Limited Time Offer!

For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!

Enroll Now
Linux

Complete Referance of Secure Networking in Linux

September 21, 2021 comments off
  • OpenSSH
  • Samba
  • NIS
  • NFS
  • Securing FTP and HTTP servers

OpenSSH

  • Open source version of SSH that normally comes with OpenBSD
  • Comes with several distros or downloadable
  • Linux ports have ‘p’ in version number
  • Replaces telnet, ftp, rlogin, etc.
  • Offers secure remote connectivity due to encryption, authentication, and tunnelling
  • Supports all versions of the SSH protocol
  • Comes with several secure utilities to replace traditioally insecure ones
  • scp(secure copy) replaces rcp
  • sftp(secure ftp) replaces ftp
  • Allows secure login of root remotely even when system plicy disallows
  • Uses 3DES,RC4,AES and Blowfish encryption algorithms
  • Create private/public key pair when install or use ssh-keygen command
  • Sign with private key using ssh-keysign command
  • ssh 192.168.10.10
  • Will get authentication error first time
  • OpenSSH demostration

Samba

  • Open source version of CIFS(Common Internet File System) standard invented by Microsoft
  • Uses latest version of server Massage Block(SMB), which is nativr Windows file sharing protocol
  • Samba’s configuration is stored in the smb.conf file, in /etc/samba/smb.conf
  • Configure manually or use SWAT
  • Samba uses 3 daemons(services)
  • nmdb – handles name resolution and registration
  • smbd – manages authentication and all connection requests
  • winbindd – required if connecting to an NT4 or AD domain
  • SWAT is a web-based interface that comes with Samba
  • May come as a separate package to download and install
  • Point browser to http://12.0.0.1:901 to run SWAT
  • SWAT can be used to configure remote samba clients, but sends auhentication in clear – use ssh!
  • SWAT/Samba Demostration

NIS

  • Network Information Services(NIS) provides simple network lookup services
  • Similar to some Active Directory functions
  • Enables lookup of directory objects
  • Provides single sign-on(SSO) capablity
  • Original NIS also called Sun Yellow Pages
  • Name changed due to copyright issues
  • Little security with NIS
  • NIS+ is updated,more secure version
  • NIS+ allows for hierarchical domains
  • NIS+ provides for centralized updates of configuration information
  • User ID’s and passwords can be used throughout NIS domain
  • NIS requires at least 1 master server and optional ‘slave’ servers
  • NIS+ allows secure authentication and encryption
  • Allows for updates via secure RPC
  • Similar to Samba, except hosts are unix-based rather than Windows-based
  • Primary file used is /etc/exports
  • Controls which dirctories are shared and whom(hosts)
  • Default after setup is insecure!

Securing FTP and HTTP Servers

  • Linux has built-in capability of being FTP or HTTP(web)server
  • FTP protocol insecure by default
  • No encryption – user id’s, passwords, and data passed in plaintext
  • Several ways to secure FTP
  • Use SSH to secure transmission
  • Use alternate FTP client/servers
  • Discourage use of user/passwords and use anonymous FTP instead
  • Only use FTP for publicly available data
  • Don’t allow write access to FTP server only download
  • Secure infrastructure around FTP(firewalls, directory ACLs, etc)
  • HTTP is usually served on Linux through Apache
  • Vulnerabilities can result from not hardening system or daemons
  • Vulnerabilities can affect authentication and authorization to resources
  • Configure strong authorization on web server
  • Ensure proper permissions applied to files and directories
  • Don’t allow directory traversal
  • Pay attention to script write and execute permissions on web servers
  • Secure httpd throgh tcp wrappers and xinetd
  • Restrict administrative access to http and ftp services
  • Ensure all access is logged
  • Enable warning banners on FTP and web sites
  • Lock down the htpasswd file(640)
  • Lock down access control files,such as .htaccess and .nsconfig to 400
  • Restrict write access to web directories
  • Use https and ssl certificates when possible for data encryption and mutual authentication
Rajesh Kumar
Follow me
Latest posts by Rajesh Kumar (see all)