Best Practices to Secure Linux Server homing Oracle

Transcription

1 Best Practices to Secure Linux Server homing Oracle Raj Ravikumar System Analyst BizTech Kyle Snyder CIO, Managing Partner - BizTech

2 Agenda About the Presenters About BizTech What is Linux Enterprise Linux Securing Linux Conclusion Questions

3 The Presenters Kyle Snyder CIO, Managing Partner BizTech 15 years of Oracle Experience End user, implementation consultant, and project manager Over 30 Full Cycle Implementations Primary area of focus in HRMS and Managed Services Accelerate R12 Implementations Raj Ravikumar Over 6 years of IT experience, specializing in System/Network/VM/Oracl e Apps/DBA architecture. Implemented and Managed Datacenter Operations. Lead System Analyst at BizTech MS IT, CCNA, VCP, OCP (Linux, 10g/11g DB, 11i Apps)

4 BizTech Leading Mid-Atlantic Oracle Platinum Partner and IT Services firm focused on Oracle Applications and Technology solutions Over 400 successful Oracle implementations over the past 15 years Based in King of Prussia, PA with offices in New Jersey, New York City and Washington DC Service Fortune 500 companies, organizations and government agencies Oracle certified and experienced consultants

5 Client-Centric Practice Areas Oracle Applications - Full Portfolio of Oracle Applications Solutions - Implementation, Upgrade, Migration - Since 1990 MPL6 to R12 Experience - Over 400 successful implementations to date Oracle Applications Oracle Technology BI/EPM Oracle Technology and Business Intelligence - End to end service offering in BI and EPM - Fully staffed team of Data Architects and DBAs - Solid experience in RAC, HA and HS designs - Understand full Oracle technology stack Clients Managed Services ITO Oracle Software Provider Managed Services and IT Outsource - Remote or Onsite services - Full portfolio of Oracle Applications and Technologies - World-Class Data Center with 24x7 Support - Instant capacity, operational focused business model Oracle Software Provider - Full Portfolio of Oracle License Resell - Help Clients Optimize License models - RapidApp BI Software for the agile enterprise - RapidApp Auditor to manage change and GRC

6 Linux Background FOSS Source code is free! From cell phones to supercomputer

7 Enterprise Linux

8 Enterprise Linux Unbreakable Enterprise Kernel is based on a stable kernel and includes optimizations developed in collaboration with Oracle s Database, Middleware and Hardware engineering teams to ensure stability and optimal performance for the most demanding enterprise workloads.

9 Enterprise Linux Unbreakable Enterprise Kernel has been engineered and tested with performance in mind and internal benchmarks show tremendous performance improvements compared to a standard Enterprise Linux 5 kernel ( ) Unbreakable Enterprise Kernel includes enhancements and bug fixes to improve virtual memory performance, network and disk I/O performance as well as improvements for largenuma (Non-Uniform Memory Access) systems

10 Enterprise Linux The latest Infiniband software stack, OFED Improved RDS (reliable datagram sockets) stack for high speed, low latency networking Overall networking performance has been improved especially at high loads due to the inclusion of receive packet steering Improved asynchronous write back performance Increased scalability on fast storage such as solid state disk (SSD) Advanced support for large NUMA systems

11 Security Source:

12 Security Source:

13 Security Secure Shell SSH Patching Named User Accounts SUDO Access Audit Deamon Restricting Root Access Software and Services VNC Server Password Aging & Policy Firewall Network Security

14 Secure Shell What is SSH Versions of SSH SSH 1 SSH2 Why use SSH2 How to use SSH2 File - /etc/ssh/sshd_config Protocol 1 2 Protocol 2

15 Secure Shell Encryption Cipher Comparison Cipher SSH1 SSH2 DES Yes No 3DES Yes Yes IDEA Yes No Blowfish Yes Yes Twofish No Yes Arcfour No Yes Cast 128- cbc No Yes

16 Secure Shell Authentication Cipher Comparison Cipher SSH1 SSH2 RSA Yes No DSA No Yes

17 Patching Security Maintenance Supportability Error Fixing

18 Manual Process Patching

19 Built in OS tools Patching

20 Third Party Tools Patching Patch Link BlueLane's PatchPoint

21 Patching

22 Named User Accounts Users DBA s / Developers Custom Application Private Groups Restricted Access NIS / Individual Server

23 Sudo Access Super User DO /etc/sudoers visudo No Passwords to remember! Aliases Host User Command

24 Sudo Access setuid on sudo Defaults Specification User Privilege Specification Logging Security

25 Audit Daemon Used to Audit Kernel > 2.6 /etc/audit.rules

26 Audit Daemon

27 Root Access

28 Most Powerful User Root Access File - /etc/ssh/sshd_config PermitRootLogin no AllowGroups, AllowUsers, DenyGroups, and DenyUsers File - /etc/ssh/sshd_config AllowGroups dba AllowUsers scott

29 Software and Services During Install or After Install? Oracle Validated rpm package Installation pre-req document - Oralce

30 Software and Services

31 Software and Services

32 Software and Services

33 VNC Service / Source:

34 Password Security Password Aging Password Strength Source: /

35 Password Aging /etc/login.defs Parameter Value Definition PASS_MAX_DAYS 90 Maximum number of days a password may be used PASS_MIN_DAYS 0 Minimum number of days allowed between password changes PASS_MIN_LEN 5 Minimum acceptable password length PASS_WARN_AGE 7 Number of days warning given before a password expires

36 Password Aging Chage for users already created Option Definition -h Help -l List aging Information -m Minimum number of days between password changes -M Maximum number of days during which a password is valid -W Number of days of warning before a password change is required

37 Password Strength/Complexity /etc/pam.d/system-auth pam_cracklib.so module Default Config password requisite /lib/security/$isa/pam_cracklib.so retry=3 3 opportunities to enter the correct password

38 Password Strength/Complexity Option Value Description minlen N The minimum password length difok N The number of characters the new password should differ from the old password dcredit N The number of digits the password should have ucredit N The number of Upper case letter the password should have lcredit N The number of Lower case letter the password should have ocredit N The number of special characters the password should have

39 Linux Firewall Iptables Status Service iptables status Start Service iptables start Stop Service iptables stop Restart Service iptables restart

40 Linux Firewall Mangle Table/Queue Default Filter Table/Queue Forward Chain Input Chain Output Chain NAT Table/Queue Pre-Routing Chain Post-Routing Chain

41 Network Security Hardening /etc/sysctl.conf Option Value Definition net.ipv4.conf.all.rp_filter 1 Disables Routing Triangulation net.ipv4.conf.all.send_redirects 0 Disables Packet Redirects net.ipv4.conf.all.accept_source_route 0 Disables Source Routed Packets net.ipv4.conf.all.log_martians 1 Enabled Logging for packets with malicious IP

42 Network Security Hardening /etc/sysctl.conf Option Value Definition net.ipv4.conf.all.accept_redirects 0 Disables ICMP redirect acceptance net.ipv4.icmp_echo_ignore_broadca sts 1 Disables responding to ping broadcast net.ipv4.tcp_syncookies 1 Protects from DoS attacks

43 Conclusion

44 Questions Raj Ravikumar System Analyst Kyle Snyder CIO, Managing Partner