Complete Reference of Linux Security Mechanisms

  • TCP Wrappers
  • /etc/hosts.allow and /etc/hosts.deny
  • inetd and xinetd
  • PAMs
  • SELinux
  • Insecure Linux Utilities

TCP Wrappers

  • TCP Wrappers is built into most distros
  • Adds IP filtering capability
  • Enables access logging for the host
  • Uses the tcpd daemon
  • Allows the administrator to allow or deny access to the host based upon the requesting host or domain
  • Hosts can be allowed access to only certain network services while being denied access to all others
  • Provides a good method of restricting access to systems and of detecting unauthorized access attempts through its logging and notification capability
  • Provides the capability to display messages prior to a logon attempt
  • Preferred method of displaying system-warning banners
  • Uses the hosts.allow and hosts.deny files to control access

hosts.allow and hosts.deny files

  • Two text files used to control access to the host from other systems:
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/hosts.allow is always read first, top to bottom
  • Lists hosts and networks allowed to access the server
  • Read until a matching entry is found, then takes the action (allows the connection)
  • Each file entry gives the service to be accessed, the client list, and options
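The lookup order described above, as an added shell example that is not part of the original notes: it writes constructed hosts.allow and hosts.deny files into a temporary directory and applies the documented order (hosts.allow is consulted first, first matching line wins, then hosts.deny; a request matching neither file is granted, which is libwrap's default). Only a subset of the access-control syntax is handled (ALL, exact daemon or host names, leading-dot domain suffixes, trailing-dot network prefixes); the function names and the sample policy are my own.

```sh
#!/bin/sh
# Added example: simulate TCP Wrappers' hosts.allow / hosts.deny lookup order.
# Handles a subset of the syntax: ALL, exact names, ".domain" suffixes and
# "192.168.1." network prefixes.  Constructed sample files, not a real policy.

# Does pattern $2 cover item $1 (a daemon name or a client address/host)?
wrap_pattern_matches() {
  item=$1; pat=$2
  case "$pat" in
    ALL) return 0 ;;
    .*)  case "$item" in *"$pat") return 0 ;; esac ;;   # domain suffix
    *.)  case "$item" in "$pat"*) return 0 ;; esac ;;   # network prefix
    *)   [ "$item" = "$pat" ] && return 0 ;;
  esac
  return 1
}

# Does any pattern in the comma/space separated list $2 cover item $1?
wrap_list_matches() {
  item=$1
  for pat in $(printf '%s' "$2" | tr ',' ' '); do
    wrap_pattern_matches "$item" "$pat" && return 0
  done
  return 1
}

# Does some "daemon_list : client_list [: option]" line in file $3 match
# service $1 from client $2?  Lines are read top to bottom; first match wins.
wrap_file_matches() {
  svc=$1; client=$2; file=$3
  [ -r "$file" ] || return 1
  while IFS= read -r line; do
    line=${line%%#*}                      # drop comments
    case "$line" in *:*) ;; *) continue ;; esac
    daemons=${line%%:*}
    rest=${line#*:}
    clients=${rest%%:*}                   # ignore the optional third field
    if wrap_list_matches "$svc" "$daemons" && wrap_list_matches "$client" "$clients"; then
      return 0
    fi
  done < "$file"
  return 1
}

# Decision for service $1 from client $2: 0 = allow, 1 = deny.  $3 is the
# directory holding the two files (defaults to /etc for use on a real host).
tcpwrap_decide() {
  dir=${3:-/etc}
  if wrap_file_matches "$1" "$2" "$dir/hosts.allow"; then return 0; fi
  if wrap_file_matches "$1" "$2" "$dir/hosts.deny";  then return 1; fi
  return 0                                # matched neither file: access granted
}

# Constructed sample policy: sshd from the LAN and anything from the trusted
# domain is allowed; everything else hits the catch-all in hosts.deny.
tcpwrap_demo() {
  demo_dir=$(mktemp -d)
  printf 'sshd: 192.168.1.\nALL: .trusted.example.com\n' > "$demo_dir/hosts.allow"
  printf 'ALL: ALL\n' > "$demo_dir/hosts.deny"
  for c in 192.168.1.10 10.0.0.5 db1.trusted.example.com; do
    if tcpwrap_decide sshd "$c" "$demo_dir"; then verdict=allow; else verdict=deny; fi
    echo "sshd from $c: $verdict"
  done
  rm -rf "$demo_dir"
}
tcpwrap_demo
```

Deleting the `ALL: ALL` line from hosts.deny is what turns the policy from default-deny into default-allow, which is why the notes treat hosts.deny as the file that backstops hosts.allow.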

inetd and xinetd

  • inetd is a daemon that listens for network connection requests and services them by spawning another process
  • Network-accessible services are defined in the inetd.conf text file
  • If a service is not listed in inetd.conf, inetd will not listen for it and the attempted connection is refused
  • Use inetd.conf to limit the services that can be accessed by taking them out of the file
  • Syslog logging/tracing can be enabled so that inetd logs all incoming connections by IP
  • The inetd.conf file should be owned by root or bin and assigned permissions of 440
  • xinetd is the replacement daemon for inetd
  • Offers a wider range of functionality and is far more configurable
  • More secure than inetd
  • Better logging capabilities
  • Ability to restrict access to services based upon time
  • Can limit the number of services startable at one time
  • Built-in defenses against port scanners
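The "take them out of the file" step above, as an added shell example that is not part of the original notes: it inventories the services a constructed inetd.conf exposes, flags the clear-text ones named later on this page (the r-commands, telnet, ftp), flags services not launched through tcpd and therefore outside hosts.allow/hosts.deny control, and comments one service out. The inetd.conf content and the function names are my own; the column layout (service, socket type, protocol, wait flag, user, server program, arguments) is the standard one.

```sh
#!/bin/sh
# Added example: inventory and prune services in an inetd.conf.
# The sample file is constructed for the example, not taken from a real host.

# Print the service name (field 1) of every active, non-comment line.
inetd_enabled_services() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}

# Active services known to carry credentials in clear text.
inetd_cleartext_services() {
  inetd_enabled_services "$1" | awk '/^(ftp|telnet|shell|login|exec)$/'
}

# Active services whose server program (field 6) is not tcpd, i.e. which
# are not subject to hosts.allow / hosts.deny.
inetd_unwrapped_services() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '$6 !~ /\/tcpd$/ { print $1 }'
}

# Comment out service $2 in file $1 (via a temp file; avoids GNU-only sed -i).
inetd_disable_service() {
  sed "s/^\($2[[:space:]]\)/#\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

inetd_demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed inetd.conf for the example
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd        in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
  echo "enabled:    $(inetd_enabled_services "$f" | tr '\n' ' ')"
  echo "clear-text: $(inetd_cleartext_services "$f" | tr '\n' ' ')"
  echo "unwrapped:  $(inetd_unwrapped_services "$f" | tr '\n' ' ')"
  inetd_disable_service "$f" telnet
  echo "after disabling telnet: $(inetd_enabled_services "$f" | tr '\n' ' ')"
  rm -f "$f"
}
inetd_demo
```

Run the three inventory functions against a real /etc/inetd.conf to see what a host exposes; a non-empty clear-text or unwrapped list is the finding to act on.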

Pluggable Authentication Modules (PAMs)

  • Mechanism allowing multiple authentication methods for Linux
  • Separates applications from the authentication method
  • Enables different methods such as smart cards, passwords, and biometric methods to be used
  • Allows more secure levels of encryption
  • Enables usage of shadow password mechanisms on the fly
  • Can be used to restrict resources available to users (processor time, memory, etc.)
  • Can restrict users' allowable login times/duration
  • Can restrict logins to originate from certain systems
  • Can be used to disable system-wide usage of the .rhosts file
  • Can be used to force stronger methods of authentication on users despite insecure configurations
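The "allowable login times" bullet above, as an added shell example that is not part of the original notes: it evaluates rules in the pam_time format (one line of `services;ttys;users;times`) the way that module decides access. Only a subset is implemented (exact or `*` services, `*` ttys, user lists joined with `|` and optionally negated with `!`, day codes Mo..Su/Wk/Wd/Al followed by HHMM-HHMM ranges joined with `|`); a rule that matches the service and user but whose times do not cover the login moment denies access, and a login matched by no rule is allowed. The sample rules and function names are my own.

```sh
#!/bin/sh
# Added example: evaluate pam_time-style login-time rules.
# Rule line: services;ttys;users;times   e.g.  login;*;!root;Wk0800-1800

# Strip leading zeros so "0800" compares numerically with "800".
num() { z=${1%%[!0]*}; v=${1#"$z"}; echo "${v:-0}"; }

# Does weekday $1 (Mo Tu We Th Fr Sa Su) fall under the day codes in $2?
# Wk = weekdays, Wd = weekend, Al = every day; codes may be concatenated.
day_in_codes() {
  case "$2" in *Al*) return 0 ;; esac
  case "$1" in
    Mo|Tu|We|Th|Fr) case "$2" in *Wk*) return 0 ;; esac ;;
    Sa|Su)          case "$2" in *Wd*) return 0 ;; esac ;;
  esac
  case "$2" in *"$1"*) return 0 ;; esac
  return 1
}

# Does time HHMM $2 on weekday $1 fall inside one spec $3 like Wk0800-1800?
time_spec_covers() {
  codes=${3%%[0-9]*}                 # leading day codes
  range=${3#"$codes"}                # HHMM-HHMM
  day_in_codes "$1" "$codes" || return 1
  [ "$(num "$2")" -ge "$(num "${range%-*}")" ] && [ "$(num "$2")" -lt "$(num "${range#*-}")" ]
}

# Does user $1 match a users field such as "*", "alice|bob" or "!root"?
user_in_field() {
  case "$2" in
    '*')  return 0 ;;
    '!'*) if user_in_field "$1" "${2#!}"; then return 1; else return 0; fi ;;
  esac
  case "|$2|" in *"|$1|"*) return 0 ;; esac
  return 1
}

# 0 (allow) or 1 (deny) for service $2, user $3, weekday $4, time $5 under
# the newline-separated rules in $1.  The ttys field is read but not checked.
pam_time_allows() {
  rules=$1; svc=$2; user=$3; day=$4; hhmm=$5
  while IFS=';' read -r r_svc r_tty r_users r_times; do
    [ -n "$r_svc" ] || continue
    [ "$r_svc" = '*' ] || [ "$r_svc" = "$svc" ] || continue
    user_in_field "$user" "$r_users" || continue
    covered=0
    old_ifs=$IFS; IFS='|'
    for spec in $r_times; do time_spec_covers "$day" "$hhmm" "$spec" && covered=1; done
    IFS=$old_ifs
    [ "$covered" -eq 1 ] || return 1    # rule matched but time window did not
  done <<EOF
$rules
EOF
  return 0                              # no rule refused the login
}

# Constructed rules: console logins for everyone but root only on weekdays
# 08:00-18:00; sshd for alice and bob any day 07:00-22:00.
RULES='login;*;!root;Wk0800-1800
sshd;*;alice|bob;Al0700-2200'

pam_time_demo() {
  for probe in "login alice Mo 0900" "login alice Mo 1900" "login alice Sa 0900" \
               "login root Su 0300" "sshd bob Fr 2130" "sshd carol Fr 2300"; do
    set -- $probe
    if pam_time_allows "$RULES" "$1" "$2" "$3" "$4"; then verdict=allow; else verdict=deny; fi
    echo "$1 $2 $3 $4: $verdict"
  done
}
pam_time_demo
```

Note that carol is allowed over sshd only because no rule names her: pam_time is a restriction layer, so a user you want to confine must actually appear in a rule's users field.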

SELinux

  • Not a distro of Linux per se
  • Method of securing Linux developed by the National Security Agency
  • Uses Linux Security Modules in the Linux kernel
  • Uses the Mandatory Access Control model instead of the Discretionary Access Control model
  • Uses “labels” attached to resources
  • Security principals are granted access based upon the classification “label” of the data
  • Separates information based upon confidentiality and integrity requirements
  • Comes as part of newer distro versions such as Red Hat Fedora, Gentoo, and SuSE
  • Can be very difficult to configure
  • Replaces many traditional Linux security mechanisms

Insecure Linux Utilities

  • Many built-in utilities and applications are insecure by default
  • The ‘r-commands’ (rlogin, rsh, etc.) are older and insecure
  • Largely deprecated in use but still exist
  • Most remote tools have been replaced with ssh
  • Includes the r-commands, telnet, and ftp
  • Lack of encryption and vulnerabilities that allow unauthenticated root access into the system
  • ssh provides encryption and mutual authentication for remote access
  • ‘cron’ and ‘at’ are critical utilities that can leave your system vulnerable if left unsecured
  • Used to schedule jobs at given times or intervals
  • Can be exploited to run jobs under elevated privileges by unauthorized users
  • Ensure ‘cron’ and ‘at’ configuration files are secured and only authorized users are allowed to run ‘cron’ or ‘at’
  • Lock down configuration files with restrictive permissions (600)
  • Ensure that root is the owner of the configuration files
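The permission and ownership targets on this page (inetd.conf owned by root or bin with mode 440 in the inetd section; cron and at configuration owned by root with mode 600 here), as one added shell audit that is not part of the original notes. The policy test is pure logic (the file must grant no permission bits beyond the target and must be owned by one of the allowed users), the file lookup uses GNU/busybox `stat -c`, and the "only authorized users" bullet is checked by the presence of cron.allow / at.allow. The file list in `audit_host` and all function names are my own.

```sh
#!/bin/sh
# Added example: audit ownership and mode of scheduler and inetd config files.

# 0 if octal mode $1 grants nothing beyond octal $3 and owner $2 is one of
# the space-separated names in $4.  Pure logic, so it is testable offline.
perm_policy_ok() {
  mode=$1; owner=$2; max_mode=$3; owners=$4
  [ $(( 0$mode & ~0$max_mode )) -eq 0 ] || return 1   # extra bits set?
  for o in $owners; do [ "$owner" = "$o" ] && return 0; done
  return 1
}

# Audit one real file: prints a verdict; 0 = ok, 1 = violation, 2 = missing.
audit_cfg_file() {
  path=$1; max_mode=$2; owners=$3
  [ -e "$path" ] || { echo "$path: missing"; return 2; }
  set -- $(stat -c '%a %U' "$path")      # GNU/busybox stat: octal mode, owner
  if perm_policy_ok "$1" "$2" "$max_mode" "$owners"; then
    echo "$path: ok (mode $1, owner $2)"
  else
    echo "$path: VIOLATION (mode $1, owner $2; want <= $max_mode, owner in: $owners)"
    return 1
  fi
}

# With $1/$2.allow present (cron.allow or at.allow), only the users listed
# there may submit jobs; its absence means access is not pinned to a list.
sched_allowlist_present() {
  [ -f "$1/$2.allow" ]
}

# Apply the page's targets to a host.  Paths are the conventional ones and are
# an assumption of this example; adjust for your distribution.
audit_host() {
  rc=0
  audit_cfg_file /etc/inetd.conf 440 "root bin" || rc=1
  for f in /etc/crontab /etc/cron.allow /etc/at.allow; do
    audit_cfg_file "$f" 600 root || rc=1
  done
  for tool in cron at; do
    sched_allowlist_present /etc "$tool" \
      || echo "/etc/$tool.allow absent: $tool access is not restricted to an explicit user list"
  done
  return $rc
}

if audit_host; then echo "all checks passed"; else echo "one or more checks failed"; fi
```

The bitwise test is deliberately "no more permissive than" rather than "exactly equal": a root-owned crontab at mode 400 is tighter than the page's 600 and should not be reported as a violation.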

Rajesh Kumar