

SUSE® Linux Security Essentials (TUT91122)

Craig Lamparter, Linux Systems/Software Engineer

Hewlett Packard Enterprise / craiger@hpe.com

Thomas Biege, Team Lead Maintenance Security, CSSLP

SUSE / thomas@suse.de

Source: http://xkcd.com/936


Tech security is the new global battlefield. Successful campaigns are broken into winning:

Strategies (Thomas)

and

Tactics (Craig)


Security Strategies (a real-life example)


When you have been in the business for more than one and a half decades, you might think "I have seen it all."


... and then...


Denial! Fear! Panic!


You can start to clone yourself, work at weekends, stop sleeping, but...


... better plan ahead and have a strategy for the next time.


Lessons learned 1/2

We need an emergency plan!
• rules/process to identify a "highly visible vulnerability" beforehand
• adjusting our update process
• "crisis communication manager"
• ONE communication channel
• coordination team
• SLA/SLC

Facts don't count: if customers are in a panic, they want a patch! Now!


Lessons learned 2/2

First we focused on fast updates
• involved several teams and departments in R&D
• direct 1:1 communication
• SLA/SLC

... but we quickly learned that communication (internal and external) is at least equally important:

• involved product management, marketing, customer care/support, sales

• created high-level communication plan + team

What about Business Continuity Management?


[Organisation chart: Steering Committee; Management Team; Customer Care, TID; Updates/PTFs; Web, Social Media, SCC; Product Management; Secure and reliable Infrastructure]


What does our strategy look like?

High-level plan, involves all responsible persons to:
• ensure information flow to the affected persons within the company
• create dedicated web sites, banners, etc.
• update customer care/support web sites (TID, SCC)

Improved update process
• reduce delivery time (we are ~9 times faster now!)
• keep stakeholders up to date

Ensure a stable and secure infrastructure to deliver updates and information fast and reliably. We also formed an emergency task force to deliver updates even faster in the future.


Security Tactics


Tactical Security: How would you attack a system?

Port scan ssh/22: nmap -O <ip-address> (guess the OS behind the IP address)

Ports 1024 and below have root behind them

Ideally be a black hole (hard to do if you're a server)

Brute-force a port (ssh, ftp) that has authentication behind it

SQL injection to get /etc/passwd (or /etc/shadow!)

Use an off-the-shelf rootkit to exploit known vulnerabilities


Tactical Security: How would you attack a system?

root@pc:/home/craiger# nmap -O bpi

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 12:59 PDT
Nmap scan report for bpi (192.168.1.128)
Host is up (0.00019s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 02:D4:0A:01:9C:BB (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=9/19%OT=22%CT=1%CU=35660%PV=Y%DS=1%DC=D%G=Y%M=02D40A%T
OS:M=57E04411%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10E%TI=Z%CI=I%TS=7

What OS is running here?


Tactical Security: Your listening ports

root@bpi:~# netstat -npvat | grep LISTEN

Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  481/rpcbind
tcp        0      0 127.0.1.1:53     0.0.0.0:*        LISTEN  943/dnsmasq
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  646/sshd
tcp        0      0 0.0.0.0:53599    0.0.0.0:*        LISTEN  569/rpc.statd
tcp6       0      0 :::111           :::*             LISTEN  481/rpcbind
tcp6       0      0 :::80            :::*             LISTEN  882/apache2
tcp6       0      0 :::33525         :::*             LISTEN  569/rpc.statd
tcp6       0      0 :::22            :::*             LISTEN  646/sshd
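Reading a netstat listing by eye works for one box; across a fleet you want the same review automated. The following is an added example, not code from the slides or from either author: it parses the LISTEN lines shown above (embedded here as a constructed sample), separates services bound to every interface (0.0.0.0 or ::) from loopback-only ones, and marks the low ports the slide describes as having root behind them. The netstat column layout is assumed to match the output above.

```python
"""Parse `netstat -npvat` LISTEN lines and flag services exposed on all interfaces."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto ip port pid program exposed privileged")

# Constructed sample: the LISTEN lines shown on the slide, one per line.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  481/rpcbind
tcp        0      0 127.0.1.1:53     0.0.0.0:*        LISTEN  943/dnsmasq
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  646/sshd
tcp        0      0 0.0.0.0:53599    0.0.0.0:*        LISTEN  569/rpc.statd
tcp6       0      0 :::111           :::*             LISTEN  481/rpcbind
tcp6       0      0 :::80            :::*             LISTEN  882/apache2
tcp6       0      0 :::33525         :::*             LISTEN  569/rpc.statd
tcp6       0      0 :::22            :::*             LISTEN  646/sshd
"""

# Assumed column order: proto, Recv-Q, Send-Q, local, foreign, state, pid/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)

# Wildcard binds: the service answers on every interface, not just loopback.
WILDCARDS = {"0.0.0.0", "::"}


def parse_netstat(text):
    """Return one Listener per LISTEN line; the header and non-matching lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _, port = m.group("local").rpartition(":")   # ":::80" -> ("::", "80")
        port = int(port)
        listeners.append(Listener(
            proto=m.group("proto"), ip=ip, port=port,
            pid=int(m.group("pid")), program=m.group("prog"),
            exposed=ip in WILDCARDS,
            privileged=port < 1024,   # the slide's point: low ports have root behind them
        ))
    return listeners


def exposed_services(text):
    """Sorted, de-duplicated (port, program) pairs reachable from the network."""
    return sorted({(l.port, l.program) for l in parse_netstat(text) if l.exposed})


def review(text):
    """One finding line per exposed listener, for a human to read."""
    lines = []
    for port, prog in exposed_services(text):
        tag = "privileged" if port < 1024 else "unprivileged"
        lines.append(f"{port:>5}/{prog}: listening on all interfaces ({tag} port)")
    return lines


if __name__ == "__main__":
    print("\n".join(review(SAMPLE_NETSTAT)))
```

On the slide's host this reports sshd, apache2, rpcbind and the two rpc.statd ports as network-reachable, while dnsmasq on 127.0.1.1 is loopback-only and is not listed. The rpc.statd ports are a good illustration of why the review matters: they are dynamically assigned, so a static firewall rule set will not know them unless the service is pinned to a fixed port or blocked outright.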


Tactical Security

How do you know if you're being attacked?

Look in /var/log/auth.log, messages, syslog

Example brute-force dictionary attack for root ssh access in progress:
Nov 21 08:59:48 people sshd[35491]: Failed password for root from 60.173.9.184 port 8832 ssh2
Nov 21 08:59:48 people sshd[35491]: Received disconnect from 60.173.9.184: 11: Normal Shutdown, Thank you for playing [preauth]

(these are actual attacks on HPE servers)


Tactical Security

How do you prevent attacks?

Active countermeasures: several programs tail authentication logs for a variety of protocols

fail2ban - http://www.fail2ban.org
- Watches ssh, apache, ftp and other logs for brute-force attempts.
- x failed attempts over y minutes wins you your own iptables rule!

iptables -A INPUT -p tcp -m tcp -s <attackerIP> -j DROP
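The rule fail2ban applies is simple; the interesting part is the decision that precedes it. As an added example (not fail2ban's code and not from the slides), the block below implements the "x failed attempts over y minutes" logic with a sliding window per source address, run over constructed auth.log lines in the format shown on the previous slide (addresses from the RFC 5737 documentation ranges). It returns the iptables rule from the slide as a string for review rather than executing it; the year is supplied by the caller because syslog timestamps do not carry one.

```python
"""fail2ban-style detection: count sshd password failures per source IP in a sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format shown on the slide (documentation addresses).
SAMPLE_AUTH_LOG = """\
Nov 21 08:30:10 people sshd[35200]: Failed password for craiger from 198.51.100.7 port 51022 ssh2
Nov 21 08:59:48 people sshd[35491]: Failed password for root from 203.0.113.5 port 8832 ssh2
Nov 21 08:59:48 people sshd[35491]: Received disconnect from 203.0.113.5: 11: Normal Shutdown, Thank you for playing [preauth]
Nov 21 08:59:49 people sshd[35493]: Failed password for root from 203.0.113.5 port 8840 ssh2
Nov 21 08:59:50 people sshd[35495]: Failed password for invalid user admin from 203.0.113.5 port 8851 ssh2
Nov 21 08:59:51 people sshd[35497]: Failed password for root from 203.0.113.5 port 8860 ssh2
Nov 21 08:59:52 people sshd[35499]: Failed password for root from 203.0.113.5 port 8871 ssh2
Nov 21 09:00:03 people sshd[35501]: Failed password for root from 203.0.113.5 port 8880 ssh2
Nov 21 09:10:10 people sshd[35600]: Accepted publickey for craiger from 198.51.100.7 port 51030 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user admin".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_syslog_time(stamp, year):
    """Syslog stamps carry no year; the caller supplies it (assumption: one year per file)."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def find_brute_force(lines, threshold=5, window_minutes=10, year=2016):
    """Return {ip: timestamp of the failure that crossed the threshold}.

    Mirrors the fail2ban rule on the slide: x failed attempts over y minutes.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_syslog_time(m.group("ts"), year)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_minutes * 60:   # expire old failures
            q.popleft()
        if len(q) >= threshold and ip not in banned:
            banned[ip] = ts
    return banned


def ban_rule(ip):
    """The iptables rule shown on the slide, returned as text for an admin to review/apply."""
    return f"iptables -A INPUT -p tcp -m tcp -s {ip} -j DROP"


def firewall_rules(lines, **kw):
    return [ban_rule(ip) for ip in sorted(find_brute_force(lines, **kw))]


if __name__ == "__main__":
    for rule in firewall_rules(SAMPLE_AUTH_LOG.splitlines()):
        print(rule)
```

With the defaults, 203.0.113.5 crosses five failures at 08:59:52 and gets a rule; 198.51.100.7, with a single typo followed by a successful key login, does not. Tune threshold and window together: a low threshold with a long window catches slow scans but also locks out a colleague who fat-fingers a password a few times, which is the usability/security trade-off the Prevention slide mentions.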


Tactical Security

How do you know if you've been hacked already?

Rootkits overwrite the ls, ps and top commands with binaries that won't show the rootkit.

Less obvious ways to detect a rootkit, which hackers might overlook:
● rpm -Va
.M5....T /bin/ls
missing /var/spool/at/.lockfile
missing /var/spool/at/spool

● debsums zip
/usr/bin/zipsplit OK
/usr/bin/zipcloak OK

● Tripwire/AIDE - Advanced Intrusion Detection Environment (same as above, but with offsite database)

● TIGER - scans for known common vulnerabilities, suid root, file perms
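rpm -Va and debsums compare files against the package database on the same host, which a rootkit can also edit; Tripwire and AIDE keep their own baseline, ideally off the box. The following is an added example, not code from AIDE, Tripwire or the slides: it builds a baseline of SHA-256 hashes, permission bits and sizes for a directory tree, stores it as JSON, and on a later run reports changed, missing and added files. The demo() function constructs a throw-away tree and then makes the same kinds of changes the rpm -Va output above shows (a modified /bin/ls, a missing lockfile) plus a new hidden file, so the report can be checked; paths and contents are constructed for the example.

```python
"""AIDE/Tripwire-style file integrity check: hash a tree, store the baseline, compare later."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its hash, permission bits and size."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, sockets, devices
                continue
            baseline[os.path.relpath(path, root)] = {
                "sha256": file_digest(path),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep this copy somewhere the host cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(baseline, f, sort_keys=True, indent=1)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report what differs from the baseline: modified, missing and new files."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a toy tree, alter it the way the slide's findings
    look (replaced bin/ls, missing lockfile, new hidden file), and return the report."""
    work = tempfile.mkdtemp(prefix="integrity-demo-")
    root = os.path.join(work, "tree")
    db = os.path.join(work, "baseline.json")       # outside the tree being checked
    try:
        for rel, data in {
            "bin/ls": b"#!/bin/sh\necho original ls\n",
            "bin/ps": b"#!/bin/sh\necho original ps\n",
            "var/spool/at/.lockfile": b"",
        }.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        save_baseline(build_baseline(root), db)

        # Changes the next scan should catch (constructed for the demo).
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced ls\n")
        os.remove(os.path.join(root, "var/spool/at/.lockfile"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"x")

        return compare(load_baseline(db), build_baseline(root))
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production the baseline is taken right after installation, signed or copied off-host, and compared on a schedule. The check is only as trustworthy as the kernel it runs on: a rootkit in kernel space can feed the hashing process the original file contents, which is why the Prevention slide pairs integrity checking with Secure Boot and keeping attackers out of firmware and kernel space.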


Tactical Security

Prevention
● documented security policy; validate implementation with automated audits
  ● TIGER is good at automating audits
● Minimize damage with UEFI Secure Boot
  ● Keep hackers out of firmware, boot environment and kernel space
● SELinux, mandatory access controls, ports/files
  ● SELinux is an extreme measure of security
  ● usability and security vary inversely
● Active countermeasures
  ● Fail2ban
  ● iptables firewall
    ● single best defense against network attacks
    ● drop/reject packets from specific networks on specific ports


Don't forget application security!



Source: http://xkcd.com/327/


Firewall

# Simple iptables example. Allow "RELATED" traffic in, and ssh/http

## allow everything from local subnet
iptables -A INPUT -p tcp -m tcp -s 192.168.1.1/24 -j ACCEPT # all wlan
iptables -A INPUT -p udp -m udp -s 192.168.1.1/24 -j ACCEPT # all wlan

## Create chain which blocks new connections, except if coming from usb0 or lo
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i lo -j ACCEPT
iptables -A block -j DROP

## Allow port-specific traffic
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # ssh from everywhere
iptables -A INPUT -p tcp -m tcp --dport 22 -s 192.168.1.1/24 -j ACCEPT # ssh from wlan
iptables -A INPUT -p tcp -m tcp --dport 22 -s 69.163.129.35 -j ACCEPT # ssh from proty.dreamhost.com
iptables -A INPUT -p tcp -m tcp --dport 22 -s 16.0.0.0/8 -j ACCEPT # ssh from CPQ
iptables -A INPUT -p tcp -m tcp --dport 22 -s 15.0.0.0/8 -j ACCEPT # ssh from HP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # web server from anywhere

## Enable ping replies through ppp0 or eth0
#iptables -A OUTPUT -p icmp -o eth0 --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp -i eth0 --icmp-type echo-reply -j ACCEPT

## Otherwise, jump to the 'block' chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

Questions?

Craig Lamparter, Linux Systems/Software Engineer

Hewlett Packard Enterprise / craiger@hpe.com

Thomas Biege, Team Lead Maintenance Security, CSSLP

SUSE / thomas@suse.de
