Securing Linux Servers Best Practice Document

Transcription

1 Securing Linux Servers Best Practice Document Miloš Kukoleča Network Security Engineer CNMS Workshop, Prague April 2016

2 Motivation Majority of production servers in academic environment are run by Linux Lack of server security related documents in the academic community Security awarenes is not on a high level Security challanges are on the rise Technical background of academic IT staff is very diverse Advanced sysadmins Beginners 2

3 Document planning Experience of sysadmins in academic institutions is invaluable Knowledge, common problems, solutions and best practices of academic Sysadmins formed this BPD Meeting with academic technical community produced a draft for the document 3

4 Server (Linux OS) Management Suitable installation: standard, specific or minimal? Disabling and removing unnecessary services OS system and services update Distribution of production services on available Linux servers The system is as secure as the most vulnerable service in it! 4

5 Secure management Provide secure communication with the Linux server Remote access File transfer Web access (if needed) Telnet vs SSH FTP vs SCP/SFTP HTTP vs HTTPS Use trusted SSL/TLS certificates 5

6 Remote filesystems Sometimes, Linux servers use remote filesystem Data is transffered over the network This data needs to be protected Sysadmins are advised to use SSHFS SSHFS uses SFTP protocol in order to securely transfer data to the remote filesystem 6

7 User Management Usualy the weakest link in the security chain user Create and maintain strict and clear user management policy DO NOT use root account. Enforce policy ONE USER = ONE ACCOUNT Enforce secure user password structure Lock or remove unused accounts Use sudo access (if suitable) Centralised management of user accounts is a good practice for managing several Linux servers 7

8 Security Tools Security for all layers of TCP/IP protocol stack: L2 arpwatch L3, L4 IPtables L7 Fail2Ban Kernel security SELinux, AppArmor Fail2Ban is protecting applications by monitoring log files Applies block rules in IPtables Notifies sysadmin about new actions Includes some predefined patterns for the well known applications 8

9 Monitoring and Diagnostics Key of successfull Linux management gathering useful information Useful info: Services status Network activity Use of system resources User activity (who, when, where, what...) Syslog, Syslog-ng and SNMP are fine tools for monitoring and diagnostics 9

10 Notifications and alarms Sysadmins are advised to set up notification system Reports on non-successful script action Report on process resource consumption Reports on reaching thresholds in resource consumption notifications should be sent only if something is wrong Don t get overwhelmed with s which report that everything is OK 10

11 Backup Backup is essential in security related incidents and disaster recovery mechanisms Virtual environment makes the backup procedures quite easier Non-virtual environment brings the main challenge what to backup? Key is to develop a backup strategy Define the data that should be copied Define the backup technique Define the backup frequency Define the backup cycle Define the time for keeping the backup Define the space needed for storing backups 11

12 Common attacks compromising user accounts Attempts to break user credentials are the most common attacks on the Internet Open ports are scanned and typical usernames are used in the attack (root, admin, john etc) Dictionaries used in these attacks are becoming more sophisticated Solution Enforce password policy Use SSH only Restrict access to trusted networks using IPtables Use VPN solution for accessing from untrusted networks 12

13 Common attacks DNS amplification DNS amplification attack exploits open resolvers Open resolvers are used as intermediaries in these attacks Attacker spoofs the victim s IP address and sends the DNS query The victim receives the DNS server reply This is unwanted traffic Amplification factor small amount of bandwidth invested on attacker side can cause much larger response from open resolvers Solution: Restrict recursion only to local users in the network 13

14 Common attacks NTP reflection NTP protocol enables time synchronization throughout network Amplification factor is similar as with DNS amplification attack Attacker spoofs the victim s IP address and uses monolist command in order to get a list of last 600 peers Vulnerable NTP server responds and sends unwanted traffic to a victim Solution: Get the newest ntpd package or disable the monolist command Restrict NTP synchronization only to local network nodes 14

15 Conclusions BPDs should be written in close collaboration with Sysadmins in academic institutions The main aim of Securing Linux Servers BPD is to give general overview of Linux security, not to be used as a Cookbook. Securing Linux Servers is a good starting point for a number of spin-off documents which would explain in detail the protection of major network services Not to be forgotten Server protection is not a one-time effort, but a lasting process that continues as long as the server is in use 15

16 Thank you Any Questions? Networks Services People This work is part of a project that has received funding from the European Union s Horizon 2020 research and innovation programme under Grant Agreement No (GN4-1). 16