Practical Linux Security Cookbook — Second Edition
Book description
Enhance file system security and learn about network attack, security tools and different versions of Linux build.
Key Features
- Hands-on recipes to create and administer a secure Linux system
- Enhance file system security and local and remote user authentication
- Use various security tools and different versions of Linux for different tasks
Book Description
Over the last few years, system security has gained a lot of momentum and software professionals are focusing heavily on it. Linux is often treated as a highly secure operating system. However, the reality is that Linux has its share of security flaws, and these security flaws allow attackers to get into your system and modify or even destroy your important data. But there’s no need to panic, since there are various mechanisms by which these flaws can be removed, and this book will help you learn about different types of Linux security to create a more secure Linux system.
With a step-by-step recipe approach, the book starts by introducing you to various threats to Linux systems. Then, this book will walk you through customizing the Linux kernel and securing local files. Next, you will move on to managing user authentication both locally and remotely and mitigating network attacks. Later, you will learn about application security and kernel vulnerabilities. You will also learn about patching Bash vulnerability, packet filtering, handling incidents, and monitoring system logs. Finally, you will learn about auditing using system services and performing vulnerability scanning on Linux.
By the end of this book, you will be able to secure your Linux systems and create a robust environment.
What you will learn
- Learn about vulnerabilities and exploits in relation to Linux systems
- Configure and build a secure kernel and test it
- Learn about file permissions and how to securely modify files
- Authenticate users remotely and securely copy files on remote systems
- Review different network security methods and tools
- Perform vulnerability scanning on Linux machines using tools
- Learn about malware scanning and read through logs
Who this book is for
This book is intended for all those Linux users who already have knowledge of Linux file systems and administration. You should be familiar with basic Linux commands. Understanding information security and its risks to a Linux system is also helpful in understanding the recipes more easily.
Let’s discuss the various security policies:
- The administration of all the internal servers in an organization is the responsibility of a dedicated team that should also keep watch for any kind of compliance issue. If a compliance issue occurs, the team should immediately review and implement an updated security policy.
- When configuring internal servers, they must be registered so that each server can be identified on the basis of the following information:
- Location of the server
- Operating system version and hardware configuration
- Services and applications running on the server
Configuration policy
Let’s discuss the various security policies:
- The operating system on the server should be configured in accordance with the guidelines approved for InfoSec.
- Any service or application not being used should be disabled, wherever possible.
- Every access to the services and applications on the server should be monitored and logged. It should also be protected through access-control methods. An example of this will be covered in Chapter 3, Local FileSystem Security.
- The system should be kept updated, and any recent security patches, if available, should be installed as soon as possible.
- Avoid using the root account as much as possible. Follow the principle of least privilege: grant only the access required to perform a function.
- Any kind of privileged access must be performed over a secure channel connection (SSH), wherever possible.
- Access to the server should be in a controlled environment.
Monitoring policy
Let’s discuss the various security policies:
- All security-related actions on server systems must be logged and audit reports should be saved as follows:
- For a period of one month, all the security-related logs should be kept online
- For a period of one month, the daily backups, as well as the weekly backups, should be retained
- For a minimum of two years, the monthly full backups should be retained
- Port-scanning-related attacks
- Access to privileged accounts without authorization
- Unusual occurrences due to a particular application on the host
How it works…
Following the policies given here helps establish the base configuration of any internal server owned or operated by the organization. Implementing the policy effectively minimizes unauthorized access to sensitive and proprietary information.
Defining security controls
Securing a Linux server starts with the process of hardening the system, and to do this it’s important to define a list of security controls. A security controls list (or security checklist) confirms that proper security controls have been implemented.
How to do it…
Let’s have a look at various security control checklists.
Installation
Now we will look into each security control checklist:
- Installation media such as CD-ROM/DVD/ISO should be checked by using checksum
- A minimal base installation should be done when creating the server
- It is good practice to create separate filesystems for /home and /tmp
- It is good practice to install minimum software on the server to minimize the chances of vulnerability
- Always keep the Linux kernel and software up to date
Boot and disk
Now we will look into each security control checklist:
- Encrypt partitions using disk encryption methods such as LUKS.
- Limit access to BIOS by configuring a BIOS password.
- Limit bootable devices and allow booting only from the intended device, such as the internal disk.
- Configure a boot loader password so that single-user mode cannot be entered without authentication.
Network and services
Now we will look into each security control checklist:
- Determine the services running by checking the open network ports.
- Use a firewall such as iptables/nftables to limit access to the services as per need.
- Encrypt all data transmitted over the network.
- Avoid using services such as FTP, Telnet, and Rlogin/Rsh.
- Any unwanted services should be disabled.
- A centralized authentication service should be used.
Intrusion detection and Denial of Service (DoS)
Now we will look into each security control checklist:
- File integrity tools such as AIDE, Samhain, and AFICK should be installed and configured for monitoring important files.
- Use a malware scanner such as ClamAV to protect against malicious scripts.
- Configure system logging to a remote machine for the purpose of detection, forensics, and archiving.
- Deter brute-force attacks by using anti-brute-force tools that limit repeated failed authentication attempts.
Auditing and availability
Now we will look into each security control checklist:
- Read through logs to monitor for suspicious activity.
- Configure auditd to perform system accounting.
- Ensure backup is working, and also check restores.
How it works…
Implementing these security controls minimizes the security risk to your Linux server and helps keep your data out of the hands of attackers.
Checking the integrity of installation medium by using checksum
Whenever you download an image file of any Linux distribution, it should always be checked for correctness and safety. This can be done by generating an MD5 hash after downloading the image file and then comparing the generated hash with the hash generated by the organization supplying the image file.
This helps in checking the integrity of the downloaded file. If the original file was tampered with, this can be detected using the MD5 hash comparison. The larger the file, the higher the chance that it was altered or corrupted in transit. It is always recommended that you do an MD5 hash comparison for files such as the operating system installation CD.
Getting ready
md5sum is normally installed in most Linux distributions, so installation is not required.
How to do it…
Perform the following steps:
- Open the Linux Terminal and then change the directory to the folder containing the downloaded ISO file.
Because Linux is case sensitive, type the folder name with the correct capitalization: Downloads is not the same as downloads in Linux.
- After changing to the download directory, type the following command:
md5sum will then print the calculated hash in a single line as shown here:
Now we can compare the hash calculated by this command with the hash on the UbuntuHashes page (https://help.ubuntu.com/community/UbuntuHashes). After opening the UbuntuHashes page, we just need to copy this previously calculated hash, in the Find box of the browser (by pressing Ctrl + F ).
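The comparison described above, scripted: an added example that is not from the book. It hashes a file with md5sum as the recipe does (or with sha256sum, since distributions now publish SHA-256 lists), and compares the result against a hash given on the command line or looked up by file name in a checksum list, which replaces the Ctrl + F search on the hashes page. Function names, the file names in the usage comments and the hashes in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): verify a downloaded image against a
# published checksum, either given directly or looked up in a SUMS-style file.
# File names and hashes used with these functions are constructed examples.

# hash_of FILE ALGO : print the lowercase hex digest (md5 or sha256)
hash_of() {
    case "$2" in
        md5)    md5sum "$1"    | cut -d' ' -f1 ;;
        sha256) sha256sum "$1" | cut -d' ' -f1 ;;
        *)      echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_hash FILE EXPECTED [ALGO] : return 0 on match, 1 on mismatch.
# The book uses MD5; SHA-256 is the default here because distributions publish
# SHA256SUMS files and MD5 collisions are cheap to produce.
verify_hash() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # tolerate upper-case copies
    algo="${3:-sha256}"
    actual=$(hash_of "$file" "$algo") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file ($algo)"
        return 0
    fi
    echo "MISMATCH: $file ($algo)" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# expected_from_sums FILE SUMSFILE : pull FILE's hash out of a checksum list
# whose lines look like "<hash>  <name>" or "<hash> *<name>" (the md5sum /
# sha256sum output format), matching on the basename of FILE.
expected_from_sums() {
    name=$(basename "$1")
    awk -v name="$name" '
        NF >= 2 { f = $2; sub(/^\*/, "", f); if (f == name) { print $1; exit } }
    ' "$2"
}

# verify_from_sums FILE SUMSFILE [ALGO] : look the hash up, then verify
verify_from_sums() {
    expected=$(expected_from_sums "$1" "$2")
    if [ -z "$expected" ]; then
        echo "no entry for $(basename "$1") in $2" >&2
        return 2
    fi
    verify_hash "$1" "$expected" "${3:-sha256}"
}

# Usage (placeholder names):
#   verify_from_sums ./downloaded.iso ./SHA256SUMS
#   verify_hash ./downloaded.iso <hash copied from the vendor page> md5
```

A non-zero exit on mismatch means the same script can gate an automated download pipeline, not just a manual check.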
How it works…
If the calculated hash and the hash on the UbuntuHashes page match, then the downloaded file is not damaged. If the hashes don’t match, the file may have been tampered with or damaged. Try downloading the file again. If the issue persists, it is recommended that you report it to the administrator of the server.
See also
Here’s something extra in case you want to go the extra mile: the GUI checksum calculator available for Ubuntu.
Sometimes, it’s really inconvenient to use the Terminal for doing checksums. You need to know the right folder of the downloaded file and also the exact filename. This makes it difficult to remember the exact commands.
As a solution, there is a very small and simple program: GtkHash.
Or you can install it by using the following command:
Using LUKS disk encryption
In enterprises, small businesses, and government offices, users may have to secure their systems in order to protect private data, which includes customer details, important files, contact details, and so on. To help with this, Linux provides a good number of cryptographic techniques that can be used to protect data on physical devices such as hard disks or removable media. One such technique is the Linux Unified Key Setup (LUKS) on-disk format, which allows the encryption of Linux partitions.
This is what LUKS does:
- The entire block device can be encrypted using LUKS; it’s well suited for protecting the data on removable storage media or the laptop disk drives
- LUKS uses the existing device mapper kernel subsystem
- It also provides passphrase strengthening, which helps protect against dictionary attacks
Getting ready
For the following process to work, a separate partition must have been created while installing Linux; this is the partition that will be encrypted using LUKS.
Configuring LUKS using the steps given will remove all data on the partition being encrypted. So, before starting the process of using LUKS, make sure you take a backup of the data to some external source.
How to do it…
To manually encrypt a partition, perform the following steps:
- Install cryptsetup as shown here, which is a utility used for setting up encrypted filesystems:
The preceding command generates the following output:
- Encrypt your /dev/sdb1 partition, which is a removable device. To encrypt the partition, type the following command:
The preceding command generates the following output:
This command initializes the partition and also sets a passphrase. Make sure you note the passphrase for further use.
- Now open the newly created encrypted device by creating a mapping:
The preceding command generates the following output:
- Check the status of the mapping using the following command:
The dd command used to fill the device may take hours to complete, so the pv command is used to monitor its progress.
The preceding command generates the following output:
- Then mount the new filesystem and confirm the filesystem is visible:
Congratulations! You have successfully created an encrypted partition. Now, you can keep all your data safe, even when the computer is off.
There’s more…
Perform the following commands to unmount and secure the data on the partition:
To remount the encrypted partition, perform the following steps:
Make use of sudoers – configuring sudo access
sudoers is the Linux mechanism that an administrator can use to grant administrative access to a trusted regular user without sharing the root user’s password. The administrator simply needs to add the regular user to the sudoers list.
Once a user has been added to the sudoers list, they can execute any administrative command by preceding it with sudo. Then the user would be asked to enter their own password. After this, the administrative command would be executed the same way as by the root user.
Getting ready
Since the configuration file is predefined and the commands used are built in, nothing extra needs to be configured before starting the steps.
How to do it…
Perform the following steps:
- You will first create a normal account and then give it sudo access. Once done, you will be able to use the sudo command from the new account to execute administrative commands. Follow the steps given to configure sudo access. First, log in to the system with the root account, then create a user account using the useradd command, as shown. Replace USERNAME in the command with any name of your choice:
- Now, using the passwd command, set a password for the new user account, as shown:
- Now edit the /etc/sudoers file by running visudo, as shown. The policies applied when using the sudo command are defined by the /etc/sudoers file:
- Once the file is open in the editor, search for the following lines, which allow sudo access to the users in the test group:
- You can enable the given configuration by deleting the comment character (#) at the beginning of the second line. Once the changes are done, save the file and exit the editor. Now, using the usermod command, add the previously created user to the test group:
- Now you need to check whether the configuration allows the new user account to run commands using sudo.
- To switch to the newly created user account, use the su command:
- Now use the groups command to confirm the presence of the user account in the test group:
- Finally, run the whoami command with sudo from the new account. As you are executing a command using sudo for the first time with this new user account, the default sudo banner message will be displayed. You will also be asked to enter the user account’s password:
- The last line of the output shown is the username returned by the whoami command. If sudo is configured correctly, this value will be root.
You have successfully configured a user with sudo access. You can now log in to this user account and use sudo to run commands the same way as you would from the root user.
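The procedure above as a script, added here and not from the book: it creates the user, adds it to the group, and installs the group rule as a drop-in under /etc/sudoers.d only after visudo has accepted the syntax (a bad /etc/sudoers locks every user out of sudo at once), then verifies from the user's side with groups and sudo whoami exactly as the recipe does. It also adds an audit function that lists which existing rules already grant unrestricted root, flagging those that skip the password. The user and group names, and the sudoers fragment in the test, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): grant sudo through a group with a
# validated drop-in, and audit who already has full root.

# sudo_rule GROUP : the rule the recipe uncomments, e.g. "%test ALL=(ALL) ALL"
sudo_rule() {
    printf '%%%s ALL=(ALL) ALL\n' "$1"
}

# grant_sudo_via_group USER GROUP : create USER and GROUP if missing, add USER
# to GROUP, and install a syntax-checked rule under /etc/sudoers.d. Run as root.
grant_sudo_via_group() {
    user="$1"; group="$2"
    id "$user" >/dev/null 2>&1 || useradd -m "$user"
    getent group "$group" >/dev/null || groupadd "$group"
    usermod -aG "$group" "$user"
    tmp=$(mktemp)
    sudo_rule "$group" > "$tmp"
    # visudo -cf parses the candidate file without touching /etc/sudoers;
    # a rule that fails here must never be installed.
    if visudo -cf "$tmp"; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$group"
    else
        echo "rule rejected by visudo; nothing installed" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    # verify from the user's side, as the recipe does (sudo will prompt for
    # the user's own password and print the first-use banner)
    su - "$user" -c 'groups; sudo whoami'
}

# audit_sudoers FILE... : print every active rule whose command list is ALL,
# marking those that also waive the password. Comment lines, blank lines and
# Defaults lines are skipped (so commented-out rules are not reported).
audit_sudoers() {
    awk '
        /^[[:space:]]*(#|$)/    { next }
        /^[[:space:]]*Defaults/ { next }
        /[[:space:]]ALL[[:space:]]*$/ {
            flag = ($0 ~ /NOPASSWD/) ? "FULL-ROOT NOPASSWD" : "FULL-ROOT"
            printf "%-20s %s\n", flag, $0
        }
    ' "$@"
}

# Usage (placeholder names):
#   grant_sudo_via_group alice test
#   audit_sudoers /etc/sudoers /etc/sudoers.d/*
```

The drop-in approach keeps the hand-edited /etc/sudoers untouched and makes each grant a separate file that can be removed cleanly; the audit is worth running after every change, since a NOPASSWD rule granted to a group is root for every member of that group.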
How it works…
When you create a new account, it does not have permission to run administrator commands. However, after editing the /etc/sudoers file and making the appropriate entry to grant sudo access to the new user account, you can use that account to run all administrator commands.
There’s more…
Here are some extra measures that you can take to tighten security further.
Vulnerability assessment
A vulnerability assessment is the process of auditing your network and system security, through which you learn about the confidentiality, integrity, and availability of your network. The first phase of a vulnerability assessment is reconnaissance, which leads to the system readiness phase, in which we mainly check for all known vulnerabilities in the target. Next follows the reporting phase, in which we group all the vulnerabilities found into categories of low, medium, and high risk.
Scanning hosts with Nmap
Nmap, which can be used for scanning a network, is one of the most popular tools included in Linux. It has been in existence for many years, and is currently one of the preferred tools for gathering information about a network. Nmap can be used by administrators on their networks to find any open ports and the host systems. When performing vulnerability assessments, Nmap is surely a tool not to be missed.
Getting ready
Most Linux versions come with Nmap installed. The first step is to check whether you already have it by using the following command:
If Nmap exists, you should see output similar to this:
If Nmap is not already installed, you can download and install it from this link: https://nmap.org/download.html.
The following command will quickly install Nmap on your system:
How to do it…
Follow these steps for scanning hosts with Nmap:
- The most common use of Nmap is to find all the hosts online within a given IP range. The default command used takes some time to scan the complete network, depending on the number of hosts in the network.
- The following screenshot shows an example:
- To perform a SYN scan on a particular IP from a subnet, use the following command:
- To detect the version numbers of the services running on the remote host, you can perform a service version detection scan as follows:
- The output here has been truncated:
How it works…
Nmap checks for listening services by probing the most common network communication ports. This information helps the network administrator close all unwanted or unused ports and services. The previous examples show how to use port scanning with Nmap as a powerful tool to study the network around us.
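An added example that is not from the book: the step after a scan is deciding which of the discovered ports should be open at all. The script below parses Nmap's grepable output format (the -oG option) into a list of open ports and reports every one that is not on an allowlist, which is the "close unwanted services" check the paragraph above describes. The scan line used in the test is constructed from this page's own host and vsftpd values; the allowlist format (one "host port/proto" per line) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the book): turn nmap -oG output into an open-port
# list and diff it against an allowlist of services that are meant to be
# reachable. Only scan hosts you administer.

# open_ports GNMAP : print "host port/proto service version" for each open port.
# In -oG output each host is one tab-separated line:
#   Host: <ip> (<name>)  Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
open_ports() {
    awk -F'\t' '
        /^Host: / {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, /, */)
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")
                    if (f[2] == "open")
                        printf "%s %s/%s %s %s\n", host, f[1], f[3], f[5], f[7]
                }
            }
        }
    ' "$1"
}

# unexpected_ports GNMAP ALLOWLIST : open ports whose "host port/proto" is not
# in ALLOWLIST (one entry per line; # comments and blank lines are ignored).
unexpected_ports() {
    open_ports "$1" | awk -v allow="$2" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line); gsub(/[[:space:]]+$/, "", line)
                if (line != "") ok[line] = 1
            }
        }
        { key = $1 " " $2; if (!(key in ok)) print }
    '
}

# Usage (placeholder file names):
#   nmap -sV -oG scan.gnmap 192.168.0.0/24      # scan your own network
#   unexpected_ports scan.gnmap allowed-services.txt
```

Anything the second function prints is either a service to shut down and firewall, or an omission in the allowlist; both are worth a ticket. Running it from cron against a weekly scan turns the one-off recipe into change detection.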
See also
Nmap also has scripting features that we can use to write custom scripts. These scripts can be used with Nmap to automate and extend the scanning capabilities of Nmap.
You can find more information about using Nmap at its official homepage: https://nmap.org/
Gaining root on a vulnerable Linux system
When trying to learn how to scan and exploit a Linux machine, one major problem we encounter is where to try. For this purpose, the Metasploit team has developed and released a virtual machine called Metasploitable . This machine has been made vulnerable purposefully, having many services running unpatched. Due to this, it has become a great platform for practicing or developing penetration testing skills. In this section, we will learn how to scan a Linux system and then, using the scanning result, how to find a service that is vulnerable. Using that vulnerable service, we shall gain root access to the system.
Getting ready
Kali Linux and the Metasploitable VMware system will be used in this section. The image file of Metasploitable can be downloaded from these links:
How to do it…
The Metasploit Framework is an open source tool used by security professionals globally to perform penetration tests by executing exploit code on target systems from within the framework. It comes preinstalled with Kali Linux (the preferred distribution of many security professionals).
Follow these steps to gain root access to a vulnerable Linux system:
- First open the Metasploit console on the Kali system by running the following command:
- At the bottom of the screen, you should get the Metasploit Framework prompt, denoted by msf>.
- Next, we need to scan the target, which is 192.168.0.102 in this example, using Nmap:
The following screenshot shows the output of the command:
- In the previous command, you can see there are many services running on different ports. Among them you can see FTP is also running on port 21 .
- We will focus on the FTP service for now. From the output shown, you can see that the FTP service is provided by the vsftpd application version 2.3.4.
- Now let’s try to find an exploit for vsftpd within the Metasploit framework by simply executing the command search vsftpd. Here is the output:
- The search results are showing a module, VSFTPD Backdoor Command Execution, with an excellent rating, which means that this exploit will work perfectly fine.
- Now run the following commands to use the exploit and check its options:
- As you can see from the screenshot, you need to set the value of RHOST , which is 192.168.1.102 in our case.
- Set the value for RHOST and then run the exploit as shown here:
- Once the exploit runs successfully, you will get root access, as shown in the preceding screenshot.
How it works…
We first did an Nmap scan to check for running services and open ports and found the FTP service running. Then we found the version of the FTP service. Once we had that information, we searched for any exploit available for VSFTPD. The VSFTPD backdoor module found in the search results is code that the Metasploit framework sends to the target machine. The code gets executed on the target because that version of VSFTPD shipped with a backdoor (the module name, VSFTPD Backdoor Command Execution, refers to it). Once the code is executed, we get root shell access from our Kali machine.
Using the exploit found for VSFTPD, we attacked the target system and obtained a root shell on it.
There’s more…
Let’s learn about a few more exploits and attacks that are common in Linux.
Missing backup plans
In this era of malicious attacks and dangerous cyberattacks, your data is never safe. Your data needs something more than just protection: it needs insurance in the form of backups. If at any point your data is lost, having backups ensures that your business can be up and running in no time.
Getting ready
When we talk about data backup in Linux, choosing the best backup tool that matches your business needs is essential. Everyone needs a data backup tool that is dependable, but it’s not necessary to spend too much to get a tool whose features meet your needs. The backup tool should allow you to have local backups, remote backups, one-time backups, scheduled backups, and many other features.
How to do it…
Let’s look at a few outstanding backup tools for Linux.
fwbackups
This is the easiest of all Linux backup tools. fwbackups has a user-friendly interface and it can be used for single backups and also for recurring scheduled backups.
Local as well as remote backups can be done in various formats, such as tar , tar.gz , tar.bz , or rsync format. A single file or an entire computer can be backed up using this tool.
Using this tool, backup and restoring can be done easily. Incremental or differential backups can be done to speed the process.
rsync
This is one of the most widely used backup solutions for Linux. It can be used for incremental backups, whether local or remote.
rsync can be used to update directory trees and filesystems while preserving links, ownerships, permissions, and privileges.
Being a command-line tool, rsync is perfect for creating simple scripts to use in conjunction with cron , so as to create automated backups.
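The cron-driven rsync script the paragraph alludes to, as an added example that is not from the book: each run writes a dated snapshot directory and hard-links files unchanged since the previous snapshot with rsync's --link-dest option, so every snapshot is a complete, directly browsable tree while only changed files consume space, and a prune function keeps the newest N snapshots. The paths, the timestamp format and the cron schedule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the book): rsync snapshot backups for cron.
# Suggested cron line (assumption):  0 2 * * * /usr/local/sbin/snapshot.sh
# Use absolute paths for ROOT so --link-dest resolves correctly.
set -u

# list_snapshots ROOT : snapshot directories, oldest first (names sort by date)
list_snapshots() {
    ls -1d "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_* 2>/dev/null | sort
}

# latest_snapshot ROOT : newest snapshot path, or empty output if none exist
latest_snapshot() {
    list_snapshots "$1" | tail -n 1
}

# make_snapshot SRC ROOT [STAMP] : copy SRC into ROOT/STAMP, hard-linking
# unchanged files to the previous snapshot; prints the new snapshot path
make_snapshot() {
    src="$1"; root="$2"; stamp="${3:-$(date +%Y-%m-%d_%H%M%S)}"
    dest="$root/$stamp"
    mkdir -p "$root" && chmod 700 "$root"   # a backup holds everything; keep it private
    prev=$(latest_snapshot "$root")
    if [ -n "$prev" ]; then
        rsync -a --delete --link-dest="$prev" "$src/" "$dest/"
    else
        rsync -a --delete "$src/" "$dest/"
    fi
    ln -sfn "$stamp" "$root/latest"          # stable name for restore scripts
    echo "$dest"
}

# prune_snapshots ROOT KEEP : delete all but the newest KEEP snapshots
prune_snapshots() {
    list_snapshots "$1" | sort -r | tail -n +"$(( $2 + 1 ))" | while read -r d; do
        rm -rf "$d"
    done
}

# Usage (placeholder paths):
#   make_snapshot /home /srv/backups/home && prune_snapshots /srv/backups/home 14
```

The recipe's "check restores" control applies here: a restore is just a copy out of ROOT/latest, which is worth exercising on a schedule, and ROOT should live on separate media or a remote host so that a failure of the source disk does not take the snapshots with it.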
Amanda (Advanced Maryland Automatic Network Disk Archiver)
This is a free and open source tool developed for "moderately sized computer centers". It is designed to back up multiple machines over the network to tape drives, disks, or optical disks.
Amanda can be used to back up just about everything on a diverse network, using a combination of a master backup server and Linux or Windows clients.
LVM snapshots and hardware snapshots can also be handled using this tool.
Simple Backup Solution (SBS)
Primarily targeted at desktop backup, SBS can be used to back up files and directories. It also allows regular expressions to be used for exclusion purposes.
It includes pre-defined backup configurations that can be used to back up directories such as /var/ , /etc/ , /usr/local .
SBS can be used for custom backups, manual backups and scheduled backups, and is not limited to just pre-defined backups.
Bacula
Bacula is a free and open source tool and requires client programs to be installed on each system targeted for backup. All these systems are controlled using a server that centrally handles the backup rules.
Bacula has its own file format, which is not proprietary as the tool is open source.
Routine full and incremental backups can be done using the tool and it offers better support for setups if multiple servers are being used with their own tape drives.
Encryption and RAID are supported by Bacula. Bacula also offers a scripting language for customizing your backup jobs, which can be used to incorporate encryption.
How it works…
A backup tool is necessary for anyone in the IT industry, as well as for computer power users. The backup tool should be capable of scheduled backups, one-time backups, local backups, remote backups, and more.
About the Author
Tajinder Kalsi
Tajinder Kalsi is an innovative professional with more than 9 years’ progressive experience within the information security industry. He has a good amount of knowledge and experience in web application testing, vulnerability assessment, network penetration testing, and risk assessment. At present, he is working as an information security consultant. He started his career with Wipro as a technical associate, and later on he became an ISMS consultant-cum-technical evangelist. In his free time, he conducts seminars in colleges all across India on various topics, in more than 125 colleges; he has spoken to 10,000+ students. Tajinder is a certified ISO 27001:2013 Auditor. Tajinder authored Practical Linux Security Cookbook, published by Packt Publishing. He has also reviewed the following books: Web Application Penetration Testing with Kali Linux and Mastering Kali Linux for Advanced Penetration Testing. He has also authored three video courses with Packt: Getting Started with Pentesting, Finding and Exploiting Hidden Vulnerabilities, and Pentesting Web Applications. He is best described as dedicated, devoted, and determined, and a person who strongly believes in making his dreams come true. He defines himself as a tireless worker, who loves to laugh and make others laugh. He is also very friendly and level-headed.