Complete Reference of Linux Security Mechanisms

  • TCP Wrappers
  • hosts.allow and hosts.deny files
  • inetd and xinetd
  • PAMs
  • SELinux
  • Unsecure Linux Utilities

TCP Wrappers

  • TCP Wrappers is built into most distros
  • Adds IP filtering capability
  • Enables access logging for host
  • Uses the tcpd daemon
  • Allows administrator to allow or deny access to host based upon system or domain
  • Hosts can be allowed access to only certain network services while being denied access to all others
  • Provides good method of restricting access to systems and of detecting unauthorized access attempts through logging and notification capability
  • Provides the capability to display messages prior to a logon attempt
  • Preferred method of displaying system-warning banners
  • Uses hosts.allow and hosts.deny files to control access

hosts.allow and hosts.deny files

  • Two text files used to control access to host from other systems:
  • /etc/hosts.allow
  • /etc/hosts.deny
  • /etc/hosts.allow is always read first, top to bottom
  • Lists hosts & networks allowed to access server
  • Read until matching entry is found, then takes action (allows connection)
  • Each entry in the file specifies the service to be accessed, the client list, and options.
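
The read order described above, as an added example (not code from the original page): a simplified shell model of how a connection is checked against hosts.allow first and hosts.deny second. The function names, the supported pattern subset and the sample rules are assumptions made for illustration; the final "allow when neither file matches" branch is standard TCP Wrappers behaviour and is not stated on this page.

```shell
#!/bin/sh
# Added example: simplified model of TCP Wrappers rule evaluation.
# Supported subset: "daemon_list : client_list" lines, the ALL wildcard,
# exact names/addresses, "192.0.2." prefixes and ".example.com" suffixes.

# matches_list ITEM LIST: true if ITEM matches any pattern in LIST
matches_list() {
    item=$1
    for pat in $(printf '%s' "$2" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;
            *.)  case $item in "$pat"*) return 0 ;; esac ;;  # network prefix
            .*)  case $item in *"$pat") return 0 ;; esac ;;  # domain suffix
            *)   if [ "$item" = "$pat" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# first_match FILE DAEMON CLIENT: scan top to bottom, stop at first match
first_match() {
    [ -r "$1" ] || return 1
    while IFS=: read -r daemons clients _rest; do
        case $daemons in ''|'#'*) continue ;; esac
        if matches_list "$2" "$daemons" && matches_list "$3" "$clients"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpw_decide ALLOW_FILE DENY_FILE DAEMON CLIENT: prints allow or deny
tcpw_decide() {
    if first_match "$1" "$3" "$4"; then echo allow    # hosts.allow is read first
    elif first_match "$2" "$3" "$4"; then echo deny   # then hosts.deny
    else echo allow                                   # no rule in either file
    fi
}

# Constructed sample rules (documentation address ranges) in a temp directory.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'sshd : 192.0.2. , .example.com' > "$demo/hosts.allow"
printf '%s\n' 'ALL : ALL' > "$demo/hosts.deny"
for client in 192.0.2.10 198.51.100.7; do
    echo "sshd from $client: $(tcpw_decide "$demo/hosts.allow" "$demo/hosts.deny" sshd "$client")"
done
rm -rf "$demo"
```

With a catch-all `ALL : ALL` in hosts.deny, only the clients listed in hosts.allow get through; with an empty hosts.deny, every unmatched client is allowed.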

inetd and xinetd

  • inetd program is a daemon that listens for network connection requests and services them by spawning another process
  • Network accessible services are defined in inetd.conf text file
  • If service is not listed in inetd.conf, inetd will not listen for it and will refuse attempted connections
  • Use inetd.conf to limit services that can be accessed by taking them out of file
  • Syslog logging/tracing can be enabled so that inetd logs all incoming connections by IP
  • inetd.conf file should be owned by root or bin and assigned permissions of 440
  • xinetd is replacement daemon for inetd
  • Offers wider range of functionality – far more configurable
  • More secure than inetd
  • Better logging capabilities
  • Ability to restrict access to services based upon time
  • Can limit number of startable services at one time
  • Built in defenses against port scanners

Pluggable Authentication Modules (PAMs)

  • Mechanism allowing multiple authentication methods for Linux
  • Separates applications from authentication method
  • Enables different methods such as smart cards, passwords, and biometric methods to be used
  • Allows more secure levels of encryption
  • Enables usage of shadow password mechanisms on the fly
  • Can be used to restrict resources available to users (processor time, memory, etc.)
  • Can restrict users' allowable login times/duration
  • Can restrict login to originate from certain systems
  • Use to disable system-wide usage of .rhosts file
  • Can be used to force stronger methods of authentication on users despite insecure configurations.

SELinux

  • Not a distro of Linux per se
  • Method of securing Linux developed by National Security Agency
  • Uses Linux Security Modules in the Linux kernel
  • Uses Mandatory Access Control model vice Discretionary Access Control model
  • Uses “labels” attached to resources
  • Security principals granted access based upon classification “label” of data
  • Separates information based upon confidentiality and integrity requirements
  • Comes as part of newer distro versions such as RedHat Fedora, Gentoo, and SuSE
  • Can be very difficult to configure
  • Replaces many traditional Linux security mechanisms

Unsecure Linux Utilities

  • Many built-in utilities and applications unsecure by default
  • ‘r-commands’ (rlogin, rshell, etc.) are older and unsecure
  • Largely deprecated in use but still exist
  • Most remote tools have been replaced with ssh
  • Includes r commands, telnet, and ftp
  • Lack of encryption and vulnerabilities that allow unauthenticated root access into system
  • ssh provides for encryption and mutual authentication for remote access
  • ‘cron’ and ‘at’ are critical utilities that can leave your system vulnerable if left unsecured
  • Used to schedule jobs at given time intervals
  • Can be exploited to run jobs under elevated privileges by unauthorized users
  • Ensure ‘cron’ and ‘at’ configuration files are secured and only authorized users are allowed to run ‘cron’ or ‘at’
  • Lock down configuration files with restrictive permissions (600)
  • Ensure that root is the owner of configuration files
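
An added example (not from the original page) that audits the ownership and permission guidance given above for inetd.conf (root or bin, 440) and for the cron and at configuration files (root, 600). The function names are hypothetical, the /etc paths are the conventional locations and vary by distro, and `stat -c` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: audit owner and mode of the files named in the guidance above.
# Assumes GNU or BusyBox stat (-c); the /etc paths are conventional, not universal.

# check_file FILE MAX_MODE "OWNER...": fails if FILE has any permission bit
# outside MAX_MODE or an owner not in the list. Absent files are skipped.
check_file() {
    file=$1 max=$2 owners=$3
    if [ ! -e "$file" ]; then
        echo "SKIP $file (not present)"
        return 0
    fi
    set -- $(stat -L -c '%a %U' "$file")
    mode=$1 owner=$2
    extra=$(( 0$mode & ~0$max & 07777 ))     # bits set beyond the allowed mode
    case " $owners " in
        *" $owner "*) owner_ok=1 ;;
        *)            owner_ok=0 ;;
    esac
    if [ "$extra" -eq 0 ] && [ "$owner_ok" -eq 1 ]; then
        echo "OK   $file mode=$mode owner=$owner"
        return 0
    fi
    echo "FAIL $file mode=$mode owner=$owner (want mode within $max, owner in: $owners)"
    return 1
}

# audit_configs: apply the page's recommendations to the conventional paths
audit_configs() {
    rc=0
    check_file /etc/inetd.conf 440 "root bin" || rc=1      # inetd.conf: root or bin, 440
    for f in /etc/crontab /etc/cron.allow /etc/cron.deny /etc/at.allow /etc/at.deny; do
        check_file "$f" 600 "root" || rc=1                 # cron/at: root, 600
    done
    return "$rc"
}

audit_configs || echo "One or more files are looser than the recommended settings."
```

A file with fewer permission bits than the target (for example 400 against 600) passes, since the check only flags bits beyond the recommended mode.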
