www.ischool.drexel.edu
Overview
• A key feature of any networked operating system is its ability to control security
– Scope of security
– Security principles
– Sudo
– User and file security
– Application security
– Threat detection and response
INFO 320, week 8
Goal
• Our goal is not to make you paranoid, but to give you appropriate information to establish sound security guidelines
• We’re not trying to cover each app or concept in detail, just provide an idea of what they are, and where to find more information
Scope of security
• Security has many dimensions, as we’ve already touched upon
– Physical vs electronic
– Internal vs external
– Deliberate (intentional) vs accidental
– Natural vs man-made?
Physical security
• Physical security is focused on keeping the equipment safe from theft or attack
• Consider different levels of scale for physical security
– Location/facility
– Room
– Rack or device, including portable devices
– Access to the inside of a device
Electronic security
• Most of our immediate thoughts are on electronic security for a system
– Network access to the system across a LAN or the Internet
• HTTP, SNMP, RMON
– Wireless security
• 802.11, Bluetooth, IR
– Direct electronic connection to a device
• Console port, USB, FireWire, modem
Internal security
• Think of internal/external security as relative to your organization
• To whom does internal security apply?
– What determines rules for internal security?
– What basis could you have for setting rules?
– Can your security needs change over time?
External security
• Who is an external security threat?
– What is your first association?
– What about customers?
– Vendors/suppliers?
– Team members?
– Government agencies?
Deliberate security
• Referring to a deliberate attempt to violate your organization’s security
• What kinds of attacks fall into this category?
Accidental security
• Or accidental security threats… do they exist?
Natural vs man-made
• In discussing the need for backup, some natural events could be significant causes
– Power loss, weather, earthquake, etc.
• Are security threats all man-made?
Security principles
• We’ll cover some guidelines to establishing the right level of security for an organization
• Keep it simple
– Complexity makes security rules harder to maintain, and harder to audit: a rule nobody understands is a rule nobody will notice is wrong
Security principles
• Use the principle of least privilege
– Give apps and people the lowest level of system privileges they need to do their job
– Similarly, restrict the use of root as much as possible
• Provide layers of protection (defense in depth)
– More than one firewall, the DMZ concept: no single control should be the only thing standing between an attacker and your data
Security principles
• Avoid security by obscurity
– It’s nice to use nontraditional port numbers, for example, but that only slows an attacker: a port scan finds the service anyway
• Keep current with security patches
– Sounds obvious, but when’s the last time you updated your spyware filter?
Sudo
• We’ve been using sudo to execute root privilege commands
• Ubuntu has disabled (locked) the root account so you can’t log into it directly
– Root login is a key brute force login target
• Sudo helps prevent mistakes from overusing root
Sudo
• Key features of sudo include
– Your user password applies to using sudo, not the root password
• This allows you to execute root commands without knowing the root password
– Sudo can limit which commands you’re allowed to use, e.g. if you only need to use apachectl
– Sudo allows privileges by group membership
Sudo
– Once you authenticate to sudo, the credential is cached, and it expires after a timeout (15 minutes by default), providing some protection if you leave the computer alone
– All sudo access is logged, in /var/log/auth.log: who ran which command, from which terminal, as which user
• Great for forensics!
– Some scripts (e.g. cron jobs) might need to use sudo without a password, and that can be authorized for specific commands
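Since the slides point at /var/log/auth.log as the forensic record, here is how to actually pull the sudo events out of it. This is an added example, not part of the original lecture; the log lines are constructed to match Ubuntu's auth.log format (user names, hosts and commands are invented).

```shell
#!/bin/sh
# Pull sudo activity out of auth.log: who ran what, and who tried and failed.
# The log lines below are constructed to match Ubuntu's auth.log format; on a
# real host, feed "sudo cat /var/log/auth.log" into the same functions.

sample_auth_log() {
  cat <<'EOF'
Mar 14 09:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/apachectl restart
Mar 14 09:12:01 web1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Mar 14 09:12:03 web1 sudo: pam_unix(sudo:session): session closed for user root
Mar 14 09:15:44 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 14 09:16:02 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
Mar 14 09:18:30 web1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
Mar 14 09:20:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
EOF
}

# Successful sudo commands, one per line as "user|command"
sudo_commands() {
  grep 'sudo:.*COMMAND=' \
    | grep -Ev 'incorrect password|NOT in sudoers|command not allowed' \
    | sed -n 's/.* sudo: *\([^ ]*\) : .*COMMAND=\(.*\)$/\1|\2/p'
}

# Failed attempts as "user|reason|command": the lines a stolen account or a
# curious insider leaves behind
sudo_failures() {
  grep -E 'sudo:.*(incorrect password|NOT in sudoers|command not allowed)' \
    | sed -n 's/.* sudo: *\([^ ]*\) : \(.*\) ; TTY=.*COMMAND=\(.*\)$/\1|\2|\3/p'
}

# Successful commands that deserve a second look: interactive root shells, and
# editors opened on sudoers (which bypass visudo's syntax check)
sudo_shell_escapes() {
  sudo_commands | grep -E '[|]/bin/(ba)?sh$|[|]/usr/bin/(vi|vim|nano) /etc/sudoers$'
}

if [ "${1:-}" = "--demo" ]; then
  echo "== commands";      sample_auth_log | sudo_commands
  echo "== failures";      sample_auth_log | sudo_failures
  echo "== shell escapes"; sample_auth_log | sudo_shell_escapes
fi
```

Run with `sh sudo-log.sh --demo` to see the three views over the constructed log. The failure lines are the ones worth alerting on: repeated "incorrect password attempts" against one account is the brute-force pattern the slides mention, and "command not allowed" means someone is probing the limits of their sudoers entry.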
Sudo configuration
• The sudo configuration file (yes, everything in UNIX has a config file!) is at
– /etc/sudoers (plus any fragments dropped into /etc/sudoers.d/)
• Members of the admin group can use all root privileges (recent Ubuntu releases use the sudo group for this instead)
– The account created when installing Ubuntu is put in this group automatically
Sudo configuration
• Somewhat recursively, you need to use sudo to edit its config file
– sudo visudo
• visudo locks the file and checks its syntax before saving, so a typo can’t leave you unable to use sudo at all
• We won’t try to cover changing rules in sudoers, defining aliases for users and hosts, and commands they can use
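The slides skip over what the rules look like, so here is a fragment that uses the three features they do mention: a command alias that limits a group to apachectl, group-based grants, and a passwordless entry for a cron script. It is an added example, not from the lecture; the group name `webadmins`, the `backup` account, the script path and the fragment's file name are all assumptions, and the fallback check used when `visudo` is not installed is part of the example, not a sudo feature.

```shell
#!/bin/sh
# Write a sudoers fragment for /etc/sudoers.d/ and syntax-check it before it
# goes live. Group name, script path and file name are assumptions for the example.

write_sudoers_fragment() {   # write_sudoers_fragment PATH
  cat > "$1" <<'EOF'
# Intended location: /etc/sudoers.d/webadmins (assumed name; no dots in the file name,
# sudo ignores fragments whose names contain a dot or end in ~)

# Command aliases keep the grants readable. List exact commands and arguments:
# a trailing "*" would also match extra arguments you did not intend to allow.
Cmnd_Alias APACHE = /usr/sbin/apachectl configtest, /usr/sbin/apachectl graceful, \
                    /usr/sbin/service apache2 restart, /usr/sbin/service apache2 reload

# Shrink the cached-credential window from the default 15 minutes to 5.
Defaults timestamp_timeout=5
# Run commands in a pseudo-terminal so a malicious program cannot leave a
# background process attached to the admin's real terminal after sudo exits.
Defaults use_pty

# Everyone in the webadmins group may run only the Apache commands, as root.
%webadmins ALL=(root) APACHE

# A cron job under the "backup" account runs exactly one script without a password.
# The script must be root-owned and not writable by backup, or this grant is a root shell.
backup ALL=(root) NOPASSWD: /usr/local/sbin/nightly-backup.sh
EOF
  chmod 0440 "$1"
}

# visudo -cf checks syntax without touching /etc/sudoers. A fragment with a syntax
# error makes sudo refuse to run at all, so always check before installing.
check_sudoers_fragment() {   # check_sudoers_fragment PATH
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$1" >/dev/null
  else
    # visudo is not installed on this machine (assumed for the fallback): do a
    # minimal sanity check so the rest of the script can still be exercised
    grep -q '^%webadmins ALL=(root) APACHE$' "$1" && grep -q 'NOPASSWD: ' "$1"
  fi
}

if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sudoers_fragment "$f"
  check_sudoers_fragment "$f" && echo "fragment OK; install with: sudo install -m 0440 $f /etc/sudoers.d/webadmins"
  rm -f "$f"
fi
```

The NOPASSWD line is the one to be careful with: sudo trusts the path, so if the backup account can overwrite the script (or the directory it lives in), the "one script, no password" grant becomes a password-free root shell.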
User and file security
• As we’ve covered, UNIX systems associate users with groups as a key security structure
– File and directory permissions are defined by read, write, and execute privileges (rwx) for the user, group, and others (ugo)
• The commands chown and chgrp change a file’s owner and group; chmod changes its permissions
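As an added example (not from the lecture), the following script applies those three commands to a directory holding an application's config and a credential, then audits the result the way a reviewer would, by asking what "others" can read. The directory layout, the sample credential and the optional group name are assumptions.

```shell
#!/bin/sh
# Lock down a directory that holds an application's config and a credential,
# then audit it the way an attacker (or a reviewer) would: what can "others" read?
# Paths, the sample credential and the group name are assumptions for the example.

harden_app_dir() {   # harden_app_dir DIR [GROUP]
  dir=$1
  mkdir -p "$dir"
  if [ -n "${2:-}" ]; then chgrp "$2" "$dir"; fi   # chgrp: hand the directory to the team's group
  # 2750: owner rwx, group r-x, others nothing. The leading 2 is the setgid bit:
  # files created inside inherit the directory's group, not the creator's primary group
  chmod 2750 "$dir"
  umask 027                         # new files now default to rw-r----- (640), dirs to 750
  printf 'db_password=hunter2\n' > "$dir/app.conf"   # constructed sample credential
  chmod 600 "$dir/app.conf"         # a credential: owner read/write only
  printf '#!/bin/sh\necho running\n' > "$dir/run.sh"
  chmod 750 "$dir/run.sh"           # executable by owner and group, invisible to others
}

mode_of() { stat -c '%a' "$1"; }    # octal mode, including the setuid/setgid/sticky digit

# Regular files under PATH that anyone on the system can read (-perm -004 = o+r).
# On a real host, run this against /etc, /var/www or wherever secrets live.
world_readable() { find "$1" -type f -perm -004; }

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  harden_app_dir "$d/app"
  echo "dir mode: $(mode_of "$d/app"), conf mode: $(mode_of "$d/app/app.conf")"
  echo "world-readable files: $(world_readable "$d/app" | wc -l)"
  rm -rf "$d"
fi
```

The `world_readable` check is the part worth keeping: permissions drift when files are copied or restored from backup, and a periodic `find ... -perm -004` over the directories that hold credentials catches the drift before an attacker does.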
Application security
From (Rankin, 2009) and (Petersen, 2009), which have very different perspectives!
Application security
• We won’t try to cover every possible security threat (!), but we’ll hint at some of the categories of threats for common server applications
Mail server security
• A major mail server app is Postfix, written as a simpler and more secure replacement for the older sendmail (it is compatible with sendmail’s interfaces but is not derived from its code)
• Postfix is started and stopped like many other services
– sudo postfix start
– sudo postfix stop
Mail server security
• A major threat for mail servers is spam
• A key configuration option is the mynetworks setting
– It defines the networks from which this mail server will relay mail (accept it and forward it on to other domains)
– If defined too broadly, you are running an open relay and spammers can use your mail server!
Mail server security
• Another configuration option of interest is relayhost
– This sets a different mail server to act as the relay point for your network
– Multiple internal mail servers could share a central outgoing mail server
– This gives a central point for monitoring (and filtering) outgoing email
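To make the mynetworks and relayhost settings concrete, here is an added example (not from the lecture or the Postfix project) that audits a main.cf for the open-relay mistake: a deliberately weak configuration beside a corrected one, and a checker that flags the weak one. Both configurations are constructed; the host names and the 192.168.10.0/24 office range are assumptions.

```shell
#!/bin/sh
# Audit a Postfix main.cf for the open-relay mistake the slides warn about.
# The two configs are constructed examples, not a real server's settings.

weak_main_cf() {
  cat <<'EOF'
# "opened up so the laptops on the road can send mail"
myhostname = mail.example.com
mynetworks = 0.0.0.0/0
EOF
}

good_main_cf() {
  cat <<'EOF'
myhostname = mail.example.com
# relay only for this host and the office LAN (assumed range)
mynetworks = 127.0.0.0/8, [::1]/128, 192.168.10.0/24
# hand all outbound mail to one central relay (assumed host) for monitoring
relayhost = [smtp-out.example.com]:587
# the actual relay decision: permit our networks and authenticated users,
# and refuse to relay for anyone else
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
EOF
}

# cf_get FILE PARAM: value of a main.cf parameter (last assignment wins, like postconf)
cf_get() { awk -v k="$2" -F' *= *' '$1 == k { v = $2 } END { print v }' "$1"; }

# check_mynetworks FILE: flag entries that let the whole Internet relay through you
check_mynetworks() {
  bad=0
  set -f   # no pathname expansion while we loop over values like [::1]/128
  for n in $(cf_get "$1" mynetworks | tr ',' ' '); do
    case "$n" in
      0.0.0.0|0.0.0.0/0|*/0)      echo "OPEN RELAY: $n matches every address"; bad=1 ;;
      */[1-7])                    echo "OPEN RELAY: $n covers most of the Internet"; bad=1 ;;
      127.*|\[::1\]/128)          ;;                               # loopback is fine
      10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) ;;   # RFC 1918 private ranges
      *)                          echo "REVIEW: $n is a public range, make sure you own it" ;;
    esac
  done
  set +f
  return $bad
}

# check_relay_restrictions FILE: mynetworks only matters because of permit_mynetworks;
# the rule that actually stops relaying is reject/defer_unauth_destination
check_relay_restrictions() {
  r=$(cf_get "$1" smtpd_relay_restrictions)
  case "$r" in
    "") echo "NOTE: smtpd_relay_restrictions not set; Postfix 2.10+ defaults to a safe value, older versions rely on smtpd_recipient_restrictions" ;;
    *unauth_destination*) ;;
    *) echo "OPEN RELAY: smtpd_relay_restrictions is set but never rejects unauthorized destinations"; return 1 ;;
  esac
}

if [ "${1:-}" = "--demo" ]; then
  for cfg in weak good; do
    f=$(mktemp); "${cfg}_main_cf" > "$f"
    echo "== $cfg"; check_mynetworks "$f"; check_relay_restrictions "$f"
    rm -f "$f"
  done
fi
```

On a live server, run `check_mynetworks /etc/postfix/main.cf`. The second check is there because mynetworks is only half the story: it is `permit_mynetworks` inside the relay restrictions that turns the list into a relay decision, and `reject_unauth_destination` (or `defer_unauth_destination`) that refuses everyone else.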
Mail server security
• Another mail server concept is greylisting, also focused on reducing spam
– Spammers are often lazy: they won’t retry sending spam
• Greylisting answers the first delivery attempt from an unknown sender with a temporary failure, specifically
– SMTP response 450, “Requested mail action not taken: mailbox unavailable”
Mail server security
– Legit servers will retry after a delay (the SMTP standard requires them to) and are then let through; spammers often won’t retry, so their mail never arrives
– Known good mail servers can be added to a whitelist so their mail isn’t delayed
• Look for the application postgrey to apply greylisting
– sudo apt-get install postgrey
SELinux
• Some apps need root privileges to run
• If those apps have security weaknesses, attackers can get root through them
• One option for applying access controls is SELinux (Security-Enhanced Linux)
– SELinux labels every process and object (files, sockets, ports) and enforces a mandatory access control policy on every access, so a compromised service is confined to what its label allows even if it runs as root
AppArmor
• AppArmor is used in Ubuntu to add access control to specific services
– It’s designed to be simpler and easier to use than SELinux: profiles are written in terms of file paths rather than labels
– Ubuntu ships profiles for a number of daemons, and it is commonly used to confine network-facing services such as Apache
– Profiles are defined for each service in /etc/apparmor.d/, under filenames derived from the program’s path, e.g. /etc/apparmor.d/usr.sbin.nscd for /usr/sbin/nscd (the name service cache daemon)
AppArmor
• AppArmor works in two modes, enforce and complain
– In enforce mode it will block any attempt to violate a program’s profile (and log it)
– In complain mode it will log the attempt but still allow it to happen (!), which is useful while developing a profile, before enforcement is turned on
ufw
• The ufw command (Uncomplicated Firewall) is a key tool for managing firewall settings in Ubuntu
– It is a front end to the complex iptables commands (ipchains, the older interface, is obsolete and not involved)
– A ‘chain’ refers to an ordered list of rules that decide how to handle packets with certain header contents
– Netfilter is the packet-filtering framework inside the Linux kernel; iptables is the user-space tool that configures it, and ufw drives iptables for you
ufw
• Like any good firewall, ufw denies anything coming into the host by default; outgoing traffic is allowed by default
– To override that default you could use sudo ufw default allow (which applies to incoming traffic, so think twice)
• To enable the ufw application
– sudo ufw enable
ufw
• To find the status of ufw
– sudo ufw status
• To log anything blocked by ufw
– sudo ufw logging on
• More often you will use allow and deny commands to establish settings
ufw
• The allow and deny commands take port numbers or service names as arguments
– sudo ufw allow 53 (DNS)
– sudo ufw deny 21 (FTP)
• Why is this command redundant?
– sudo ufw allow smtp
– (hint: ufw looks the name up in /etc/services, so it is the same as allowing port 25)
• There are a lot more possible rules for configuring ufw, but these are the basics
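The individual commands on these slides become useful once they are collected into one repeatable policy. The script below is an added example (not from the lecture) of a baseline for a small web and mail host; it uses only ufw syntax that exists (`default`, `limit`, `allow from ... to any port ... proto`, `logging`, `--force enable`), and the 192.168.10.0/24 office range is an assumption. Because every rule goes through the `UFW` variable, the same function can be dry-run without root.

```shell
#!/bin/sh
# Baseline ufw policy for a small web/mail host. Every rule goes through $UFW so
# the same function can be dry-run: "UFW=echo sh firewall.sh --demo" prints the
# commands instead of running them. The LAN range is an assumption for the example.
UFW=${UFW:-"sudo ufw"}

apply_baseline_policy() {
  $UFW default deny incoming       # ufw's own default, stated so the script documents it
  $UFW default allow outgoing
  $UFW limit 22/tcp                # SSH stays open but is rate-limited: 6 or more
                                   # connections from one address in 30 s get dropped
  $UFW allow 53                    # DNS; no /proto means both tcp and udp
  $UFW allow 80/tcp
  $UFW allow 443/tcp
  $UFW allow smtp                  # resolved through /etc/services, i.e. 25/tcp
  $UFW deny 21/tcp                 # FTP is blocked by the default anyway; an explicit
                                   # deny makes the intent visible in "ufw status"
  $UFW allow from 192.168.10.0/24 to any port 3306 proto tcp   # MySQL, office LAN only
  $UFW logging on                  # log blocked packets (to /var/log/ufw.log on Ubuntu)
  $UFW --force enable              # --force skips the "may disrupt existing ssh" prompt
  $UFW status verbose
}

if [ "${1:-}" = "--demo" ]; then
  apply_baseline_policy
fi
```

Order matters: ufw evaluates rules top to bottom and the first match wins, so keep the narrow `allow from` rules above any broad ones, and always dry-run with `UFW=echo` before running it over SSH on a remote host, since a mistake in the port 22 line locks you out.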
Tripwire
• Once security measures are in place, how do you detect an attack?
• One way is to monitor key files (configuration files, system binaries) and look for changes to them
• That’s the idea behind Tripwire: it records a cryptographic hash of each monitored file in a baseline database and reports any file whose hash no longer matches
– It isn’t a trivial program to configure; its policy is in /etc/tripwire/twpol.txt, which lists what files it monitors
– The baseline must be built on a known-clean system and kept where an attacker can’t rewrite it, or the comparison proves nothing
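The mechanism is easier to see than Tripwire's policy file is to read, so here is the same idea in a few lines of shell: hash every file under a directory into a baseline, then diff the current state against it. This is an added example, not Tripwire's code; the sample tree in the demo is constructed.

```shell
#!/bin/sh
# The idea behind Tripwire in a few lines: hash every file under a directory into a
# baseline, then report what changed. Added example, not Tripwire's own code;
# the sample tree in the demo is constructed.

# fim_baseline DIR BASELINE: one "hash  ./path" line per regular file
# (file names containing newlines are not handled)
fim_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$2"
}

# fim_check DIR BASELINE: prints MODIFIED / NEW / MISSING lines, returns 1 if any
fim_check() {
  cur=$(mktemp)
  fim_baseline "$1" "$cur"
  if cmp -s "$2" "$cur"; then rm -f "$cur"; return 0; fi
  awk 'NR == FNR { old[$2] = $1; next }
       { seen[$2] = 1; if (!($2 in old)) print "NEW      " $2; else if (old[$2] != $1) print "MODIFIED " $2 }
       END { for (f in old) if (!(f in seen)) print "MISSING  " f }' "$2" "$cur"
  rm -f "$cur"
  return 1
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); b=$(mktemp)
  mkdir -p "$d/etc"
  printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
  fim_baseline "$d" "$b"                                  # taken on the known-clean system
  printf 'PermitRootLogin yes\n' > "$d/etc/sshd_config"   # simulated tampering
  printf '/tmp/.x/evil.so\n' > "$d/etc/ld.so.preload"      # a new file an attacker might drop
  rm "$d/etc/passwd"
  fim_check "$d" "$b" || echo "integrity check FAILED (expected in the demo)"
  rm -rf "$d" "$b"
fi
```

Two things this shares with Tripwire, and that decide whether the check is worth anything: the baseline has to come from a system you trust, and it has to live somewhere the attacker cannot reach (read-only media or another host), otherwise the intruder simply re-baselines after installing their changes.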
Incident response
• Good security planning includes planning what to do in the event of an attack
• Do you prosecute an attacker?
• When an attack is detected, a common instruction is to power down the affected servers
– If running a virtual machine, snapshot it first (memory as well as disk)
– Powering down stops the attacker and freezes the disk, but it destroys volatile evidence (running processes, network connections, memory-only malware); many responders prefer to disconnect the network and capture memory before the power goes off
Incident response
• Then image the server’s current state, e.g. by booting from a rescue disk so the compromised operating system isn’t running while you copy its disk
• Make copies of the image for later analysis, and record a hash of the original so you can prove it hasn’t changed since it was taken
• Then determine when it’s best to redeploy the affected servers
– Some systems can be rebuilt easily (e.g. cluster nodes) but database or file servers might need to revert to a previous backup, one from before the compromise
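The imaging steps on these two slides, as an added example that is not part of the lecture: collect the volatile state a disk image cannot show, copy the disk with dd, prove the copy matches, and hand analysts a working copy while the original stays read-only. In the demo a 1 MiB file stands in for the block device (on a real case the source would be something like /dev/sdb, read from a rescue-disk boot); the case directory name is an assumption.

```shell
#!/bin/sh
# Acquire a disk image, prove it is a faithful copy, and give analysts a working
# copy while the original stays read-only. Added example; in the demo a 1 MiB file
# stands in for the block device.

# collect_volatile CASEDIR: what a disk image cannot show, so it is taken BEFORE
# power-off; each command is optional so the function also works on minimal systems
collect_volatile() {
  out=$1/volatile; mkdir -p "$out"
  date -u > "$out/collected_at"
  for cmd in "uname -a" "uptime" "ps aux" "ss -tunap" "who" "mount" "lsmod"; do
    name=$(printf '%s' "$cmd" | tr ' ' '_')
    if command -v "${cmd%% *}" >/dev/null 2>&1; then $cmd > "$out/$name" 2>&1 || true; fi
  done
}

# acquire_image SOURCE CASEDIR: dd with noerror,sync so a bad sector is replaced by
# zeros instead of aborting the copy or shifting every later offset; bs=512 matches
# the sector size so nothing is padded on a healthy source
acquire_image() {
  src=$1 out=$2
  mkdir -p "$out"
  dd if="$src" of="$out/disk.dd" bs=512 conv=noerror,sync 2>/dev/null
  sha256sum "$src" | awk '{ print $1 }'          > "$out/source.sha256"
  sha256sum "$out/disk.dd" | awk '{ print $1 }'  > "$out/disk.dd.sha256"
  [ "$(cat "$out/source.sha256")" = "$(cat "$out/disk.dd.sha256")" ] || return 1
  cp "$out/disk.dd" "$out/disk-work.dd"    # analysts mount and carve this one
  chmod 0444 "$out/disk.dd"                # the original image is never touched again
}

# verify_image CASEDIR: re-hash the original image against the recorded hash;
# run this before and after every hand-off of the evidence
verify_image() {
  [ "$(sha256sum "$1/disk.dd" | awk '{ print $1 }')" = "$(cat "$1/disk.dd.sha256")" ]
}

if [ "${1:-}" = "--demo" ]; then
  w=$(mktemp -d)
  yes 'constructed sector data' | head -c 1048576 > "$w/disk.img"   # fake 2048-sector disk
  collect_volatile "$w/case001"
  acquire_image "$w/disk.img" "$w/case001" && verify_image "$w/case001" \
    && echo "image verified: $(cat "$w/case001/disk.dd.sha256")"
  rm -rf "$w"
fi
```

The hash files are the chain of custody in its simplest form: whoever receives the image can recompute the hash and compare it with the one recorded at acquisition time, and any analysis that alters a disk is done on disk-work.dd, never on the original.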
Incident response
• Later you could hand off the system image for forensic analysis
– How did they get in?
– What did they install or modify?
• Ubuntu even packages the forensic app Autopsy, a front end for The Sleuth Kit
• Another tool is chkrootkit, which looks for rootkits (software an attacker installs to keep root access and hide their presence from ps, ls, netstat and the like)