Securing Linux Servers Best Practice Document


Securing Linux Servers Best Practice Document
Miloš Kukoleča, Network Security Engineer
CNMS Workshop, Prague, 25-26 April 2016

Motivation
- The majority of production servers in the academic environment run Linux
- Lack of server-security-related documents in the academic community
- Security awareness is not at a high level
- Security challenges are on the rise
- The technical background of academic IT staff is very diverse: advanced sysadmins, beginners

Document planning
- The experience of sysadmins in academic institutions is invaluable
- The knowledge, common problems, solutions and best practices of academic sysadmins formed this BPD
- A meeting with the academic technical community produced a draft for the document

Server (Linux OS) Management
- Suitable installation: standard, specific or minimal?
- Disabling and removing unnecessary services
- OS system and services update
- Distribution of production services across the available Linux servers
- The system is as secure as the most vulnerable service in it!

Secure management
- Provide secure communication with the Linux server for remote access, file transfer and web access (if needed)
- Telnet vs SSH
- FTP vs SCP/SFTP
- HTTP vs HTTPS
- Use trusted SSL/TLS certificates

Remote filesystems
- Sometimes Linux servers use a remote filesystem
- Data is transferred over the network, and this data needs to be protected
- Sysadmins are advised to use SSHFS
- SSHFS uses the SFTP protocol to securely transfer data to the remote filesystem

User Management
- Usually the weakest link in the security chain: the user
- Create and maintain a strict and clear user management policy
- DO NOT use the root account
- Enforce the policy ONE USER = ONE ACCOUNT
- Enforce a secure user password structure
- Lock or remove unused accounts
- Use sudo access (if suitable)
- Centralised management of user accounts is good practice when managing several Linux servers

Security Tools
Security for all layers of the TCP/IP protocol stack:
- L2: arpwatch
- L3, L4: IPtables
- L7: Fail2Ban
- Kernel security: SELinux, AppArmor
Fail2Ban protects applications by monitoring log files:
- Applies block rules in IPtables
- Notifies the sysadmin about new actions
- Includes predefined patterns for well-known applications

Monitoring and Diagnostics
- The key to successful Linux management: gathering useful information
- Useful info: services status, network activity, use of system resources, user activity (who, when, where, what...)
- Syslog, Syslog-ng and SNMP are fine tools for monitoring and diagnostics

Notifications and alarms
- Sysadmins are advised to set up an email notification system
- Reports on unsuccessful script actions
- Reports on process resource consumption
- Reports on reaching thresholds in resource consumption
- Email notifications should be sent only if something is wrong
- Don't get overwhelmed with emails reporting that everything is OK

Backup
- Backup is essential in security-related incidents and in disaster recovery mechanisms
- A virtual environment makes backup procedures considerably easier
- A non-virtual environment brings the main challenge: what to back up?
- The key is to develop a backup strategy:
  - Define the data that should be copied
  - Define the backup technique
  - Define the backup frequency
  - Define the backup cycle
  - Define how long backups are kept
  - Define the space needed for storing backups

Common attacks: compromising user accounts
- Attempts to break user credentials are the most common attacks on the Internet
- Open ports are scanned and typical usernames are used in the attack (root, admin, john etc.)
- The dictionaries used in these attacks are becoming more sophisticated
Solution:
- Enforce a password policy
- Use SSH only
- Restrict access to trusted networks using IPtables
- Use a VPN solution for access from untrusted networks
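The Fail2Ban mechanism from the Security Tools slide and the credential brute-forcing described above, as an added example that is not part of the original slides: a minimal Fail2Ban-style scan over constructed sshd log lines that counts failures per source address within a time window, exempts a trusted network (as Fail2Ban's ignoreip does) and produces the IPtables block rule it would apply. The log lines, addresses and thresholds are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not taken from the slides or any real host).
SAMPLE_LOG = """\
Apr 25 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 25 10:00:03 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Apr 25 10:00:04 srv sshd[1205]: Failed password for invalid user john from 203.0.113.7 port 51131 ssh2
Apr 25 10:00:09 srv sshd[1209]: Failed password for root from 192.0.2.20 port 40001 ssh2
Apr 25 10:00:10 srv sshd[1210]: Failed password for root from 192.0.2.20 port 40002 ssh2
Apr 25 10:00:11 srv sshd[1211]: Failed password for root from 192.0.2.20 port 40003 ssh2
Apr 25 10:30:00 srv sshd[1300]: Failed password for root from 198.51.100.9 port 6001 ssh2
Apr 25 11:30:00 srv sshd[1301]: Failed password for root from 198.51.100.9 port 6002 ssh2
Apr 25 12:30:00 srv sshd[1302]: Failed password for root from 198.51.100.9 port 6003 ssh2
"""

# Equivalent of a Fail2Ban "failregex" for sshd password failures.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def scan(log, maxretry=3, findtime=600, trusted=("192.0.2.0/24",), year=2016):
    """Return {ip: iptables rule} for sources that reach maxretry failures
    within findtime seconds and are not inside a trusted (ignoreip) network.
    Syslog lines carry no year, so it is supplied as a parameter."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = defaultdict(list)   # ip -> timestamps of recent failures
    bans = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in bans or any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # already banned, or coming from a trusted network
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        # Keep only failures inside the sliding findtime window.
        window = [t for t in hits[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        hits[ip] = window
        if len(window) >= maxretry:
            # The kind of block rule Fail2Ban applies; built here, not executed.
            bans[ip] = f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j REJECT"
    return bans
```

With the defaults, only 203.0.113.7 is banned: 192.0.2.20 sits in the trusted network and 198.51.100.9 spreads its attempts an hour apart, which a 600-second window never accumulates.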

Common attacks: DNS amplification
- A DNS amplification attack exploits open resolvers
- Open resolvers are used as intermediaries in these attacks
- The attacker spoofs the victim's IP address and sends the DNS query
- The victim receives the DNS server's reply: unwanted traffic
- Amplification factor: a small amount of bandwidth invested on the attacker's side causes a much larger response from the open resolvers
Solution: restrict recursion to local users in the network only

Common attacks: NTP reflection
- The NTP protocol enables time synchronization throughout the network
- The amplification factor is similar to that of the DNS amplification attack
- The attacker spoofs the victim's IP address and uses the monlist command to obtain a list of the last 600 peers
- The vulnerable NTP server responds and sends unwanted traffic to the victim
Solution:
- Get the newest ntpd package or disable the monlist command
- Restrict NTP synchronization to local network nodes only
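The two amplification mitigations above (restricting DNS recursion to local clients, and disabling or restricting monlist), as an added example that is not part of the original slides: a small Python audit of constructed named.conf and ntp.conf fragments that flags the weak settings and passes the hardened ones. All configuration values are constructed, and the checks cover only the directives shown (allow-recursion, disable monitor, restrict default ... noquery).

```python
import re

# Constructed configuration fragments (not from the slides): a weak and a
# hardened variant for each service.
NAMED_OPEN = """
options {
    recursion yes;
    allow-recursion { any; };
};
"""
NAMED_LOCAL = """
acl campus { 192.0.2.0/24; 2001:db8::/32; };
options {
    recursion yes;
    allow-recursion { campus; localhost; };
};
"""
NTP_OPEN = """
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
"""
NTP_LOCAL = """
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
"""

def audit_named(conf):
    """Findings for a BIND config: is recursion offered to the whole Internet?"""
    if re.search(r"\brecursion\s+no\s*;", conf):
        return []  # authoritative-only server: no recursion to abuse
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
    if m is None:
        return ["allow-recursion not set: list the permitted local networks explicitly"]
    if re.search(r"\bany\b", m.group(1)):
        return ["allow-recursion { any; }: open resolver, limit it to local networks"]
    return []

def audit_ntp(conf):
    """Findings for ntp.conf: can arbitrary clients issue mode 7 queries (monlist)?"""
    if re.search(r"^\s*disable\s+monitor\b", conf, re.M):
        return []  # monlist data collection switched off entirely
    defaults = re.findall(r"^\s*restrict\s+(?:-[46]\s+)?default\s+(.*)$", conf, re.M)
    if not defaults or any("noquery" not in flags.split() for flags in defaults):
        return ["control/monitoring queries (incl. monlist) allowed by default: add noquery"]
    return []
```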

Conclusions
- BPDs should be written in close collaboration with sysadmins in academic institutions
- The main aim of the Securing Linux Servers BPD is to give a general overview of Linux security, not to serve as a cookbook
- Securing Linux Servers is a good starting point for a number of spin-off documents that would explain in detail the protection of major network services
- Not to be forgotten: server protection is not a one-time effort but a lasting process that continues as long as the server is in use

Thank you. Any questions?
milos.kukoleca@amres.ac.rs
Networks, Services, People. www.geant.org
This work is part of a project that has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 691567 (GN4-1).