Securing Linux, Step by Step

Kurt Seifried, [email protected]


This was a presentation I used to do on securing Linux; it takes about a day to go through. The formatting got a bit mangled (lost some indentation, oh well), but it should make sense.


Securing Linux, Step By Step

By Kurt Seifried

[email protected]

http://seifried.org/security/


Copyright / Trademarks

Overview

Introduction overview

What is Linux?

Swiss Army knife analogy

Basic security overview

Basic security - Physical overview

Potential attacks

Local security

Basic security - Boot time overview

BIOS Security

OpenBoot Security

Master Boot Record

Lilo security

Boot up programs

Basic security - Console issues

Login screens

Basic security - filesystem overview

Filesystem - layout overview

User writeable directories

/tmp and /var/tmp directory

/tmp and /var/tmp directory (cont.)

Filesystem - links overview

Notes on hardlinks

Notes on symbolic links

Finding world writeable files and directories

File permissions

File ownership

Special attributes

Ensuring file integrity

File Integrity software

File integrity software (cont.)

Backups

Backups (cont.)

Basic software security overview

Basic software - using package managers overview

Using Package managers - RPM overview

Querying packages (RPM)

Installing packages (RPM)

Updating packages (RPM)

Removing packages (RPM)

Building packages (RPM)

Software - dpkg overview

Querying, installing and removing packages (dpkg)

Using dselect

Using apt-get

Building packages (dpkg)

alien

Basic software - updating software

Software - vendor tools

Software - updating RPMs

Software - updating debian packages

Basic network security

Minimize privilege and access

Basic network security - services overview

Find out what is running

Disabling services in inetd

Disabling services in xinetd

Disabling stand alone daemons

Remote and local administration tools

Administration - local tools

Administration - remote tools

Administration - remote shell access

Secure root access

Secure root access - sudo

bob ALL=(ALL) ALL

Host_Alias STATIONS=localhost, station1, station2

User_Alias HALTUSERS=bob, mary, jane

Cmnd_Alias HALT=halt, reboot, sync

Runas_Alias RBTUSER=admin

HALTUSERS STATIONS=(RBTUSER) HALT

Break for questions

Specific protocol security

Protocols - DNS overview

DNS basics

DNS server types

DNS data

DNS names to numbers - public zones

DNS names to numbers - internal zones

DNS numbers to names - public zones

DNS numbers to names - internal zones

DNS - Bind overview

BIND software security

Bind server version

Bind named.conf - intro

Bind named.conf - ACLs

Bind named.conf - ACLs (cont.)

Bind 9 - DNSSEC

Protocols - DHCP overview

DHCP client

DHCP server

Protocols - SMTP overview

SMTP basics

Server design

SMTP - Sendmail overview

Sendmail basics

Sendmail - new security

Sendmail - relaying

Sendmail - access

Sendmail - access (cont.)

SMTP - Postfix overview

Postfix basics

Postfix relaying

Postfix access

Postfix access (cont.)

Protocols - POP/IMAP overview

POP/IMAP basics

POP

IMAP

POP/IMAP - security

POP/IMAP - SSL wrapping

Protocols - SSL overview

SSL - Installing OpenSSL

SSL - Installing stunnel

SSL - Caveats

Protocols - HTTP/HTTPS overview

HTTP/HTTPS basics

Apache

Not Apache

HTTPS considerations

CGI considerations

Protocols - FTP overview

FTP basics

Wu-FTPD

Pro-FTPD

Pro-FTPD (cont.)

Firewalls and VPNs overview

Firewalling - IPCHAINS

Firewalling - Netfilter

Logging

Interesting options

Firewalling FW-1

VPN - FreeS/WAN IPSec

VPN - SSH + PPP

Hardening scripts overview

Limiting users overview

General notes

PAM

BASH

Tcsh

Pdksh

Zsh

Advanced security overview

Openwall kernel patch (Solar Designer’s patch)

StackGuard

FormatGuard

SubDomain

Chroot techniques / tools

Fuzz

ITS4

NSA Security Enhanced Linux

Summary

Summary (cont.)

Reference URLs

Recommended books


Last updated 3/24/2002

Copyright Kurt Seifried 2002