CIS 290 LINUX Security Application and Network Security

SSH • /etc/sshd_config Allow. Tcp. Forwarding no Allow. Agent. Forwarding No Deny. Users, Allow.

Original Sentry Tools (Psionic) • Logcheck (still an RPM) • Portsentry http: //sourceforge. net/projects/sentrytools/

Network Security • TCP Wrappers – hosts. allow, hosts. deny • /etc/security/access. conf •

Network Security /etc/sysctl. conf • # No source routed packets here net. ipv 4.

Network Security /etc/sysctl. conf • # Turn on execshild kernel. exec-shield = 1 kernel.

Network Security • # Increase system IP port limits net. ipv 4. ip_local_port_range =

Firewall - Iptables • /etc/sysconfig/iptables • Commands: iptables, iptables-save, iptables-restore • There are total

iptables • Packet Matching Rules Each packet starts at the first rule in the

Slides: 9

Download presentation

CIS 290 LINUX Security Application and Network Security Part 1

SSH • /etc/sshd_config Allow. Tcp. Forwarding no Allow. Agent. Forwarding No Deny. Users, Allow. Users, Deny. Groups, Allow. Groups Allow. Tcp. Forwarding No Banner No Chroot. Directory No Client. Alive. Interval 600 Client. Alive. Count. Max 0 Force. Command Hostbased. Authentication no Ignore. Rhosts yes Listen. Address Login. Grace. Time Max. Auth. Tries Max. Sessions Max. Startups Permit. Empty. Passwords no Permit. Root. Login No Permit. Tunnel No Port Protocol 2, 1 Sub. System (see SFTP chroot jail) Use. DNS Use. PAM – if yes, disable Password. Authentication or Challenge. REsponse Authentication X 11 Forwarding no

Original Sentry Tools (Psionic) • Logcheck (still an RPM) • Portsentry http: //sourceforge. net/projects/sentrytools/ • Tcplogd • See also netstat –an or ss -a

Network Security • TCP Wrappers – hosts. allow, hosts. deny • /etc/security/access. conf • Iptables 2. 4 - formerly ipfwadm <2. 0, ipchains, 2. 1) • • /etc/sysctl. conf: # Avoid a smurf attack net. ipv 4. icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages net. ipv 4. icmp_ignore_bogus_error_responses = 1 # Turn on syncookies for SYN flood attack protection net. ipv 4. tcp_syncookies = 1 # Turn on and log spoofed, source routed, and redirect packets net. ipv 4. conf. all. log_martians = 1 net. ipv 4. conf. default. log_martians = 1 • • •

Network Security /etc/sysctl. conf • # No source routed packets here net. ipv 4. conf. all. accept_source_route = 0 net. ipv 4. conf. default. accept_source_route = 0 • # Turn on reverse path filtering net. ipv 4. conf. all. rp_filter = 1 net. ipv 4. conf. default. rp_filter = 1 • # Make sure no one can alter the routing tables net. ipv 4. conf. all. accept_redirects = 0 net. ipv 4. conf. default. accept_redirects = 0 net. ipv 4. conf. all. secure_redirects = 0 net. ipv 4. conf. default. secure_redirects = 0 • # Don't act as a router net. ipv 4. ip_forward = 0 net. ipv 4. conf. all. send_redirects = 0

Network Security /etc/sysctl. conf • # Turn on execshild kernel. exec-shield = 1 kernel. randomize_va_space = 1 • # Tune IPv 6 (or turn it off) net. ipv 6. conf. default. router_solicitations = 0 net. ipv 6. conf. default. accept_ra_rtr_pref = 0 net. ipv 6. conf. default. accept_ra_pinfo = 0 net. ipv 6. conf. default. accept_ra_defrtr = 0 net. ipv 6. conf. default. autoconf = 0 net. ipv 6. conf. default. dad_transmits = 0 net. ipv 6. conf. default. max_addresses = 1 • # Optimization for port usefor LBs # Increase system file descriptor limit fs. file-max = 65535 • # Allow for more PIDs (to reduce rollover problems); may break some programs 327

Network Security • # Increase system IP port limits net. ipv 4. ip_local_port_range = 2000 65000 • # Increase TCP max buffer size setable using setsockopt() net. ipv 4. tcp_rmem = 4096 87380 8388608 net. ipv 4. tcp_wmem = 4096 87380 8388608 • # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4 MB, or higher if you use very high BDP paths # Tcp Windows etc net. core. rmem_max = 8388608 net. core. wmem_max = 8388608 net. core. netdev_max_backlog = 5000 net. ipv 4. tcp_window_scaling = 1

Firewall - Iptables • /etc/sysconfig/iptables • Commands: iptables, iptables-save, iptables-restore • There are total 4 chains: INPUT - The default chain is used for packets addressed to the system. Use this to open or close incoming ports (such as 80, 25, and 110 etc) and ip addresses / subnet (such as 202. 54. 1. 20/29). OUTPUT - The default chain is used when packets are generating from the system. Use this open or close outgoing ports and ip addresses / subnets. FORWARD - The default chains is used when packets send through another interface. Usually used when you setup Linux as router. For example, eth 0 connected to ADSL/Cable modem and eth 1 is connected to local LAN. Use FORWARD chain to send and receive traffic from LAN to the Internet. RH-Firewall-1 -INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.

iptables • Packet Matching Rules Each packet starts at the first rule in the chain. A packet proceeds until it matches a rule. If a match found, then control will jump to the specified target (such as REJECT, ACCEPT, DROP). • Target Meanings The target ACCEPT means allow packet. The target REJECT means to drop the packet and send an error message to remote host. The target DROP means drop the packet and do not send an error message to remote host or sending host.