© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and Applications Lesson 6 Every Service Is a Potential Risk

Security Strategies in Linux Platforms and Applications

Lesson 6: Every Service Is a Potential Risk

Learning Objective

Describe vulnerabilities in Linux services and the appropriate steps to mitigate the risks.

Key Concepts

• Commonly installed Linux services
• Bastion hosts
• Bastion host hardening
• Disabling unneeded services and removing unneeded packages
• chroot jails

DISCOVER: CONCEPTS

Service Scripts in /etc/init.d/

Vulnerabilities in Linux Services

• Denial of Service (DoS)
• Buffer overflows and misconfigured servers
• Unpatched servers and rootkits
• Web applications
• Default settings and weak passwords

Bastion Servers in the DMZ

Bastion Hosts

[Diagram: three bastion hosts (Web Server, Database Server, SMTP Server) compared with a single Multipurpose Server]

A black-hat hacker exploits a bug in the Simple Mail Transfer Protocol (SMTP) server:

• Multipurpose server: now has access to all the server services
• Bastion hosts: only has access to the one server and service

DISCOVER: PROCESS

Configuring a Bastion Host

Install an administrative service like SSH

Start with minimal Linux installation

Set up at least basic IPv4 networking

Remove unnecessary services

Remove unnecessary packages

Active Services in Runlevel 3 Start with “S”

Getting Rid of Unneeded Services

Uninstall

• Use yum or apt-get
• Watch for dependencies

Deactivate

• Stop a service
• Kill a PID
• Change service defaults
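Added example (not from the original slides): a POSIX shell audit that uses the runlevel convention noted above, start links named S<NN><service>, to list the services active in runlevel 3 and flag those missing from an allowlist. The allowlist, the function names, and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SysV start links in a runlevel directory.
# Function names, allowlist and sample data are constructed for illustration.

# Print the service name behind every start link (S<NN><name>) in directory $1.
# Kill links (K<NN><name>) are ignored because they mark stopped services.
active_services() {
    for link in "$1"/S[0-9][0-9]*; do
        # Skip the literal pattern when the glob matched nothing;
        # -L keeps dangling symlinks, which still count as enabled.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}                 # drop the directory part
        echo "${name#S[0-9][0-9]}"       # drop "S" and the two-digit order
    done
}

# Print active services in $1 that are absent from the
# space-separated allowlist given in $2.
unneeded_services() {
    for svc in $(active_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;               # on the allowlist: keep
            *) echo "$svc" ;;            # candidate to deactivate or uninstall
        esac
    done
}

# Build a constructed stand-in for /etc/rc3.d so the audit runs anywhere.
make_sample_rc3() {
    dir=$(mktemp -d)
    for l in S10network S12rsyslog S55sshd S80sendmail S90xfs K50telnet; do
        ln -s "../init.d/${l#?[0-9][0-9]}" "$dir/$l"
    done
    echo "$dir"
}

# Hypothetical bastion host that only needs networking, logging and SSH.
ALLOWLIST="network rsyslog sshd"

sample=$(make_sample_rc3)
echo "Active in runlevel 3: $(active_services "$sample" | tr '\n' ' ')"
echo "Not on allowlist:     $(unneeded_services "$sample" "$ALLOWLIST" | tr '\n' ' ')"
rm -rf "$sample"
```

On a real host, pass `/etc/rc3.d` in place of the sample directory; each name printed is a candidate for the Deactivate or Uninstall steps above.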

Dependency Processing

Mitigating Other Service Risks

Turn off the X Display Manager Control Protocol (XDMCP).

Keep only those productivity tools that are necessary.

Don't run any network services that are not needed.

Run the logwatch tool to monitor any attempted access to the Linux system.

DISCOVER: ROLES

Linux System Administrator

• Turns off or uninstalls unused services.
• Ensures services do not run as root.
• Runs services in chroot jail when appropriate.
• Restricts access to services only to necessary users and applications.
• Uses bastion hosts for server services and keeps services updated with latest security fixes.

DISCOVER: CONTEXTS

chroot Jail

Use chroot jail:

• To enable an application to access its own set of libraries and directory structure
• To restrict access to users on a system
• To run software such as Berkeley Internet Name Domain (BIND)

DISCOVER: RATIONALE

Benefits of Disabling or Uninstalling Unneeded Services

• To eliminate the possibility of a black-hat hacker exploiting a vulnerability in a service when the service is not running
• To improve system performance by running only the required services
• To save hard drive space by uninstalling
• To eliminate the need to update or patch a service when security vulnerabilities are discovered

Summary

• Commonly installed Linux services
• Bastion hosts
• Bastion host hardening
• Disabling unneeded services and removing unneeded packages
• chroot jails

OPTIONAL SLIDES

Aptitude as a Package Browser

Categories of Red Hat Development Tools

Categories of Ubuntu Development Tools

The elinks Web Browser