This doesn't mean that you are helpless. You can take measures to avoid hacks, but you cannot avoid them completely. This is like a house. When the windows and doors are open then the probability of a thief coming in is high, but if the doors and windows are closed and locked the probability of being robbed is less, but still not nil.
3 Security Framework
The following illustrates the framework needed for a functioning security implementation:
Risk Analysis / Business Requirements
  |
Security Policy
  |
Security Service, Mechanisms, and Objects
  |
Security Management, Monitoring, Detection and Response
This framework shows the basic steps in the life cycle of securing a system. "Risk Analysis" deals with the risk associated with the data in the server to be secured. "Business Requirements" is the study which deals with the actual requirements for conducting business. These two components cover the business aspects of the security implementation. The "Security Policy" covers 8 specific areas of the security implementation, and is discussed in more detail in section 4 below. "Security Service, Mechanisms and Objects" is actually the implementation part of security. "Security Management, Monitoring, Detection and Response" is the operational face of security, where we cover the specifics of how we find a security breach, and how we react if a breach is found.
4 Security Policy
The Security Policy is a document which addresses the following areas:
Authentication: This section deals with the methods used to determine whether a user is genuine, which users can or cannot access the system, the minimum password length allowed, how long a user can be idle before being logged out, etc.
Authorization: This area deals with classifying user levels and what each level is allowed to do on the system, which users can become root, etc.
Data Protection: Data protection deals with the details like what data should be protected and who can access which levels of data on the system.
Internet Access: This area deals with the details of the users having access to the internet and what they can do there.
Internet Services: This section deals with what services on the server are accessible from the internet and which are not.
Security Audit: This area addresses how audit and review of security related areas and processes will be done.
Incident Handling: This area addresses the steps and measures to be taken if there is a breach of security. This also covers the steps to find out the actual culprit and the methods to prevent future incidents.
Responsibilities: This part covers who will be contacted at any given stage of an incident and the responsibilities of the administrator(s) during and after the incident. This is a very important area, since the operation of the incident handling mechanism is dependent on it.
Detection: Alert someone if a breach (or attempted breach) of security occurs, and quantify and qualify what sort of damage occurred or would have occurred.
Recovery: Re-secure the system or data after the breach or damage and, where possible, undo whatever damage occurred.
Network security is one of the most important aspects of overall security. As I mentioned earlier, no machine connected to the internet is completely secure, so security administrators and server owners need to be alert, and make sure that they are informed of all new bugs and exploits that are discovered. Failure to keep up with these may leave you at the mercy of some script kiddy.
A security audit is a part of security implementation where we try to find out the vulnerabilities of the system and suggest actions to improve the security. In a normal audit, the points below should be checked, and a report with the results of that audit should be created.
Check for known bugs in the software installed on the server - the kernel, openssl, openssh, etc.
Scan all network ports and find out which ports are open. Report the ports that should not be open and what program is listening on them.
Check for bad disk blocks in all partitions. (This is just to make sure that the system is reasonably healthy.)
Check the size of the log files. It's better that the log size remains in megabytes.
10.1 Check your box to see if performance has degraded or if your machine is being overused.
For that, use the following commands:
vmstat - Displays information about memory, CPU and disk.
  Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)
mpstat - Displays statistics about CPU utilization. This will help us to see whether your CPU is overworked or not.
  Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)
iostat - Displays statistics about the disk system. Useful options: -d gives the device utilization report; -k displays statistics in kilobytes per second.
  Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)
sar - Displays overall system performance.
10.2 Check to see if your server has any hidden processes running.
ps - Displays the status of all known processes.
lsof - Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.
rkHunter ( http://www.rootkit.nl/ )
chkrootkit ( http://www.chkrootkit.org/ )
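The hidden-process test that chkrootkit and rkhunter perform, written out as an added example that is not part of the original document: every PID the kernel exposes under /proc should also appear in the output of ps. The comparison function takes its two PID lists as arguments so it can be exercised on constructed input; the live wrapper assumes a procps-style ps.

```shell
#!/bin/sh
# Added example, not part of the original document: the "hidden process" test
# behind tools such as chkrootkit, done by hand. Every PID the kernel shows
# under /proc should also appear in the output of ps; a PID present in one
# view but missing from the other is what a ps-filtering rootkit leaves behind.

# Print the PIDs of the first list (from /proc) that are missing from the
# second (from ps). Both arguments are newline-separated PID lists, so the
# comparison itself can be exercised on constructed input.
pids_only_in_first() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | grep -E '^[0-9]+$' | sort -n | uniq > "$a"
    printf '%s\n' "$2" | grep -E '^[0-9]+$' | sort -n | uniq > "$b"
    # remember every ps PID, then print each /proc PID that was never seen
    awk -v ps="$b" 'FILENAME == ps { seen[$1] = 1; next } !($1 in seen)' "$b" "$a"
    rm -f "$a" "$b"
}

# Live check (assumes a procps-style ps). ps is sampled first, so a process
# started between the two snapshots appears in /proc only; each candidate is
# therefore re-checked, which leaves only the genuinely hidden ones.
hidden_pids_live() {
    ps_pids=$(ps -eo pid= | tr -d ' ')
    proc_pids=$(ls /proc | grep -E '^[0-9]+$')
    for p in $(pids_only_in_first "$proc_pids" "$ps_pids"); do
        if [ -d "/proc/$p" ] && ! ps -eo pid= | tr -d ' ' | grep -qx "$p"; then
            echo "$p"   # in /proc but not in ps: inspect /proc/$p/exe and cmdline
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    hidden_pids_live
fi
```

Run it with `--live` on the box; anything it prints deserves the readelf/ldd/strings/strace treatment described in 10.5.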
10.5 Determine what your unknown processes are and what they are doing.
10.5.0.1 Use commands like the following to take apart unknown programs
readelf - Displays information about an ELF executable (headers, sections, symbols) to help determine what the program does.
ldd - Shows the shared libraries used by an executable.
strings - Displays the printable strings in the binary.
strace - Displays the system calls a program makes as it runs.
11 Hardening Methodology
Read all security related sites and keep up to date. This is one of the main things a security administrator or server owner should do. Server owners should be made aware of security and its importance. Security training is an important part of an overall security package.
Create a good security policy. Conduct security audits on the basis of this policy.
Install a custom kernel with all unwanted services removed and patched with either grsecurity or openwall.
Disable all unwanted services and harden the services you leave running; Change file and directory permissions so that security is tightened.
Install an intrusion detection system, log monitor, all of the Apache security modules, bfd, faf and tmp monitor. Make your partitions secure.
Run a good backup system to recover data in case of an intrusion, crash, or other destructive incident.
Install a log analyzer and check your logs for any suspicious entries.
Install scripts to send out mail or enable notifications when a security breach occurs.
After a security breach try to find out how, when and through what the breach occurred. When you find a fix for it, document the details for future reference.
12 Summary
Now let's conclude by covering the main steps by which a hosting server can be secured.
12.1 Determine the business requirements and risk factors which are applicable to this system.
12.2 Devise a security policy with the above data in mind. Get management's approval and signoff on this security policy.
12.3 On approval of the policy, do a security audit on any existing systems to determine the current vulnerabilities and submit a report regarding this to the management. The report should also cover the methods needed to improve existing security. A quick checklist:
Software Vulnerabilities.
Run chkrootkit.
Check ports.
Check logs.
Querylog in DNS.
Check the file systems and set correct permissions and ownerships on all directories and files.
chmod -R 700 /etc/rc.d/init.d/*
Use rpm -Va to find out if an rpm is modified.
Apply security patches to vulnerable software (i.e. patch -p1 < patchfile).
Remove all unneeded ttys and console logins by removing their entries from /etc/securetty.
Set a password on the boot loader (lilo and grub both support this)
Use custom security scripts which will send out notification when sshing as root or while creating a user with uid of 0, etc.
Disable unwanted services using tcpwrapper (unwanted services can also be disabled through xinetd.d or xinetd.conf).
Set up an idle timeout, so that idle users will be logged out after a certain amount of time.
Specify the order in which domain names should be resolved (e.g. order bind,hosts).
Restrict direct root login (comment out the PermitRootLogin option in sshd_config).
Restrict su, so that only wheel group members are able to su (use PAM, or remove the "other" execute permission from the su binary).
Limit users' resources (using PAM, specify the limits for each user in /etc/security/limits.conf).
Disable unwanted suid and sgid files (e.g. find / -type f \( -perm -04000 -o -perm -02000 \)).
Using iptables, allow pings only from specific locations (so that monitoring systems work).
Install a firewall (eg: apf and iptables) and only allow ports to operate which the box needs for its normal functions; block all other ports to prevent mischief.
Link: http://linux.cudeso.be/linuxdoc/sxid.php
Restrict ssh to specific IP addresses and specific users (I suggest key authentication using passphrase).
Install and set up portsentry and configure it to use iptables to block IPs.
Submit a status report to management detailing all discovered vulnerabilities and fixes.
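The following read-only audit helper is an added example, not part of the original document; it checks several items from the checklist above (open ports, PermitRootLogin, suid/sgid files, securetty) and also serves the port and software checks of the security audit in section 4. Every function takes the file or directory to inspect as a parameter, and the function names and the live-run flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original document: read-only audit helpers
# for several items in the checklist above. Each function takes the file or
# directory to inspect, so it can be pointed at a test tree or at the live box.

# TCP ports in LISTEN state (st == 0A), read straight from /proc/net/tcp so
# that no netstat or ss binary is needed. Argument: path of the table
# (pass /proc/net/tcp6 for IPv6; the format is the same).
listening_tcp_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "${1:-/proc/net/tcp}" |
        while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n | uniq
}

# Root login over ssh is only off when an active "PermitRootLogin no" line is
# present: sshd honours the first match, and a commented-out line merely
# restores the compiled-in default. Returns 0 (true) when it is disabled.
sshd_root_login_disabled() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" 2>/dev/null |
          head -n 1 | awk '{ print tolower($2) }')
    [ "$val" = "no" ]
}

# Files with the setuid or setgid bit below a directory. Keep a baseline from
# install time; every new entry needs an explanation.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# securetty entries that are neither the console nor a virtual terminal,
# i.e. extra places where root may log in directly.
nonlocal_securetty() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vE '^(console|tty[0-9]+)$'
}

# Run against the live system (a complete suid listing needs root).
if [ "${1:-}" = "--live" ]; then
    echo "Listening TCP ports:"; listening_tcp_ports
    if sshd_root_login_disabled /etc/ssh/sshd_config; then
        echo "PermitRootLogin: no"
    else
        echo "WARNING: root login over ssh is not explicitly disabled"
    fi
    echo "setuid/setgid files:"; list_suid_sgid /
    echo "Non-local securetty entries:"; nonlocal_securetty /etc/securetty
fi
```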