Linux Security Presentation

The Seven Most Deadly Unix/Linux Sins

by Bob Toxen, author of Real World Linux Security: Intrusion Prevention, Detection, and Recovery, 2nd Ed.
Published by Prentice-Hall PTR, Copyright 2003, 848pp

CTO, Horizon Network Security
Your expert in Network & Unix/Linux security, including Adaptive Firewalls, VPNs, Virus and spam filters, local and remote backup software, 24x7 monitoring, audits, and consulting
www.verysecurelinux.com [email protected] 770-662-8321
Presentation Copyright 2002, 2003, 2004, 2005 Horizon Network Security
All statements & comments are the opinions of Horizon Network Security

Chattanooga Java Users Group 06/16/2005

Who are you?

  • System Administrator?
  • Security specialist?
  • Management?
  • Exclusively Windows?
  • Mostly Windows with some Linux/UNIX?
  • Mostly/exclusively Linux/UNIX?
  • How secure is your network?

The Seven Most Deadly Unix/Linux Sins

  • #1: Weak and default passwords
  • #2: Open network ports
  • #3: Old software versions
  • #4: Insecure and badly configured programs
  • #5: Insufficient resources/misplaced priorities
  • #6: Stale and unnecessary accounts
  • #7: PROCRASTINATION!!!

#1: Weak and default passwords

  • Verify that no default or empty passwords in use
  • Educate users on selecting good passwords (Thompson test)
      • No word or pair of words
      • Should be at least 10 chars (15-20 better)
      • Not based on personal info: SO, chil’n, car tag, hobby/interests
      • Do not use terms for computing or Science Fiction
      • Do not rely on capitalization
      • Do not rely on substitutions (zero for "oh", one for "el")
  • Use cracklib, etc. to ensure good passwords selected
  • Use crack, etc. to try to crack passwords (with written management approval)
  • Avoid unencrypted passwords on disk and over network

#2: Open network ports

  • Turn off NFS, portmap, mountd, telnet, FTP, lpd/cups, auth, etc.
  • Turn off named (DNS) unless serving to other systems
  • If you send mail out but not in, remove "-bd"
  • If sendmail must receive local mail, listen on only IP 127.0.0.1:
      "O DaemonPortOptions=Name=MTA, Address=127.0.0.1"
  • Check for daemons and turn unneeded ones off
      netstat -anp | more
      ports | more
      ps -axlww | more
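An added example, not part of the original slides: a filter for `netstat -anp` output that lists only the sockets other hosts can reach and marks the services slide #2 says to turn off. The function names, the port table (standard well-known port numbers) and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Well-known ports of the services named on the slide (assumed table, extend as needed).
RISKY='21=ftp 23=telnet 25=smtp 53=dns 111=portmap 113=auth 515=lpd 631=cups 2049=nfs'

# Reads Linux `netstat -anp` output on stdin; prints one line per network-reachable listener.
audit_listeners() {
    awk -v risky="$RISKY" '
    BEGIN {
        n = split(risky, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); name[kv[1]] = kv[2] }
    }
    # TCP listeners are in state LISTEN; unconnected UDP sockets have a "*" foreign port.
    ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
        laddr = $4
        port = laddr; sub(/.*:/, "", port)            # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        # Loopback-only sockets (e.g. sendmail bound to 127.0.0.1) are not reachable remotely.
        if (addr ~ /^127\./ || addr == "::1") next
        prog = ($1 ~ /^tcp/) ? $7 : $6                # UDP lines have no State column
        tag = (port in name) ? ("RISKY(" name[port] ")") : "review"
        printf "%s %s %s %s\n", tag, $1, laddr, prog
    }'
}

# Constructed sample listing, so the example runs without a live system.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/portmap
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      705/xinetd
tcp        0      0 192.0.2.10:22           192.0.2.50:51514        ESTABLISHED 1450/sshd
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
unix  2      [ ACC ]     STREAM     LISTENING     5120     700/syslogd  /dev/log
EOF
}

sample_netstat | audit_listeners
```

On a live host, run `netstat -anp | audit_listeners` as root so the PID/Program column is filled in.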

#3: Old software versions

  • Patch quickly (but carefully, with testing)
  • Upgrade before a vendor stops support of current version
  • Dump vendors that do not issue timely patches (24 hours is typical of good vendors.)
  • Dump vendors and programs with a poor security history

#4: Insecure and badly configured programs

  • If you run named (DNS) or auth (ident), do not run as root
  • Don’t run Apache as root but have its files owned by root mode 644 (-rw-r--r--); use suEXEC for CGIs
  • Don’t use PHP (too many recent security bugs)
  • Audit CGIs by one who understands secure programming
  • Good programming practices in CGIs
  • Rings of Security (suEXEC)

#5: Insufficient resources/misplaced priorities

  • Not a technical problem but "selling" management is critical
  • Show management "asides" in RWLS; that’s what they’re for
  • Give management Schneier’s "Secrets and Lies: Digital Security in a Networked World"
  • Do demonstrations of secure products, e.g., Linux Firewalls or Servers and problems with existing systems (Don’t attack systems without written permission)
  • Never give up (but don’t risk your career)

#6: Stale and unnecessary accounts

  • Document everywhere each class of user has passwords or access cards, including SysAdmins, vendors, consultants
  • Suggest to HR policy that SysAdmins be told of termination, disable access when person is "getting the word"
  • Give each new user a different initial good password; most never will change it; I use current events (Do not give the same password to different users)
  • Use a different password for each hi-security account

#7: PROCRASTINATION!!!

  • Most SysAdmins who suffered break-ins knew they had patches or reconfigurations to do but delayed doing it

Questions?

The Seven Most Deadly Unix/Linux Sins
by Bob Toxen, author of Real World Linux Security 2nd Ed.
Published by Prentice-Hall PTR, Copyright 2003, 848pp

CTO, Horizon Network Security
Your expert in Network & Unix/Linux security
www.verysecurelinux.com [email protected] 770-662-8321

Chattanooga Java Users Group 06/16/2005
Presented by Magic Point, the Unix/Linux Open Source tool
