Linux Hardening By Michael Rebultan

Linux Hardening

</Michael “art” Rebultan> 27-January-2016

NULL Singapore @SMU

Lockdown

</AGENDA>

• Linux System Hardening and Audit

</OBJECTIVE>

• Know and understand the different ways to lockdown Linux Server and how to audit them in chillax mode.

</SCOPE>

• Getting to Know – 15min

• Intro to Information Security (Theory) 15min

• System Inventory (Hand-On) 15min

• Linux System Security (Hands-On) 30min

• Linux Network Security (Hands-On) 30min

• Auditing and Compliance (Hands-On) 30min

• Open Discussion (Theory/Demo) 15min

</OUT-of-SCOPE>

• HARDENING

SELinux, AuditD, Web, FTP, VPN, SAMBA, MAIL, Clustering, Docker, Dbase, Content Mgt, Proxy, VoIP, Virtualization, Subversion, etc…

</House Rules>

• Cell Phone on Silent Mode

• Food/Drink is to be shared

• Raise your hand for any question

• Toilet is 24 x 7

• Respect begets respect

</GETTING TO KNOW>

• 15min

</UID>

• Your name or alias

• Your day-to-day job

• How the workshop can help

</WHOAMI>

• 13 Years in Linux (RedHat)

• SecSysOps Engineer by day

• Paranormal Investigator by night

• Exorcist Priest by divine call

</INTRO to SECURITY>

• 15min

</WHATIS>

• IT Security? - is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.

</WHICH>

• What are you trying to protect?

Risk vs Threat vs Vulnerability

Risk = Asset x Threat x Weakness

</KICKSTART>

• System Requirement Specification

- Mount Points

- Storage Space

- RAM

- CPU

- SW Dependencies

- IP Address / Segment

- Hostname

- Ports / Services

- Users / Group

</PRE-INSTALLATION>

</POST-INSTALLATION>

• Disconnect from Public Network

• Patching

• Disable Unnecessary Services

• Close Unneeded Ports

• Stress Test

</LIFECYCLE>

</SYSTEM INVENTORY>

• 15min

</BASELINE>

• rpm -qa > /tmp/rpm.txt

• service --status-all > /tmp/service.txt

• chkconfig --list | grep on

• cat /etc/passwd > /tmp/user.txt

• netstat -tulpn > /tmp/connections.txt

• route -n > /tmp/route.txt

• ifconfig -a > /tmp/ifconfig.txt

</INVENTORY DEMO>

• Custom Script (BASH)

• ./linux-local-enum.sh
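The workshop's linux-local-enum.sh is not reproduced on the slides. As an added example, not the workshop's script, the following POSIX shell snapshots the areas listed on the BASELINE slide into a directory, one sorted file each, and diffs two snapshots, so that a later run shows drift (a new package, account, listening port or route) instead of a fresh wall of output. The directory layout, file names and function names are my own choice.

```shell
# Added example (not the workshop's linux-local-enum.sh): snapshot the areas listed on
# the BASELINE slide into DIR, one sorted file each, then diff two snapshots so that a
# new package, account, listening port or route appears as drift after the first run.
collect_baseline() {  # collect_baseline DIR
  dir="$1"; mkdir -p "$dir" || return 1
  snap() {  # snap FILE CMD...  run CMD if it is installed, else record that it is absent
    out="$dir/$1"; shift
    if command -v "$1" >/dev/null 2>&1; then "$@" 2>/dev/null | sort > "$out"
    else echo "# $1: not installed" > "$out"; fi
  }
  snap rpm.txt         rpm -qa
  snap service.txt     service --status-all
  snap chkconfig.txt   chkconfig --list
  snap connections.txt netstat -tulpn
  snap route.txt       route -n
  snap ifconfig.txt    ifconfig -a
  cut -d: -f1,3,4,7 /etc/passwd | sort > "$dir/user.txt"   # name:uid:gid:shell
}
diff_baselines() {  # diff_baselines OLD_DIR NEW_DIR -> 0 if identical, 1 if drift found
  drift=0
  for f in "$1"/*.txt; do
    name=$(basename "$f")
    if ! cmp -s "$f" "$2/$name"; then
      drift=1; echo "== $name changed =="
      diff "$f" "$2/$name" | grep '^[<>]'   # '<' gone since OLD, '>' new in NEW
    fi
  done
  return $drift
}
```

Keep the first snapshot off the host (it is the reference the box is measured against); a UID 0 account or a listening port that was not in it is exactly what the diff is meant to surface.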

</SYSTEM SECURITY>

• 30min

</ACCESS NOTIFICATION>

Config File: /etc/pam.d/system-auth

Add the following line after the line "session required pam_limits.so":

session required pam_lastlog.so showfailed

</BRUTEFORCE>

• Configure passwords against a dictionary attack

/etc/pam.d/system-auth

password required /lib/security/pam_cracklib.so retry=2 minlen=10 difok=6

</ACCOUNT AUTHENTICATION>

• CONFIG FILES

/etc/pam.d/system-auth

/etc/pam.d/password-auth

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900

auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900

</PASSWD AGE>

• chage [-m mindays] [-M maxdays] [-d lastday] [-I inactive] [-E expiredate] [-W warndays] user

• chage -l user

• Exercise:

Create 3 UID with different Password aging

</SSH CONFIG>

• Protocol 2

• PermitEmptyPasswords no

• MaxAuthTries 3

• PermitRootLogin no

• AllowGroups

• AllowUsers

• DenyUsers

Exercise – Block the 3 users created and test

</LYNIS DEMO>

• cd /opt/lynis-1.3.8

• ./lynis --check-all

</NETWORK SECURITY>

• 30min

</IPTABLES>

• XMAS TREE ATTACK

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

“sends a large number of Christmas tree packets to an end device”

</IPTABLES>

• Smurf Attack - sends a large number of ICMP echo broadcast packet, with source IP address spoofed to that of target's IP address.

iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT

Or block all the ICMP packets

iptables -A INPUT -p icmp -j DROP

</IPTABLES>

• SYN Flood

iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT

The attacker creates a large number of forged SYN requests with spoofed source IP addresses and sends them to the target.

</TCP WRAPPERS>

• echo "ALL:ALL" >> /etc/hosts.deny

• echo "sshd:ALL" >> /etc/hosts.allow

</UNCOMMON PROTOCOLS>

• Datagram Congestion Control Protocol (DCCP)

• Stream Control Transmission Protocol (SCTP)

• Reliable Datagram Sockets (RDS)

• Transparent Inter-Process Communication (TIPC)

echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf

echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf

echo "install rds /bin/false" > /etc/modprobe.d/rds.conf

echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf

</IPTABLES DEMO>

• Custom Script (BASH)

• ./iptables.sh

</KERNEL>

• Securing Systems and Network on Kernel

• Config File

/etc/sysconfig/sysctl.conf

/etc/rc.d/init.d/network restart

/sbin/sysctl -p

</KERNEL>

• DIFFERENT WAYS TO LOCKDOWN

- Prevent your system responding to Ping

- Refuse responding to broadcast requests

- Routing Protocols

- Enable TCP SYN Cookie Protection

- Disable ICMP Redirect Acceptance

- Enable always-defragging Protection

- Enable bad error message Protection

- Enable IP spoofing protection

- Log Spoofed, Source Routed and Redirect Packets

</KERNEL>

• Disable IP source routing - It's information in an IP header that allows the source host to dictate the path the packet uses to get to the destination rather than leaving the path to be determined by intermediate gateways. This could allow a source to go around security devices that are typically in the path between source and destination.

</KERNEL>

• Disable IP source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

/etc/rc.d/init.d/network restart

</KERNEL>

• Enable IP spoofing protection, turn on source route verification

- The spoofing protection prevents your network from being the source of spoofed (i.e. forged) communications that are often used in DoS attacks.

</KERNEL>

• Enable IP spoofing protection, turn on source route verification

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

/etc/rc.d/init.d/network restart

</KERNEL>

• Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets

This protection will log all Spoofed Packets, Source Routed Packets, and Redirect Packets to your log files.

net.ipv4.conf.all.log_martians = 1

/etc/rc.d/init.d/network restart

</KERNEL>

• Disables the magic-sysrq key

kernel.sysrq = 0

</KERNEL>

• Decrease the default value of tcp_keepalive_time for idle connections

net.ipv4.tcp_keepalive_time = 1800

</KERNEL>

• Prevent SYN Flood Attack

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_max_syn_backlog = 4096

</KERNEL>

• Ignoring Ping

net.ipv4.icmp_echo_ignore_all = 1

</KERNEL>

• Turn on execshield

- Against Remote Attack Tool (RAT)

kernel.exec-shield=1

kernel.randomize_va_space=1
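The SSH CONFIG slide and the KERNEL slides both boil down to "this key must hold this value" in a text file, which is what an audit can check. As an added example, not the workshop's code, the following POSIX shell reads the effective value of a directive from sshd_config (whitespace separated) or sysctl.conf (key = value), skipping comment lines and, as sshd itself does, treating the first occurrence of a keyword as the one that counts, so a hardened line appended after an earlier weaker one changes nothing. The function names and the constructed sample files are my own.

```shell
# Added audit helper (not the workshop's script): read the effective value of a
# directive from a config file and compare it with the value the slides recommend.
# SEP "=" selects sysctl.conf syntax; anything else means whitespace (sshd_config).
# Comment lines are skipped and, as sshd itself does, the first match wins.
effective_value() {  # effective_value FILE KEY SEP -> prints the value, or nothing
  if [ "$3" = "=" ]; then
    awk -F= -v k="$2" '{ gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
      $1 !~ /^#/ && $1 == k { print $2; exit }' "$1"
  else
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
  fi
}
check() {  # check FILE KEY EXPECTED SEP -> PASS/FAIL line; exit status 1 on FAIL
  got=$(effective_value "$1" "$2" "$4")
  if [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" = "$(printf %s "$3" | tr 'A-Z' 'a-z')" ]; then
    echo "PASS $2 = $got"; return 0
  fi
  echo "FAIL $2: want '$3', got '${got:-<unset>}'"; return 1
}
audit_sshd() {  # audit_sshd FILE -> 0 only if every directive matches the SSH CONFIG slide
  fails=0
  for kv in "Protocol 2" "PermitEmptyPasswords no" "MaxAuthTries 3" "PermitRootLogin no"; do
    check "$1" "${kv% *}" "${kv#* }" ws || fails=$((fails + 1))
  done
  [ "$fails" -eq 0 ]
}
audit_sysctl() {  # audit_sysctl FILE -> 0 only if the KERNEL slide settings are all present
  fails=0
  for kv in net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.rp_filter=1 \
            net.ipv4.conf.all.log_martians=1 net.ipv4.tcp_syncookies=1 kernel.sysrq=0; do
    check "$1" "${kv%%=*}" "${kv#*=}" = || fails=$((fails + 1))
  done
  [ "$fails" -eq 0 ]
}
write_samples() {  # write_samples DIR: constructed sample files for a demo run
  cat > "$1/sshd_config" <<'EOF'
# PermitRootLogin yes
Protocol 2
permitrootlogin no
MaxAuthTries 3
MaxAuthTries 6
PermitEmptyPasswords no
EOF
  cat > "$1/sysctl.conf" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
EOF
}
```

In the sample, the sshd file passes (the commented-out PermitRootLogin and the second MaxAuthTries are ignored) while the sysctl file fails only on the missing kernel.sysrq=0; the file check says nothing about the running kernel, so pair it with sysctl -a on the host.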

</AUDIT>

• 30min

</AUDITING>

• TOOLS

- Tripwire

- Auditd

- AIDE

</COMPLIANCE SCORING>

• OpenScap Demo

</END>

• Thank you!

http://mrebultan.simplesite.com/
