CS 480 - 2022 Fall

CS 480-M01 Linux System Administration - CRN 60315 - Fall 2022
[Home] [Syllabus] [Notes] [Grades]

CS 480 Lec 20 Fall 2022

CS 480 M01 Lecture Notes 20 - Nov 14, 2022

Last Time: Ch 27. Security Basics Intro

Security flaws have become increasingly dire and consequences more severe
Threats from
- Valid Users (malicious / intentional and accidental)
- Computers attached to a local network
- Outside
History : Internet Worm in 1988 (R. Morris)
More recent events:
- ...
- Stuxnet worm - 2010 - damaging Iran's centrifuges
- Snowden - 2013 - NSA surveillance, spying on US citizens (also)
- Ransomware ~ 2013 = new type of attack
- 2015 - US Office of Personnel Management breached - all sorts of private details on 21 million US citizens including those with security clearances, polygraph results, ...
- 2016 elections...
- 2017 - NSA exploit based ransomware
- ...
- "...think it will get worse before it gets better..."

27. Security Basics Continued

Intro Continued

Security problems are not purely technical - cannot solve by buying a product or service. To achieve acceptable security - requires patience, vigilance, knowledge, and persistence - no panacea exists, all sec. tools are just part of a solution
Sysadmins should personally take responsibility and educate users.
Security should be always considered!
Security vs. Usability : the more secure the system is the less it is usable (users are more constrained)
Linux Secure?
- NO
- similar as any other OS
- for a total security a machine would have to be not on a network, locked inside of a Faraday cage (electromagnetic radiation shielding cage)
- fundamental flaws
  - Linux optimized for convenience
  - binary security : superuser X regular user
  - developed by a large community of programmers, some not too experienced or knowledgeable -> errors leading to security holes
    BUT - code scrutinized by thousands of people => hole found and patched fast

Elements of Security

CIA triad:

C : Confidentiality - prevents unauthorized reading - components: authentication, access control (authorization), encryption
I : Integrity - prevents unauthorized writing
A : Availability

How security is compromised

Social engineering - humans are often the weakest link (users giving the secrets as a response to "system test", "verification" phone calls or e-mails - phishing; admin post sensitive info online when asking for help; seemingly legitimate person in your comm closet ...)
Software vulnerabilities / bugs ( fixed by patches which often create more problems...)
Distributed Denial of Service attacks (DDoS)
Insider Abuse
Open Doors - default software configuration is often too weak
and more ... (exploiting design or protocol flaws, ...)

Basic Security Measures

Most systems do not come secure out of the box - Admins should harden new systems
Rules of thumb

Apply principle of least privilege always - allocate least privilege to entity/person/role ... anywhere where access control is used
Layer security measures - defense in depth
Minimize attack surface (the fewer interfaces, systems, services, ... the lower chance for a security weakness)
Automate!

Measures

Software Updates / Patches - install asap (local repositories + regular schedule)
rsync -rlptH rsync.opensuse.org::opensuse-updates . --delete-after --delete-excluded -hi --stats;
plus watch /sign for vendor specific security mailing lists and general security forums: US CERT ( bulletins , ...)
Schneier on Security

Unnecessary services turned off
To find them ...
old:

teacher:~ # netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:20048           0.0.0.0:*               LISTEN      
tcp        0      0 192.168.8.2:53          0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:38876           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:44895           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      
...
teacher:~ # fuser 20048/tcp
20048/tcp:            1908
teacher:~ # lsof -i:20048
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpc.mount 1908 root    7u  IPv4  18913      0t0  UDP *:mountd 
rpc.mount 1908 root    8u  IPv4  17012      0t0  TCP *:mountd (LISTEN)
rpc.mount 1908 root    9u  IPv6  17014      0t0  UDP *:mountd 
rpc.mount 1908 root   10u  IPv6  17016      0t0  TCP *:mountd (LISTEN)

new:

teacher2:~ # ss -ln | grep "^tcp"
tcp     LISTEN   0    10    192.168.8.8:53       0.0.0.0:*
tcp     LISTEN   0    10      127.0.0.1:53       0.0.0.0:*
tcp     LISTEN   0    128       0.0.0.0:22       0.0.0.0:*
tcp     LISTEN   0    100     127.0.0.1:25       0.0.0.0:*
tcp     LISTEN   0    128     127.0.0.1:953      0.0.0.0:*
tcp     LISTEN   0    64        0.0.0.0:37627    0.0.0.0:*
tcp     LISTEN   0    64        0.0.0.0:2049     0.0.0.0:*
tcp     LISTEN   0    128       0.0.0.0:52197    0.0.0.0:*
tcp     LISTEN   0    128       0.0.0.0:111      0.0.0.0:*
tcp     LISTEN   0    128       0.0.0.0:20048    0.0.0.0:*
teacher2:~ # grep " 25/" /etc/services
smtp               25/tcp       # Simple Mail Transfer  [Jon_Postel]
smtp               25/udp       # Simple Mail Transfer  [Jon_Postel]
teacher2:~ # fuser 25/tcp
25/tcp:               20707
teacher2:~ # lsof -i:25
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  20707 root   13u  IPv4 353437      0t0  TCP localhost:smtp (LISTEN)

Remote event logging - syslog messages sent to a secure host as a central logging machine
easier to write monitoring scripts, harder for a hacker to cover up
Backups (“availability” bucket of the CIA triad) - uncontaminated checkpoint from which to restore BUT Can be a security risk too!
Viruses and Worms - UNIX/Linux mostly immune (market share, access-controlled environment / don't use root for day to day activities)
Trojans (watch security advisories, mailing lists, be careful where you get your sw from)
Rootkits - programs and patches that hide important system information such as process, disk, or network activity
replace applications (ls, ps, find, netstat, ...), libraries, kernel modules, ...
hard to detect (OSSEC, tripwire, ...) and clean up
Packet Filtering - use firewall, iptables with SuSEfirewall2 or since 15.0 newer firewalld / firewall-cmd,.. - at your network perimeter and at the individual systems
should pass only specifically allowed traffic
Passwords - selection + not allow clear text to get on network (ssh,..) and MFA: Multifactor Authentication (knows / has / is )
Vigilance - monitor system, network, processes, changes, ... frequently
Application penetration testing ("Security is only as strong as the weakest link in the chain.")
Encryption
General philosophy - common sense:
- interesting files (secrets, users data, payroll info, ..)
- security policy
- hacker's nests
- traps to detect intrusions - OSSEC, Bro, Snort, xinetd, Samhain, John the Ripper, tcpd, tripwire, crack,...
  monitor their reports
- persistent education and security improvements
- look for suspicious and unusual activity - more activity, strange hours, new type,..

CS 480-M01 Linux System Administration - CRN 60315 - Fall 2022 [Home] [Syllabus] [Notes] [Grades]