Welcome, and thank you for joining our webinar today, "Expert Tips and Techniques for Closing Unix/Linux Security Gaps," featuring guest speaker, information security trusted adviser, Ron Warner. You're also joined by BeyondTrust's David Grins, and after Ron's portion David will run us through a brief overview and demo, if we have time, of the BeyondTrust PowerBroker server suite.

My name is Sarah, your webinar host today. Hello, everybody. A kind reminder to please submit your questions via the GoToMeeting console any time throughout the webinar, and we will cover your questions at the end during our Q&A time. You'll find it on the right side of the console, in the little questions section, and you can go ahead and submit your questions throughout. Also, today's session is being recorded, and you will receive a follow-up email containing links to the recording and the slides shown here today within one to two business days from now. Additionally, the slides can be downloaded right now via the handout section in the GoToWebinar console. Additionally, if you are attending for CPE credits and have an ISACA account, you can download the attendance verification document in the handouts section now in order to submit proof that you attended today's session. So please note that you're responsible for reporting your own CPE hours earned to ISACA. Okay, now that all of the housekeeping items are out of the way, let's hand it on over to Ron, who's going to jump right in.
Ron, you ready to take on this crowd today, or what?

Let's do it. Sir, thank you so much, great intro. Good morning, good afternoon, good day to you all. Thank you for joining me on this adventure through Linux security. I'm Ron Warner. A couple of quick facts about me related to this talk. First of all, early in my career I actually worked with Thompson and Ritchie; they're the guys who created UNIX at AT&T Bell Labs. I grew up in New Jersey, so it's easy to get a job there, and I ended up meeting and working with them, which was awesome. Second of all, I actually created my first UNIX security checklist in 2000. Back in the day, as Linux/UNIX sysadmins we didn't have a separate security department; we wanted to secure our stuff, so we learned how to do it ourselves. So I did it, created a checklist, and actually this talk is based on it. While the commands have changed, the concepts and process haven't.

So what are we doing here? Well, the majority of internet web systems run on some form of Linux. Are they all sufficiently secure? Good question. That's what I'm here to talk with you about today: the process and some of the commands to lock down Linux systems. My objective is to provide you with some nuggets on how to secure Linux systems in your world. There are many different flavors of Linux; the different OSes are called flavors, which you see on the screen. I'm fairly agnostic when it comes to my favorite. In this talk I'll be using Ubuntu, mainly because that's the easiest for me to run on my VM, but you might just have a different one that you use at your home or with your work. So pick the flavor that you want to use and learn the commands specific to it, because there are some differences, which I'll be showing through this talk.

During the next 30 minutes or so I'll be providing you with the process for setting a secure baseline for your Linux systems. I'll address common issues with what's called I-quadruple-A: identity, access, authentication, authorization and auditing, and finish with some ideas on how to automate. There are a lot of manual techniques; wouldn't it be nice if we could just automate what we're doing and then ship it out to all of the Linux systems in our environment? I have a lot to cover, and we'll be moving very quickly. Some of the things I'll be glossing over in the interest of time, so I can spend time on the good stuff. If you have questions, please ask through the chat.

A few caveats to start. First of all, if we have any UNIX sysadmins who have been around for a while, some of these things are gonna seem like, "Oh, duh, Captain Obvious." What we miss is the basics, the basic blocking and tackling, to use a football term, the basics of how to dribble a basketball. We need to make sure we're covering those basics; we shouldn't just assume that they are being done. So I have this phrase that I use called "check your assumptions," CYA; no, not that CYA. So don't just assume you're doing the basics; actually go through and make sure that they are all being accomplished.

A few more caveats. Your mileage may vary. This is a security checklist that I have; I'm providing you with food for thought. The choice is up to you as to what you do. The idea is to balance security with usability and functionality. I'm not going to be able to cover everything. I have this feeling someone's gonna come back and say, "you missed this," and I'll probably be like, yeah, I know. This is to give you a structure for securing Linux systems, whether it's Ubuntu, Fedora, Red Hat, SUSE, you name it. This is basically based on precedence of risk in terms of the order, which you'll see here in a moment. As always, this is one of the top security mantras: trust but verify. Don't trust anything I say, but verify it. Go and check your own security checklists with your Linux sysadmins, go through your own due diligence, and test.

A couple of others. I'll be demoing, if I have time for a demo; I'll be demoing using Ubuntu. Other Linux flavors are similar; your mileage, again, may vary. If you see the Courier New font, that means it's a Linux command and you should be able to type it into a command prompt. I'll be running some of these as root or using the sudo command. Try not to use su. Sometimes it's just, "sure, if I do." Warning: you're running very dangerously if you run as root. Try to run with minimal privileges. Also, old school: I've been running UNIX for well over 25 years. Anyway, I like the terminal command line rather than a GUI. I still use vi; you can use vim, gedit or nano if you want. And then I do have references throughout and at the end.

All right, let's jump into my checklist here. These are the top things you should consider doing when securing a Linux system. I put it as a top 10: 10 high-level steps. I'll be walking through each of these steps through this presentation. I just wanted to provide you with this high-level overview of what we'll be covering over the next few minutes. So let's dive right in.
Start with number 1, inventory. Inventory is step number 1 for the NIST Cybersecurity Framework and for the Center for Internet Security controls. Know what you have for hardware, know what you have for software, know where your data is. Be able to answer who: who has access to your systems? What are your systems used for? Where are they, where are they physically and where are they on your network? Why are they even around, what use are they? You've got to know what you've got to know how to secure it. You might have to map out your network. I recommend using a CMDB, a configuration management database. Sometimes you can automate it; sometimes it's just a simple spreadsheet with the machine name, function, IP addresses, MAC addresses, and who's responsible.

Often a question I will receive, though, is how do I generate a secure IT infrastructure inventory? This screen shows some tools over on the left-hand side. These are ones that I found through my exploration, and your mileage may vary. Some of them are free, some are pay-for, but this is just to give you an idea of inventory systems. You also see on your screen Zenmap and Nmap. Nmap is one of those tools that should be in every IT and security person's tool bag; it should be on your thumb drive, should be one you always keep up to date and have readily available. I use it to map out my home network, making sure my kids haven't attached anything they shouldn't; I use it to make sure my neighbors aren't attaching to my Wi-Fi, etc. I know what I have on even my home network. You can leverage this on a work network as well, just to create a software inventory and hardware inventory of the different systems, along with the operating systems available. There are a lot of commands available through nmap. If you're a GUI person, you can use Zenmap as well. So that's inventory.
Step 2: command line. Get comfortable with the Linux command line and the editors. Most commands for securing the system are run from a Linux command prompt rather than a GUI; it's much more efficient, plus it's easier to script out. I'll talk about automation at the end of this talk. If you're learning Linux, find a good Linux command cheat sheet. I actually have links through the slides where you can find some cheat sheets of common Linux commands. One of my favorite commands that I use on Linux and UNIX is the man command. The man command is your friend. No, it's not sexist; it's short for manual. It gives you the manual for the commands on Linux and shows you the exact syntax of other commands. So on your screen I just did a man of man to kind of give you the idea. Yeah, running as root: I've already talked about being very careful when doing it. You'll see I often provide the actual command prompt for each of these steps. Next step.
Now we're getting into actual security: secure the BIOS with your system. So when you're initially installing a Linux system you should take the following steps to protect the underlying hardware and system drives. First, protect the BIOS. This is when the system, your operating system, is initially booting; it's the basic input/output system. So you want to lock that down on the host with a bootloader password. I'll be discussing this a little bit later on, as this reduces the risk to the underlying infrastructure from accidental or malicious changes. Now some of you might say, well, my Linux servers, they're all physically secured. This provides that belt-and-suspenders if for some reason physical security is compromised and they get at your physical server. You want to make sure they can't just boot up into direct root access on the console to the system; that bootloader password protects the underlying infrastructure. You should also consider encrypting the hard drive using Logical Volume Manager. Again, if for some reason the hard drive is compromised, you know it is encrypted. Also, when you're removing the system from inventory, if it's pre-encrypted, once you get rid of the keys, theoretically that's a good way to clean up the back-end hard drive. You might also want to scrub it other ways, and I like belts and suspenders with my Linux systems.

Next step, under step 3, is partition the system disks. Create separate system file directories for your root drive, /boot, /usr, /opt, /var, /home, /tmp. This is for both performance as well as security. Then there's USB drives. If they're not going to be used, disable the port. Don't even allow someone to even accidentally plug in a USB drive. It's physical security followed by logical security: if anyone tries to plug in a USB into a port on your Linux system, it won't work. Now you might just come back and say, well, what if I need it? You can always re-enable it. In my back-end notes I actually have some of the commands on how to do this that I'd be happy to share later, but in the interest of time I'm just gonna keep moving forward.
Step 4: system updates. Again, it's a basic step for security, but you'd be surprised. So do me a favor, take out your smartphone. Most likely your smartphone is running some type of back-end flavor of Linux, particularly if it's Android. Anyways, is your smartphone 100% up to date, the operating system? How about all of your applications? Yeah, that's my point. Sometimes we're not as up to date as we think we may be, so this may seem a Captain Obvious moment. So updating the operating system is a fundamental security step. It's often the quickest, easiest way to reduce vulnerabilities and the system's threat surface. For package installation, use one of the commands based on your Linux distribution. So, like, apt-get is used within Debian, Ubuntu, Linux Mint. You might be using rpm if you're on Red Hat, or yum. DNF, Dandified Yum, is on Fedora. Arch Linux has pacman, or zypper on openSUSE. So find the package manager that fits your distribution and learn how to use it.

The second part: so once you've updated it (so update, and I'll show some commands on how to update on my next slide), the second part of the step is to remove anything that you don't need. Remove any unnecessary software packages that aren't being used. Linux servers are traditionally single-purpose systems; having additional software weighs them down and presents a potential security liability. It keeps your threat footprint as small as possible. So get rid of stuff if you don't need it. I'll try to show the commands on how to do this a little bit later on.

How do you update on Linux, on Ubuntu? Here are some of the commands, just as the example, using apt-get. The different other flavors of Linux that use, say, rpm or yum, it's very similar. So apt-get update to update the system, or upgrade. List all available packages: apt-cache is one of those commands you can use to see what's been cached within this operating system. You can use it to search, so searching for particular applications. So if you want to remove any unnecessary ones, you can view them first using apt-cache, then search, checking your package information: apt-cache show and then that particular package, in this case the package netcat, provides all of the details associated with netcat.

Moving forward on to step 5. A little bit later on I'll try to show some of these through a demo, but in the interest of time I'm just going to keep trucking along.
Another simple step to securing the underlying operating system is to install mandatory access control on the kernel. This protects the host system from being compromised. You can use one of two tools, either SELinux or AppArmor; I'll talk about both here in a moment, but they isolate applications from interacting or interfacing with each other. Each also allows more control over access. If you're studying for a security certification like CISSP or Security+, you need to know the difference between MAC and DAC: mandatory access control, meaning it's enforced, versus discretionary access control, or DAC, meaning it's up to the systems administrator, it's up to the end user. This enforces MAC within the Linux operating system. I found AppArmor is a little bit easier to install and configure, so that's the one I tend to use. Note you cannot have both running at the same time.

Let me explain a little bit about SELinux, and again, I've provided some links on the screens and on your slides where you can go to learn more, because that's part of my intent through this presentation: to give you nuggets and to encourage you to learn more about the Linux operating system. As previously mentioned, SELinux is a mandatory access control, or MAC, system. It was actually developed by the NSA. It replaces DAC, discretionary access control, common on most Linux systems. SELinux and MACs resolve the issues of mandatory access control; it resolves the issue by confining privileged processes and automating security policy creation. SELinux defaults to denying anything that is not explicitly allowed, so note that if you were running SELinux you could accidentally cause your own denial of service, because it denies anything that you don't allow. So you'll need to specifically allow things through SELinux. SELinux uses two global modes: permissive and enforcing. Permissive mode allows the system to function like a discretionary access control system while logging every violation to SELinux, so it'll allow but just provides logging; that's more like an intrusion detection system rather than intrusion protection. The enforcing mode enforces a strict denial of access to anything that isn't explicitly allowed. To explicitly allow certain behavior on a machine, you as the sysadmin have to write policies that allow it. I could spend a lot more time just on SELinux and locking it down. This is one of those tools and applications that, as a security or sysadmin on Linux systems, you should be familiar with. See Linode's Getting Started with SELinux guide to learn more about SELinux.

The other tool for mandatory access control that I briefly mentioned earlier is AppArmor. AppArmor is included by default with Ubuntu. It's similar to SELinux; while they work differently, both provide that MAC security. It in effect allows developers to restrict the actions processes can take, so you can't have a process that runs out of control or is used to perform some feature or function that it wasn't meant to be used for. It does run silently in the background, so you might not even be aware of what it's doing exactly. Some of the best security is the quiet security. AppArmor locks down vulnerable processes, restricting the damage that security vulnerabilities in these processes can cause. You can also use it to lock down applications like Firefox for increased security. So I'll run AppArmor to kind of put a sandbox around Firefox, so even if I go out to a malicious website by accident using Firefox on the Linux system, it really limits the damage through AppArmor. To view AppArmor status you can use sudo apparmor_status, or aa-status is the command. Go to the Ubuntu site to learn more about AppArmor, as well as How-To Geek; I provide their resource as well. By the way, I love How-To Geek; I'm always on that website learning about many different aspects of being a geek.
Moving forward with step 6. I briefly mentioned earlier about locking the boot directory. See, the Linux boot directory contains critical files related to the kernel, so you need to make sure that this directory is locked out, set to read-only permissions. This prevents accidental or malicious changes. To do this you can edit what's known as /etc/fstab, and I show the specific command on how to do that on your screen. You also want to look at password-protecting the GRUB bootloader. This restricts damage from physical or bootloader access; it works in line with the previous steps, step 3. You may especially need to do this with some older Linux OSes.

Another part of this step is disabling applications from starting. So in step 4 I talked about removing those packages you don't need, but let's say you still want to keep a package; you just want to make sure that it's not running by default. You have to explicitly allow it to start. Yeah, the concept here is you can use service --status-all to see what is running, what are all the different services running within your Linux system, and then remove it from starting within init.d. By the way, init.d links to the rc run-level directories, and the rc directories link to init.d; this is the directory within Linux that shows everything that'll auto-start. You can also disable items from automatically starting using the systemctl command, so it's systemctl, not "system control," but it's systemctl disable and then the name of the service is the command. So if you don't want your users to be using email from your Linux system, it should only be sending out email; no one should be using a Linux system to read email, for example. So I would use systemctl to disable email, to disable anyone from being able to read email on my Linux system.
Step 7. I told you we're gonna be rocketing through each of these steps: securing the network layer. So we were securing the base operating system; now we need to understand what is connecting to our Linux system. To view the hardware associated with the Linux system, that's the lshw -class network command; it displays the network configuration at the hardware level. Then you can use the basic ifconfig to see your IP addresses. A firewall won't necessarily stop everything, so you want to secure your network from the inside out, not solely rely on a firewall. Other steps you can take: create a default gateway, that way there are no other gateways that can be used for outgoing or incoming network communication to your Linux system. You do that by editing the /etc/network/interfaces file. If you're not familiar with Linux, by the way, the /etc, or "etsy," directory is where most of the configuration files reside. It's a good idea to get very familiar with what is contained within the /etc directory.

Another consideration for securing a network is DNS resolution. Traditionally the resolv.conf configuration file rarely needed to be changed, or was automatically changed by DHCP client hooks. So keep in mind, if you're looking at setting up your IP address, maybe you want to use a static IP address rather than dynamic. Do you really trust your DHCP server? That's part of the network configurations you should be considering as part of your Linux lockdown. For locking down and securing DNS, I recommend setting some specific DNS servers within your infrastructure. That way your Linux servers cannot... you're reducing that possibility of DNS poisoning if you're always pointing to your trusted DNS servers. The systemd-resolved service handles that name server configuration, and it should be interacted with through the systemd-resolve command. Netplan configures systemd-resolved to generate a list of name servers and domains that are automatically put into the resolv.conf file.

I also look to secure my network through disabling IP forwarding. This ensures that a server with multiple interfaces, for example a hardware proxy, so there are multiple NICs on the system, can never, will never be able to forward packets unless I explicitly allow it, and therefore can never serve as an inadvertent router. I also look to disable ICMP redirect acceptance; that way my Linux server cannot be used to maliciously craft ICMP redirect messages and cause a denial of service attack on my internal network. If ICMP redirects are not used on the network for route updates, and if the server is not acting as a router or gateway, then ICMP redirect send and accept should be disabled on your Linux system. Last is to ignore ICMP or broadcast redirects. That's by adding some specific lines in /etc/sysctl.conf, so that's /etc/sysctl.conf is the file. There are specific commands you want to add into your sysctl.conf to ignore ICMP requests and ignore broadcast requests. Also edit it to disable send packet redirects as well. And you can't rely on the firewall to do everything; there are certain ways to lock down your Linux server's network.

But speaking about a firewall, let's talk about firewalls briefly. First is the Uncomplicated Firewall that comes with Linux; you can make sure it's started. So ufw is the Linux system firewall; it provides that extra network protection. ufw is an interface for iptables; it offers an easier way to regulate incoming and outgoing traffic. You enable it with the ufw enable command. Depending on what you want to allow through, you can then change it as well; you see others on your screen. Linode again has another good article, this one on how to configure a firewall with ufw. If you're not familiar with it, check that out; review how to leverage ufw as one of the tools that are already in your toolkit you can use to secure your Linux system. iptables is the back end for ufw. You can also use it to secure your Linux networking configuration. To view what is currently allowed, it's the iptables -L command. iptables connections have specific responses, so you can choose one of these three responses for iptables. First is to accept: allow the connection. Second is to drop the connection, like it never happened. This is best if you don't want the source to realize your system even exists. You can use Nmap to trick firewalls to show that systems... you know whether they are accepting or rejecting packets. If packets are just dropped, then your back-end system won't even be seen through the firewall, so that's when you might want to use drop. The third option is reject: don't allow the connection, but send back an error. This is best if you don't want a particular source to connect to your system but you want them to know that your firewall blocked them.
More information about iptables is available from the How-To Geek article "Beginner's Guide to iptables."

Step 8: access and authentication. This step reduces the threat vectors associated with user-level or admin-level access on the Linux system. First part: review all the users established by default and disable or remove any that are not needed for the functionality of the systems. Make sure any users you do need have a password. What you can then do is use some type of a password vault for those passwords for any accounts that are required for systems administration; that's the admin-level accounts. Second step is to configure authentication. So if you install SELinux or AppArmor, this is included with those packages; if not, you'll need to modify the pluggable authentication modules, or PAM, configuration files found in /etc/pam.d. You can also use PAM with a centralized LDAP service. The
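Ron's step 6 and step 7 items (a read-only /boot entry in /etc/fstab, and the IP-forwarding and ICMP-redirect settings in /etc/sysctl.conf) are exactly the kind of checklist entries he suggests automating rather than inspecting by hand. The following is an added example written for this page, not code from the webinar, from Ron, or from BeyondTrust: a POSIX shell audit that reads a sysctl.conf-style file and an fstab-style file and reports where they deviate from that baseline. The sysctl keys are the standard Linux kernel parameters for those settings; the baseline values, the sample files, the PLACEHOLDER UUID and the function names are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the webinar: audit config files against the
# network-hardening (step 7) and read-only /boot (step 6) settings.

# Baseline of sysctl keys and the values the talk calls for (no forwarding,
# no ICMP redirects in or out, ignore ICMP broadcasts). Keys are the real
# Linux kernel parameters; the list itself is an assumed baseline.
HARDENING_BASELINE="net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1"

# audit_sysctl_conf FILE
# Prints one line per missing or wrong setting and returns the number of
# deviations, so a return of 0 means the file matches the baseline.
audit_sysctl_conf() {
    conf="$1"
    deviations=0
    for want in $HARDENING_BASELINE; do
        key=${want%%=*}
        value=${want#*=}
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        # sysctl accepts "key = value" with optional spaces; commented lines
        # do not count, and the last assignment wins, as with sysctl itself.
        got=$(grep -v '^[[:space:]]*#' "$conf" \
            | sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
            | tail -n 1)
        if [ -z "$got" ]; then
            echo "MISSING $key (want $value)"
            deviations=$((deviations + 1))
        elif [ "$got" != "$value" ]; then
            echo "WRONG   $key=$got (want $value)"
            deviations=$((deviations + 1))
        fi
    done
    return "$deviations"
}

# fstab_boot_readonly FSTAB
# Returns 0 when the /boot entry carries the ro mount option, 1 otherwise.
fstab_boot_readonly() {
    awk '!/^[[:space:]]*#/ && $2 == "/boot" {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample files (not from any real host) so the script runs offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_SYSCTL="$WORK/sysctl-weak.conf"
HARD_SYSCTL="$WORK/sysctl-hardened.conf"
WEAK_FSTAB="$WORK/fstab-weak"
HARD_FSTAB="$WORK/fstab-hardened"

cat > "$WEAK_SYSCTL" <<'EOF'
# constructed: a box that still routes and trusts ICMP redirects
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects=1
# net.ipv4.conf.all.send_redirects=0   (commented out, so not in effect)
net.ipv4.icmp_echo_ignore_broadcasts=1
EOF

cat > "$HARD_SYSCTL" <<'EOF'
# constructed: the same keys set as the baseline expects
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
EOF

# The UUID below is a placeholder, not a real volume id.
printf 'UUID=PLACEHOLDER-BOOT /boot ext4 defaults 0 2\n' > "$WEAK_FSTAB"
printf 'UUID=PLACEHOLDER-BOOT /boot ext4 defaults,nodev,nosuid,noexec,ro 0 2\n' > "$HARD_FSTAB"

# Demo run. On a real host you would point these at /etc/sysctl.conf and /etc/fstab.
echo "== weak sysctl =="
audit_sysctl_conf "$WEAK_SYSCTL" || echo "deviations: $?"
echo "== hardened sysctl =="
audit_sysctl_conf "$HARD_SYSCTL" && echo "matches baseline"
fstab_boot_readonly "$WEAK_FSTAB" || echo "weak fstab: /boot is not read-only"
fstab_boot_readonly "$HARD_FSTAB" && echo "hardened fstab: /boot is read-only"
```

The audit only reads files, so it can run from a non-root account as a pre-flight check before the values are applied; the commented-out send_redirects line in the weak sample is deliberately reported as MISSING, since a setting that is only present as a comment is not in effect.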