFIGURATION If no_root_squashis used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute
  • 9.
    ENTERPRISE LINUX Red Hatoffers subscription services for each major release of Red Hat Enterprise Linux throughout four life-cycle phases—called Full Support, Maintenance Support 1, Maintenance Support 2, and an Extended Life Phase.
  • 10.
    ENTERPRISE LINUX LTS or‘Long Term Support’ releases are published every two years in April. LTS releases are the ‘enterprise grade’ releases of Ubuntu, and they are much more heavily used (something like 95% of all Ubuntu installations are LTS releases).
  • 11.
    LINUX SEC ADVISORIES Atthe OS level, major distro vendors regularly publish details on security issues with their platform. Examples include: • https://access.redhat.com/security/ • https://www.suse.com/support/security/ • https://www.ubuntu.com/usn/ • https://security.gentoo.org/glsa • https://security.archlinux.org/ • https://www.debian.org/security/
  • 12.
    DISK PARTITIONS Servers shouldhave separate file systems for /, /boot, /usr, /dev, /var, /tmp, and /home.
  • 13.
    POST INSTALLATION • Installlatest updates • Terminate unauthorized users • Identify and shut down unused daemons • Set firewall rules • Disable USB devices • Set GRUB boot loader password • Configure root user timeout
  • 14.
    ACCOUNTS & PASSWORDS •Unused Accounts • Enabling Password Aging • Stronger Password Enforcement • Restricting Use of Previous Passwords • Locking User Accounts After Too Many Login Failures • Set password expiration
  • 15.
    FILE PERMISSIONS • SUID/SGIDFiles • World-Writable Files • Orphaned or Unowned Files
  • 16.
    SSH SECURITY • Configureidle timeout interval • Limit users for ssh access • Disable password login • Disable root login • Disable empty passwords • Use public/private keys for authentication • Display login Banner • Change default port
  • 17.
    KERNEL SECURITY • DisableIP Forwarding (also known as Internet routing) net.ipv4.ip_forward parameter = 0 • Disable the Send Packet Redirects (send routing information to other hosts) net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 • Ignore all to ICMP (ping) net.ipv4.icmp_echo_ignore_all = 1 • Enable Bad Error Message Protection (alert about error messages in network) net.ipv4.icmp_ignore_bogus_error_responses = 1 • Enable IP spoofing protection (packets which claim to be from another host) net.ipv4.conf.all.rp_filter = 1 https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
  • 18.
    SELINUX SELinux disable SELinuxenable SELinux, Security-Enhanced Linux, is an additional method to protect your system. SELinux is a set of security rules that determine which process can access which files, directories, ports, etc. Every file, process, directory and port has a special security label called SELinux contexts. A context is simply a name that is used by the SELinux policy to determine whether or not a process can access a file, directory or port.
  • 19.
    PHP SECURITY • disable_functions= exec,system,shell_exec,passthru • register_globals = Off • expose_php = Off • display_errors = Off • track_errors = Off • html_errors = Off • magic_quotes_gpc = Off
  • 20.
    APACHE INFO LEAKAGE •ServerTokens Prod • ServerSignature Off • TraceEnable Off • Header unset ETag • FileETag None • Header always unset "X-Powered-By" • Header unset "X-Powered-By"
  • 21.
    MODSECURITY ModSecurity is aweb application firewall for the Apache web server. In addition to providing logging capabilities, ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. ModSecurity also operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.
  • 22.
    MODEVASIVE Mod Evasive isan evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities.
  • 23.
    BAN SUSPICIOUS HOSTS •Fail2ban • SshGuard • Denyhosts • HeatShield • Portknocking
  • 24.
    SCANNER AND AUDITING •Lynis • Logwatch • Nmap • Openscap • Metasploit • Nikto • Nessus • OpenVAS
  • 25.
  • 26.
  • 27.