www.ischool.drexel.edu
INFO 320 Server Technology I
Week 8: Security

Uploaded by sheila-pearson, 28-Dec-2015

TRANSCRIPT


Overview

• A key feature of any networked operating system is its ability to control security
– Scope of security
– Security principles
– Sudo
– User and file security
– Application security
– Threat detection and response


Goal

• Our goal is not to make you paranoid, but to give you appropriate information to establish sound security guidelines

• We’re not trying to cover each app or concept in detail, just provide an idea of what they are, and where to find more information


Scope of security

No sources

Scope of security

• Security has many dimensions, as we’ve already touched upon
– Physical vs electronic
– Internal vs external
– Deliberate (intentional) vs accidental
– Natural vs man-made?


Physical security

• Physical security is focused on keeping the equipment safe from theft or attack

• Consider different levels of scale for physical security
– Location/facility
– Room
– Rack or device, including portable devices
– Access to the inside of a device


Electronic security

• Most of our immediate thoughts are on electronic security for a system
– Network access to the system across a LAN or the Internet
• HTTP, SNMP, RMON
– Wireless security
• 802.11, Bluetooth, IR
– Direct electronic connection to a device
• Console port, USB, FireWire, modem


Internal security

• Think of internal/external security as relative to your organization

• To whom does internal security apply?
– What determines the rules for internal security?
– What basis could you have for setting rules?
– Can your security needs change over time?


External security

• Who is an external security threat?
– What is your first association?
– What about customers?
– Vendors/suppliers?
– Team members?
– Government agencies?


Deliberate security

• Referring to a deliberate attempt to violate your organization’s security

• What kinds of attacks fall into this category?


Accidental security

• Or accidental security threats… do they exist?


Natural vs man-made

• In discussing the need for backup, some natural events could be significant causes
– Power loss, weather, earthquake, etc.

• Are security threats all man-made?


Security principles

Partly from (Rankin, 2009)

Security principles

• We’ll cover some guidelines for establishing the right level of security for an organization

• Keep it simple
– Complexity makes security rules harder to maintain (and harder to audit)


Security principles

• Use the principle of least privilege
– Give apps and people the lowest level of system privileges that still lets them do their job
– Similarly, restrict the use of root as much as possible

• Provide layers of protection (defense in depth)
– More than one firewall, the DMZ concept: no single control should be the only thing between an attacker and your data


Security principles

• Avoid security by obscurity
– It’s nice to use nontraditional port numbers, for example, but that only slows an attacker: a port scan finds the service anyway

• Keep current with security patches
– Sounds obvious, but when’s the last time you updated your spyware filter?


Sudo

Partly from (Rankin, 2009)

Sudo

• We’ve been using sudo to execute commands with root privileges

• Ubuntu leaves the root account’s password locked, so you can’t log in to it directly
– Root is a known username on every system, which makes it a key brute-force login target
– Root is still reachable through sudo (e.g. sudo -i), so this protects against password logins as root, not against root itself

• Sudo helps prevent mistakes from overusing root: you run one command with privilege instead of working in a root shell


Sudo

• Key features of sudo include
– Your user password applies to using sudo, not the root password
• This allows you to execute root commands without knowing the root password
– Sudo can limit which commands you’re allowed to use, e.g. only apachectl if that is all you need
– Sudo allows privileges by group membership


Sudo

– Once you authenticate to sudo, the authentication is cached only for a short time (the timestamp_timeout setting, 15 minutes on Ubuntu) and then expires automatically, providing protection if you leave the computer alone

– All sudo access is logged, in /var/log/auth.log: who ran what, as which user, from which terminal, plus failed attempts

• Great for forensics!

– Some scripts (e.g. cron jobs) might need to use sudo without a password, and that can be authorized per command with the NOPASSWD tag in sudoers
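Added example (not part of the lecture): a small parser for the sudo entries in /var/log/auth.log, run over constructed sample lines in sudo’s standard syslog layout. It separates successful commands from failures (wrong password, user not in sudoers) and flags commands that handed someone an interactive root shell, which is what you would look for first when reconstructing what happened on a box. The host name, users and commands in the sample are invented.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not real log data); the
# "user : TTY= ; PWD= ; USER= ; COMMAND=" layout is sudo's standard syslog format.
SAMPLE_AUTH_LOG = """\
Dec 28 10:15:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Dec 28 10:15:01 web1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Dec 28 10:15:07 web1 sudo: pam_unix(sudo:session): session closed for user root
Dec 28 10:16:03 web1 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/bash
Dec 28 10:17:44 web1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su
Dec 28 10:20:12 web1 sudo:      bob : TTY=pts/2 ; PWD=/var/www ; USER=www-data ; COMMAND=/usr/sbin/apachectl graceful
Dec 28 10:21:30 web1 sudo:      bob : TTY=pts/2 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Commands that hand the invoker an interactive root shell: worth flagging even
# when they were permitted, because "sudo bash" defeats per-command limits.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash", "/bin/su"}


def parse_sudo_events(text):
    """Return one dict per sudo command line; pam session open/close noise is skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ok"] = ev["reason"] is None          # no reason text means the command ran
        ev["binary"] = ev["cmd"].split()[0]
        events.append(ev)
    return events


def summarize(events):
    """The counts and findings an investigator wants first."""
    per_user = Counter(ev["user"] for ev in events if ev["ok"])
    failures = [ev for ev in events if not ev["ok"]]
    shells = [ev for ev in events if ev["ok"] and ev["binary"] in SHELLS]
    return {"per_user": dict(per_user), "failures": failures, "root_shells": shells}


if __name__ == "__main__":
    s = summarize(parse_sudo_events(SAMPLE_AUTH_LOG))
    print("commands per user:", s["per_user"])
    for ev in s["failures"]:
        print(f"FAILED  {ev['ts']} {ev['user']}: {ev['reason']} (wanted {ev['cmd']})")
    for ev in s["root_shells"]:
        print(f"SHELL   {ev['ts']} {ev['user']} ran {ev['cmd']} as {ev['runas']}")
```

On a real server you would feed the function the output of `grep sudo /var/log/auth.log`; the failure lines are the ones sudo also mails to root by default, so a burst of them from one user is a brute-force indicator, not just a typo.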


Sudo configuration

• The sudo configuration file (yes, everything in UNIX has a config file!) is at
– /etc/sudoers

• Members of the admin group can use all root privileges
– The first account created when installing Ubuntu is placed in this group automatically (newer Ubuntu releases use the sudo group for the same purpose)


Sudo configuration

• Somewhat recursively, you need to use sudo to edit its config file
– sudo visudo

• visudo locks the file and checks it for syntax errors before saving, so a typo can’t lock everyone out of sudo (never edit /etc/sudoers with a plain editor)

• We won’t try to cover changing rules in sudoers, defining aliases for users and hosts, and the commands they can use


User and file security


User and file security

• As we’ve covered, UNIX systems associate users with groups as a key security structure
– File and directory permissions are defined by read, write, and execute privileges (rwx) for the user, group, and others (ugo)

• The commands chown, chgrp and chmod change the owner, the group and the permission bits respectively
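Added example (not from the lecture): a permission audit of the kind you would run over /etc or a web root after the ugo/rwx material above. It renders a mode the way ls -l shows it and flags the bits that matter most to a reviewer: world-writable files (anyone can alter what root later executes or reads), and setuid/setgid programs (run with the owner’s privileges, the classic route from an ordinary account to root). The directory tree it scans is constructed in a temporary directory; file names are invented.

```python
import os
import stat
import tempfile


def describe_mode(mode):
    """Render a st_mode the way ls -l does (e.g. '-rw-r-----') plus its octal permission bits."""
    return stat.filemode(mode), oct(stat.S_IMODE(mode))


def risky_bits(mode):
    """Permission problems a reviewer would flag for one inode (mode is a full st_mode)."""
    findings = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        # A world-writable directory with the sticky bit (/tmp style) is fine:
        # users can only delete their own entries.  Anything else is a finding.
        if not (stat.S_ISDIR(mode) and perm & stat.S_ISVTX):
            findings.append("world-writable")
    if perm & stat.S_ISUID:
        findings.append("setuid")
    if perm & stat.S_ISGID and not stat.S_ISDIR(mode):
        findings.append("setgid")
    return findings


def audit_tree(root):
    """Walk root and return {relative path: [findings]} for every entry with a problem."""
    problems = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):      # symlink modes are meaningless, skip
                continue
            found = risky_bits(st.st_mode)
            if found:
                problems[os.path.relpath(path, root)] = found
    return problems


def build_demo_tree():
    """Constructed sample tree: a sane config file, a world-writable script, a sticky tmp dir."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    good = os.path.join(root, "httpd.conf")
    bad = os.path.join(root, "deploy.sh")
    tmp = os.path.join(root, "tmp")
    open(good, "w").close()
    os.chmod(good, 0o640)          # rw-r-----: owner and group only
    open(bad, "w").close()
    os.chmod(bad, 0o777)           # rwxrwxrwx: anyone can rewrite a script root may run
    os.mkdir(tmp)
    os.chmod(tmp, 0o1777)          # world-writable but sticky, like /tmp
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, found in audit_tree(root).items():
        st = os.lstat(os.path.join(root, rel))
        print(f"{describe_mode(st.st_mode)[0]} {rel}: {', '.join(found)}")
```

The fix for a finding is the chmod the slide mentions (chmod o-w deploy.sh, or chmod 750 for a script only the owner and group should run); the audit is worth repeating after any deployment, because install scripts are a common source of stray 777 modes.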


Application security

From (Rankin, 2009) and (Petersen, 2009), which have very different perspectives!

Application security

• We won’t try to cover every possible security threat (!), but we’ll hint at some of the categories of threats for common server applications


Mail server security

• A major mail server app is Postfix, written as a drop-in replacement for the older sendmail (it is sendmail-compatible, not derived from sendmail’s code)

• Postfix is started and stopped like many other services
– sudo postfix start
– sudo postfix stop


Mail server security

• A major threat for mail servers is spam

• A key configuration option is the mynetworks setting
– It lists the client networks for which this mail server will relay mail without asking for authentication
– If defined too broadly (e.g. a whole public address range, or 0.0.0.0/0), your server is an open relay and spammers can use it!
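Added example (not part of the lecture): a check of the mynetworks setting with Python’s ipaddress module. It parses the value the way Postfix writes it (comma or space separated, IPv6 in brackets), reports entries that would relay for far more than one site, and answers the question that matters, whether a given client address would be relayed for. The two main.cf fragments are constructed, and the "larger than a /16" threshold for a non-private network is an assumption chosen for the example, not a Postfix rule.

```python
import ipaddress

# Constructed Postfix main.cf fragments (not from the lecture).  The first is the
# kind of setting that turns a server into an open relay; the second is sane.
WEAK_MYNETWORKS = "mynetworks = 127.0.0.0/8, [::1]/128, 0.0.0.0/0"
GOOD_MYNETWORKS = "mynetworks = 127.0.0.0/8, [::1]/128, 192.168.10.0/24"


def parse_mynetworks(setting):
    """Turn a 'mynetworks = a, b, c' line into ip_network objects.

    Postfix accepts comma- or whitespace-separated entries, and writes IPv6
    entries in brackets: [::1]/128.
    """
    _, _, value = setting.partition("=")
    nets = []
    for item in value.replace(",", " ").split():
        if item.startswith("["):
            addr, _, prefix = item[1:].partition("]")
            item = addr + prefix
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def too_broad(nets):
    """Entries that relay for far more than one site: a whole address family, or any
    non-private, non-loopback network larger than a /16 (threshold assumed for this example)."""
    return [str(n) for n in nets
            if n.prefixlen == 0
            or (not n.is_private and not n.is_loopback and n.prefixlen < 16)]


def would_relay(nets, client_ip):
    """Would Postfix relay mail from this client under permit_mynetworks?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)      # version mismatch (v4 in v6 net) is simply False


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MYNETWORKS), ("good", GOOD_MYNETWORKS)):
        nets = parse_mynetworks(cfg)
        print(label, "too broad:", too_broad(nets) or "none",
              "| relays for 203.0.113.7:", would_relay(nets, "203.0.113.7"))
```

Run it against `postconf mynetworks` on a real host; the value to test is whatever an arbitrary Internet address resolves to, because that is the client a spammer will come from.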


Mail server security

• Another configuration option of interest is relayhost
– This sets a different mail server to act as the relay point for your network
– Multiple internal mail servers could share a central outgoing mail server
– This gives a central point for monitoring outgoing email


Mail server security

• Another mail server concept is greylisting, also focused on reducing spam
– Spammers are often lazy: their sending software won’t retry after a temporary failure

• Greylisting responds to the first attempt from a previously unseen (client IP, sender, recipient) combination with a temporary failure, specifically
– SMTP response 450, “Requested mail action not taken: mailbox unavailable”


Mail server security

– Legit servers queue the message and retry after a delay; the retry is accepted and the combination is remembered, so later mail from it isn’t delayed

– Spammers often won’t retry, so their mail is never accepted

– Known good mail servers can be added to a whitelist so they skip the delay entirely

• Look for the application postgrey to apply greylisting
– sudo apt-get install postgrey
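Added example (not the lecture’s or postgrey’s code): the greylisting decision as a small state machine, driven by a constructed sequence of delivery attempts. It shows the three outcomes the slides describe: a legitimate MTA gets 450 and is accepted when it retries after the delay, a bot that never retries never gets through, and a whitelisted server is never delayed. The 300-second delay and 2-day retry window are postgrey’s documented defaults; the client addresses, senders and the fixed reply strings are assumptions for the example.

```python
# postgrey's documented defaults: --delay=300 (seconds), --retry-window=2d
DELAY = 300
RETRY_WINDOW = 2 * 24 * 3600

TEMPFAIL = "450 Requested mail action not taken: mailbox unavailable"


class Greylist:
    def __init__(self, whitelist=()):
        self.seen = {}              # triplet -> time of first attempt
        self.passed = set()         # triplets that retried in the window and were accepted
        self.whitelist = set(whitelist)

    def decide(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply the policy would give for one delivery attempt."""
        if client_ip in self.whitelist:
            return "250 OK (whitelisted)"
        triplet = (client_ip, sender.lower(), rcpt.lower())
        if triplet in self.passed:
            return "250 OK"
        first = self.seen.get(triplet)
        if first is None or now - first > RETRY_WINDOW:
            self.seen[triplet] = now            # new (or stale) triplet: start the clock
            return TEMPFAIL
        if now - first < DELAY:
            return TEMPFAIL                     # retried too soon, keep deferring
        self.passed.add(triplet)                # retried inside the window: accept for good
        return "250 OK"


def simulate(attempts, whitelist=()):
    """attempts: list of (time, client_ip, sender, rcpt); returns the 3-digit reply codes."""
    g = Greylist(whitelist)
    return [g.decide(ip, s, r, t)[:3] for t, ip, s, r in attempts]


# Constructed scenario (invented addresses): a legitimate MTA retries after 10 minutes,
# a spam bot never retries, a whitelisted partner server is never delayed.
ATTEMPTS = [
    (0,   "198.51.100.5", "bob@example.org",   "alice@example.com"),   # legit, first try
    (30,  "203.0.113.9",  "junk@spam.test",    "alice@example.com"),   # bot, first and only try
    (600, "198.51.100.5", "bob@example.org",   "alice@example.com"),   # legit retry -> accepted
    (700, "198.51.100.5", "bob@example.org",   "alice@example.com"),   # later mail, no delay
    (800, "192.0.2.25",   "news@partner.test", "alice@example.com"),   # whitelisted
]

if __name__ == "__main__":
    for attempt, code in zip(ATTEMPTS, simulate(ATTEMPTS, whitelist={"192.0.2.25"})):
        print(attempt[0], attempt[1], attempt[2], "->", code)
```

The caveat the simulation makes visible: the delay is paid by every first contact, including legitimate ones, which is why the whitelist exists and why the retry window must be long enough for real MTAs (which may back off for hours).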


SE-Linux

• Some apps need root privileges to run

• If those apps have security weaknesses, attackers can get root through them

• One option for applying mandatory access controls is SE-Linux (Security-Enhanced Linux)
– SE-Linux labels every process and object (files, sockets, ports) and a policy defines which labels may access which, regardless of what root or the file permissions would otherwise allow
– It is the default on Red Hat-derived systems; Ubuntu ships AppArmor instead


AppArmor

• AppArmor is used in Ubuntu to add access control to specific services
– It’s designed to be simpler and easier to use than SE-Linux: it confines programs by path rather than by label
– Typically applied to exposed network services (Apache, etc.)
– Profiles are defined for each service, in /etc/apparmor.d/, under a filename made from the path of the confined binary with slashes replaced by dots, e.g. /etc/apparmor.d/usr.sbin.nscd for /usr/sbin/nscd (the name service caching daemon)


AppArmor

• AppArmor works in two modes, enforce and complain
– Enforce mode blocks (and logs) any attempt to violate a program’s profile
– Complain mode will log the attempt but still allow it to happen (!)

• Complain mode is for developing a profile: run the service, collect the log entries, add the accesses that are legitimate to the profile, then switch to enforce (aa-complain and aa-enforce switch a profile between the modes)
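Added example (not from the lecture or the AppArmor project): a parser for the audit lines AppArmor writes to the kernel log, run over constructed sample lines in the real key="value" layout. Enforce-mode events carry apparmor="DENIED"; complain-mode events carry apparmor="ALLOWED", meaning the access happened and was only recorded. The code groups them per profile and drafts the profile lines a complain-mode run suggests, which is the job aa-logprof does interactively. The profiles, paths and pids in the sample are invented; note that it deliberately drafts a rule for /etc/shadow so the point is visible: whether an access belongs in the profile is a human decision, and that one should be refused.

```python
import re
from collections import defaultdict

# Constructed kernel log lines in AppArmor's audit format (profile names, paths and pids invented).
SAMPLE_LOG = """\
Dec 28 11:02:10 web1 kernel: [ 1203.1] audit: type=1400 audit(1451300530.123:41): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/nscd.conf" pid=1420 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 28 11:02:11 web1 kernel: [ 1204.2] audit: type=1400 audit(1451300531.456:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nscd" name="/etc/shadow" pid=1420 comm="nscd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 28 11:05:03 web1 kernel: [ 1376.7] audit: type=1400 audit(1451300703.789:57): apparmor="DENIED" operation="exec" profile="/usr/sbin/apache2" name="/bin/dash" pid=2210 comm="apache2" requested_mask="x" denied_mask="x" fsuid=33 ouid=0
Dec 28 11:05:04 web1 kernel: [ 1377.1] audit: type=1400 audit(1451300704.111:58): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/nscd" pid=2300 comm="apparmor_parser"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor audit line as a dict, or None if it isn't one."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def summarize(text):
    """Per profile: what enforce mode denied, and what complain mode let through but logged."""
    summary = defaultdict(lambda: {"denied": [], "would_deny": []})
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue                                    # STATUS lines etc. are not access events
        entry = (ev.get("operation"), ev.get("name"), ev.get("denied_mask"))
        key = "denied" if ev["apparmor"] == "DENIED" else "would_deny"
        summary[ev["profile"]][key].append(entry)
    return dict(summary)


def suggest_rules(text):
    """Draft profile lines ('path mask,') for complain-mode events, as aa-logprof would offer.
    Review each one: the /etc/shadow line below must be rejected, not added."""
    rules = set()
    for profile, ev in summarize(text).items():
        for _op, name, mask in ev["would_deny"]:
            rules.add((profile, f"{name} {mask},"))
    return sorted(rules)


if __name__ == "__main__":
    for profile, ev in summarize(SAMPLE_LOG).items():
        print(profile, "denied:", ev["denied"], "would deny:", ev["would_deny"])
    for profile, rule in suggest_rules(SAMPLE_LOG):
        print(f"{profile}: {rule}")
```

The apache2 line is what a successful enforce-mode profile looks like in practice: a web server that tries to exec a shell is blocked, which is exactly the "attackers get root through a weak app" case the SE-Linux slide describes.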


ufw

• The ufw command is a key tool for managing firewall settings in Ubuntu
– It is a front end that generates the complex iptables rules for you (iptables replaced the obsolete ipchains of the 2.2 kernels)
– A ‘chain’ refers to an ordered checklist of rules; each packet is compared against them in turn, the first rule whose header test matches decides how the packet is handled, and if nothing matches the chain’s default policy applies
– Netfilter is the packet-filtering framework inside the kernel; iptables (and so ufw) is the user-space tool that configures it


ufw

• Like any good firewall, ufw starts from a default-deny stance: its defaults deny incoming connections and allow outgoing ones, so you then open only the services you actually run
– To override that default you could use sudo ufw default allow (not recommended)

• To enable the ufw application
– sudo ufw enable


ufw

• To find the status of ufw
– sudo ufw status

• To log anything blocked by ufw
– sudo ufw logging on

• More often you will use allow and deny commands to establish settings


ufw

• The allow and deny commands take port numbers or service names as arguments
– sudo ufw allow 53 (DNS; a bare port number opens both TCP and UDP)
– sudo ufw deny 21 (FTP)

• Why is this command redundant?
– sudo ufw allow smtp
– (ufw resolves service names through /etc/services, so allow smtp produces the same rule as allow 25/tcp)

• There are a lot more possible rules for configuring ufw, but these are the basics
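Added example (not the lecture’s or ufw’s code): a model of the chain semantics the ufw slides rely on, so the rule strings above can be reasoned about without a firewall to hand. It expands ufw-style rules ("allow 53", "deny 21", "allow smtp", "allow 22/tcp") into (action, port, protocols), evaluates a packet against an ordered chain with first-match-wins and a default policy, and shows which pairs of rules are the same rule. The service table is a constructed subset of /etc/services embedded so the example runs offline.

```python
# Constructed subset of /etc/services, embedded so the example runs without the file;
# ufw resolves a service name like "smtp" the same way.
SERVICES = {"ssh": (22, "tcp"), "smtp": (25, "tcp"), "domain": (53, "tcp+udp"),
            "http": (80, "tcp"), "https": (443, "tcp"), "ftp": (21, "tcp")}


def parse_rule(text):
    """Expand 'allow 53', 'deny 21/tcp' or 'allow smtp' into (action, port, set of protocols)."""
    action, target = text.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {text!r}")
    if "/" in target:                                   # explicit protocol: 22/tcp
        port, proto = target.split("/")
        return action, int(port), {proto}
    if target.isdigit():                                # bare port: ufw opens both protocols
        return action, int(target), {"tcp", "udp"}
    port, proto = SERVICES[target]                      # service name -> /etc/services entry
    return action, port, set(proto.split("+"))


def same_rule(a, b):
    """True when two rule strings expand to the same rule (e.g. 'allow smtp' and 'allow 25/tcp')."""
    return parse_rule(a) == parse_rule(b)


class Chain:
    """An ordered rule list plus a default policy, as an iptables chain behaves:
    the first matching rule wins; if nothing matches, the policy applies."""

    def __init__(self, default="deny"):
        self.default = default
        self.rules = []

    def add(self, text):
        self.rules.append(parse_rule(text))
        return self

    def verdict(self, port, proto):
        for action, rport, protos in self.rules:
            if rport == port and proto in protos:
                return action
        return self.default

    def redundant(self):
        """Rules whose action equals the default policy and that no earlier rule overrides:
        removing them changes nothing."""
        out = []
        for i, (action, port, protos) in enumerate(self.rules):
            if action != self.default:
                continue
            shadowed = any(p == port and protos & ps for _, p, ps in self.rules[:i])
            if not shadowed:
                out.append((action, port, sorted(protos)))
        return out


def build_example():
    """The slide's rules, in order, on ufw's default-deny incoming chain."""
    return Chain("deny").add("allow 53").add("deny 21").add("allow smtp").add("allow 22/tcp")


if __name__ == "__main__":
    chain = build_example()
    for port, proto in ((53, "udp"), (21, "tcp"), (25, "tcp"), (25, "udp"), (80, "tcp")):
        print(f"{port}/{proto}: {chain.verdict(port, proto)}")
    print("redundant under default deny:", chain.redundant())
    print("allow smtp == allow 25/tcp:", same_rule("allow smtp", "allow 25/tcp"))
```

Two things the model makes concrete: "deny 21" adds nothing on a chain whose policy is already deny, and "allow 25" is not the same as "allow smtp", because the bare port form also opens 25/udp.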


Threat detection and response

Partly from (Rankin, 2009)

Tripwire

• Once security measures are in place, how do you detect an attack?

• One way is to monitor key configuration files and binaries, and look for changes to them

• That’s the idea behind Tripwire
– It isn’t a trivial program to configure; its policies are in /etc/tripwire/twpol.txt, which lists what files it monitors
– After the policy is set, tripwire --init records a baseline database of the monitored files, and tripwire --check compares the current files against that baseline and reports anything added, removed or modified
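Added example (not Tripwire’s code, nor from the lecture): the baseline-and-compare mechanism Tripwire implements, reduced to its essentials. A snapshot records a SHA-256 digest, permission bits and size for each watched path (a missing path is recorded as absent), and a later snapshot is diffed against it to report modified, removed and added files. The scenario it runs is constructed in a temporary directory: two config files are baselined, then one is tampered with and a new cron job appears.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Baseline: digest, permission bits and size per watched path; None for a path that doesn't exist."""
    base = {}
    for p in paths:
        if os.path.exists(p):
            st = os.stat(p)
            base[p] = {"sha256": file_digest(p),
                       "mode": oct(st.st_mode & 0o7777),   # include setuid/sticky bits
                       "size": st.st_size}
        else:
            base[p] = None
    return base


def compare(baseline, current):
    """Report added, removed and modified paths in current relative to baseline."""
    report = {"modified": [], "removed": [], "added": []}
    for p, old in baseline.items():
        new = current.get(p)
        if old is None and new is not None:
            report["added"].append(p)
        elif old is not None and new is None:
            report["removed"].append(p)
        elif old != new:                       # digest, mode or size changed
            report["modified"].append(p)
    return report


def demo():
    """Constructed scenario (invented contents): baseline two config files, then tamper."""
    root = tempfile.mkdtemp(prefix="fim-")
    sudoers = os.path.join(root, "sudoers")
    sshd = os.path.join(root, "sshd_config")
    cron = os.path.join(root, "cron.d-backdoor")
    with open(sudoers, "w") as f:
        f.write("%admin ALL=(ALL) ALL\n")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\n")
    watched = [sudoers, sshd, cron]             # cron path is watched but does not exist yet

    baseline = snapshot(watched)
    stored = json.dumps(baseline)               # Tripwire signs and stores this; here kept in memory

    # attacker activity: grant themselves passwordless sudo and add a persistence job
    with open(sudoers, "a") as f:
        f.write("mallory ALL=(ALL) NOPASSWD: ALL\n")
    with open(cron, "w") as f:
        f.write("* * * * * root /tmp/.x\n")

    report = compare(json.loads(stored), snapshot(watched))
    return report, sudoers, cron


if __name__ == "__main__":
    report, _, _ = demo()
    print(json.dumps(report, indent=2))
```

The design point Tripwire gets right and this sketch leaves out: a baseline stored on the same host is only as trustworthy as that host, which is why Tripwire signs its policy and database and why the keys (and ideally a copy of the database) belong somewhere the attacker cannot reach.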


Incident response

• Good security planning includes planning what to do in the event of an attack

• Do you prosecute an attacker? (If so, evidence must be collected and preserved in a way that will hold up later)

• When an attack is detected, it is often best to power down affected servers
– If running a virtual machine, capture an image (including memory) first
– Powering down stops further damage, but loses volatile evidence such as memory contents and active network connections; if that evidence matters, isolate the host from the network instead of pulling the plug


Incident response

• Then image the server’s current state, e.g. from running a rescue disk

• Make copies of the image for later analysis, and work only on copies

• Then determine when it’s best to redeploy the affected servers
– Some systems can be rebuilt easily (e.g. clusters) but database or file servers might need to revert to a previous backup


Incident response

• Later you could hand off the system image for forensic analysis
– How did they get in?
– What did they install or modify?

• Ubuntu even packages the forensic app Autopsy, a front end for The Sleuth Kit

• Another tool is chkrootkit, which looks for rootkits (software an attacker installs to keep root access while hiding their presence)


Summary

• We’ve given an overview of
– The types of security threats
– General guidelines for security
– How we use sudo to protect the root user
– Reviewed permissions for files and directories
– Examined security concepts and tools for a UNIX environment
