Linux Security
Here's how to disable Linux services, according to Dennis:
* First, find them: netstat -nlp --inet
* Next, disable them: chkconfig $SERVICE off
* To edit the ones started on demand: /etc/inetd.conf or /etc/xinetd.d/*
* Finally, double-check from a remote machine with nmap
You can restrict access in several ways:
* Bind services to specific interfaces, via their config files
* Use the hosts.allow file (TCP Wrappers)
* Add belt-and-suspenders packet filtering with ipchains, iptables, or ipfwadm
Bastille, Tripwire, AIDE, and Samhain
You should also run Bastille — an interactive lockdown/hardening script — assuming that it supports the distro you're using. Currently, Bastille supports the Red Hat, SuSE, Debian, Mandrake, and TurboLinux Linux distros, along with HP-UX and Mac OS X.
"Bastille Linux provides feedback to administrators about security during installation. The focus is on proper configuration," concurs Spire Security's Lindstrom. As opposed to configuration issues, most other approaches to vulnerabilities today focus on software bugs, he says.
Dennis considers Tripwire — a long-standing security solution — rather antiquated in comparison to the newer AIDE. He recommends installing both AIDE and Samhain, an open-source security project from Lunapark that includes a network console, a stealth option, and LDAP authentication.
'Jail Services' and Other Firewalls
Virtually no one would dispute the merits of network firewalls with packet detection. For added layers of protection, though, Dennis advises the use of "jail services" such as chroot, Linux capabilities (Lcap), User Mode Linux (UML), VMware, and dedicated hardware.
"You can think of all of these as firewalling processes, too. One caveat, though, is that chroot isn't root safe. Also, UML and other VMs may cost too much in [terms of] performance," he adds.
Get Rid of Deprecated Protocols
You should also swap out older and less secure "deprecated protocols" with newer alternatives, says Dennis, who suggests the following replacements:
Protocol                                    Alternative
POP/IMAP                                    POPS/IMAPS (SSL)
telnet                                      ssh/scp/sftp
rdist                                       rsync -e ssh
NIS (resyncing /etc/passwd and /etc/group)  LDAP over SSL
NFS                                         Still a question mark
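The service checklist above (find listeners, disable or bind them, restrict access) and the deprecated-protocol table both start from the same `netstat -nlp --inet` output, so one added script serves both. It is example code written for this page, not anything from the article or from Dennis; the netstat output it parses is constructed, the port-to-protocol numbers are the standard assignments (23 telnet, 110 POP3, 143 IMAP, 514 rsh, 111 sunrpc/portmap), and the `<service>` name and the assumption that a chkconfig service name matches its program name are placeholders to verify on a real host.

```shell
#!/bin/sh
# Added example (not from the article): turn `netstat -nlp --inet` output
# into the review lists the article's checklist calls for. The netstat
# output below is constructed for the example, not captured from a host.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/sendmail
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      455/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           455/portmap'

# list_listeners: read netstat output on stdin and print one
# "proto local-address program" line per listening socket
# (tcp rows in LISTEN state; every udp row, since udp has no state column).
list_listeners() {
    awk '
        $1 == "tcp" && $6 == "LISTEN" { split($7, p, "/"); print $1, $4, p[2] }
        $1 == "udp"                   { split($6, p, "/"); print $1, $4, p[2] }
    '
}

# exposed_listeners: only sockets bound to every interface (0.0.0.0). These
# are the ones to disable, or to bind to one interface in the daemon's config.
exposed_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | list_listeners | awk '$2 ~ /^0\.0\.0\.0:/'
}

count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# deprecated_alternative: map a well-known port to the replacement the
# article's table recommends. Port numbers are the standard assignments
# (23 telnet, 110 pop3, 143 imap, 514 rsh, 111 sunrpc/portmap); the
# alternatives are the article's. Returns 1 for ports not in the table.
deprecated_alternative() {
    case "$1" in
        23)  echo "telnet -> ssh/scp/sftp" ;;
        110) echo "POP -> POPS (POP over SSL)" ;;
        143) echo "IMAP -> IMAPS (IMAP over SSL)" ;;
        514) echo "rsh (used by rdist) -> rsync -e ssh" ;;
        111) echo "portmap (NIS/NFS) -> LDAP over SSL for NIS; NFS still an open question" ;;
        *)   return 1 ;;
    esac
}

# deprecated_listeners: every listener, on any address, whose port belongs
# to a protocol the article says to replace.
deprecated_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | list_listeners | while read -r proto addr prog; do
        port=${addr##*:}
        alt=$(deprecated_alternative "$port") && echo "$proto $addr ($prog): $alt"
    done
}

# hardening_plan: the disable step for each exposed listener. Services run
# through xinetd are switched off per service in /etc/xinetd.d/ (<service>
# is a placeholder); standalone daemons are switched off with chkconfig.
# The chkconfig service name is assumed to equal the program name; confirm
# with `chkconfig --list` before acting on the output.
hardening_plan() {
    exposed_listeners | while read -r proto addr prog; do
        case "$prog" in
            xinetd) echo "$addr: set 'disable = yes' in /etc/xinetd.d/<service>, then restart xinetd" ;;
            *)      echo "$addr: chkconfig $prog off (or bind $prog to one interface in its config)" ;;
        esac
    done
}

echo "== exposed listeners (bound to 0.0.0.0) =="
exposed_listeners
echo "== deprecated protocols still listening =="
deprecated_listeners
echo "== hardening steps =="
hardening_plan
```

On a live host, replace the embedded sample with `netstat -nlp --inet | list_listeners`; the loopback-only sendmail row shows why the exposed list filters on the bound address rather than the port alone, and the remote nmap check in the article is the confirmation that the plan was applied.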
No Panacea for Cryptography
Available cryptographic tools include FreeS/WAN, Kerberos, OpenSSH, and several more. As Dennis sees it, each still has pros and cons. For example, FreeS/WAN, a freeware implementation of IPSEC VPNs, "potentially secures deprecated protocols." It is also interoperable with other IPSEC implementations. On the other hand, FreeS/WAN is "NAT hostile," he charges.
Lindstrom likewise sees no panacea for cryptography. "It is nice to know that there is a freeware version of IPSEC VPNs. But the problem of encryption adoption isn't the dollar cost. It's the management and performance issues," Lindstrom maintains.
Security Is Nothing Without the Physical Side
Without solid physical security, even the most battened-down OS can be compromised in an instant. "Physical security really depends on the situation," Lindstrom says. "Laptops should be under lock and key when not in the user's possession. Sensitive data should be locked up in data centers or other appropriately controlled areas. Access to and from these rooms should be controlled and monitored. Environmental controls should be in place to protect against disasters. Locking I/O devices such as keyboards and monitors is a good idea."