Best Practices to Secure a Linux Server Hosting Oracle
Raj Ravikumar, System Analyst, BizTech
Kyle Snyder, CIO, Managing Partner, BizTech
Agenda
- About the Presenters
- About BizTech
- What is Linux
- Enterprise Linux
- Securing Linux
- Conclusion
- Questions
The Presenters

Kyle Snyder, CIO, Managing Partner, BizTech
- 15 years of Oracle experience
- End user, implementation consultant, and project manager
- Over 30 full-cycle implementations
- Primary area of focus in HRMS and Managed Services
- Accelerate R12 implementations

Raj Ravikumar
- Over 6 years of IT experience, specializing in System/Network/VM/Oracle Apps/DBA architecture
- Implemented and managed datacenter operations
- Lead System Analyst at BizTech
- MS IT, CCNA, VCP, OCP (Linux, 10g/11g DB, 11i Apps)
BizTech
- Leading Mid-Atlantic Oracle Platinum Partner and IT services firm focused on Oracle Applications and Technology solutions
- Over 400 successful Oracle implementations over the past 15 years
- Based in King of Prussia, PA with offices in New Jersey, New York City and Washington DC
- Serve Fortune 500 companies, organizations and government agencies
- 100+ Oracle certified and experienced consultants
Client-Centric Practice Areas

Oracle Applications
- Full portfolio of Oracle Applications solutions
- Implementation, upgrade, migration
- Since 1990: MPL6 to R12 experience
- Over 400 successful implementations to date

Oracle Technology and Business Intelligence (BI/EPM)
- End-to-end service offering in BI and EPM
- Fully staffed team of Data Architects and DBAs
- Solid experience in RAC, HA and HS designs
- Understand the full Oracle technology stack

Managed Services and IT Outsource (ITO)
- Remote or onsite services
- Full portfolio of Oracle Applications and Technologies
- World-class data center with 24x7 support
- Instant capacity, operational focused business model

Oracle Software Provider
- Full portfolio of Oracle license resell
- Help clients optimize license models
- RapidApp BI software for the agile enterprise
- RapidApp Auditor to manage change and GRC
Linux Background
- FOSS: the source code is free!
- From cell phones to supercomputers
Enterprise Linux
- The Unbreakable Enterprise Kernel is based on a stable 2.6.32 kernel and includes optimizations developed in collaboration with Oracle's Database, Middleware and Hardware engineering teams to ensure stability and optimal performance for the most demanding enterprise workloads.
- It has been engineered and tested with performance in mind; internal benchmarks show tremendous performance improvements compared to a standard Enterprise Linux 5 kernel (2.6.18-194).
- It includes enhancements and bug fixes to improve virtual memory performance and network and disk I/O performance, as well as improvements for large NUMA (Non-Uniform Memory Access) systems.
- The latest InfiniBand software stack, OFED 1.5.1
- Improved RDS (Reliable Datagram Sockets) stack for high-speed, low-latency networking
- Overall networking performance has been improved, especially at high loads, due to the inclusion of receive packet steering
- Improved asynchronous write-back performance
- Increased scalability on fast storage such as solid state disks (SSD)
- Advanced support for large NUMA systems
Security
- Secure Shell (SSH)
- Patching
- Named User Accounts
- sudo Access
- Audit Daemon
- Restricting Root Access
- Software and Services
- VNC Server
- Password Aging & Policy
- Firewall
- Network Security
Secure Shell
- What is SSH
- Versions of SSH: SSH1 and SSH2
- Why use SSH2
- How to use SSH2: in /etc/ssh/sshd_config, change
    Protocol 1,2
  to
    Protocol 2
Secure Shell: Encryption Cipher Comparison

Cipher        SSH1   SSH2
DES           Yes    No
3DES          Yes    Yes
IDEA          Yes    No
Blowfish      Yes    Yes
Twofish       No     Yes
Arcfour       No     Yes
CAST128-cbc   No     Yes
Secure Shell: Authentication Cipher Comparison

Cipher   SSH1   SSH2
RSA      Yes    No
DSA      No     Yes
Patching
Why patch:
- Security
- Maintenance
- Supportability
- Error fixing

How to patch:
- Manual process
- Built-in OS tools
- Third-party tools: PatchLink, BlueLane's PatchPoint
Named User Accounts
- Users: DBAs / developers
- Custom application private groups
- Restricted access
- NIS / individual server
Sudo Access
- sudo: Super User DO
- Configured in /etc/sudoers, edited with visudo
- No passwords to remember!
- Aliases: Host, User, Command
- setuid on sudo
- Defaults specification
- User privilege specification
- Logging
- Security
Audit Daemon
- Used to audit kernels > 2.6
- Rules in /etc/audit.rules
Root Access: the Most Powerful User
- Disable direct root login in /etc/ssh/sshd_config:
    PermitRootLogin no
- Limit who may log in over SSH with AllowGroups, AllowUsers, DenyGroups and DenyUsers, for example in /etc/ssh/sshd_config:
    AllowGroups dba
    AllowUsers scott
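As an added example (not from the presentation), the following shell script audits an sshd_config for the three settings covered by the Secure Shell and Root Access slides: Protocol 2 only, PermitRootLogin no, and an AllowUsers/AllowGroups allow-list. The two sample configs are constructed; on a real host, pass /etc/ssh/sshd_config instead.

```shell
# Added example, not from the presentation: audit an sshd_config for the
# settings the deck asks for (Protocol 2 only, PermitRootLogin no, and an
# explicit AllowUsers/AllowGroups allow-list). Returns the finding count.

# effective_value FILE KEYWORD -> value of the last active (uncommented) line
# for KEYWORD; sshd keywords are case-insensitive, so compare lower-cased.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { val = $2 } END { print val }' "$1"
}

audit_sshd_config() {
    file=$1; findings=0
    proto=$(effective_value "$file" Protocol)
    if [ "$proto" != "2" ]; then
        echo "Protocol '${proto:-unset}': SSH1 may still be offered, set 'Protocol 2'"
        findings=$((findings + 1))
    fi
    root=$(effective_value "$file" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin '${root:-unset}': set to 'no' and use sudo instead"
        findings=$((findings + 1))
    fi
    if [ -z "$(effective_value "$file" AllowUsers)" ] && \
       [ -z "$(effective_value "$file" AllowGroups)" ]; then
        echo "No AllowUsers/AllowGroups: every account with a shell can log in over SSH"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: a default-looking config that still offers SSH1 and
# root login, and one hardened as the deck recommends.
SAMPLE_WEAK=$(mktemp); SAMPLE_HARDENED=$(mktemp)
cat > "$SAMPLE_WEAK" <<'EOF'
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
X11Forwarding yes
EOF
cat > "$SAMPLE_HARDENED" <<'EOF'
Protocol 2
PermitRootLogin no
AllowGroups dba
AllowUsers scott
EOF

audit_sshd_config "$SAMPLE_WEAK" || echo "weak config: $? finding(s)"
audit_sshd_config "$SAMPLE_HARDENED" && echo "hardened config: no findings"
```

Remember that sshd reads its configuration only at start-up, so restart the service after editing the file.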
Software and Services
- During install or after install?
- Oracle Validated rpm package
- Installation pre-requisite document (Oracle)
VNC Server
Password Security
- Password aging
- Password strength
Password Aging: /etc/login.defs

Parameter      Value  Definition
PASS_MAX_DAYS  90     Maximum number of days a password may be used
PASS_MIN_DAYS  0      Minimum number of days allowed between password changes
PASS_MIN_LEN   5      Minimum acceptable password length
PASS_WARN_AGE  7      Number of days warning given before a password expires
Password Aging: chage for users already created

Option  Definition
-h      Help
-l      List aging information
-m      Minimum number of days between password changes
-M      Maximum number of days during which a password is valid
-W      Number of days of warning before a password change is required
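As an added example (not from the presentation), this shell script ties the two aging slides together: /etc/login.defs only governs accounts created after it is edited, so it reads the PASS_* values from a login.defs-style file and emits the matching chage command for each existing interactive account in a passwd-style file. Both input files are constructed, and "interactive" is assumed to mean UID >= 500 (the RHEL 5 era convention) with a real login shell.

```shell
# Added example, not from the presentation: /etc/login.defs only affects
# accounts created after it is edited, so accounts that already exist need
# chage. This reads PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE from a
# login.defs-style file and emits one chage command per interactive account
# in a passwd-style file. Both inputs below are constructed; "interactive"
# is assumed to mean UID >= 500 (RHEL 5 era convention) with a real shell.

# login_def FILE KEY -> value of the last uncommented KEY line
login_def() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# chage_commands LOGIN_DEFS PASSWD -> "chage -M max -m min -W warn user" per account
chage_commands() {
    max=$(login_def "$1" PASS_MAX_DAYS)
    min=$(login_def "$1" PASS_MIN_DAYS)
    warn=$(login_def "$1" PASS_WARN_AGE)
    awk -F: -v max="$max" -v min="$min" -v warn="$warn" '
        $3 >= 500 && $7 !~ /(nologin|false)$/ {
            printf "chage -M %s -m %s -W %s %s\n", max, min, warn, $1
        }' "$2"
}

LOGIN_DEFS=$(mktemp); PASSWD=$(mktemp)
cat > "$LOGIN_DEFS" <<'EOF'
# constructed login.defs fragment with the values from the table above
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
oracle:x:500:500:Oracle software owner:/home/oracle:/bin/bash
scott:x:501:501:DBA:/home/scott:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
EOF

# Review the output, then run it as root (or pipe it to sh) to apply.
chage_commands "$LOGIN_DEFS" "$PASSWD"
```

Service accounts with a nologin shell are skipped deliberately; expiring their passwords would not add protection and can break scheduled jobs.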
Password Strength/Complexity: the pam_cracklib.so module in /etc/pam.d/system-auth

Default config:
  password requisite /lib/security/$isa/pam_cracklib.so retry=3
retry=3 gives 3 opportunities to enter the correct password
Password Strength/Complexity: pam_cracklib options

Option   Value  Description
minlen   N      The minimum password length
difok    N      The number of characters by which the new password should differ from the old password
dcredit  N      The number of digits the password should have
ucredit  N      The number of upper-case letters the password should have
lcredit  N      The number of lower-case letters the password should have
ocredit  N      The number of special characters the password should have
Linux Firewall: iptables

Action   Command
Status   service iptables status
Start    service iptables start
Stop     service iptables stop
Restart  service iptables restart
Linux Firewall: tables and chains
- Mangle table/queue
- Filter table/queue (default): Input, Output and Forward chains
- NAT table/queue: Pre-Routing and Post-Routing chains
Network Security Hardening: /etc/sysctl.conf

Option                                 Value  Definition
net.ipv4.conf.all.rp_filter            1      Disables routing triangulation
net.ipv4.conf.all.send_redirects       0      Disables packet redirects
net.ipv4.conf.all.accept_source_route  0      Disables source-routed packets
net.ipv4.conf.all.log_martians         1      Enables logging for packets with malicious IP
net.ipv4.conf.all.accept_redirects     0      Disables ICMP redirect acceptance
net.ipv4.icmp_echo_ignore_broadcasts   1      Disables responding to ping broadcasts
net.ipv4.tcp_syncookies                1      Protects from DoS attacks
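As an added example (not from the presentation), this shell script checks a sysctl.conf-style file against the seven values in the table above and reports each key that is missing or set differently. The sample file is constructed; on a real host, pass /etc/sysctl.conf, and compare with the running kernel using `sysctl -n <key>`.

```shell
# Added example, not from the presentation: check a sysctl.conf-style file
# against the values in the table above. Reports each key that is missing or
# set differently and returns the number of deviations. The sample file is
# constructed; on a live host pass /etc/sysctl.conf instead.

# Recommended key=value pairs, taken from the table above.
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1'

# conf_value FILE KEY -> value of the last uncommented "KEY = value" line
# (sysctl.conf allows spaces around '=' and '#' or ';' comment lines).
conf_value() {
    awk -F= -v key="$2" '!/^[ \t]*[#;]/ && NF >= 2 {
        k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
        if (k == key) val = v
    } END { print val }' "$1"
}

# audit_sysctl FILE -> one line per missing/wrong key; exit status = count
audit_sysctl() {
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "$key: not set (want $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "$key = $have (want $want)"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sysctl.conf: one key wrong, one commented out, one absent
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 0
# net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
EOF

audit_sysctl "$SAMPLE" || echo "$? setting(s) need attention"
```

Settings in the file only take effect after `sysctl -p` or a reboot, so a clean file does not by itself prove the running kernel is hardened.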
Conclusion
Questions
Raj Ravikumar, System Analyst, rravikumar@biztech.com
Kyle Snyder, CIO, Managing Partner, ksnyder@biztech.com