{"id":23698,"date":"2021-09-21T11:31:34","date_gmt":"2021-09-21T11:31:34","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=23698"},"modified":"2022-04-13T15:56:35","modified_gmt":"2022-04-13T15:56:35","slug":"complete-referance-of-linux-security-mechanisms","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/complete-referance-of-linux-security-mechanisms\/","title":{"rendered":"Complete Reference of Linux Security Mechanisms"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li><strong>TCP Wrappers<\/strong><\/li><li><strong>\/etc\/hosts.allow and \/etc\/hosts.deny<\/strong><\/li><li><strong>inetd and xinetd<\/strong><\/li><li><strong>PAM<\/strong><\/li><li><strong>SELinux<\/strong><\/li><li><strong>Insecure Linux utilities<\/strong><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">TCP Wrappers<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Host-based access control for network services; shipped with most distributions for years, but dropped from newer ones (Fedora 28 and RHEL 8 onwards), so check with ldd that the daemon you want to protect actually links libwrap<\/li><li>Filters connections by client address or host name for wrapped services only; it is not a packet filter, so services that are not wrapped are unaffected<\/li><li>Logs every accepted and refused connection through syslog<\/li><li>Works through the tcpd wrapper program (started by inetd in front of the real server) or the libwrap library compiled into the service itself<\/li><li>Lets the administrator allow or deny access to a service based on the client host, network or domain<\/li><li>A host can be allowed to reach selected services while being denied all others<\/li><li>Good way to restrict access to a system and to detect unauthorized access attempts: refused connections are logged, and the spawn option can run a command (for example a mail notification) whenever a rule matches<\/li><li>Can display a message before the login prompt through the banners option<\/li><li>Preferred way to show system warning banners for wrapped services<\/li><li>Controlled entirely by the hosts.allow and hosts.deny files<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">hosts.allow and hosts.deny files<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Two text files control access to the host from other systems:<\/li><li>\/etc\/hosts.allow<\/li><li>\/etc\/hosts.deny<\/li><li>\/etc\/hosts.allow is always read first, top to bottom<\/li><li>Lists the hosts and networks allowed to access each service on the server<\/li><li>Read until a matching entry
is found, at which point the connection is allowed; if nothing in hosts.allow matches, \/etc\/hosts.deny is read the same way and a match refuses the connection; if neither file matches, the connection is allowed, so a default-deny policy needs an explicit ALL : ALL entry in hosts.deny<\/li><li>Each entry has the form daemon_list : client_list [: options], naming the service(s), the client hosts or networks, and optional actions such as spawn and banners<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">inetd and xinetd<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>inetd is a daemon that listens for network connection requests and services each one by spawning the appropriate server process<\/li><li>Network-accessible services are defined in the \/etc\/inetd.conf text file<\/li><li>If a service is not listed in inetd.conf, inetd does not listen on its port and the connection attempt is refused<\/li><li>Use inetd.conf to limit the services that can be reached by removing (or commenting out) their lines<\/li><li>inetd can be started with connection tracing enabled so that every incoming connection is logged to syslog with the client IP address<\/li><li>inetd.conf should be owned by root (or bin) with permissions no wider than 440<\/li><li>xinetd is the replacement daemon for inetd<\/li><li>Offers a wider range of functionality and is far more configurable<\/li><li>More secure than inetd<\/li><li>Better logging capabilities (log_on_success and log_on_failure can be set per service)<\/li><li>Ability to restrict access to services based upon time (access_times) and client address (only_from, no_access)<\/li><li>Can limit the number of concurrently running instances of a service (instances, per_source) and the incoming connection rate (cps)<\/li><li>Built-in defenses against port scanners: the SENSOR flag adds a client that probes a sensor service to the deny list for deny_time<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Pluggable Authentication Modules (PAM)<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Framework that lets Linux use multiple authentication methods<\/li><li>Separates applications from the authentication method: the application calls the PAM library, and the administrator chooses the modules stacked for it under \/etc\/pam.d<\/li><li>Enables different methods such as smart cards, passwords and biometrics to be used<\/li><li>Lets stronger password hashing be adopted without changing applications<\/li><li>Enables use of shadow password
mechanisms on the fly, without recompiling applications<\/li><li>Can be used to restrict the resources available to users (CPU time, memory, open files and so on) through the pam_limits module<\/li><li>Can restrict the times at which users may log in, and for how long, through pam_time<\/li><li>Can restrict logins to originate from certain systems or terminals through pam_access<\/li><li>Can be used to disable system-wide use of the .rhosts file by leaving the rhosts module out of every service stack<\/li><li>Can be used to force stronger authentication on users regardless of an application&#8217;s own insecure configuration<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">SELinux<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Not a distribution of Linux as such<\/li><li>Method of securing Linux developed by the National Security Agency<\/li><li>Implemented through the Linux Security Modules (LSM) framework in the Linux kernel<\/li><li>Adds a Mandatory Access Control model on top of the usual Discretionary Access Control model: the normal owner and permission-bit checks still run first, and SELinux can only deny further, never grant what DAC refused<\/li><li>Uses &#8220;labels&#8221; (security contexts) attached to processes, files, ports and other resources<\/li><li>Security principals are granted access based on policy rules that pair their own label with the classification &#8220;label&#8221; of the data<\/li><li>Separates information based upon confidentiality and integrity requirements<\/li><li>Comes as part of newer distro versions such as Red Hat and Fedora, Gentoo, and SUSE<\/li><li>Can be very difficult to configure<\/li><li>Supplements rather than replaces the traditional Linux security mechanisms: file permissions, PAM and firewall rules still apply<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Insecure Linux Utilities<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Many built-in utilities and applications are insecure by default<\/li><li>The &#8216;r-commands&#8217; (rlogin, rsh, rcp, rexec) are old and insecure<\/li><li>Largely deprecated but may still be installed<\/li><li>Most remote-access tools have been replaced with ssh<\/li><li>This includes the r-commands, telnet, and ftp<\/li><li>They send credentials and data in cleartext, and the .rhosts and hosts.equiv trust model lets anyone who can impersonate a trusted host log in without a password, even as root when root&#8217;s .rhosts trusts that host<\/li><li>ssh provides encryption and mutual authentication for remote
access: the server proves its identity with its host key and the client with a password or key pair<\/li><li>&#8216;cron&#8217; and &#8216;at&#8217; are critical utilities that can leave a system vulnerable if left unsecured<\/li><li>Used to schedule jobs at given times or intervals<\/li><li>A writable crontab, cron.d entry or job script can be abused by unauthorized users to run commands with elevated privileges, since jobs run as root or as the crontab owner<\/li><li>Ensure the &#8216;cron&#8217; and &#8216;at&#8217; configuration files are secured and only authorized users are allowed to run &#8216;cron&#8217; or &#8216;at&#8217;, by listing them in \/etc\/cron.allow and \/etc\/at.allow<\/li><li>Lock down the configuration files with restrictive permissions (600)<\/li><li>Ensure that root is the owner of the configuration files<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>TCP Wrappers \/etc\/hosts.allow and \/etc\/hosts.deny inetd and xinetd PAM SELinux Insecure Linux utilities TCP Wrappers Host-based access control for network services&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[4957],"tags":[460,7055],"class_list":["post-23698","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-linux-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=23698"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23698\/revisions"}],"predecessor-version":[{"id":23699,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23698\/revisio
ns\/23699"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=23698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=23698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=23698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
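Worked example for the hosts.allow and hosts.deny section (added here; not code from the original post or from tcp_wrappers itself): a small POSIX sh re-implementation of the lookup order in hosts_access(5), run against constructed fixture files so the first-match and default-allow rules can be seen. It handles only a subset of the syntax (daemon lists, ALL, exact IPv4 addresses and dotted address prefixes); EXCEPT, hostnames, netmasks and the spawn/twist options are assumed out of scope. The fixture contents and the demo_decision helper are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post or of tcp_wrappers): a minimal
# re-implementation of the hosts_access(5) lookup order, so the ordering rules
# can be exercised against constructed hosts.allow / hosts.deny files.
# Supported subset: daemon lists (ALL or comma-separated names) and client
# patterns that are ALL, an exact IPv4 address, or a prefix ending in "."
# (e.g. 10.0.0.). EXCEPT, hostnames, netmasks and spawn/twist options are
# deliberately not handled.

# match_token PATTERN VALUE -> 0 if VALUE matches a single hosts_access pattern
match_token() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # address prefix with trailing dot: 10.0.0. matches 10.0.0.5
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# match_list "tok1, tok2" VALUE -> 0 if any comma/space-separated token matches
match_list() {
    list=$1; val=$2
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        match_token "$tok" "$val" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if some "daemon_list : client_list [: options]"
# line in FILE matches; comment and blank lines are skipped, first match wins
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    hit=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
        while IFS=: read -r dlist clist _opts; do
            if match_list "$dlist" "$daemon" && match_list "$clist" "$client"; then
                echo hit; break
            fi
        done)
    [ "$hit" = hit ]
}

# hosts_access DAEMON CLIENT [ALLOW_FILE] [DENY_FILE] -> prints allow or deny.
# Order from hosts_access(5): a match in hosts.allow grants access; otherwise a
# match in hosts.deny refuses it; otherwise access is granted. That last step is
# why a default-deny policy needs an explicit "ALL : ALL" line in hosts.deny.
hosts_access() {
    daemon=$1; client=$2
    allow_file=${3:-/etc/hosts.allow}; deny_file=${4:-/etc/hosts.deny}
    if file_matches "$allow_file" "$daemon" "$client"; then
        echo allow
    elif file_matches "$deny_file" "$daemon" "$client"; then
        echo deny
    else
        echo allow
    fi
}

# --- constructed fixture (throw-away files, not a real host's configuration) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts.allow" <<'EOF'
# ssh from the admin subnet and one jump host; ftp from a single client
sshd : 10.0.0. , 192.168.1.20
in.ftpd : 10.0.0.7
EOF
cat > "$demo_dir/hosts.deny" <<'EOF'
# default deny for every wrapped service
ALL : ALL
EOF

# demo_decision DAEMON CLIENT -> decision against the fixture files
demo_decision() {
    hosts_access "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"
}

demo_decision sshd 10.0.0.5          # allow: prefix match in hosts.allow
demo_decision sshd 192.168.1.21      # deny: no allow entry, ALL : ALL in hosts.deny
demo_decision in.telnetd 10.0.0.5    # deny: service never whitelisted
# with no hosts.deny at all nothing ever matches, so the wrapper falls through to allow
hosts_access in.telnetd 10.0.0.5 "$demo_dir/hosts.allow" "$demo_dir/no-such-file"   # allow
```

The last call is the check worth remembering: deleting hosts.deny, or leaving it empty, silently turns a whitelist into an open door, because the wrapper only denies on an explicit match.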
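Worked example for the cron and at items in the insecure-utilities section (added here; not code from the original post): a POSIX sh audit function that checks the access-control and configuration files against a root directory, so it runs on a constructed fixture offline or on a live host as audit_cron / root. It assumes GNU stat and the usual /etc layout; the fixture directory, its files and the audit_cron_count helper are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the cron and at files the
# post lists, against a root directory so the same function runs on a constructed
# fixture offline or on a live host (audit_cron / root).
# Checks: /etc/cron.allow and /etc/at.allow exist (only listed users may schedule
# jobs); /etc/crontab and every file under /etc/cron.d is owned by the expected
# account and carries no group/other permission bits (600 as the post recommends).
# Assumes GNU stat and the common /etc layout.

# audit_cron ROOT OWNER -> one finding per line on stdout; returns the finding count
audit_cron() {
    root=$1; owner=$2; findings=0
    for f in cron.allow at.allow; do
        if [ ! -f "$root/etc/$f" ]; then
            echo "MISSING  /etc/$f: access falls back to the deny file or the distro default"
            findings=$((findings + 1))
        fi
    done
    for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue            # skips the unexpanded glob when cron.d is empty
        mode=$(stat -c '%a' "$f"); fowner=$(stat -c '%U' "$f")
        if [ "$fowner" != "$owner" ]; then
            echo "OWNER    ${f#"$root"} is owned by $fowner, expected $owner"
            findings=$((findings + 1))
        fi
        case "$mode" in
            *00) ;;                        # group and other bits clear (600, 400, ...)
            *)   echo "MODE     ${f#"$root"} is mode $mode, expected 600"
                 findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# audit_cron_count ROOT OWNER -> prints the number of findings (handy in scripts)
audit_cron_count() {
    audit_cron "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed fixture (throw-away directory, not a real host) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/cron.d"
printf '# m h dom mon dow user command\n' > "$demo_root/etc/crontab"
chmod 644 "$demo_root/etc/crontab"                        # world-readable: MODE finding
printf '0 3 * * * root /usr/local/sbin/backup\n' > "$demo_root/etc/cron.d/backup"
chmod 600 "$demo_root/etc/cron.d/backup"                  # as the post recommends
printf 'root\n' > "$demo_root/etc/cron.allow"             # present; at.allow is left missing
chmod 600 "$demo_root/etc/cron.allow"

# Expected on this fixture: MISSING /etc/at.allow and MODE /etc/crontab, two findings
audit_cron "$demo_root" "$(id -un)" || echo "$? finding(s)"
```

On a real host run it as audit_cron / root; the mode check flags anything with group or other bits set, which also catches the common 644 crontab that a local user can read to learn which scripts root executes and where they live.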