Securing your application and server in Linux
B.C. Sekar
HCL Technologies Limited, Networking Products Division
Nov 21, 2003 ©HCL Technologies
Agenda
• Introduction
• Securing server
• Securing access to application
• Question Time...
Introduction
Server and application security are critical for the enterprise.
Typical attacks are IP spoofing, eavesdropping, access attacks and reconnaissance.
Linux has many tools to detect and prevent attacks on the server and the application; those tools are the topic of this presentation.
Commercial solutions
The commercial solutions for detecting and preventing attacks are:
• Firewalls
• Intrusion Detection Systems
• AAA (authentication, authorization and accounting)
• IPsec
Securing server
• Using ipchains / iptables to secure the server
• Using SSH/SFTP to access the box
• Hardening the OS
• LIDS
• Integrity checking
IPChains(1)
Firewalls help in handling external attacks, but the server also needs to be protected from unwanted internal access. For internal access, access control can be enforced with ipchains (the packet filter of the 2.2 kernels).
Server not to respond to any packets sent from a range of computers:
ipchains -A input -s 199.95.207.0/24 -j DENY
(DENY discards the packet silently; REJECT discards it and returns an ICMP error to the sender.)
IPChains(2)
Server not to connect to particular outside sites:
ipchains -A output -d 199.95.207.0/24 -j REJECT
To prevent IP spoofing, refuse packets that arrive on the external interface (eth0) but claim an internal source address, which no legitimate packet does:
ipchains -A input -j REJECT -p all -s 192.168.10.0/24 -i eth0
IPChains(3)
[Figure: packet flow through the three ipchains chains. A packet enters the input chain, may pass on to the forward chain and then the output chain; at each chain the verdict is ACCEPT (the packet continues) or DENY (the packet is discarded).]
IPTables(1)
iptables (the packet filter of the 2.4 kernels) is similar to ipchains but supports more advanced operations, such as stateful matching of connections.
To disallow new TCP connections from an internal host use:
iptables -A INPUT -p tcp -s 192.168.1.1 --syn -j DROP
Log all packets to /var/log/messages (the LOG target hands the packet to syslog and then continues down the chain):
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
Unrestricted LOG rules like these can fill the log quickly; in production, log only what is about to be dropped and rate-limit the rule with -m limit.
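The rules from the three firewall slides, collected into one iptables script as an added example (written for this page, not from the HCL slides). The interface name, the address ranges and the two allowed services are assumptions; the function prints the commands by default so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the slides: the slides' ipchains/iptables rules
# collected into one iptables ruleset for a server.  fw_rules prints the
# commands (the default, for review) or applies them ("fw_rules apply", as
# root, from the console: the DROP policy is installed before the ssh ACCEPT
# rule).  Interface name and address ranges are assumptions for illustration.
EXT_IF="eth0"                    # assumed external interface
INTERNAL_NET="192.168.10.0/24"   # assumed internal range, used for anti-spoofing
BLOCKED_NET="199.95.207.0/24"    # range the server must neither answer nor contact
BLOCKED_HOST="192.168.1.1"       # internal host refused new TCP connections

fw_rules() {
    mode="${1:-print}"
    rule() {
        if [ "$mode" = apply ]; then iptables "$@"; else echo "iptables $*"; fi
    }
    # Start from an empty filter table; drop inbound/forwarded traffic by default.
    rule -F
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT
    # Loopback and replies to connections we opened are always accepted.
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing (slide IPChains(2)): nothing arriving on the external
    # interface can legitimately carry an internal or loopback source address.
    rule -A INPUT -i "$EXT_IF" -s "$INTERNAL_NET" -j DROP
    rule -A INPUT -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
    # Slides IPChains(1)/(2): ignore one address range, and refuse to contact it.
    rule -A INPUT -s "$BLOCKED_NET" -j DROP
    rule -A OUTPUT -d "$BLOCKED_NET" -j REJECT
    # Slide IPTables(1): no new TCP connections (SYN) from one internal host.
    rule -A INPUT -p tcp -s "$BLOCKED_HOST" --syn -j DROP
    # Services this server actually offers (assumed: ssh and https).
    rule -A INPUT -p tcp --dport 22 -j ACCEPT
    rule -A INPUT -p tcp --dport 443 -j ACCEPT
    # Log what the DROP policy is about to discard, rate-limited so an attacker
    # cannot fill /var/log/messages; LOG does not stop the packet, the policy does.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Usage: sh fw.sh print      review the rules
#        sh fw.sh apply      install them (root)
case "${1:-}" in print) fw_rules ;; apply) fw_rules apply ;; esac
```

The ordering matters: the established/related rule sits before every DROP so replies to outbound connections survive, and the LOG rule sits last so only traffic that nothing else accepted is logged.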
SSH/SFTP access to server
SSH encrypts the whole session, so a packet sniffer on the network sees neither the login password nor the data; it replaces telnet and rlogin. SFTP works over an SSH connection and replaces FTP, so data and the server password are secure in transit.
OS Hardening(1)
Set LILO/GRUB password protection, so the boot loader cannot be used to boot into single-user mode or pass arbitrary parameters to the kernel.
Edit /etc/shutdown.allow to list the users allowed to shut down, and have the ctrlaltdel entry in /etc/inittab call shutdown with the -a option, so that a console shutdown only succeeds when one of those users (or root) is logged in on the console.
Upgrade to the current stable kernel and turn off unused kernel options.
Apply kernel security patches for kernel vulnerabilities, for example the Openwall patch: http://www.openwall.com/linux
OS Hardening(2)
Use nmap to detect unwanted open ports:
$ nmap abc.zzzzz.com
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on abc.zzzz.com (10.0.0.1):
(The 1587 ports scanned but not shown below are in state: closed)
1005/tcp open unknown
Close unwanted ports and stop services that are not needed. Disable unused daemons from the startup scripts, then scan again to confirm.
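An nmap scan shows what is reachable from the scanning host; the complement, as an added example written for this page (not from the slides), is to list every listening TCP socket from the server's own /proc/net/tcp, which also shows services bound to 127.0.0.1 that a remote scan never sees. The table below is a constructed sample in /proc/net/tcp format, not a real capture.

```shell
#!/bin/sh
# Added example, not from the slides: list listening TCP sockets from the
# host's own /proc/net/tcp.  nmap shows the ports reachable from outside; this
# shows every listener, including ones bound to 127.0.0.1 that a remote scan
# never sees.  Portable awk (no gawk-only strtonum), IPv4 only; for IPv6 read
# /proc/net/tcp6, whose addresses are 32 hex digits.
listening_ports() {
    # $1: a file in /proc/net/tcp format (default: the live kernel table).
    awk '
    function hex2dec(h,    i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return n
    }
    # local_address is "AABBCCDD:PPPP"; the address is stored in host byte
    # order, so on little-endian hosts the four bytes appear reversed.
    function decode(addr,    p, ip) {
        split(addr, p, ":")
        ip = hex2dec(substr(p[1], 7, 2)) "." hex2dec(substr(p[1], 5, 2)) "." \
             hex2dec(substr(p[1], 3, 2)) "." hex2dec(substr(p[1], 1, 2))
        return ip ":" hex2dec(p[2])
    }
    NR > 1 && $4 == "0A" { print decode($2) }    # st 0A = TCP_LISTEN
    ' "${1:-/proc/net/tcp}"
}

# Constructed sample (not a real capture) in /proc/net/tcp format: sshd on
# 0.0.0.0:22, cupsd on 127.0.0.1:631, an unknown listener on 0.0.0.0:1005 like
# the one the slide's nmap run found, and one established ssh session.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:03ED 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1'

# listening_ports_sample: run the parser over the constructed table above.
listening_ports_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PROC_NET_TCP" > "$tmp"
    listening_ports "$tmp"
    rm -f "$tmp"
}

# Usage: sh ports.sh sample     parse the constructed table (prints 3 listeners)
#        sh ports.sh live       parse /proc/net/tcp on this host
case "${1:-}" in sample) listening_ports_sample ;; live) listening_ports ;; esac
```

Anything the live listing shows that is not on the list of services the box is meant to run is a daemon to disable in the startup scripts; the established entry in the sample (state 01) is deliberately left out, since only listeners matter here.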
LIDS
[Figure: LIDS access control enforced inside the kernel over file operations and process operations.]
LIDS – www.lids.org – kernel patch for securing the server
• Protection of files
• Protection of processes
• Access control with ACLs
• Security alerts from the kernel
• Port scanner detector in the kernel
LIDS was a patch for the 2.2 and 2.4 kernels; on current kernels the same role is filled by the in-tree mandatory access control modules (SELinux, AppArmor).
Integrity Checker
An integrity checker can be run on the server to determine the integrity of important files and binaries.
It computes checksums of all important files and compares them with reference values recorded while the system was known to be clean; the reference database must be kept where an intruder cannot update it (read-only media or another host).
Run tripwire from a crontab entry (this is the /etc/crontab format, with the user field):
15 05 * * * root /usr/local/adm/tcheck/tripwire
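What the integrity checker does under the hood, as an added example written for this page (it is not Tripwire and not from the slides): a baseline of SHA-256 hashes is recorded, and a later check reports files that changed, disappeared or appeared. The demo builds a small constructed tree, tampers with it the way an intruder would and runs the check; the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides and not Tripwire itself: the core of an
# integrity checker built on sha256sum (GNU coreutils).  A baseline of file
# hashes is taken while the system is known good; a later check reports files
# that changed, disappeared or appeared.  The baseline file must live where an
# intruder cannot rewrite it (read-only media, another host), otherwise a
# rootkit simply refreshes it.  Paths are assumptions; the demo uses a temp tree.
# Limitation: paths containing whitespace are not handled by the awk join.

# integrity_baseline DIR DBFILE: sha256 of every regular file under DIR, sorted by path.
integrity_baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$2"
}

# integrity_check DIR DBFILE: print CHANGED/MISSING/NEW lines; exit 0 only
# when the tree matches the baseline exactly.
integrity_check() {
    now=$(mktemp)
    integrity_baseline "$1" "$now"
    findings=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }       # baseline: path -> hash
        {                                                 # current tree
            if (!($2 in old))       print "NEW: " $2
            else if (old[$2] != $1) print "CHANGED: " $2
            delete old[$2]
        }
        END { for (f in old) print "MISSING: " f }        # left over = gone
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# integrity_demo: baseline a small constructed tree, tamper with it the way an
# intruder would (trojan a binary, add a hidden file, delete a file), and check.
integrity_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    printf 'original login binary\n' > "$root/bin/login"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$root/etc/passwd"
    printf 'Authorised users only\n' > "$root/etc/motd"
    integrity_baseline "$root" "$root.db"          # baseline kept outside the tree
    printf 'trojaned login binary\n' > "$root/bin/login"
    printf 'backdoor\n' > "$root/bin/.sh"
    rm -f "$root/etc/motd"
    integrity_check "$root" "$root.db" | sed "s#$root#ROOT#"
    rm -rf "$root" "$root.db"
}

# Usage: sh integrity.sh demo
#        integrity_baseline /etc /media/cdrom/etc.db ; later: integrity_check /etc /media/cdrom/etc.db
case "${1:-}" in demo) integrity_demo ;; esac
```

Run from cron exactly like the tripwire entry above; a non-zero exit from integrity_check is the condition to alert on, and the findings list is what the responder reads first.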
Securing Application
• Using HTTPS for web based applications
• Using GPG for encrypting password files
• Using RPM signing for updating patches and installables
HTTPS(1)
Ability to connect to the server via HTTP over SSL. Consists of:
– Generating a key
– Generating a certificate signing request
– Generating a self-signed certificate (or obtaining a CA-signed certificate)
– Configuring the web server
HTTPS(2)
OpenSSL http://www.openssl.org/
Generate key (the 1024-bit size shown dates from 2003; use 2048 bits or more today, and keep the key file readable by root only):
openssl genrsa -rand rt.txt 1024 > $APACHE_CONF_DIR/ssl/https.key
Generate CSR:
openssl req -new -key $APACHE_CONF_DIR/ssl/https.key > $APACHE_CONF_DIR/ssl/https.csr
Generate certificate (self-signed from the CSR, valid for 30 days):
openssl req -x509 -days 30 -key $APACHE_CONF_DIR/ssl/https.key -in $APACHE_CONF_DIR/ssl/https.csr > $APACHE_CONF_DIR/ssl/https.crt
Validate certificate:
openssl x509 -noout -text -in $APACHE_CONF_DIR/ssl/https.crt
Apache configuration for HTTPS
SSLCertificateFile $APACHE_CONF_DIR/ssl.crt/https.crt
SSLCertificateKeyFile $APACHE_CONF_DIR/ssl.key/https.key
The above lines need to be configured in apache's httpd.conf, inside the SSL virtual host (port 443) where SSLEngine is switched on; the paths must point at the files written in the previous step.
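The HTTPS(2) sequence as a script, added here for this page (not from the slides), with the 2003 parameters brought up to date and a check that the certificate actually belongs to the key before Apache is pointed at them. The target directory, host name and validity period are assumptions; $APACHE_CONF_DIR/ssl from the slide would be a typical target.

```shell
#!/bin/sh
# Added example, not from the slides: the HTTPS(2) key / CSR / self-signed
# certificate sequence as functions, with the 2003 parameters brought up to
# date (2048-bit RSA, key file created with mode 0600, -subj instead of the
# interactive prompts) and a check that the certificate actually belongs to the
# key before Apache is pointed at them.  Directory, host name and validity are
# assumptions.

# make_self_signed DIR CN [DAYS]: write DIR/https.key, https.csr and https.crt
make_self_signed() {
    dir="$1" cn="$2" days="${3:-30}"
    mkdir -p "$dir" || return 1
    old_umask=$(umask)
    umask 077                                    # private key: owner-readable only
    openssl genrsa -out "$dir/https.key" 2048 2>/dev/null || return 1
    umask "$old_umask"
    # CSR: CN must be the name clients will connect to; this is what goes to a CA.
    openssl req -new -key "$dir/https.key" -subj "/CN=$cn" \
        -out "$dir/https.csr" 2>/dev/null || return 1
    # Self-signed certificate from the CSR (same command shape as the slide).
    openssl req -x509 -days "$days" -key "$dir/https.key" -in "$dir/https.csr" \
        -out "$dir/https.crt" 2>/dev/null || return 1
    chmod 0644 "$dir/https.crt"
}

# cert_matches_key DIR: true when the public key in https.crt equals the public
# half of https.key; a mismatch is the usual cause of Apache refusing to start.
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1/https.crt" 2>/dev/null)
    b=$(openssl pkey -pubout -in "$1/https.key" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_subject DIR: the subject line (the slide's x509 -noout -text shows everything)
cert_subject() { openssl x509 -noout -subject -in "$1/https.crt"; }

# Usage: sh mkcert.sh /etc/httpd/conf/ssl www.example.com 365
if [ $# -ge 2 ]; then
    make_self_signed "$1" "$2" "${3:-30}" && cert_matches_key "$1" && cert_subject "$1"
fi
```

A self-signed certificate protects the session from sniffing but not from impersonation, since clients cannot tell it from an attacker's self-signed certificate; for anything beyond a test server, send https.csr to a CA and install the certificate it returns in place of https.crt.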
GPG
Encryption of an application-specific password file with a symmetric cipher can be done using
gpg -c file.txt
which writes file.txt.gpg; delete the plaintext afterwards. Retrieval is done using
gpg file.txt.gpg
The same pass phrase needs to be used for both encrypting and decrypting, so the application still needs a secure way to obtain that pass phrase at run time.
Signed images and patches(1)
RPM can be used to package the image and patches.
RPM signing can be used to sign the image and patches, so that the receiver can determine whether a patch really comes from the application vendor.
Create the public/private key pair:
# gpg --gen-key
Signed images and patches(2)
Edit the file /etc/rpm/macros:
%_signature gpg
%_gpg_name xxx <[email protected]>
%_gpg_path /root/.gnupg
%_gpgbin /usr/bin/gpg
Sign rpms while building them:
rpm -bb -vv --sign <rpm_spec.name>
(This is the rpm 3.x form; with rpm 4 an already built package is signed with rpm --addsign <rpm_name>.)
Signed images and patches(3)
For verification, import the vendor's public key into the keyring that rpm checks against:
gpg --import <public_key>
(with rpm 4.1 and later, rpm keeps its own keyring: rpm --import <public_key>)
rpm --checksign <rpm_name>
test-1.0-0.i386.rpm.orig: gpg md5 OK
"gpg md5 OK" means both the GPG signature and the payload digest verified; a package whose signature does not verify must not be installed.
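Both uses of GnuPG on these slides, the GPG slide (symmetric encryption of a password file) and the signed-patch slides (sign, publish the public key, verify, reject a tampered file), in one runnable script added for this page. It is not from the slides and works at the gpg level rather than through rpm, which is what rpm --checksign does over the package payload. Everything runs in a throw-away GNUPGHOME; the key name, pass phrase and the "rpm" file are constructed stand-ins, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the slides: GnuPG doing both jobs the slides give it,
# inside a throw-away GNUPGHOME so no real keyring is touched.
#   Part 1 (GPG slide): symmetric encryption of an application password file,
#           with the pass phrase supplied non-interactively.
#   Part 2 (Signed images and patches): at the gpg level, what rpm --checksign
#           does for a package: the vendor signs a file with a private key, the
#           customer imports the vendor's public key into a separate keyring,
#           verifies, and sees verification fail once a byte of the file changes.
# Requires GnuPG 2.1+ (--quick-generate-key, --pinentry-mode).  Names, pass
# phrase and key parameters are assumptions; the "rpm" is a constructed stand-in.

gpg_setup() {
    GNUPGHOME=$(mktemp -d); chmod 700 "$GNUPGHOME"; export GNUPGHOME
    GPG="gpg --batch --quiet --pinentry-mode loopback"
}

# --- Part 1 ---------------------------------------------------------------
# protect_passwords FILE PASSPHRASE: gpg -c, then remove the plaintext.  A
# pass phrase on the command line is visible in ps; in production use
# --passphrase-file with a root-only file instead.
protect_passwords() {
    $GPG --passphrase "$2" --symmetric --cipher-algo AES256 -o "$1.gpg" "$1" && rm -f "$1"
}
# reveal_passwords FILE PASSPHRASE: print the plaintext (same pass phrase).
reveal_passwords() {
    $GPG --passphrase "$2" --decrypt "$1.gpg" 2>/dev/null
}

# --- Part 2 ---------------------------------------------------------------
# make_signing_key UID: demo key without pass phrase (a real vendor key has one
# and lives offline); prints the fingerprint.
make_signing_key() {
    $GPG --passphrase '' --quick-generate-key "$1" rsa2048 sign never 2>/dev/null || return 1
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}
# sign_package FILE: detached ASCII-armoured signature in FILE.asc
sign_package() {
    $GPG --passphrase '' --yes --armor --detach-sign -o "$1.asc" "$1" 2>/dev/null
}
# export_public_key UID OUTFILE: what the vendor publishes alongside the packages
export_public_key() {
    gpg --batch --armor --export "$1" > "$2" 2>/dev/null
}
# verify_as_customer FILE PUBKEYFILE: in a fresh keyring, import the vendor
# key (the slide's "drop the public key") and verify FILE.asc over FILE.
# Exit status 0 only for a good signature from that key.
verify_as_customer() {
    (
        GNUPGHOME=$(mktemp -d); chmod 700 "$GNUPGHOME"; export GNUPGHOME
        gpg --batch --quiet --import "$2" 2>/dev/null &&
            gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
        rc=$?
        gpgconf --kill gpg-agent 2>/dev/null
        rm -rf "$GNUPGHOME"
        exit $rc
    )
}

# gpg_demo: run both parts; prints "secret-ok sig-ok tamper-detected" on success.
gpg_demo() {
    gpg_setup
    work=$(mktemp -d)
    printf 'dbuser:s3cret\n' > "$work/app-passwd"           # constructed password file
    protect_passwords "$work/app-passwd" 'demo pass phrase' || return 1
    if [ ! -e "$work/app-passwd" ] &&
       [ "$(reveal_passwords "$work/app-passwd" 'demo pass phrase')" = "dbuser:s3cret" ]
    then r1=secret-ok; else r1=secret-FAIL; fi

    pkg="$work/app-1.0-1.i386.rpm"
    printf 'constructed stand-in for an rpm payload\n' > "$pkg"
    uid='Vendor Build Key <vendor@example.com>'               # assumed vendor identity
    make_signing_key "$uid" >/dev/null || return 1
    sign_package "$pkg" || return 1
    export_public_key "$uid" "$work/vendor.pub"
    if verify_as_customer "$pkg" "$work/vendor.pub"; then r2=sig-ok; else r2=sig-FAIL; fi
    printf 'x' >> "$pkg"                                       # one byte appended
    if verify_as_customer "$pkg" "$work/vendor.pub"; then r3=tamper-MISSED; else r3=tamper-detected; fi

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work" "$GNUPGHOME"
    echo "$r1 $r2 $r3"
}

# Usage: sh gpgdemo.sh demo
case "${1:-}" in demo) gpg_demo ;; esac
```

The property worth noticing is where the trust comes from: the customer's verification only means anything if vendor.pub was obtained over a channel the attacker could not tamper with (the vendor's fingerprint printed on paper, a key already on the install media), since a patch and a forged public key would otherwise arrive together.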
Cost Benefit Analysis
The commercial solutions cost at least $10,000 to implement, e.g. one firewall, one IDS and an AAA solution.
The open source solutions have no licence cost (the staff time to deploy and maintain them still applies).
The support for commercial solutions may be better.
But with the wide use of open source solutions on Linux, security updates arrive much faster.
Conclusion
The security needs of the server and the application must be met with a comprehensive set of tools.
The level at which security tools are deployed should follow how much the business depends on the server and the application.
Besides protecting against internal attacks, these mechanisms and tools also help small organisations protect against external attacks.
References
Tripwire Integrity Checker – http://www.tripwire.com
NMAP – www.insecure.org/nmap/
OpenSSL – http://www.openssl.org
Apache Web server – http://www.apache.org
Linux HOWTOs – http://www.tldp.org
LIDS – www.lids.org
Openwall – http://www.openwall.com/linux
Questions
B.C. Sekar
HCL Technologies Limited,
158, NSK Salai, Vadapalani,
Chennai - 600026.
Phone - +91-44-3750171
http://www.hcltechnologies.com