- OpenSSH
- Samba
- NIS
- NFS
- Securing FTP and HTTP servers
OpenSSH
- Open source version of SSH that normally comes with OpenBSD
- Comes with several distros or downloadable
- Linux ports have ‘p’ in version number
- Replaces telnet, ftp, rlogin, etc.
- Offers secure remote connectivity due to encryption, authentication, and tunnelling
- Supports all versions of the SSH protocol
- Comes with several secure utilities to replace traditioally insecure ones
- scp(secure copy) replaces rcp
- sftp(secure ftp) replaces ftp
- Allows secure login of root remotely even when system plicy disallows
- Uses 3DES,RC4,AES and Blowfish encryption algorithms
- Create private/public key pair when install or use ssh-keygen command
- Sign with private key using ssh-keysign command
- ssh 192.168.10.10
- Will get authentication error first time
- OpenSSH demostration
Samba
- Open source version of CIFS(Common Internet File System) standard invented by Microsoft
- Uses latest version of server Massage Block(SMB), which is nativr Windows file sharing protocol
- Samba’s configuration is stored in the smb.conf file, in /etc/samba/smb.conf
- Configure manually or use SWAT
- Samba uses 3 daemons(services)
- nmdb – handles name resolution and registration
- smbd – manages authentication and all connection requests
- winbindd – required if connecting to an NT4 or AD domain
- SWAT is a web-based interface that comes with Samba
- May come as a separate package to download and install
- Point browser to http://12.0.0.1:901 to run SWAT
- SWAT can be used to configure remote samba clients, but sends auhentication in clear – use ssh!
- SWAT/Samba Demostration
NIS
- Network Information Services(NIS) provides simple network lookup services
- Similar to some Active Directory functions
- Enables lookup of directory objects
- Provides single sign-on(SSO) capablity
- Original NIS also called Sun Yellow Pages
- Name changed due to copyright issues
- Little security with NIS
- NIS+ is updated,more secure version
- NIS+ allows for hierarchical domains
- NIS+ provides for centralized updates of configuration information
- User ID’s and passwords can be used throughout NIS domain
- NIS requires at least 1 master server and optional ‘slave’ servers
- NIS+ allows secure authentication and encryption
- Allows for updates via secure RPC
- Similar to Samba, except hosts are unix-based rather than Windows-based
- Primary file used is /etc/exports
- Controls which dirctories are shared and whom(hosts)
- Default after setup is insecure!
Securing FTP and HTTP Servers
- Linux has built-in capability of being FTP or HTTP(web)server
- FTP protocol insecure by default
- No encryption – user id’s, passwords, and data passed in plaintext
- Several ways to secure FTP
- Use SSH to secure transmission
- Use alternate FTP client/servers
- Discourage use of user/passwords and use anonymous FTP instead
- Only use FTP for publicly available data
- Don’t allow write access to FTP server only download
- Secure infrastructure around FTP(firewalls, directory ACLs, etc)
- HTTP is usually served on Linux through Apache
- Vulnerabilities can result from not hardening system or daemons
- Vulnerabilities can affect authentication and authorization to resources
- Configure strong authorization on web server
- Ensure proper permissions applied to files and directories
- Don’t allow directory traversal
- Pay attention to script write and execute permissions on web servers
- Secure httpd throgh tcp wrappers and xinetd
- Restrict administrative access to http and ftp services
- Ensure all access is logged
- Enable warning banners on FTP and web sites
- Lock down the htpasswd file(640)
- Lock down access control files,such as .htaccess and .nsconfig to 400
- Restrict write access to web directories
- Use https and ssl certificates when possible for data encryption and mutual authentication
Latest posts by Rajesh Kumar (see all)
- Discover the Heart of India with Mera Apna Bihar - December 20, 2024
- Experience the Pulse of Bangalore with Bangalore Orbit - December 20, 2024
- Discover the City of Lakes with Bhopal Orbit - December 20, 2024