Securing your Investment with OpenSource or not … Simon Boardman



Topics Covered

• Security of my PC

• Security of my server

• Security of my data

PC Security

• Anti-Virus – Avast
  – A good Free One is called AVAST which is free for Home Users:
  – http://anti-virus-solution.com/avast4/index.asp
• Firewalls
  – Use the Free One provided by Windows Service Pack 2/3 etc
• SpyBot
  – Protect yourself against SpyWare with Free SpyBot
  – There are plenty of web sites that 'pretend' to be SpyBot so you end up installing SpyWare on your computer. This is the official site and it's free:
  – http://www.safer-networking.org/en/home/index.html

PC Software

• Disk Defragger
  – Disk fragmentation leads to system slowdowns, PC crashes, slow startups and shutdowns. Auslogics Disk Defrag is designed for fast optimization of modern hard disks. Disk Defrag is absolutely FREE.
  – http://www.auslogics.com/disk-defrag/index.php
• Registry Defragger
  – Keeping the registry as compact as possible means better computer performance. Auslogics Registry Defrag is fast becoming a useful and essential tool in keeping your registry defragmented. As a result, the Registry becomes compact and small, greatly improving your computer performance.
  – http://www.auslogics.com/en/software/registry-defrag
• TCP/IP Optimiser
  – The TCP Optimizer is a free, easy Windows program that provides an intuitive interface for tuning and optimizing your Internet connection. There is no installation required, just download and run.
  – http://www.speedguide.net/downloads.php

Server Security – What to Stop!

» Typical Multi-User Mode start-up: (Unix / Linux or Windows)

[Diagram: rc2 start-up, labelled with the following scripts and daemons]

• rc2
• S87nfs, S86rpc, S85tcp, S99smbd, S99cups, P90apache
• snmpd, sshd, named, inetd, pppd
• P86sendmail, S90nis, S95docview, S99nmbd
• prngd
• lpd, ntpd, aasd

Unix/Linux Network Security – inetd.conf

• Services controlled by inetd(ADMN)
  – inetd is known as a Super Server
  – inetd is started by /etc/rc2.d/S85tcp (/etc/tcp)
  – inetd configures the services listed in
    • /etc/inetd.conf
  – inetd reads /etc/services (and /etc/protocol) to get the name, aliases, port and protocol to use for each service

Unix/Linux Network Security – inetd.conf

• Services controlled by inetd(ADMN)
  – On a traditional install inetd configures services including:
    • ftp stream tcp nowait root /etc/ftpd ftpd -a
    • telnet stream tcp nowait NOLUID /etc/telnetd telnetd
    • shell stream tcp nowait NOLUID /etc/rshd rshd
    • login stream tcp nowait NOLUID /etc/rlogind rlogind
    • exec stream tcp nowait NOLUID /etc/rexecd rexecd
    • pop3 stream tcp nowait root /etc/popper popper
    • imap stream tcp nowait root /etc/imapd imapd
    • swat stream tcp nowait root /usr/sbin/swat swat
  – Can disable a service by commenting it out
    • # telnet stream tcp nowait NOLUID /etc/telnetd telnetd
  – And then restarting inetd with a SIGHUP
    • kill -1 `cat /etc/inetd.pid`

Unix/Linux What about OpenSource?

• Well OpenSource products have been included for some time …
  – Tcp wrappers
  – Ipfilter
  – Openssh
  – ipsec

Unix/Linux inetd.conf - TCPWrappers

• Tcpwrappers:
  – Can be used to log and control access to inetd services
  – To enable tcpwrappers on telnetd:
    • Edit /etc/inetd.conf
    • Comment out the entry:
      – telnet stream tcp nowait NOLUID /etc/telnetd telnetd
    • Uncomment the entry:
      – # telnet stream tcp nowait NOLUID /etc/tcpd telnetd
    • Save the file
    • Restart inetd using:
      – kill -1 `cat /etc/inetd.pid`
  – Telnet to the server and check syslog:

    Jul 11 17:26:14 jrbt5 telnetd[2102]: connect from jrbhp1
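After commenting entries out or pointing them at /etc/tcpd as described on the inetd.conf slides, it is worth listing what is still enabled and what still bypasses the wrapper. The script below is an added example, not part of the original slides; the sample file is constructed in the slides' format, and the function names and the LEGACY label (services OpenSSH can replace) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which inetd.conf services are still enabled.

# Constructed sample in the slide's format (not a real host's file):
# telnet is commented out, ftp is wrapped by /etc/tcpd, the rest are direct.
sample_inetd_conf() {
cat <<'EOF'
ftp     stream tcp nowait root   /etc/tcpd    ftpd -a
# telnet stream tcp nowait NOLUID /etc/telnetd telnetd
shell   stream tcp nowait NOLUID /etc/rshd    rshd
login   stream tcp nowait NOLUID /etc/rlogind rlogind
exec    stream tcp nowait NOLUID /etc/rexecd  rexecd
pop3    stream tcp nowait root   /etc/popper  popper
EOF
}

# Reads inetd.conf on stdin and prints "<service> <wrapped|direct> <LEGACY|->"
# for every enabled entry. LEGACY marks the services OpenSSH can replace.
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }          # commented out or malformed
        {
            n = split($6, path, "/")           # field 6 is the server program
            mode = (path[n] == "tcpd") ? "wrapped" : "direct"
            flag = ($1 ~ /^(ftp|telnet|shell|login|exec)$/) ? "LEGACY" : "-"
            print $1, mode, flag
        }'
}

# Number of enabled entries that bypass tcpd (no logging, no hosts.allow/deny).
count_direct() {
    audit_inetd | awk '$2 == "direct" { n++ } END { print n + 0 }'
}

sample_inetd_conf | audit_inetd
```

On a real server, feed the live file in instead: `audit_inetd < /etc/inetd.conf`.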

Unix/Linux inetd.conf - TCPWrappers

• Controlling Access using tcpd(ADM)
  – hosts_access(SFF) control implemented using:
    /etc/hosts.allow and
    /etc/hosts.deny
  – These files contain no rules by default
  – Access is controlled as follows:
    • Grant access if you match an entry in the /etc/hosts.allow file
    • Deny access if you match an entry in the /etc/hosts.deny file
  – OpenSource:
    • WEBMIN

Unix/Linux inetd.conf - TCPWrappers

• Some hosts_access(SFF) examples:
  – To deny everything, in /etc/hosts.deny add:

    ALL: ALL

  – To allow everything leave /etc/hosts.allow empty
  – To allow exceptions in /etc/hosts.allow add:

    ftpd: .friendly.domain
    telnetd: [email protected]
    rlogind: 192.168.1.0/255.255.255.0

  – To report on blocked access

    ALL :ALL : spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log |mail [email protected] )
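"Deny everything, then allow exceptions" works because of the order in which the two files are consulted: hosts.allow is read first, then hosts.deny, and a client that matches neither file is granted access. The script below is an added example, not tcpd's code or part of the original slides; it models only the ALL, domain-suffix and net/mask patterns with whitespace-separated lists, and the function names and sample hosts are assumptions.

```shell
#!/bin/sh
# Added example: simplified model of the hosts_access decision order.

ip_to_int() {                       # dotted quad -> integer
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

client_matches() {                  # $1=pattern $2=hostname $3=IP address
    case $1 in
        ALL) return 0 ;;
        .*)  case $2 in *"$1") return 0 ;; esac ;;        # domain suffix
        */*) net=$(ip_to_int "${1%/*}"); mask=$(ip_to_int "${1#*/}"); addr=$(ip_to_int "$3")
             if [ $(( addr & mask )) -eq "$net" ]; then return 0; fi ;;
        *)   if [ "$1" = "$2" ] || [ "$1" = "$3" ]; then return 0; fi ;;
    esac
    return 1
}

rules_match() {                     # $1=rules file $2=daemon $3=hostname $4=IP
    while IFS=: read -r daemons clients _options; do
        case $daemons in ''|'#'*) continue ;; esac
        for d in $daemons; do
            if [ "$d" != ALL ] && [ "$d" != "$2" ]; then continue; fi
            for c in $clients; do
                if client_matches "$c" "$3" "$4"; then return 0; fi
            done
        done
    done < "$1"
    return 1
}

access_decision() {  # $1=daemon $2=hostname $3=IP $4=hosts.allow $5=hosts.deny
    if rules_match "$4" "$1" "$2" "$3"; then echo granted   # allow is read first
    elif rules_match "$5" "$1" "$2" "$3"; then echo denied
    else echo granted                                       # no match anywhere
    fi
}

write_sample_rules() {              # constructed rules, from the slide's examples
    printf '%s\n' 'ftpd: .friendly.domain' \
        'rlogind: 192.168.1.0/255.255.255.0' > "$1/hosts.allow"
    printf '%s\n' 'ALL: ALL' > "$1/hosts.deny"
}

dir=$(mktemp -d) && write_sample_rules "$dir"
access_decision telnetd pc1.friendly.domain 10.0.0.5 "$dir/hosts.allow" "$dir/hosts.deny"
```

With two empty files every request falls through to the final branch and is granted, which is why the default install offers no protection until `ALL: ALL` is added to /etc/hosts.deny.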

Unix/Linux Firewalls / Secure Shell / VPN’s

• IP Filter Firewall Package for OS’s
  – http://www.linuxsecurity.com/content/view/124101/161/
• Openssh
  – http://www.openssl.org/
• Ipsec
  – http://support.real-time.com/open-source/ipsec/index.html


Questions – Boardman’s Pass it On

• What’s the Super Server controlling networking?

• And what’s the services configuration file?

• What’s the most secure: rcp, ftp or sftp?

• To deny telnet all access in which TCP Wrapper would I put ALL: ALL?

• What’s the ‘IP filter’ package called?

• What tool would I use to set up a VPN?


Unix/Linux Securing my data …

• The unfortunate basics …

• The backup …

• The remote backup …

• The failover …


Stop being negative – what disaster?

• FACT: Hardware Fails.

• CHOICES: What can we do about that?

• Accept the fact that one element of the infrastructure will go down at some point, usually sooner than we’d like.

• The Sales Guy said these things last forever …


Ok, I accept that hardware fails – so what?

• Do you have an effective Disaster Recovery Plan?

1. Yes, we do – it’s all documented, it’s simple and it’s regularly tested as part of the yearly IT budget.

2. Yes, we do – The IT Dept produced a document and so it ‘should’ work ‘should’ a disaster occur.

3. Yes, we do – we backup nightly.

4. Not my problem – it’s the customer’s responsibility to do this.

Whether you have one or not here’s the free stuff you can do …

To think about …

• Pre-Installation Work with the hardware:
• Get to ‘know’ your hardware.
• You need to ‘know’ your software too.
• Build ‘Redundancy’ into your build with Power Supplies, CPU’s, Network cards and, of course, disks.
• RAID your operating system AND your data.
• If I’m not using that piece of hardware should I leave it in, turn it off in the BIOS or remove it?
• I’ve just bought the hardware, why does it need a Firmware upgrade?
• Do I really need to look in the BIOS?

What does the OS give me?

• About the Installation …
• The installation doesn’t know how your filesystems are going to be laid out, so does it make assumptions?
• The installation doesn’t know what packages you may need, so does it install them all?
• Once installed, the OS will need Maintenance applied.

Unix/Linux Preventing Disaster?

• Tricky to do but here are some useful things to do:

1. Add to /.profile the line:

    PS1="`uname -n` # "; export PS1

2. Keep a record of the disk structure so you know how the disks were laid out.

3. Take copies of critical Operating System files.

4. Traditionally: create Emergency Server Floppies and a CD image or Tape to restore from.

5. Take a full ‘cpio’ backup.

Unix/Linux Common Post Installation Faults …

• The Server’s Slow …
  - Have you checked, enabled, ‘sar’?
  - Have you checked /etc/hosts ; DNS?
  - Where’s the comparison? Can you thrash the server with performance benchmark tools?
    – http://sourceforge.net/projects/aimbench
• Have you enabled NTP?
• Have you pointed SendMail to your Exchange Server or OpenSource email solution?
• A disk has failed – what do I do?
  - Test disk failures prior to production.


Can I configure redundant network cards?

• Can I use Load Balancing on my Network Cards?

• Can I use Failover Network Cards?

• Can I simply plug a spare card into the server?

What tools are there to make backups?

• How do I backup to tape?
  - ‘cpio’ or ‘tar’ or ‘OpenSource’ gnu tools
• More importantly, how do I restore files?
• More likely, how do I get another server up and going quickly because the production server’s down?
• Can I backup to a standby server?


Unix/Linux Introducing ‘cpio’:

• - Remote ‘cpio’ copies

– Host Equivalence ie. ‘trust’ – /.rhosts

– Can I copy over all the printers in /etc/lp to another server?

– Can I copy over all the users in /etc/passwd to another server?

– Can I copy over all the data on my server to another server?

Unix/Linux Introducing ‘rdist’:

• http://www.magnicomp.com/rdist/
• Create a "distfile" in the form:

    HOSTS = ( root@serverb )
    FILES = ( /data )
    ${FILES} -> ${HOSTS}
        install -R ;

• Here, we are going to sync the files in /data from this server to "serverb" and run the command "rdist" in the form:

    # rdist -iR -f distfile

Unix/Linux Introducing ‘rsync’:

• http://samba.anu.edu.au/rsync/
• Now, let's start with some basic examples:
• Run: # rsync -bazv /local/rsync <other server>:/tmp
• This will recursively copy the directory /local/rsync from your Unixware system to the <other server>.
• You will notice that by default 'ssl' transport is used and you will be prompted for a password.

Windows

• Windows also has ‘rcp’ built in for free … try it from your Windows XP command prompt

• There are also plenty of OpenSource and commercial ‘sync’ software products available to achieve the same thing.

Third Party Tools

• Free or Paid For? = Supported or Not
• Free:
  – http://www.roseindia.net/opensource/open-source-backup-software.shtml
• Paid for Examples:
  – ArcServe
  – LoneTar
  – MicroLite
  – NetVault
  – etc

Manual Failover Solutions

• Here’s the common scenario:
• Two Servers – One is in Production and One is the ‘Standby’
• How do I sync the servers?
• I need to ensure the users and printers are sync’ed
• I need to ensure the application and data are sync’ed
• Ipalias (arp)

Shared Storage …

• If sync’ing the data’s not the ideal solution here then Shared Storage might be.

• Put a Storage Cabinet between the servers and place the data there.

• Can both servers mount the filesystems on the storage cabinet at the same time?

• If the cabinet goes down then we need either more redundancy in the cabinet or a SAN …

• I can do a similar solution with Virtualisation …, such as OpenSource Xen, VMware and Microsoft’s Hyper-V

Automated or Manual?

• How much control do you want?
• You can automate everything with, say, Veritas Cluster or Sire Technologies – SavWare for mirroring disks … or OpenSource:
  – http://www.linux.com/feature/57073
• You ‘still’ need to be aware of:
  a) Where’s my application actually running?
  b) Sync’ing the users and printers
  c) What went wrong that caused a switch over?
  d) Can I switch back?
• You can take manual control with your own script.
• It may be simple but gives you great flexibility.


Questions – Boardman’s Pass it On

• Easy One – What do you need to ‘know’?

• Can you name a performance monitoring tool?

• What common tools can be used to copy files remotely?

• Lastly, what’s the command to set a virtual IP alias?