The Seven Most Deadly Unix/Linux Sins

by Bob Toxen, author of
Real World Linux Security: Intrusion Prevention, Detection, and Recovery, 2nd Ed.
Published by Prentice-Hall PTR, Copyright 2003, 848pp

CTO, Horizon Network Security


Your expert in Network & Unix/Linux security,
including Adaptive Firewalls, VPNs, Virus
and spam filters, local and remote backup software,
24x7 monitoring, audits, and consulting
www.verysecurelinux.com
bob@verysecurelinux.com 770-662-8321
Presentation Copyright 2002, 2003, 2004, 2005 Horizon Network Security
All statements & comments are the opinions of Horizon Network Security
Chattanooga Java Users Group 06/16/2005
Who are you?

System Administrator?
Security specialist?
Management?
Exclusively Windows?
Mostly Windows with some Linux/UNIX?
Mostly/exclusively Linux/UNIX?
How secure is your network?

The Seven Most Deadly Unix/Linux Sins
#1: Weak and default passwords
#2: Open network ports
#3: Old software versions
#4: Insecure and badly configured programs
#5: Insufficient resources/misplaced priorities
#6: Stale and unnecessary accounts
#7: PROCRASTINATION!!!

#1: Weak and default passwords
Verify that no default or empty passwords are in use
Educate users on selecting good passwords (Thompson test):
  No word or pair of words
  Should be at least 10 chars (15-20 better)
  Not based on personal info: significant other, children, car tag, hobbies/interests
  Do not use terms from computing or science fiction
  Do not rely on capitalization
  Do not rely on substitutions (zero for "oh", one for "el")
Use cracklib, etc. to ensure good passwords are selected
Use crack, etc. to try to crack passwords (with written management approval)
Avoid unencrypted passwords on disk and over the network

#2: Open network ports
Turn off NFS, portmap, mountd, telnet, FTP, lpd/cups, auth, etc.
Turn off named (DNS) unless serving to other systems
If you send mail out but not in, remove "-bd"
If sendmail must receive local mail, listen only on IP 127.0.0.1:
  "O DaemonPortOptions=Name=MTA, Address=127.0.0.1"
Check for daemons and turn unneeded ones off:
  netstat -anp | more
  ports | more
  ps -axlww | more

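As an added example (not from the slides or the book), here is a small shell function that applies the "check for daemons and turn unneeded ones off" step to `netstat -anp` output: it prints every listening TCP socket and bound UDP socket that is not on a list of expected services, so the surplus daemons can be identified and shut off. The netstat sample and the expected-service list are constructed for illustration and are not from a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (illustrative, not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      845/sendmail: accep
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      501/portmap
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1023/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           501/portmap
tcp        0      0 10.0.0.5:52312          10.0.0.9:443            ESTABLISHED 1200/wget'

# Hypothetical policy: the only sockets this host should listen on, as proto/addr:port.
# sendmail is allowed on 127.0.0.1 only, matching the DaemonPortOptions setting above.
EXPECTED="tcp/0.0.0.0:22 tcp/127.0.0.1:25 tcp/0.0.0.0:80"

# unexpected_listeners EXPECTED  <netstat-output
# Prints "proto local-address pid/program" for every listening TCP socket and every
# bound UDP socket not in EXPECTED. The header line and client connections are ignored.
unexpected_listeners() {
    awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 ~ /^tcp6?$/ {
        if ($6 != "LISTEN") next          # skip ESTABLISHED, TIME_WAIT, ...
        prog = $7; for (i = 8; i <= NF; i++) prog = prog " " $i   # program name may contain spaces
        key = $1 "/" $4
        if (!(key in ok)) print $1, $4, prog
        next
    }
    $1 ~ /^udp6?$/ {
        prog = $6; for (i = 7; i <= NF; i++) prog = prog " " $i   # UDP rows have no State column
        key = $1 "/" $4
        if (!(key in ok)) print $1, $4, prog
    }'
}

# Runs the audit over the constructed sample; on a live host pipe `netstat -anp` in instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED"
}

audit_sample
```

Each line printed is a daemon to justify or turn off; with the sample above that is portmap on TCP and UDP 111 and the NFS listener on 2049, exactly the services the slide says to turn off.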
#3: Old software versions
Patch quickly (but carefully, with testing)
Upgrade before a vendor stops support of the current version
Dump vendors that do not issue timely patches (24 hours is typical of good vendors)
Dump vendors and programs with a poor security history

#4: Insecure and badly configured programs
If you run named (DNS) or auth (ident), do not run them as root
Don't run Apache as root, but have its files owned by root, mode 644 (-rw-r--r--); use suEXEC for CGIs
Don't use PHP (too many recent security bugs)
Audit CGIs by one who understands secure programming
Good programming practices in CGIs
Rings of Security (suEXEC)

#5: Insufficient resources/misplaced priorities
Not a technical problem, but "selling" management is critical
Show management the "asides" in RWLS (Real World Linux Security); that's what they're for
Give management Schneier's "Secrets and Lies: Digital Security in a Networked World"
Do demonstrations of secure products, e.g., Linux firewalls or servers, and of problems with existing systems
  (Don't attack systems without written permission)
Never give up (but don't risk your career)

#6: Stale and unnecessary accounts
Document everywhere each class of user has passwords or access cards, including SysAdmins, vendors, consultants
Suggest to HR a policy that SysAdmins be told of terminations; disable access while the person is "getting the word"
Give each new user a different initial good password; most never will change it; I use current events
  (Do not give the same password to different users)
Use a different password for each high-security account

#7: PROCRASTINATION!!!
Most SysAdmins who suffered break-ins knew they had patches or reconfigurations to do but delayed doing it

Questions?

Presented by Magic Point, the Unix/Linux Open Source tool