- TCP Wrappers
- etc/hosts allow and deny
- inted and xinetd
- PAMs
- SELinux
- Unsecure Linux Utilities
TCP Wrappers
- TCP Wrappers is built into most distros
- Adds IP filtering capability
- Enables access logging for host
- Uses the TCPD daemon
- Allows administrator to allow or deny access to host based upon system or domain
- Hosts can be allowed access to only certain network services while being denied access to all others
- Provides good method of restricting access to systems and of detecting unauthorized acces attempts through logging and notification capability
- Provides the capability to display messages prior to a logon attempt
- Preferred method of displaying system-warning banners
- Uses hosts allow and hosts deny files to control access
hosts.allow and hosts.deny files
- Two text files used to control access to host from other systems:
- /etc/hosts.allow
- /etc/host.deny
- /etc/hosts.allow is always read first, top to bottom
- Lists hosts & networks allowed to access server
- Read until matching entry is found,then takes action(allows connection)
- file gives options for configuring service to be accessed, client list, and options.
inetd and xinetd
- inted program is a daemon that listens for network connection rteuests and services them by spawning another process
- Network accessble sewrvices are defined in inetd.conf text file
- If service is not listed in inetd.conf, inetd will not listen for it and refuse attempled connection
- Use inted.conf to limit services that can be accesssed by taking them out of file
- Syslog logging/tracing can be enabled for inetd can log all incomming connections by IP
- inetd.conf file should be owned by root or bin and assigned permissions of 440
- xinetd is replacement daemon for inetd
- Offers wider range of functionality – far more configurable
- More secure than inetd
- xinetd is replacement daemon for inetd
- Offers wider range of functionality- far more configurable
- More secure than inetd
- Better logging capablities
- Ability to restrict access to services based upon time
- Can limit numbeer of startable services at one time
- Built in defenses against port scanners
- Better logging capabilities
- Ability to restrict access to services based upon time
- Can limit number of startable services at one time
- Built in defenses against port scanners
Pluggable Authentication Modules (PAMs)
- Mechanism allowing multiple authentication methods for Linux
- Separates applications from authentication method
- Enables different methods such as smart cards,passwords, and biometric methods to be used
- Allows more secure levels of encryption
- Enables usage of shadow password mechanisms o the fly
- Can be used to restrict resources available to users(processor time, memory, etc)
- Can restrict users allowable login times/duration
- Can restrict login to originate from certain systems 9.Use to disable system-wide useage of .rhosts file
- Can be used to force stonger methods of authentication on users despite insecure configurations.
- Uses Mandatory Access Control model vice Discretionary Access Control model
- Uses “labels” attached to resources
- Security principals granted access based upon classification “label” of data
SELinux
- Not a distro of Linux per se
- Method of securing Linux developed by National Security Agency
- Uses Linux Security Modules in the Linux kernal
- Uses Mandatory Access Control model vice Discretionary Access Control model
- Uses “labels” atached to resources
- Security princripals granted access based upon classification “label” of data
- Separates information based upon confidentiality and integrity requirements
- Comes as part of newer distro versions such as RedHat Fedora, Gentoo, and SuSE
- Can be very difficult to configure
- Replaces many traditinal Linux securiy mechanisms
Unsecure Linux Utilities
- Many built-in utilities and applications unsecure by default
- ‘r-commands'(rlogin, rshell, etc) are older and unsecure
- Largely deprecated in use but still exist
- Most remote tools have been replaced with ssh
- Includes r commands, telnet, and ftp
- Lack of encryption and vulnerabilities that allow unauthenticated root access into system
- ssh provides for encryption and mutual authentication for remote access
- ‘cron’ and ‘at’ are critical utilities that can leave your system vulnerable if left unsecured
- Used to schedule jobs at given time intervals
- Can be exploited to run jobs under elevated privileges by unauthorized users
- Ensure ‘cron’ and ‘at’ configuration files are secured and only authorized users are alloed to run ‘cron’ or ‘at’
- Lock down configuation files with restrictive permissions(600)
- Ensure that root is the ower of configuration files
Latest posts by Rajesh Kumar (see all)
- What is DevContainer? - December 20, 2024
- Top 10 Website Development Companies in Vadodara - December 20, 2024
- Compare SAST, DAST and RASP & its Tools for DevSecOps - December 19, 2024