SUSE® Linux Security Essentials TUT91122 Craig Lamparter Linux Systems/Software Engineer Hewlett Packard Enterprise / [email protected] Thomas Biege Team Lead Maintenance Security, CSSLP SUSE / [email protected]


Page 1: SUSE Linux Security Essentials · ® Linux Security Essentials TUT91122 Craig Lamparter Linux Systems/Software Engineer Hewlett Packard Enterprise / craiger@hpe.com Thomas Biege Team

SUSE® Linux Security Essentials
TUT91122

Craig Lamparter
Linux Systems/Software Engineer

Hewlett Packard Enterprise / [email protected]

Thomas Biege
Team Lead Maintenance Security, CSSLP

SUSE / [email protected]

Page 2

Source: http://xkcd.com/936

Page 3

Tech Security is the new global battlefield. Successful campaigns are broken into winning:

Strategies (Thomas)

and

Tactics (Craig)

Page 4

Security Strategies (a real-life example)

Page 5

When you have been in the business for more than a decade and a half, you might think “I have seen it all.”

Page 6

... and then...

Page 7

Denial! Fear!

Panic!

Page 8

You can start to clone yourself, work at weekends, stop sleeping, but...

Page 9

… better plan ahead and have a strategy for the next time.

Page 10

Lessons learned 1/2

We need an emergency plan!
• rules/process to identify a “highly visible vulnerability” beforehand
• adjusting our update process
• “crisis communication manager”
• ONE communication channel
• coordination team
• SLA/SLC

Facts don't count: if customers are in a panic, they want a patch. Now!

Page 11

Lessons learned 2/2

First we focused on fast updates
• involved several teams and departments in R&D
• direct 1:1 communication
• SLA/SLC

… but we learned quickly that communication (internal/external) is at least equally important

• involved product management, marketing, customer care/support, sales

• created high-level communication plan + team

What about Business Continuity Management?

Page 12

(Organisation chart: Steering Committee; Management Team; Customer Care, TID; Updates/PTFs; Web, Social Media, SCC; Product Management; Secure and reliable Infrastructure)

Page 13

What does our strategy look like?

High-level plan, involves all responsible persons to:
• ensure information flow to the affected persons within the company
• create dedicated websites, banners, etc.
• update customer care/support websites (TID, SCC)

Improved update process
• reduce delivery time (we are ~9 times faster now!)
• keep stakeholders up-to-date

Ensure a stable and secure infrastructure to deliver updates and information quickly and reliably. We also formed an emergency task force to deliver updates even faster in the future.

Page 14

Security Tactics

Page 15

Tactical Security
How would you attack a system?

portscan ssh/22
# nmap -O <ip-address> (guess OS behind ip-address)

Ports 1024 and below have root behind them
ideally be a black hole (hard to do if you're a server)
Brute force a port (ssh, ftp) that has authentication behind it

SQL injection to get /etc/passwd (or /etc/shadow!)

Use an off-the-shelf root kit to exploit known vulnerabilities

Page 16

Tactical Security
How would you attack a system?

root@pc:/home/craiger# nmap -O bpi

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 12:59 PDT

Nmap scan report for bpi (192.168.1.128)
Host is up (0.00019s latency).
Not shown: 997 closed ports

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

MAC Address: 02:D4:0A:01:9C:BB (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:

OS:SCAN(V=6.40%E=4%D=9/19%OT=22%CT=1%CU=35660%PV=Y%DS=1%DC=D%G=Y%M=02D40A%TOS:M=57E04411%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10E%TI=Z%CI=I%TS=7

What OS is running here?

Page 17

Tactical Security
Your listening ports

root@bpi:~# netstat -npvat | grep LISTEN

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      481/rpcbind
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      943/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      646/sshd
tcp        0      0 0.0.0.0:53599           0.0.0.0:*               LISTEN      569/rpc.statd
tcp6       0      0 :::111                  :::*                    LISTEN      481/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      882/apache2
tcp6       0      0 :::33525                :::*                    LISTEN      569/rpc.statd
tcp6       0      0 :::22                   :::*                    LISTEN      646/sshd
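An added example, not from the slides, that reads a netstat listing like the one above and reports which services are reachable from the network (bound on 0.0.0.0 or ::) and which of those sit on privileged ports, i.e. ports below 1024 that needed root to bind; the listing is re-typed from the slide as constructed input.

```python
import re

# Constructed sample: the rows from the slide's netstat listing, re-typed as input.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      481/rpcbind
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      943/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      646/sshd
tcp        0      0 0.0.0.0:53599           0.0.0.0:*               LISTEN      569/rpc.statd
tcp6       0      0 :::111                  :::*                    LISTEN      481/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      882/apache2
tcp6       0      0 :::33525                :::*                    LISTEN      569/rpc.statd
tcp6       0      0 :::22                   :::*                    LISTEN      646/sshd
"""

# proto, recv-q, send-q, local addr:port, foreign addr, state, pid/program
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)"
    r"\s+\S+\s+LISTEN\s+(?P<pidprog>\S+)"
)


def parse_listeners(text):
    """One dict per LISTEN row: protocol, bind address, port, program name."""
    rows = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            rows.append({"proto": m["proto"], "addr": m["addr"], "port": int(m["port"]),
                         "prog": m["pidprog"].split("/", 1)[-1]})
    return rows


def exposed_listeners(text):
    """Sockets bound on every interface (0.0.0.0 or ::), i.e. reachable from the
    network; 'privileged' marks ports below 1024, which needed root to bind.
    Loopback-only binds such as dnsmasq on 127.0.1.1 are left out, and the
    same program on the same port over IPv4 and IPv6 is reported once."""
    seen = {}
    for r in parse_listeners(text):
        if r["addr"] not in ("0.0.0.0", "::"):
            continue
        seen[(r["prog"], r["port"])] = {"prog": r["prog"], "port": r["port"],
                                        "privileged": r["port"] < 1024}
    return sorted(seen.values(), key=lambda r: (r["port"], r["prog"]))
```

The rpc.statd entries on random high ports are the kind of listener that is easy to overlook in a long listing and worth a firewall rule or a disabled service.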

Page 18

Tactical Security

How do you know if you're being attacked?

/var/log/auth.log, messages, syslog

Example brute-force dictionary attack for root ssh access in progress:

Nov 21 08:59:48 people sshd[35491]: Failed password for root from 60.173.9.184 port 8832 ssh2
Nov 21 08:59:48 people sshd[35491]: Received disconnect from 60.173.9.184: 11: Normal Shutdown, Thank you for playing [preauth]

(these are actual attacks on HPE servers)

Page 19

Tactical Security

How do you prevent attacks?
Active countermeasures
Several programs tail authentication logs for a variety of protocols

fail2ban - http://www.fail2ban.org
- Watches ssh, apache, ftp and other logs for brute-force attempts.
- x failed attempts over y minutes wins you your own iptables rule!

iptables -A INPUT -p tcp -m tcp -s <attackerIP> -j DROP
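The detection this slide describes, as an added example that is not fail2ban's own code: it scans auth.log lines in the format shown on the "How do you know if you're being attacked?" slide for repeated "Failed password" entries from one address inside a time window and renders the iptables rule above for each offender. The log lines, the threshold of 5 failures in 10 minutes and the year 2016 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the slide's auth.log format: a dictionary attack on root plus one user typo.
AUTH_LOG = """\
Nov 21 08:59:48 people sshd[35491]: Failed password for root from 60.173.9.184 port 8832 ssh2
Nov 21 08:59:48 people sshd[35491]: Received disconnect from 60.173.9.184: 11: Normal Shutdown, Thank you for playing [preauth]
Nov 21 08:59:51 people sshd[35493]: Failed password for root from 60.173.9.184 port 8850 ssh2
Nov 21 08:59:55 people sshd[35495]: Failed password for invalid user admin from 60.173.9.184 port 8871 ssh2
Nov 21 09:00:02 people sshd[35497]: Failed password for root from 60.173.9.184 port 8902 ssh2
Nov 21 09:00:09 people sshd[35499]: Failed password for root from 60.173.9.184 port 8930 ssh2
Nov 21 09:03:10 people sshd[35520]: Failed password for craiger from 192.168.1.50 port 51022 ssh2
Nov 21 09:03:15 people sshd[35522]: Accepted password for craiger from 192.168.1.50 port 51022 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failures(log, year=2016):
    """Yield (timestamp, source IP) per 'Failed password' line. syslog stamps
    carry no year, so one is assumed here."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def offenders(log, max_fails=5, window=timedelta(minutes=10)):
    """IPs with at least max_fails failures inside any sliding window of the
    given length (fail2ban's maxretry/findtime idea). Returns {ip: total failures}."""
    hits = defaultdict(list)
    for ts, ip in parse_failures(log):
        hits[ip].append(ts)
    banned = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= max_fails:
                banned[ip] = len(times)
                break
    return banned

def ban_rules(log, **kw):
    """The iptables rule from the slide, one per offending source address."""
    return [f"iptables -A INPUT -p tcp -m tcp -s {ip} -j DROP" for ip in sorted(offenders(log, **kw))]
```

The single failure from 192.168.1.50 never reaches the threshold, which is the point of the window: a mistyped password must not lock out the operator.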

Page 20

Tactical Security

How do you know if you've been hacked already?

Rootkits overwrite the ls, ps and top commands with binaries that won't show the rootkit

Less obvious ways to detect a rootkit which hackers might overlook:
● rpm -Va
  .M5....T  /bin/ls
  missing   /var/spool/at/.lockfile
  missing   /var/spool/at/spool

● debsums zip
  /usr/bin/zipsplit  OK
  /usr/bin/zipcloak  OK

● Tripwire/AIDE - Advanced Intrusion Detection Environment (same as above, but with offsite database)

● TIGER - scans for known common vulnerabilities, suid root, file perms
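An added example, not from the deck or from rpm, that turns `rpm -Va` output like the lines above into a list of findings and separates a replaced binary or a vanished file from routine noise such as edited config files; the sample output is constructed around the slide's three lines, and the flag-letter meanings are those documented for rpm -V.

```python
import re

# One letter per failed check, in the column order rpm -V prints them.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# Changes that point at a replaced or tampered file rather than routine drift.
SERIOUS = {"size", "mode", "digest", "owner", "group", "capabilities"}

# Older rpm prints 8 flag columns (no P), newer prints 9; '.' = check passed,
# '?' = check not possible. An attribute letter may follow (c=config, d=doc,
# g=ghost, l=license, r=readme), then the path.
VERIFY_RE = re.compile(r"^(?P<flags>[.?SM5DLUGTP]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

# Constructed sample: the slide's three lines plus two benign ones for contrast.
SAMPLE = """\
.M5....T  /bin/ls
missing   /var/spool/at/.lockfile
missing   /var/spool/at/spool
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/zip/README
"""

def parse_rpm_verify(output):
    """One finding per line: path, whether it is missing, the names of the
    failed checks, and whether rpm marks it as a config file."""
    findings = []
    for line in output.splitlines():
        m = MISSING_RE.match(line)
        if m:
            findings.append({"path": m["path"], "missing": True, "failed": [],
                             "config": m["attr"] == "c"})
            continue
        m = VERIFY_RE.match(line)
        if m:
            findings.append({"path": m["path"], "missing": False,
                             "failed": [FLAGS[c] for c in m["flags"] if c in FLAGS],
                             "config": m["attr"] == "c"})
    return findings

def suspicious(output):
    """Findings a rootkit hunt should look at: a non-config file whose content,
    permissions, ownership or capabilities changed (a replaced /bin/ls), or a
    non-config file that is gone. Edited config files and mtime-only changes
    are routine and are filtered out."""
    return [f for f in parse_rpm_verify(output)
            if not f["config"] and (f["missing"] or SERIOUS & set(f["failed"]))]
```

Run on a suspect host, the verdict only holds if the rpm database and binary themselves are trusted, which is why the slide pairs this with AIDE's offsite database.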

Page 21

Tactical Security

Prevention
● documented security policy, validate implementation with automated audits
  ● TIGER is good at automating audits
● Minimize damage with UEFI Secure Boot
  ● Keep hackers out of firmware, boot environment and kernel space
● selinux, mandatory access controls, ports/files
  ● selinux is an extreme measure of security
  ● usability and security vary inversely
● Active countermeasures
  ● Fail2ban
● iptables firewall
  ● single best defense against network attacks
  ● drop/reject packets from specific networks on specific ports

Page 22

Don't forget application security!

Page 23

Don't forget application security!

Source http://xkcd.com/327/

Page 24

Firewall

# Simple iptables example. Allow "RELATED" traffic in, and ssh/http

## allow everything from local subnet
iptables -A INPUT -p tcp -m tcp -s 192.168.1.1/24 -j ACCEPT # all wlan
iptables -A INPUT -p udp -m udp -s 192.168.1.1/24 -j ACCEPT # all wlan

## Create chain which blocks new connections, except if coming from usb0 or lo
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i lo -j ACCEPT
iptables -A block -j DROP

## Allow port-specific traffic
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT # ssh from everywhere
iptables -A INPUT -p tcp -m tcp --dport 22 -s 192.168.1.1/24 -j ACCEPT # ssh from wlan
iptables -A INPUT -p tcp -m tcp --dport 22 -s 69.163.129.35 -j ACCEPT # ssh from proty.dreamhost.com
iptables -A INPUT -p tcp -m tcp --dport 22 -s 16.0.0.0/8 -j ACCEPT # ssh from CPQ
iptables -A INPUT -p tcp -m tcp --dport 22 -s 15.0.0.0/8 -j ACCEPT # ssh from HP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # web server from anywhere

## Enable ping replies through ppp0 or eth0
#iptables -A OUTPUT -p icmp -o eth0 --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp -i eth0 --icmp-type echo-reply -j ACCEPT

## Otherwise, jump to the 'block' chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

Page 25

Questions?

Craig Lamparter
Linux Systems/Software Engineer

Hewlett Packard Enterprise / [email protected]

Thomas Biege
Team Lead Maintenance Security, CSSLP

SUSE / [email protected]