01 - Introduction & Securing Linux Server

Uploaded by Hudevelop iTest

Network Systems Security
01 - INTRODUCTION & SECURING LINUX

Thanh Le Dinh, VNU-UET
[email protected]
Objectives

• Securing OS and network services
• Securing Wi-Fi
• Security in the Cloud
Textbooks & Resources

• Michael Kofler et al., “Hacking & Security - The Comprehensive Guide to Penetration Testing and Cybersecurity”, Rheinwerk Publishing Inc., 2023.
• Chapters 8, 12-15, 20
Schedule

• W1-2: Securing Linux Servers
• W3-4: Securing Windows Servers
• W5-6: Securing LDAP/Active Directory
• W7-8: Securing SMB/Samba
• W9-10: Securing Wi-Fi
• W11-12: Security in the Cloud
• W13-15: Reporting and Assessment
Securing Linux Servers
HOW TO SECURELY CONFIGURE IMPORTANT COMPONENTS OF A LINUX SERVER
Linux Distributions

• Use only distributions with long maintenance periods!
• Avoid the simultaneous use of different distributions.
• Multiple servers with the same distribution are much easier to maintain than a conglomerate of Ubuntu, Debian, and RHEL installations.
Disabling IPv6

• IPv6 has few advantages, but it is at least problematic from a security point of view.
• As soon as all computers in an organization receive IPv6 access in addition to IPv4, a direct attack on every single company computer becomes possible via IPv6.
• Another disadvantage of IPv6 is an (additional) loss of privacy: unique IPv6 addresses allow unambiguous identification and recognition.
• IPv6 makes it easy for attackers to perform DDoS.
• IPv6 is active by default on all popular Linux distributions. For security reasons, however, it may be advisable to disable IPv6 or at least selectively block it for individual services.
Software Updates

• Manually update

Restart Necessary?
Automating Updates

• For RHEL, you need to install the dnf-automatic add-on package to enable automatic updates.
• On Ubuntu, the unattended-upgrades package is installed by default.
The Limits of Linux Update Systems

• With RHEL, the distribution consists of only comparatively few packages. Packages from other sources are maintained by the community.
• Ubuntu is relatively confusing. Only the main and restricted packages are officially maintained by Canonical. The community is responsible for the universe and multiverse package sources.
• The ubuntu-security-status command shows which installed packages are covered by Canonical's security maintenance.
Kernel Updates: Live Patches

• Kernel live patches have been available in RHEL since version 7.2, but it was only in versions 7.7 and 8.1 that Red Hat decided to enable this feature by default.
• The kpatch list command reveals the current patch status.
• Since the end of 2016, Canonical has also been offering live patches for critical security issues in Ubuntu LTS versions.
Securing SSH

• Blocking the Root Login
• The first security measure should be to generally block the direct root login via SSH. Prior to that, you need to set up at least one other user who can get unrestricted privileges after logging in via sudo.
Authentication with Keys

• Ref: https://itest.com.vn/lects/netos/bai07-Remote-Administration.htm
Blocking IPv6

• If you’re sure that you always do your administration work from within IPv4 networks, you can block IPv6 access.
2FA

• 2FA with Google Authenticator
• 2FA with YubiKey
Fail2ban

• Fail2ban is a program that monitors log files in which programs record failed login attempts. If failed logins accumulate that can be assigned to one IP address, this IP address gets blocked for a while by a firewall rule.
• The supplied configuration files provide settings for many common protocols or programs, including SSH, FTP, SMTP, POP, and IMAP.
• Fail2ban can also be adapted to your own web applications with a little effort. To do this, the application must log incorrect login attempts in a text file. The Fail2ban configuration must be supplemented so that the program evaluates this file.
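The counting logic behind Fail2ban, as an added illustration (not the slides' or the Fail2ban project's code): a filter pattern with the <HOST> placeholder is applied to log lines, failures are counted per IP inside a findtime window, and an IP that reaches maxretry is banned. The sshd pattern mirrors the stock SSH filter; the web application log format, the sample log lines, and the IPs are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Filter patterns; <HOST> is Fail2ban's host placeholder, expanded below.
SSHD_FAILREGEX = r"Failed password for (?:invalid user )?\S+ from <HOST>"
WEBAPP_FAILREGEX = r"login failed user=\S+ ip=<HOST>"   # hypothetical app format

def compile_failregex(failregex):
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # IPv4 capture group
    return re.compile(failregex.replace("<HOST>", host))

def find_bans(lines, failregex, maxretry=3, findtime=600):
    """Return [(ip, ban_time)] for IPs with >= maxretry failures inside a
    findtime-second window. lines are (unix_time, message) tuples."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)          # per-IP timestamps of recent failures
    bans, banned = [], set()
    for ts, msg in lines:
        m = pattern.search(msg)
        if not m or m.group("host") in banned:
            continue                     # no failure here, or already banned
        q = recent[m.group("host")]
        q.append(ts)
        while ts - q[0] > findtime:      # forget attempts outside the window
            q.popleft()
        if len(q) >= maxretry:
            bans.append((m.group("host"), ts))
            banned.add(m.group("host"))
    return bans

# Constructed sample logs (not real captures): three quick failures from one
# IP, two widely spaced ones from another, and a successful login.
SAMPLE_AUTH = [
    (1000, "sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2"),
    (1005, "sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2"),
    (1010, "sshd[2212]: Accepted publickey for alice from 198.51.100.5 port 4000 ssh2"),
    (1020, "sshd[2213]: Failed password for root from 203.0.113.7 port 51240 ssh2"),
    (1030, "sshd[2214]: Failed password for root from 198.51.100.9 port 4100 ssh2"),
    (2000, "sshd[2215]: Failed password for root from 198.51.100.9 port 4101 ssh2"),
]
SAMPLE_WEBAPP = [
    (1, "myapp: login failed user=bob ip=192.0.2.10"),
    (2, "myapp: login failed user=bob ip=192.0.2.10"),
    (3, "myapp: login failed user=bob ip=192.0.2.10"),
]

if __name__ == "__main__":
    print(find_bans(SAMPLE_AUTH, SSHD_FAILREGEX))      # [('203.0.113.7', 1020)]
    print(find_bans(SAMPLE_WEBAPP, WEBAPP_FAILREGEX))  # [('192.0.2.10', 3)]
```

The two slow failures from 198.51.100.9 fall outside the 600-second window, so that IP is never banned with the default settings.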
Firewall

• Netfilter to nftables
SELinux & AppArmor

• The kernel can monitor the execution of programs and ensure compliance with rules. If a rule is violated, SELinux or AppArmor prevents the operation or logs a warning.
Kernel Hardening

• Many options can be changed at runtime using the sysctl command. The /etc/sysctl.conf file contains settings that should be activated when the computer starts.
• Some options must already be passed as options when the kernel is started. In this case, the configuration is done through the /etc/default/grub file.
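A small audit that checks an sshd_config (root login blocked, key authentication, IPv4 only, as in the Securing SSH and Blocking IPv6 slides) and an /etc/sysctl.conf (IPv6 disabled plus two kernel exposure settings) against a baseline. This is an added example, not the slides' or any tool's own code; the baseline values are an assumed hardening choice, the sample files are constructed, and the precedence rules (sshd keeps the first occurrence of a keyword, sysctl applies later lines over earlier ones) are modelled explicitly.

```python
import re

# "Key value" (sshd_config) or "key = value" (sysctl.conf); '#' lines never match.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][\w.]*)\s*(?:=|\s)\s*(\S+)")

def parse_directives(text, first_wins):
    """sshd uses the first occurrence of a keyword; sysctl lets later lines
    override earlier ones, so the caller picks the precedence rule."""
    found = {}
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if first_wins:
                found.setdefault(key, value)
            else:
                found[key] = value
    return found

def audit(text, baseline, first_wins):
    """Return {directive: (expected, actual)} for every baseline entry that
    is missing or differs; an empty dict means the file meets the baseline."""
    actual = parse_directives(text, first_wins)
    return {k: (v, actual.get(k.lower())) for k, v in baseline.items()
            if actual.get(k.lower()) != v}

# Sample baselines (an assumed hardening choice, not taken from the slides).
SSHD_BASELINE = {"PermitRootLogin": "no",        # block direct root login
                 "PasswordAuthentication": "no",  # key authentication only
                 "AddressFamily": "inet"}         # IPv4 only
SYSCTL_BASELINE = {"net.ipv6.conf.all.disable_ipv6": "1",
                   "net.ipv6.conf.default.disable_ipv6": "1",
                   "kernel.kptr_restrict": "2",
                   "kernel.dmesg_restrict": "1"}

# Constructed sample files: sshd still permits root (its first match wins);
# sysctl leaves IPv6 enabled on new interfaces (default setting missing).
SAMPLE_SSHD = """# sshd_config
PermitRootLogin yes
PasswordAuthentication no
AddressFamily inet
PermitRootLogin no
"""
SAMPLE_SYSCTL = """net.ipv6.conf.all.disable_ipv6 = 1
kernel.kptr_restrict = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict=1
"""
print(audit(SAMPLE_SSHD, SSHD_BASELINE, first_wins=True))
print(audit(SAMPLE_SYSCTL, SYSCTL_BASELINE, first_wins=False))
```

Settings that only take effect at boot (the /etc/default/grub options) are outside what this file check can verify; for sysctl values the running state is what sysctl itself reports.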
Rootkit Detection

• Here’s a warning right away: the programs presented here perform basic security tests and detect quite a number of rootkits that were popular in the past. But none of the programs is perfect. False positives are not uncommon, while brand-new rootkits or other malware remain undetected (false negatives).
• chkrootkit
• Rkhunter
• Lynis (it does not look for rootkits, but rather for configuration issues and security vulnerabilities in the system)
Verifying Files from Packages

Scanning for Suspicious Ports and Processes