Merikanto

一簫一劍平生意,負盡狂名十五年

LPIC - 110 Linux Security

Veröffentlicht am in
Symbole im Artikel gezählt: 2.3k Wörter Lesezeit ≈ 3 min

Objective


Local Security

Methods

  • Password security
  • Limit root access
  • Set user limits - ulimit
  • Track SUID / SGID files
  • Use secure remote login protocols (Disable Telnet / FTP) 📌
    • Also disable protocols using cleartext passwords

Password Management

  • John the Ripper - spot poor passwords
  • /etc/shadow
  • /etc/passwd - world readable

1 - Limit root Access

Switch User

  • su - change user identity

Network Security

Restrict access to servers

  • Check existing network connections & Open ports
  • Super server restriction - Limit access
  • Disable unused servers

1 - Super Server

  • inetd - TCP Wrappers
  • xinetd - Built-in

How it works

  • Listen for network connections on behalf of another program
  • After connection initiated, hands off control to the intended server

Benefits

  • Reduce memory load
  • Security - Use security check in super server

Apply redundant access control whenever possible, to protect against bugs / misconfiguration.


inetd

Config file

  • /etc/inetd.conf
  • /etc/inetd.d/

Options

1
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd -l
  • Service name
  • Socket type
    • stream - Reliable 2-way connection
    • dgram - Less reliable connection, with less overhead
    • raw - Low-level connection to the network
  • Protocol - TCP / UDP
  • wait / nowait
    • nowait - server connects to client & fress the socket (For all socket types)
    • wait - server process all packets & timeout (For dgram socket types)
  • User - always run with a low-privileged user

1
2
3
# reload config file
kill -HUP [server pid]
killall -HUP [server name]

The SysV script use above technique to implement reload option.


TCP Wrappers

  • inetd calls tcpd

    • Checks whether client is authorized to access the server
    • If the client is authorized,tcpd calls the server program

  • Two config files

    • /etc/hosts.allow (takes precedence, if listed in both)
    • /etc/hosts.deny

  • Format

    1
    2
    3
    # in hosts.deny
    # blocks all in 192.168.7.0/24 subnet, except for 192.168.7.10
    192.168.7. EXCEPT 192.168.7.10

xinetd

Notes

  • Extended super server - inetd + security options
  • Config file - /etc/xinetd.conf

Access control via xinetd

  • Network interfaces - bind (Listen only one interface)
  • Allowed & Disallowed IPs
  • Access times - set times during which users may access the server

Firewall

  • Packet filters - access control based on low-level info about data packets
    • e.g. source / destination IP and ports
    • Linux kernel includes packet-filter firewall - iptables 📌
  • Proxy filters - partially process transaction, access control based on high-level features
    • e.g. web page retrieval, file / image name in a web page

2 - Scanning Servers

  • netstat
  • lsof - list open files
  • nmap

netstat

  • Listening - Omit client connections / server instances that are already connected to clients
1
2
3
4
5
# check active ports
netstat -pa

# check servers listening for connections
netstat -pl

lsof

  • File includes network connections
  • Also used for identifying who’s accessing files (before unmount a NFS, make sure it’s not busy) 📌 
1
2
3
4
5
6
7
8
# system-wide, basic use
sudo lsof -i
 
# search for connection with SSH port
lsof -i :ssh

# find active servers
lsof -i | grep LISTEN

nmap

  • Scan for open ports
1
2
3
4
5
# check open TCP ports
nmap -sT xx.com

# check open UDP ports, need root
sudo nmap -sU xx.com

Check Server Config Files

  • Startup script config
    • SysV - /etc/inittab
    • systemd
  • Super server config
    • inetd
    • xinetd


xx

1 - xx


2 - xx