Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:

Slides:

Advertisements

Similar presentations

Basic Unix system administration

Advertisements

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

BSD Security Fundamentals Sean Lewis Sean Lewis

2000 Copyrights, Danielle S. Lahmani UNIX Tools G , Fall 2000 Danielle S. Lahmani Lecture 12.

Linux Security 資管研究生劉順德. Outline General Security –Account –Local –Network –Patch Services Security –Sendmail –BIND/DNS –Apache –FTP Recent Linux security.

Installing and Configuring a Secure Web Server COEN 351 David Papay.

Voyager Server Security and Monitoring Best practices and tools.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

Linux System Administration LINUX SYSTEM ADMINISTRATION.

Telnet/SSH: Connecting to Hosts Internet Technology1.

CIS 193A – Lesson10 Protecting Your Network. CIS 193A – Lesson10 Focus Question What information contained in packets can be used as matching criteria.

Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

CLI modes Accessing the configuration Basic configuration (hostname and DNS) Authentication and authorization (AAA) Log collection Time Synchronization.

SSH. Review 1-minute exercise: Find the open ports on you own VM [Good] nmap [Better] netstat -lpunt.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

Module 10: Monitoring ISA Server Overview Monitoring Overview Configuring Alerts Configuring Session Monitoring Configuring Logging Configuring.

1 © 2007 Cisco Systems, Inc. All rights reserved.Cisco Public Remote access typically involves allowing telnet, SSH connections to the router Remote requires.

| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.

Linux in a Virtual Environment Nagarajan Prabakar School of Computing and Information Sciences Florida International University.

FTP Server and FTP Commands By Nanda Ganesan, Ph.D. © Nanda Ganesan, All Rights Reserved.

Linux Administration. Pre-Install Different distributions –Redhat, Caldera, mandrake, SuSE, FreeBSD Redhat Server Install –Check HCL –Significant issues.

Manage Directories and Files in Linux. 2 Objectives Understand the Filesystem Hierarchy Standard (FHS) Identify File Types in the Linux System Change.

Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.

Topics Network topology Virtual LAN Port scanners and utilities Packet sniffers Weak protocols Practical exercise.

1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.

Networking in Linux. ♦ Introduction A computer network is defined as a number of systems that are connected to each other and exchange information across.

FTP File Transfer Protocol Graeme Strachan. Agenda  An Overview  A Demonstration  An Activity.

1 LINUX SECURITY. 2 Outline Introduction Introduction - UNIX file permission - UNIX file permission - SUID / SGID - SUID / SGID - File attributes - File.

© 2008 Cisco Systems, Inc. All rights reserved.CIPT1 v6.0—1-1 Getting Started with Cisco Unified Communications Manager Installing and Upgrading Cisco.

Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server network parameters. 3.Define one or more method lists.

Securing the Linux Operating System Erik P. Friebolin.

| nectar.org.au NECTAR TRAINING Module 5 The Research Cloud Lifecycle.

VIRTUAL HOSTING WITH PureFTPd And MYSQL (Quota And Bandwidth Management) BY Odoh Kenneth Emeka Sun Yu Patrick Appiah.

WinSCP  Tool for accessing files on beaglebone system.

FTP COMMANDS OBJECTIVES. General overview. Introduction to FTP server. Types of FTP users. FTP commands examples. FTP commands in action (example of use).

IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.

Unit – 5 FTP Server. FTP Introduction One of the oldest and most commonly used protocols The original specification for the File Transfer Protocol was.

 Introduction  Tripwire For Servers  Tripwire Manager  Tripwire For Network Devices  Working Of Tripwire  Advantages  Conclusion.

Web Server Security: Protecting Your Pages NOAA OAR WebShop 2001 August 2 nd, 2001 Jeremy Warren.

Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.

PRESENTED BY ALI NASIR BITF13M040 AMMAR HAIDER BITF13M016 SHOIAB BAJWA BITF13M040 AKHTAR YOUNAS BITF13M019.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

 Each interface card that was detected correctly will be listed under the Network Devices section. Ethernet devices in Linux are named eth0, eth1, eth2,

Secure services Unit-IV CHAP-1

VMware ESX and ESXi Module 3.

New Capabilities of the Web Enabled User Interfaces

Configuring ALSMS Remote Navigation

NTP, Syslog & Secure Shell

Setting-Up and Securing a Server

Chapter 9 Router Configuration (Ospf, Rip) Webmin, usermin Team viewer

APRICOT 2008 Network Management Taipei, Taiwan February 20-24, 2008

FTP - File Transfer Protocol

Vulnerability Scanning With 'lynis'

Log management AfNOG 2008 Rabat, Morocco.

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

Telnet/SSH Connecting to Hosts Internet Technology.

IS3440 Linux Security Unit 4 Securing the Linux Filesystem

Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH

Linux Security.

Welcome to all Participants

Chapter 7 Network Applications

Convergence IT Services Pvt. Ltd

6. Application Software Security

Presentation transcript:

Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means: harder access more work

Verify what services are running netstat or lsof nmap for remote check Turn off unnecessary services Lock-down running services

ssh Several approaches to making this more secure restrict users  only 'users' who need access should have it protocol 2 only changing default port no root access with passwd  login as 'user' and then sudo no passwd access – use keys only Restrictions apply to scp, sftp, rsync etc

ftp No user account access passwords in the clear anonymous logins OK Do you allow uploads? consider isolating upload dir Could you use other protocols for downloads? http, sftp, scp

Other services These will be covered later Apache2 DNS

Firewalls - are they necessary on a server? Yes/No Problems (most attack vectors aimed at open services) False sense of security Useful to protect others from _you_ Useful (in some cases) in case of DDoS attacks Your provider is your real defense

iptables Basics Installing iptables tools in Ubuntu A very simple ruleset Flushing, saving rules Verifying that rules start at system boot

Logging Critical and often overlooked syslog syslog-ng rsyslogd - reliable and extended syslogd Can collect information from many different hosts e.g. servers, routers, switches in one location Must have accurate clocks across systems using NTP

Swatch The swatch utility can assist with logfile analysis, providing immediate notification if log entries matching a regular expression are spotted, or to review logfiles for unknown data There are other options!

User security Strong passwords e.g. qcE8SmQA R2(e{M8T Is shell access necessary? Are user accounts necessary (virtual mailboxes) Use quotas or isolate /home

Filesystem security Options for filesystems: nosuid - Do not set SUID/SGID access on this partition nodev - Do not allow character or special devices on this partition noexec - Do not allow execution of any binaries on this partition ro - Mount file system as readonly quota - Enable disk quota

Filesystem security Consider separate disk partitions for: /home - Set option nosuid, and nodev with diskquota option /usr - Set option nodev /tmp - Set option nodev, nosuid, noexec /var - Set option nodev, nosuid