Tuesday, August 2, 2011

Some basic Linux Hardening Tips

Some basic Linux Hardening Tips
Few basic things to keep in mind to secure network communications :

1. Remove unneeded network services.: R-services such as rlogin, rdist, rexecd, rsh, and rcp are especially vulnerable to hacker attacks.
2. Filter access to unknown services in tcpwrappers.
3. Filter access using network firewalling rules.
4, Do periodic checks to monitor reachability of network services.
5. Controlling File Permissions & Attributes:In Linux, special file types allow programs to run with the file owner’s rights. SetUID (for user IDs) and SetGID (for group IDs).Regularly audit your systems for any unauthorized and unnecessary use of the setuid or setgid permissions.
6. Manual testing for Rouge programs:
A.Programs that are configured for SetUID:
find / -perm -4000 –print
B.Programs that are configured for SetGID:
find / -perm -2000 –print
C.Files that are readable by anyone in the world:
find / -perm -2 -type f –print
D.Hidden files:
find / -name “.*”
E.World writable files:
root# find / -perm -2 ! -type l –ls
F.Files that do not have an owner or belong to no group.
root# find / -nouser -o –nogroup

7. Look for Unusual Accounts:
Look in /etc/passwd for new accounts in sorted list by UID:
# sort –nk3 –t: /etc/passwd | less
Normal accounts will be there, but look for new, unexpected accounts, especially with UID < 500.
Also, look for unexpected UID 0 accounts:
# egrep ':0+:' /etc/passwd
On systems that use multiple authentication methods:
# getent passwd | egrep ':0+:'
Look for orphaned files, which could be a sign of an attacker's temporary account that has been deleted: # find / -nouser –print

8. Look for Unusual Scheduled Tasks
Look for cron jobs scheduled by root and any other UID 0 accounts:
# crontab –u root –l
Look for unusual system-wide cron jobs:
# cat /etc/crontab
# ls /etc/cron.*

====================================================
Automatic hardening tools to the rescue:

1.Bastille (http://www.bastille-linux.org): an interactive
hardening tool. Helps implement a security policy
guiding the administrator through different questions.
Portable and robust.

2.Titan (http://www.fish.com/titan): an automated hardening
tool. Implements common security measures.
====================================================

Security audit tools:

1.Remote assessment tools: Nessus, nmap
2. Local assessment tools:
Some hardening tools can be used: Bastille, Titan
Some (H)IDS tools can be used too: Tiger
Some other specific tools: LSAT, OVAL

====================================================

Intrusion detection:
Intrusion Detection can be done at different locations:
1.Host-based:
Kernel audit
Integrity analysis of the (file)system
Suspicious activities that take place in the host
2.Network-based:
Inspection of packets through the network (to any
host)
Inspection of packets that arrive to the host

====================================================

HIDS tools In user space:

1.Rutinary checks: checksecurity (in different
Linux/BSD distributions)
2.Analysis of logfiles : logcheck,
log-analysis,logsnorter
3.Filesystem integrity checks (hashes, permissions...):
tripwire, aide, integrit samhain, bsign. Can also be
done using the package management databases
(rpm and dpkg)
4.Configuration and security issues: Nabou
5.Other: chkrootkit, checkps, adeos, dtk
=======================================================

No comments: