</LINUX> Michael Art Rebultan, SecSysOps Engineer (L3/L4)
Equinix Asia Pacific Pte Ltd
</About Michael> • Experience
• Organization
</Linux Life> • What others think of Linux SysAdmin?
</What is Linux> • TUX the Mascot, not the Logo
• Torvalds UniX
• Tuxedo
• Open Source OS by Linus Torvalds from Minix
• Linus + Unix = Linux
• Unix (by Dennis Ritchie) vs Linux
</Why Linux> • Free as a Beer!
• The Power is given back to the User!
• What is Life without Linux?
</Distro> Workstation
• ?
Server
• ?
PenTesting
• ?
</Installation> Planning and Design
• Is it a server?
• If so, what does it serve?
• HW Inventory | Storage, CPU, RAM, NIC
• Basic Math
- /root = ?mb
- Swap = ?gb
- /opt = ?gb
- /var = ?gb
- /usr = ?gb
</NetConfig> • Vi or Vim Text Editor
• /etc/hosts
Your_IP localhost_name localhost_name.com
• /etc/resolv.conf
search linux.org
nameserver 192.168.0.2
• /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=localhost_name
• /etc/sysconfig/network-scripts/ifcfg-<interface-name>
NAME=eth0
GATEWAY=192.168.0.1
DOMAIN=linux.org
DEVICE=eth0
ONBOOT=yes
USERCTL=no
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=192.168.0.21
PEERDNS=no
check_link_down() {
return 1;
}
</Sys/NetConfig> • DEBIAN BASED (Ubuntu)
• /etc/hosts
Your_IP localhost_name localhost_name.com
• /etc/resolv.conf
search linux_meetup.sg
nameserver 192.168.0.2
• /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.0.21
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
• /etc/init.d/networking restart
</SECURITY> • IPTABLES
TOOL | MAIN COMMAND | CHAIN | COMMON OPTION/SWITCHES | TCP OPTION | "-j" | ACTION
iptables | -A | INPUT | --dport | tcp 22 | -j | ACCEPT
CHAIN Keywords
INPUT : Incoming connection
OUTPUT : Outgoing connection
FORWARD : Gateways
MAIN COMMAND
* -A --append : Add the rule at the end of the specified chain
* -R --replace : Replace the specified chain
* -I --insert : Add a chain in a specific area of the global chain
* -L --list : Display the rules
* -F --flush : Delete all the rules of a chain
* -N --new-chain : Create a new chain
* -X --delete-chain : Delete a chain
* -P --policy : Specify to the kernel the default policy of a chain: ACCEPT, REJECT, DROP ...
ACTION
DROP
ACCEPT
COMMON OPTION AND SWITCHES
-A -- adds a rule at the end of the chain
-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.
-p -- protocol of the rule
--dport the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet
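A default-drop ruleset built from the commands and switches listed above, as an added example that is not from the original slides. The function name emit_ruleset, the management subnet 192.168.0.0/24 and the conntrack match are assumptions; rules are evaluated top to bottom and the first match wins, so the order of the -A lines matters.

```bash
#!/bin/sh
# Added example: prints a filter table in iptables-restore format.
# IFACE and MGMT_NET are assumed values based on the addressing used in the slides.
IFACE="${IFACE:-eth0}"
MGMT_NET="${MGMT_NET:-192.168.0.0/24}"

emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -s $MGMT_NET -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}
# The three ":CHAIN POLICY" lines are the -P settings: anything not matched
# by an INPUT rule is dropped. The SSH rule adds -i and -s to the slide's
# "--dport 22 -j ACCEPT" rule so port 22 is reachable only from MGMT_NET.

# Print the ruleset when called as: sh ruleset.sh print
case "${1:-}" in
    print) emit_ruleset ;;
esac
```

Piping the output into `iptables-restore --test` as root parses the rules without committing them.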
</SECURITY> • SELinux
[root@hostname mike]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
</SECURITY> • IPTABLES
• SELinux
• SSH Login – Root
• No Empty Password
• Complex Password
• Password Expiration
• Malware / Rootkit Detection
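An audit of three items from this checklist (root SSH login, empty passwords, password expiration), as an added example that is not from the original slides. The function names and the 90-day threshold are assumptions, and Match blocks in sshd_config are not evaluated.

```bash
#!/bin/sh
# Added example: file paths are arguments so the audit can run on copies.
MAX_DAYS="${MAX_DAYS:-90}"   # assumed policy threshold, not a value from the slides

# sshd uses the first value it reads for a keyword; keywords are case-insensitive.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

audit() {  # usage: audit SSHD_CONFIG LOGIN_DEFS SHADOW ; prints one line per finding
    for key in PermitRootLogin PermitEmptyPasswords; do
        if [ "$(sshd_value "$1" "$key")" = "yes" ]; then
            echo "FAIL: $key is yes in $1"
        fi
    done
    days=$(awk '$1 == "PASS_MAX_DAYS" { print $2; exit }' "$2")
    if [ -z "$days" ] || [ "$days" -gt "$MAX_DAYS" ]; then
        echo "FAIL: PASS_MAX_DAYS is '${days:-unset}', want <= $MAX_DAYS"
    fi
    # An empty second field in shadow means the account has no password.
    awk -F: '$2 == "" { print "FAIL: account " $1 " has an empty password" }' "$3"
}

# Audit the live files when called as: sh audit.sh live   (shadow needs root)
if [ "${1:-}" = "live" ]; then
    audit /etc/ssh/sshd_config /etc/login.defs /etc/shadow
fi
```

On a running host, `sshd -T` prints the effective configuration and is the authoritative source for the two SSH settings.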
</Beware> • :(){ :|: & };: also known as a fork bomb, is a denial-of-service attack against a Linux system. :(){ :|: & };: is a bash function. Once executed, it repeats itself multiple times until the system freezes.
To get rid of this you need to restart or reboot your server. So be careful when executing this command on your Linux shell.
• rm -rf
• dd
• Tar Bomb
• It is an archive file which explodes into thousands or millions of files with names similar to the existing files into the current directory rather than into a new directory when untarred.
• mkfs
• fsck
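A pre-extraction check for the tar bomb described above, as an added example that is not from the original slides. It reads only the member list, so nothing is written to disk; the function names and the entry threshold are assumptions.

```bash
#!/bin/sh
# Added example: inspect an archive's member list before extracting it.
MAX_ENTRIES="${MAX_ENTRIES:-10000}"   # assumed threshold

# Prints a verdict; returns 0 only when every member sits under one top-level name.
tar_check() {  # usage: tar_check ARCHIVE
    list=$(tar -tf "$1") || { echo "unreadable"; return 2; }
    count=$(printf '%s\n' "$list" | grep -c . || true)
    # Strip a leading "./", keep the first path component, count distinct names.
    tops=$(printf '%s\n' "$list" | sed 's|^\./||' | cut -d/ -f1 \
           | grep . | sort -u | grep -c . || true)
    if [ "$count" -gt "$MAX_ENTRIES" ]; then
        echo "too many entries: $count"
        return 1
    fi
    if [ "$tops" -ne 1 ]; then
        echo "spills $tops top-level entries into the current directory"
        return 1
    fi
    echo "contained"
}

# Unpack into a fresh directory, never into the current one.
safe_extract() {  # usage: safe_extract ARCHIVE ; prints the directory used
    dest=$(mktemp -d "./extract.XXXXXX") && tar -xf "$1" -C "$dest" && echo "$dest"
}

# Check an archive when called as: sh tarcheck.sh archive.tar
if [ $# -gt 0 ]; then
    tar_check "$1"
fi
```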
</Best Practices> • LVM to be or not to be
• Dual Boot Installation with Windows
• Server Lockdown (CIS Template)
• Disable Unwanted Services / Ports
• Performance Tuning
• Performance Monitoring
• NIC Bonding
</IoT Devices>
Criteria of IoT devices must be:
• Scalable, to accommodate a wide range of different classes of devices
• Modular, so you can choose only the components you need to meet tight RAM requirements
• Connected, so you can move data in and out of the device via Wi-Fi, Ethernet, USB, or Bluetooth.
• Reliable, so your device can be certified for safety-critical applications
• Conclusion – You need RTOS (Real-Time OS) for this.
</Linux Power> • Linux-Powered Rifle - Bullseye from 1,000 yards
- $17,000
</Linux Power> • Raspberry Pi
The Raspberry Pi is a low cost, credit-card sized computer that plugs into a computer monitor or TV, and uses a standard keyboard and mouse. It is a capable little device that enables people of all ages to explore computing, and to learn how to program in languages like Scratch and Python. It’s capable of doing everything you’d expect a desktop computer to do, from browsing the internet and playing high-definition video, to making spreadsheets, word-processing, and playing games.
</Linux Power> • Linux/Android Watches – smart watch
</Linux Power> • Linksys WRT54G - wireless router
</Linux Users> • Government Users of Linux
- Federal Aviation Administration (FAA)
- U.S. Department of Defense (DoD)
- U.S. Navy Submarine Fleet
- The City of Munich, Germany - migrate its 14,000 desktops to a free Linux distribution
- State-Owned Industrial and Commercial Bank of China
• Educational Users of Linux
- Russian Schools
- German Universities
- The Philippines
- The Indian State of Tamil Nadu
• Business Users of Linux
- Novell
- IBM
- Amazon
- New York Stock Exchange
Ref: http://www.comparebusinessproducts.com/fyi/50-places-linux-running-you-might-not-expect
</Job> • REF: http://www.jobstreet.com.sg/en/job-search/job-vacancy.php?key=linux&specialization=&area=&salary=&src=12
• REF: http://www.cheatsheet.com/money-career/10-of-the-most-in-demand-jobs-in-2016.html/?a=viewall