
Complete Reference of Linux Security Mechanisms

  • TCP Wrappers
  • /etc/hosts.allow and /etc/hosts.deny
  • inetd and xinetd
  • PAMs
  • SELinux
  • Insecure Linux Utilities

TCP Wrappers

  • TCP Wrappers is built into most distros
  • Adds IP filtering capability
  • Enables access logging for the host
  • Uses the tcpd daemon
  • Allows the administrator to allow or deny access to the host based upon host or domain
  • Hosts can be allowed access to only certain network services while being denied access to all others
  • Provides a good method of restricting access to systems and of detecting unauthorized access attempts through its logging and notification capability
  • Provides the capability to display messages prior to a logon attempt
  • Preferred method of displaying system-warning banners
  • Uses the hosts.allow and hosts.deny files to control access

hosts.allow and hosts.deny files

  • Two text files used to control access to the host from other systems:
      • /etc/hosts.allow
      • /etc/hosts.deny
  • /etc/hosts.allow is always read first, top to bottom
  • Lists hosts & networks allowed to access the server
  • Read until a matching entry is found, then the action is taken (the connection is allowed)
  • If nothing in /etc/hosts.allow matches, /etc/hosts.deny is read the same way; a match there refuses the connection, and a client matched by neither file is allowed
  • Each entry specifies the service to be accessed, the client list, and optional per-rule settings
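To see that evaluation order in action, here is an added example (it is not part of the original notes) that re-implements the allow-then-deny decision over constructed hosts.allow and hosts.deny files written to a temporary directory. It understands only the common client patterns (ALL, an exact host or address, a network prefix ending in "." and a domain suffix starting with "."); the real libwrap grammar also has EXCEPT, netmasks and per-rule options, which are left out here.

```shell
#!/bin/sh
# Added example, not part of the original notes: a minimal stand-in for the
# TCP Wrappers decision order, run over constructed hosts.allow / hosts.deny
# files. Only ALL, exact values, "prefix." and ".suffix" patterns are handled.
set -u
WRAP_DIR="$(mktemp -d)"

# Constructed hosts.allow: each line is "daemon_list : client_list".
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# service   : clients
sshd        : 192.168.1.          # the whole 192.168.1.0/24 network, by prefix
vsftpd      : .corp.example       # any host under the corp.example domain
ALL         : 127.0.0.1
EOF

# Constructed hosts.deny: refuse whatever hosts.allow did not match.
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
ALL : ALL
EOF

# pattern_matches PATTERN VALUE -> 0 when the wrappers-style pattern covers VALUE
pattern_matches() {
  local pat="$1" val="$2"
  case "$pat" in
    ALL) return 0 ;;
    *.)  [ "${val#"$pat"}" != "$val" ] && return 0 ;;   # prefix, e.g. 192.168.1.
    .*)  [ "${val%"$pat"}" != "$val" ] && return 0 ;;   # suffix, e.g. .corp.example
    *)   [ "$pat" = "$val" ] && return 0 ;;
  esac
  return 1
}

# file_matches FILE SERVICE CLIENT -> 0 when some rule in FILE matches both
file_matches() {
  local file="$1" svc="$2" client="$3" line daemons clients d c
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                                   # drop comments
    case "$line" in *:*) ;; *) continue ;; esac          # skip blank lines
    daemons="$(printf '%s' "${line%%:*}" | tr ',' ' ')"
    clients="${line#*:}"
    clients="$(printf '%s' "${clients%%:*}" | tr ',' ' ')"   # ignore option fields
    for d in $daemons; do
      pattern_matches "$d" "$svc" || continue
      for c in $clients; do
        pattern_matches "$c" "$client" && return 0
      done
    done
  done < "$file"
  return 1
}

# decide SERVICE CLIENT -> prints "allow" or "deny" in the libwrap order:
# 1. hosts.allow match -> allow; 2. hosts.deny match -> deny; 3. no match -> allow
decide() {
  if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then
    echo allow
  elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then
    echo deny
  else
    echo allow
  fi
}

# Constructed probes: service name as tcpd sees it, then the client address/name.
for probe in "sshd 192.168.1.25" "sshd 10.0.0.5" "vsftpd ftp.corp.example" \
             "in.telnetd 127.0.0.1" "in.telnetd 10.0.0.5"; do
  set -- $probe
  printf '%-12s %-20s %s\n' "$1" "$2" "$(decide "$1" "$2")"
done
```

Because a client matched by neither file is allowed, the ALL : ALL line in hosts.deny is what turns this into a default-deny policy; without it, sshd from 10.0.0.5 would be admitted even though no allow rule covers it.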

inetd and xinetd

  • inetd is a daemon that listens for network connection requests and services them by spawning another process
  • Network-accessible services are defined in the inetd.conf text file
  • If a service is not listed in inetd.conf, inetd will not listen for it and will refuse the attempted connection
  • Use inetd.conf to limit the services that can be accessed by taking them out of the file
  • Syslog logging/tracing can be enabled so that inetd logs all incoming connections by IP
  • The inetd.conf file should be owned by root or bin and assigned permissions of 440
  • xinetd is the replacement daemon for inetd
  • Offers a wider range of functionality – far more configurable
  • More secure than inetd
  • Better logging capabilities
  • Ability to restrict access to services based upon time
  • Can limit the number of startable services at one time
  • Built-in defenses against port scanners
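The xinetd restrictions listed above (time windows, instance limits, logging, source restriction) are per-service attributes. As an added example that is not part of the original notes, the script below writes two constructed service files into a temporary directory, one left at defaults and one restricted, and a small checker reports which hardening attributes each file lacks. The attribute names are real xinetd ones; the file contents and paths are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: constructed xinetd service
# files plus a checker for the restriction attributes the notes describe.
set -u
XD="$(mktemp -d)"

# Constructed: a telnet service left at defaults (no restrictions, still enabled).
cat > "$XD/telnet" <<'EOF'
service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    disable     = no
}
EOF

# Constructed: the same service restricted to one subnet and business hours,
# capped at 5 concurrent instances, with success and failure logging to syslog.
cat > "$XD/telnet-hardened" <<'EOF'
service telnet
{
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    only_from      = 192.168.1.0/24
    access_times   = 08:00-18:00
    instances      = 5
    per_source     = 2
    log_type       = SYSLOG authpriv
    log_on_success += HOST PID DURATION
    log_on_failure += HOST
    disable        = no
}
EOF

# xinetd_attr FILE NAME -> prints the value of attribute NAME ("=" or "+=" form)
xinetd_attr() {
  awk -v name="$2" '
    $1 == name && ($2 == "=" || $2 == "+=") {
      $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit
    }' "$1"
}

# xinetd_missing FILE -> space-separated list of hardening attributes the
# service file does not set (empty output means all of them are present)
xinetd_missing() {
  local f="$1" attr missing=""
  for attr in only_from access_times instances log_on_success log_on_failure; do
    [ -n "$(xinetd_attr "$f" "$attr")" ] || missing="$missing $attr"
  done
  printf '%s\n' "${missing# }"
}

# xinetd_enabled FILE -> 0 unless the file says "disable = yes"
xinetd_enabled() {
  [ "$(xinetd_attr "$1" disable)" != "yes" ]
}

for f in "$XD/telnet" "$XD/telnet-hardened"; do
  if xinetd_enabled "$f"; then state=enabled; else state=disabled; fi
  printf '%s: %s; missing: %s\n' "$(basename "$f")" "$state" "$(xinetd_missing "$f")"
done
```

Run against a real /etc/xinetd.d directory the loop would simply iterate over its files; the point of the checker is that an enabled service with an empty restriction list is the case worth flagging, and that a legacy service such as telnet is better disabled outright than restricted.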

Pluggable Authentication Modules (PAMs)

  • Mechanism allowing multiple authentication methods for Linux
  • Separates applications from the authentication method
  • Enables different methods such as smart cards, passwords, and biometric methods to be used
  • Allows more secure levels of encryption
  • Enables usage of shadow password mechanisms on the fly
  • Can be used to restrict resources available to users (processor time, memory, etc.)
  • Can restrict users' allowable login times/duration
  • Can restrict login to originate from certain systems
  • Use to disable system-wide usage of the .rhosts file
  • Can be used to force stronger methods of authentication on users despite insecure configurations
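Each of the restrictions above maps to a module in a service's PAM stack: pam_access.so for login origin, pam_time.so for login times, pam_limits.so for resource limits, and the absence of pam_rhosts.so for the .rhosts behaviour. As an added example that is not part of the original notes, the script below writes two constructed stacks to a temporary directory and checks which of those modules each one wires in. The file names and contents are assumptions for the demo; the module names and the four-column pam.d syntax are real.

```shell
#!/bin/sh
# Added example, not part of the original notes: constructed PAM stacks and a
# checker for the restriction modules the notes describe.
set -u
PD="$(mktemp -d)"

# Constructed stack (assumed /etc/pam.d/<service> contents) using the modules
# that implement origin, time and resource restrictions plus shadow passwords.
cat > "$PD/remote-login" <<'EOF'
# type     control    module           arguments
auth       required   pam_unix.so
account    required   pam_access.so                # origin rules in /etc/security/access.conf
account    required   pam_time.so                  # login windows in /etc/security/time.conf
account    required   pam_unix.so
password   required   pam_unix.so      sha512 shadow use_authtok
session    required   pam_limits.so                # limits from /etc/security/limits.conf
session    required   pam_unix.so
EOF

# Constructed stack that still trusts ~/.rhosts and carries none of the restrictions.
cat > "$PD/legacy-login" <<'EOF'
auth       sufficient pam_rhosts.so
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so
EOF

# pam_has_module FILE MODULE -> 0 if a non-comment line names MODULE in field 3
pam_has_module() {
  awk -v mod="$2" '
    !/^[[:space:]]*#/ && $3 == mod { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# pam_missing FILE -> space-separated list of restriction modules the stack lacks
pam_missing() {
  local f="$1" mod missing=""
  for mod in pam_access.so pam_time.so pam_limits.so; do
    pam_has_module "$f" "$mod" || missing="$missing $mod"
  done
  printf '%s\n' "${missing# }"
}

# pam_allows_rhosts FILE -> 0 if the stack still consults ~/.rhosts
# (the module was called pam_rhosts_auth.so in older releases)
pam_allows_rhosts() {
  pam_has_module "$1" pam_rhosts.so || pam_has_module "$1" pam_rhosts_auth.so
}

for f in "$PD/remote-login" "$PD/legacy-login"; do
  if pam_allows_rhosts "$f"; then r="rhosts trusted"; else r="rhosts not used"; fi
  printf '%s: %s; missing: %s\n' "$(basename "$f")" "$r" "$(pam_missing "$f")"
done
```

The check only confirms that a module is present; the actual rules live in the files named in the comments (access.conf, time.conf, limits.conf), and a stack that lists pam_time.so against an empty time.conf restricts nothing.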

SELinux

  • Not a distro of Linux per se
  • Method of securing Linux developed by the National Security Agency
  • Uses Linux Security Modules in the Linux kernel
  • Uses the Mandatory Access Control model instead of the Discretionary Access Control model
  • Uses “labels” attached to resources
  • Security principals are granted access based upon the classification “label” of the data
  • Separates information based upon confidentiality and integrity requirements
  • Comes as part of newer distro versions such as RedHat Fedora, Gentoo, and SuSE
  • Can be very difficult to configure
  • Replaces many traditional Linux security mechanisms
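To make the label idea concrete, here is an added example, not part of the original notes: a toy type-enforcement evaluator over a constructed policy and constructed file labels. The allow-rule syntax mirrors SELinux's TE language and the type names are typical ones, but the evaluator is a simplified stand-in written for illustration, not the kernel's decision logic, and the files and paths are assumptions. What it shows is that the decision depends only on the subject's and object's labels, so a process running as root under DAC is still refused when its type has no matching rule.

```shell
#!/bin/sh
# Added example, not part of the original notes: a toy type-enforcement check
# over a constructed policy and constructed labels, to illustrate label-based
# mandatory access control. Not SELinux itself.
set -u
SD="$(mktemp -d)"

# Constructed policy: the web server type may read its own content and append
# to its own log; only the ssh daemon type may read the shadow file.
cat > "$SD/policy.te" <<'EOF'
allow httpd_t httpd_sys_content_t : file { read getattr open };
allow httpd_t httpd_log_t : file { append getattr open };
allow sshd_t shadow_t : file { read getattr open };
EOF

# Constructed labels as "path type" (the type field that ls -Z would show).
cat > "$SD/labels.txt" <<'EOF'
/var/www/html/index.html httpd_sys_content_t
/var/log/httpd/access_log httpd_log_t
/etc/shadow shadow_t
EOF

# label_of PATH -> prints the type label recorded for PATH
label_of() {
  awk -v p="$1" '$1 == p { print $2; exit }' "$SD/labels.txt"
}

# te_allowed SUBJECT_TYPE OBJECT_TYPE CLASS PERM -> 0 if some allow rule grants PERM
te_allowed() {
  awk -v s="$1" -v t="$2" -v c="$3" -v p="$4" '
    $1 == "allow" && $2 == s && $3 == t && $5 == c {
      # the permission set is the words between "{" and "};"
      for (i = 6; i <= NF; i++) {
        w = $i; gsub(/[{};]/, "", w)
        if (w == p) { ok = 1 }
      }
    }
    END { exit ok ? 0 : 1 }' "$SD/policy.te"
}

# access_decision SUBJECT_TYPE PATH PERM -> prints "allowed" or "denied";
# the caller's uid never enters the decision, only the two labels do.
access_decision() {
  if te_allowed "$1" "$(label_of "$2")" file "$3"; then echo allowed; else echo denied; fi
}

for q in "httpd_t /var/www/html/index.html read" "httpd_t /etc/shadow read" \
         "httpd_t /var/log/httpd/access_log append" "sshd_t /etc/shadow read"; do
  set -- $q
  printf '%-8s %-28s %-7s %s\n' "$1" "$2" "$3" "$(access_decision "$1" "$2" "$3")"
done
```

On a real system the equivalent questions are answered by the policy loaded in the kernel, and `ls -Z` / `ps -Z` show the object and process labels the decision is made from; the toy here only demonstrates why relabelling a file (changing its type) changes who can reach it without touching any DAC permission bits.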

Insecure Linux Utilities

  • Many built-in utilities and applications are insecure by default
  • ‘r-commands’ (rlogin, rsh, etc.) are older and insecure
  • Largely deprecated in use but still exist
  • Most remote tools have been replaced with ssh
  • Includes the r-commands, telnet, and ftp
  • Lack of encryption and vulnerabilities that allow unauthenticated root access into the system
  • ssh provides encryption and mutual authentication for remote access
  • ‘cron’ and ‘at’ are critical utilities that can leave your system vulnerable if left unsecured
  • Used to schedule jobs at given time intervals
  • Can be exploited to run jobs under elevated privileges by unauthorized users
  • Ensure ‘cron’ and ‘at’ configuration files are secured and only authorized users are allowed to run ‘cron’ or ‘at’
  • Lock down configuration files with restrictive permissions (600)
  • Ensure that root is the owner of the configuration files
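The ownership and mode rules in the cron/at bullets above and in the inetd.conf bullet earlier (owner root or bin, mode 440) are the same kind of check, so one added example covers both. It is not part of the original notes: it builds a constructed /etc tree in a temporary directory, then a checker reports whether each file's owner is acceptable and whether its mode grants anything beyond the maximum allowed. It assumes GNU stat (the -c option) and takes owners as numeric uids, 0 being root; because the demo cannot chown files to root it accepts the invoking uid as the owner, which a live run would replace with 0.

```shell
#!/bin/sh
# Added example, not part of the original notes: an owner/mode checker for the
# inetd.conf (root or bin, 440) and cron/at (root, 600) rules, run over a
# constructed directory tree. Assumes GNU stat.
set -u
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/etc"

# Constructed files: inetd.conf and cron.allow are set correctly, crontab is
# deliberately left world-readable, and at.allow is absent.
printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$ROOT/etc/inetd.conf"
chmod 440 "$ROOT/etc/inetd.conf"
printf 'root\n' > "$ROOT/etc/cron.allow"
chmod 600 "$ROOT/etc/cron.allow"
printf '# m h dom mon dow user command\n' > "$ROOT/etc/crontab"
chmod 644 "$ROOT/etc/crontab"

# perm_check FILE UIDS MAXMODE -> prints "ok", "missing", or the problems found.
# UIDS is a space-separated list of acceptable owner uids; MAXMODE is the most
# permissive octal mode tolerated, so any extra bit (e.g. group or world read)
# is reported, while a stricter mode than MAXMODE passes.
perm_check() {
  local f="$1" uids="$2" max="$3" owner mode u problems="" owner_ok=0
  [ -e "$f" ] || { echo missing; return 0; }
  owner="$(stat -c '%u' "$f")"
  mode="$(stat -c '%a' "$f")"
  for u in $uids; do [ "$owner" -eq "$u" ] && owner_ok=1; done
  [ "$owner_ok" -eq 1 ] || problems="$problems owner=uid:$owner"
  [ $(( 0$mode & ~0$max )) -eq 0 ] || problems="$problems mode=$mode(max $max)"
  [ -n "$problems" ] && { printf '%s\n' "${problems# }"; return 0; }
  echo ok
}

# The demo accepts the invoking uid as owner. On a live system use
# "0 $(id -u bin)" for inetd.conf (root or bin) and "0" for the cron/at files.
ME="$(id -u)"
printf 'inetd.conf: %s\n' "$(perm_check "$ROOT/etc/inetd.conf" "$ME" 440)"
printf 'cron.allow: %s\n' "$(perm_check "$ROOT/etc/cron.allow" "$ME" 600)"
printf 'crontab:    %s\n' "$(perm_check "$ROOT/etc/crontab" "$ME" 600)"
printf 'at.allow:   %s\n' "$(perm_check "$ROOT/etc/at.allow" "$ME" 600)"
```

The "missing" result is itself informative for cron.allow and at.allow: when those files are absent, the corresponding deny files decide who may schedule jobs, so an audit that only looks at modes would skip the "only authorized users" requirement entirely.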
