{"id":23700,"date":"2021-09-21T11:41:02","date_gmt":"2021-09-21T11:41:02","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=23700"},"modified":"2022-04-13T15:56:35","modified_gmt":"2022-04-13T15:56:35","slug":"complete-referance-of-secure-networking-in-linux","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/complete-referance-of-secure-networking-in-linux\/","title":{"rendered":"Complete Reference of Secure Networking in Linux"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li><strong>OpenSSH<\/strong><\/li><li><strong>Samba<\/strong><\/li><li><strong>NIS<\/strong><\/li><li><strong>NFS<\/strong><\/li><li><strong>Securing FTP and HTTP servers<\/strong><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">OpenSSH<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Open source version of SSH that normally comes with OpenBSD<\/li><li>Comes with several distros or downloadable<\/li><li>Linux ports have &#8216;p&#8217; in version number<\/li><li>Replaces telnet, ftp, rlogin, etc.<\/li><li>Offers secure remote connectivity due to encryption, authentication, and tunnelling<\/li><li>Supports all versions of the SSH protocol<\/li><li>Comes with several secure utilities to replace traditionally insecure ones<\/li><li>scp (secure copy) replaces rcp<\/li><li>sftp (secure ftp) replaces ftp<\/li><li>Allows secure login of root remotely even when system policy disallows<\/li><li>Uses 3DES, RC4, AES and Blowfish encryption algorithms<\/li><li>Create a private\/public key pair at install time or with the ssh-keygen command<\/li><li>Sign with private key using ssh-keysign command<\/li><li>ssh 192.168.10.10<\/li><li>Will get authentication error first time<\/li><li>OpenSSH demonstration<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Samba<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Open source version of CIFS (Common Internet File System) standard invented by Microsoft<\/li><li>Uses latest version of Server Message Block (SMB), which is the native Windows file 
sharing protocol<\/li><li>Samba&#8217;s configuration is stored in the smb.conf file, in \/etc\/samba\/smb.conf<\/li><li>Configure manually or use SWAT<\/li><li>Samba uses 3 daemons (services)<\/li><li>nmbd &#8211; handles name resolution and registration<\/li><li>smbd &#8211; manages authentication and all connection requests<\/li><li>winbindd &#8211; required if connecting to an NT4 or AD domain<\/li><li>SWAT is a web-based interface that comes with Samba<\/li><li>May come as a separate package to download and install<\/li><li>Point browser to http:\/\/12.0.0.1:901 to run SWAT<\/li><li>SWAT can be used to configure remote samba clients, but sends authentication in clear &#8211; use ssh!<\/li><li>SWAT\/Samba Demonstration<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">NIS<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Network Information Services (NIS) provides simple network lookup services<\/li><li>Similar to some Active Directory functions<\/li><li>Enables lookup of directory objects<\/li><li>Provides single sign-on (SSO) capability<\/li><li>Original NIS also called Sun Yellow Pages<\/li><li>Name changed due to copyright issues<\/li><li>Little security with NIS<\/li><li>NIS+ is updated, more secure version<\/li><li>NIS+ allows for hierarchical domains<\/li><li>NIS+ provides for centralized updates of configuration information<\/li><li>User ID&#8217;s and passwords can be used throughout NIS domain<\/li><li>NIS requires at least 1 master server and optional &#8216;slave&#8217; servers<\/li><li>NIS+ allows secure authentication and encryption<\/li><li>Allows for updates via secure RPC<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">NFS<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Similar to Samba, except hosts are unix-based rather than Windows-based<\/li><li>Primary file used is \/etc\/exports<\/li><li>Controls which directories are shared and with whom (hosts)<\/li><li>Default after setup is insecure!<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Securing FTP and HTTP Servers<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Linux has built-in capability of 
being FTP or HTTP (web) server<\/li><li>FTP protocol insecure by default<\/li><li>No encryption &#8211; user id&#8217;s, passwords, and data passed in plaintext<\/li><li>Several ways to secure FTP<\/li><li>Use SSH to secure transmission<\/li><li>Use alternate FTP client\/servers<\/li><li>Discourage use of user\/passwords and use anonymous FTP instead<\/li><li>Only use FTP for publicly available data<\/li><li>Don&#8217;t allow write access to FTP server, only download<\/li><li>Secure infrastructure around FTP (firewalls, directory ACLs, etc)<\/li><li>HTTP is usually served on Linux through Apache<\/li><li>Vulnerabilities can result from not hardening system or daemons<\/li><li>Vulnerabilities can affect authentication and authorization to resources<\/li><li>Configure strong authorization on web server<\/li><li>Ensure proper permissions applied to files and directories<\/li><li>Don&#8217;t allow directory traversal<\/li><li>Pay attention to script write and execute permissions on web servers<\/li><li>Secure httpd through tcp wrappers and xinetd<\/li><li>Restrict administrative access to http and ftp services<\/li><li>Ensure all access is logged<\/li><li>Enable warning banners on FTP and web sites<\/li><li>Lock down the htpasswd file (640)<\/li><li>Lock down access control files, such as .htaccess and .nsconfig to 400<\/li><li>Restrict write access to web directories<\/li><li>Use https and ssl certificates when possible for data encryption and mutual authentication<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>OpenSSH Samba NIS NFS Securing FTP and HTTP servers OpenSSH Open source version of SSH that normally comes with OpenBSD Comes with several distros or downloadable Linux ports have &#8216;p&#8217;&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[4957],"tags":[460,7055],"class_list":["post-23700","post","type-post","status-publish","format-standard","hentry","category-linux","tag-linux","tag-linux-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=23700"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23700\/revisions"}],"predecessor-version":[{"id":23701,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/23700\/revisions\/23701"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=23700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=23700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=23700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}