Introducing Linux Security - Security - Linux All-in-One For Dummies, 5th Edition (2014)


Book VI. Security



Contents at a Glance

Chapter 1: Introducing Linux Security

Chapter 2: Securing Linux

Chapter 3: Computer Security Audits and Vulnerability Testing Types

Chapter 1. Introducing Linux Security

In This Chapter

· Establishing a security policy and framework

· Understanding host security issues

· Understanding network security issues

· Translating computer security terminology

· Keeping up with security news and updates

This chapter explains why you need to worry about security — and offers a high-level view of how to get a handle on security. The idea of an overall security framework is explained and the two key aspects of security — host security and network security — are discussed. This chapter ends by introducing you to the terminology used in discussing computer security.

According to the weighting, 15 percent of the questions on the LX0-102 exam fall under the Security domain. This number should be viewed as being very conservative since so much of administration involves security. You’ll find topics related to it in domains such as Administrative Tasks, Essential System Services, Networking Fundamentals, and so on. Because of that, you’ll find a lot of security-relevant information in the three chapters of Book 6 and in other chapters as well.

Why Worry about Security?

In today’s networked world, you have to worry about your Linux system’s security. For a standalone system or a system used in an isolated local area network (LAN), you have to focus on protecting the system from the users, and the users from one another. In other words, you don’t want a user to modify or delete system files, whether intentionally or unintentionally — and you don’t want a user destroying another user’s files (or their own, if you can prevent it).

Since the odds are good that your Linux system is connected to the Internet, you have to secure the system from unwanted accesses over the Internet. These intruders — or crackers, as they’re commonly known — typically impersonate a user, steal or destroy information, and even deny you access to your own system — known as a Denial of Service (DoS), or Distributed Denial of Service (DDoS), attack.

By its very nature, an Internet connection makes your system accessible to any other system on the Internet. After all, the Internet connects a huge number of networks across the globe. In fact, the client/server architecture of Internet services, such as HTTP (web) and FTP, relies on the wide-open network access the Internet provides. Unfortunately, the easy accessibility of Internet services running on your system also means that anyone on the Net can easily access your system.

If you operate an Internet host that provides information to others, you certainly want everyone to access your system’s Internet services, such as FTP and web servers. However, these servers often have vulnerabilities that crackers may exploit to harm your system. You need to know about the potential security risks of Internet services — and the precautions you can take to minimize the risk of someone exploiting the weaknesses of your FTP or web server.

You also want to protect your company’s internal network from outsiders, even though your goal is to provide information to the outside world through your web or FTP server. You can protect your internal network by setting up an Internet firewall — a controlled-access point to the internal network — and placing the web and FTP servers on a host outside the firewall.

Establishing a Security Framework

The first step in securing your Linux system is to set up a security policy — a set of guidelines that state what you enable users (as well as visitors over the Internet) to do on your Linux system. The level of security you establish depends on how you use the Linux system — and on how much is at risk if someone gains unauthorized access to your system.

If you’re a system administrator for one or more Linux systems at an organization, you probably want to involve company management, as well as the users, in setting up the security policy. Obviously, you can’t create a draconian policy that blocks all access. (That would prevent anyone from effectively working on the system.) On the other hand, if the users are creating or using data valuable to the organization, you have to set up a policy that protects the data from disclosure to outsiders. In other words, the security policy should strike a balance between the users’ needs and the need to protect the system.

For a standalone Linux system or a home system that you occasionally connect to the Internet, the security policy can be just a listing of the Internet services that you want to run on the system and the user accounts that you plan to set up on the system. For any larger organization, you probably have one or more Linux systems on a LAN connected to the Internet — preferably through a firewall. (To reiterate, a firewall is a device that controls the flow of Internet Protocol — IP — packets between the LAN and the Internet.) In such cases, thinking of computer security systematically — across the entire organization — is best. Figure 1-1 shows the key elements of an organization-wide framework for computer security.

Figure 1-1: Start with an organization-wide framework for computer security.

The security framework outlined in Figure 1-1 focuses on

· Determining the business requirements for security

· Performing risk assessments

· Establishing a security policy

· Implementing a cybersecurity solution that includes people, process, and technology to mitigate identified security risks

· Continuously monitoring and managing security

The following sections discuss some of the key elements of the security framework.

Determining business requirements for security

The business requirements for security identify the computer resources and information you have to protect (including any requirements imposed by applicable laws, such as the requirement to protect the privacy of some types of data). Typical security requirements may include items such as the following:

· Enabling access to information by authorized users

· Implementing business rules that specify who has access to what information

· Employing a strong user-authentication system

· Denying execution to malicious or destructive actions on data

· Protecting data from end to end as it moves across networks

· Implementing all security and privacy requirements that applicable laws impose

Performing risk analysis

Risk analysis is all about identifying and assessing risks — potential events that can harm your Linux system. The analysis involves determining the following and performing some analysis to establish the priority for handling the risks:

· Threats: What you’re protecting against

· Vulnerabilities: Weaknesses that may be exploited by threats (these are the risks)

· Probability: The likelihood that a threat will exploit the vulnerability

· Impact: The effect of exploiting a specific vulnerability

· Mitigation: What to do to reduce vulnerabilities

Typical threats

Some typical threats to your Linux system include the following:

· Denial of Service: The computer and network are tied up so legitimate users can’t make use of the systems. For businesses, Denial of Service (DoS) can mean a loss of revenue. Since bringing a system to its knees with a single computer attack is a bit of a challenge these days, the more common tactic is to point a number of computers at a single site and let them do the dirty work. While the purpose and result are the same as ever, this ganging up is referred to as a Distributed Denial of Service (DDoS) attack because more than one computer is attacking the host.

· Unauthorized access: Use of the computer and network by someone who isn’t an authorized user. The unauthorized user can steal information or maliciously corrupt or destroy data. Some businesses may be hurt by the negative publicity resulting from the mere act of an unauthorized user gaining access to the system, even if the data shows no sign of explicit damage.

· Disclosure of information to the public: The unauthorized release of information to the public. For example, the disclosure of a password file enables potential attackers to figure out username and password combinations for accessing a system. Exposure of other sensitive information, such as financial and medical data, may be a potential liability for a business.

Typical vulnerabilities

The threats to your system and network come from exploitation of vulnerabilities in your organization’s resources — both computer and people. Some common vulnerabilities follow:

· People’s foibles (divulging passwords, losing security cards, and so on)

· Internal network connections (routers, switches)

· Interconnection points (gateways — routers and firewalls — between the Internet and the internal network)

· Third-party network providers (ISPs, long-distance carriers) with looser security

· Operating system security holes (potential holes in Internet servers, such as those associated with sendmail, named, and bind)

· Application security holes (known weaknesses in specific applications)

The 1-2-3 of risk analysis (probability and effect)

To perform risk analysis, assign a numeric value to the probability and effect of each potential vulnerability. To develop a workable risk analysis, do the following for each vulnerability or risk:

1. Assign subjective ratings of low, medium, and high to the probability. As the ratings suggest, low probability means a lesser chance that the vulnerability will be exploited; high probability means a greater chance.

2. Assign similar ratings to the effect. What you consider the effect is up to you. If the exploitation of a vulnerability will affect your business greatly, assign it a high effect rating.

3. Assign a numeric value to the three levels — low = 1, medium = 2, and high = 3 — for both probability and effect.

4. Multiply the probability by the effect — you can think of this product as the risk level. Then make a decision to develop protections for vulnerabilities that exceed a specific threshold for the product of probability and effect. For example, you may choose to handle all vulnerabilities that have a probability-times-effect value greater than 6.

If you want to characterize the probability and effect with finer gradations, use a scale of 1 through 5 (for example) instead of 1 through 3, and follow the same steps as before.
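The four steps above carried through in code, as an added example that is not from the book: the rating-to-number mapping, the probability-times-effect product, and the greater-than-6 cutoff, run over a constructed register built from the vulnerability classes this chapter lists. Passing a different rating table gives the finer 1-through-5 scale; the labels for that scale are an assumption, since the chapter gives only the numbers.

```python
"""The chapter's 1-2-3 risk analysis as code (added example, not from the book).

Ratings map to numbers, the product probability x effect is the risk level,
and vulnerabilities whose level exceeds a threshold are the ones to mitigate.
"""

# The chapter's three-level scale: low = 1, medium = 2, high = 3.
SCALE_3 = {"low": 1, "medium": 2, "high": 3}

# The finer 1-through-5 scale the chapter mentions. The chapter gives only the
# numbers; these labels are an assumption made for this example.
SCALE_5 = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def risk_level(probability, effect, scale=SCALE_3):
    """Return probability x effect for two ratings on the given scale.

    An unknown rating raises ValueError instead of scoring as zero, so a typo
    in the register cannot silently drop a vulnerability below the threshold.
    """
    try:
        return scale[probability.lower()] * scale[effect.lower()]
    except KeyError as exc:
        raise ValueError(
            f"unknown rating {exc.args[0]!r}; expected one of {sorted(scale)}"
        ) from exc


def prioritize(register, threshold=6, scale=SCALE_3):
    """Score a register and return the entries that need protections.

    register: iterable of (vulnerability, probability, effect).
    Returns (risk_level, vulnerability) pairs, highest level first (ties in
    name order), keeping only levels strictly greater than the threshold,
    which is how the chapter phrases its "greater than 6" rule.
    """
    scored = [(risk_level(p, e, scale), name) for name, p, e in register]
    selected = [entry for entry in scored if entry[0] > threshold]
    return sorted(selected, key=lambda entry: (-entry[0], entry[1]))


# Constructed sample register using the vulnerability classes this chapter lists.
SAMPLE_REGISTER = [
    ("Users divulging passwords", "high", "high"),
    ("Unpatched sendmail on the mail server", "medium", "high"),
    ("Misconfigured firewall gateway", "high", "medium"),
    ("ISP with looser security", "low", "high"),
    ("Known weakness in an internal application", "medium", "medium"),
    ("Switch misconfiguration on the internal LAN", "low", "low"),
]

if __name__ == "__main__":
    print("Vulnerabilities with probability x effect > 6:")
    for level, name in prioritize(SAMPLE_REGISTER):
        print(f"  {level:>2}  {name}")
    print("Lowering the threshold to 5 selects:")
    for level, name in prioritize(SAMPLE_REGISTER, threshold=5):
        print(f"  {level:>2}  {name}")
```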

Establishing a security policy

Using risk analysis and any business requirements that you may have to address (regardless of risk level) as a foundation, you can craft a security policy for the organization. Such a security policy typically addresses high-level objectives such as ensuring the confidentiality, integrity, and availability of data and systems.

The security policy typically addresses the following areas:

· Authentication: What method is used to ensure that a user is the real user? Who gets access to the system? What is the minimum length and complexity of passwords? How often do users change passwords? How long can a user be idle before that user is logged out automatically?

· Authorization: What can different classes of users do on the system? Who can have the root password?

· Data protection: What data must be protected? Who has access to the data? Is encryption necessary for some data?

· Internet access: What are the restrictions on users (from the LAN) accessing the Internet? What Internet services (such as web, Internet Relay Chat, and so on) can users access? Are incoming e-mails and attachments scanned for viruses? Is there a network firewall? Are virtual private networks (VPNs) used to connect private networks across the Internet?

· Internet services: What Internet services are allowed on each Linux system? Are there any file servers, mail servers, or web servers? What services run on each type of server? What services, if any, run on Linux systems used as desktop workstations?

· Security audits: Who tests whether the security is adequate? How often is the security tested? How are problems found during security testing handled?

· Incident handling: What are the procedures for handling any computer security incidents? Who must be informed? What information must be gathered to help with the investigation of incidents?

· Responsibilities: Who is responsible for maintaining security? Who monitors log files and audit trails for signs of unauthorized access? Who maintains the security policy?

Implementing security solutions (mitigation)

After you analyze the risks — vulnerabilities — and develop a security policy, you have to select the mitigation approach: how to protect against specific vulnerabilities. This is where you develop an overall security solution based on security policy, business requirements, and available technology — a solution that makes use of people, process, and technology and includes the following:

· Services (authentication, access control, encryption)

· Mechanisms (username and password, firewalls)

· Objects (hardware, software)

Because it’s impossible to protect computer systems from all attacks, solutions identified through the risk management process must support three integral concepts of a holistic security program:

· Protection: Provides countermeasures such as policies, procedures, and technical solutions to defend against attacks on the assets being protected.

· Detection: Monitors for potential breakdowns in the protective measures that could result in security breaches.

· Reaction or Response: Responds to detected breaches to thwart attacks before damage occurs; often requires human involvement.

Because absolute protection from attacks is impossible to achieve, a security program that doesn’t incorporate detection and reaction is incomplete.

Managing security

In addition to implementing security solutions, you have to install security management that continually monitors, detects, and responds to any security incidents.

The combination of the risk analysis, security policy, security solutions, and security management provides the overall security framework. Such a framework helps establish a common level of understanding of security concerns — and a common basis for the design and implementation of security solutions.

Securing Linux

After you define a security policy, you can proceed to secure the system according to the policy. The exact steps depend on what you want to do with the system, whether the system is a server or workstation, and how many users must access the system.

To secure the Linux system, you have to handle two broad categories of security issues:

· Host-security issues: These issues relate to securing the operating system and the files and directories on the system.

· Network-security issues: These issues refer to the threat of attacks over the network connection.

If your host is connecting to a large network, Directory Services can become a significant issue. Directory Services security is outside the scope of this book, but you can find a number of sources addressing the issue with a Google search.

Understanding the host-security issues

Here are some high-level guidelines to address host security. (I cover some of these topics in detail in Chapter 2 of this minibook.)

· When installing Linux, select only the package groups that you need for your system. Don’t install unnecessary software. For example, if your system is used as a workstation, you don’t have to install most of the servers (web server, news server, and so on).

· Create initial user accounts and make sure that all passwords are strong enough that password-cracking programs can’t guess them. Linux includes tools to enforce strong passwords.

· Set file ownerships and permissions to protect important files and directories.

· If mandatory access-control capabilities are available, enable them. Support for this feature has been incorporated, through Security Enhanced Linux (SELinux), since kernel 2.6.

· Use the GNU Privacy Guard (GnuPG) to encrypt or decrypt files with sensitive information and to authenticate files that you download from the Internet. GnuPG comes with Linux, and you can use the gpg command to perform tasks such as encrypting or decrypting a file and digitally signing a file. (See Chapter 2 of this minibook for an explanation of digital signatures.)

· Use file-integrity checking tools, such as Tripwire, to monitor any changes to crucial system files and directories. Visit www.tripwire.com for the commercial version.

· Periodically, check various log files for signs of any break-ins or attempted break-ins. These log files are in the /var/log directory of your system.

· Install security updates as soon as they are available and tested. These security updates fix known vulnerabilities in Linux. Be sure to test the update on nonproduction machines before rolling it out to your production servers.
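Two of the guidelines above in runnable form, as an added example that is not code from the book: an inventory of setuid and setgid executables (the permission check most worth repeating, since those are the programs crackers target) and a summary of failed SSH logins from /var/log-style auth lines. The log layout assumed is OpenSSH’s "Failed password" message, and the sample log lines are constructed.

```python
"""Host-security checks drawn from this chapter's guidelines (added example,
not code from the book).

find_setuid_files(root): regular files under root with the setuid or setgid
    bit set. Keep the list and diff it after every change; a new entry is a
    change in who can run what as whom.
failed_logins(lines): failed SSH password attempts per source address, the
    kind of "attempted break-in" sign the chapter says to look for in /var/log.
"""
import os
import re
import stat
from collections import Counter


def has_setuid_or_setgid(mode):
    """True if a stat mode carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setuid_files(root):
    """Return sorted paths of regular files with setuid/setgid set under root.

    Symlinks are not followed and unreadable entries are skipped, so the walk
    also works as an unprivileged user (it just sees less).
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and has_setuid_or_setgid(st.st_mode):
                found.append(path)
    return sorted(found)


# OpenSSH's rejected-password message. The layout is an assumption about your
# distribution's auth log; adjust the pattern if your sshd logs differently.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def failed_logins(lines, min_attempts=1):
    """Count failed SSH password attempts per source address.

    Returns (source, attempts, sorted usernames tried) tuples, most attempts
    first, dropping sources below min_attempts.
    """
    per_src = Counter()
    users = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        per_src[src] += 1
        users.setdefault(src, set()).add(m.group("user"))
    return [
        (src, n, sorted(users[src]))
        for src, n in per_src.most_common()
        if n >= min_attempts
    ]


# Constructed sample auth-log lines in traditional syslog layout.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:09 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:12 web1 sshd[2235]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar  3 02:15:01 web1 CRON[2240]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 02:16:40 web1 sshd[2251]: Failed password for alice from 192.0.2.10 port 40012 ssh2
Mar  3 02:16:45 web1 sshd[2251]: Accepted password for alice from 192.0.2.10 port 40012 ssh2
""".splitlines()

if __name__ == "__main__":
    for src, n, names in failed_logins(SAMPLE_AUTH_LOG, min_attempts=2):
        print(f"{src}: {n} failed attempts, users tried: {', '.join(names)}")
    for path in find_setuid_files("/usr/bin"):
        print("setuid/setgid:", path)
```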

Understanding network-security issues

The issue of security comes up as soon as you connect your organization’s internal network to the Internet. You need to think of security even if you connect a single computer to the Internet, but security concerns are more pressing when an entire internal network is opened to the world.

If you’re an experienced system administrator, you already know that the cost of managing an Internet presence doesn’t worry corporate management; their main concern is security. To get your management’s backing for the website, you have to lay out a plan to keep the corporate network secure from intruders.

You may think that you can avoid jeopardizing the internal network by connecting only external servers, such as web and FTP servers, to the Internet. However, employing this simplistic approach isn’t wise. It’s like deciding not to drive because you may have an accident. Not having a network connection between your web server and your internal network also has the following drawbacks:

· You can’t use network file transfers, such as FTP, to copy documents and data from your internal network to the web server.

· Users on the internal network can’t access the corporate web server.

· Users on the internal network don’t have access to web servers on the Internet. Such a restriction makes a valuable resource — the web — inaccessible to the users in your organization.

A practical solution to this problem is to set up an Internet firewall and to put the web server on a highly secured host outside the firewall.

In addition to using a firewall, here are some other steps to take to address network security. (I explain these further in Chapter 2 of this minibook.)

· Enable only those Internet services you need on a system. In particular, don’t enable services that aren’t properly configured.

· Use Secure Shell (ssh) for remote logins. Don’t use the r commands, such as rlogin and rsh.

· Secure any Internet services, such as FTP or TELNET, that you want to run on your system. You can use the TCP wrapper access-control files — /etc/hosts.allow and /etc/hosts.deny — to secure some of these services. (See Chapter 3 of this minibook for more on the TCP wrapper.)

· Promptly fix any known vulnerabilities of Internet services that you choose to run. Typically, you can download and install the latest security updates from your Linux distribution’s online update sites.

Delving into Computer Security Terminology and Tools

Computer books, magazine articles, and experts on computer security use a number of terms that you need to know in order to understand discussions about computer security (and to communicate effectively with security vendors).

Table 1-1 describes some of the commonly used computer security terms. If you’re taking the LX0-102 exam, port scanning and setuid are important.

Table 1-1 Common Computer Security Terminology

· Application gateway: A proxy service that acts as a gateway for application-level protocols, such as FTP, HTTP, NNTP, and SSH.

· Authentication: The process of confirming that a user is indeed who he or she claims to be. The typical authentication method is a challenge-response method wherein the user enters a username and secret password to confirm his or her identity.

· Backdoor: A security weakness that a cracker places on a host to bypass security features.

· Bastion host: A highly secured computer that serves as an organization’s main point of presence on the Internet. A bastion host typically resides on the perimeter network, but a dual-homed host (with one network interface connected to the Internet and the other to the internal network) is also a bastion host.

· Buffer overflow: A security flaw in a program that enables a cracker to send an excessive amount of data to that program and to overwrite parts of the running program with code in the data being sent. The result is that the cracker can execute arbitrary code on the system and possibly gain access to the system as a privileged user. The new exec-shield feature of the Linux kernel protects against buffer overflows.

· Certificate: An electronic document that identifies an entity (such as an individual, an organization, or a computer) and associates a public key with that identity. A certificate contains the certificate holder’s name, a serial number, an expiration date, a copy of the certificate holder’s public key, and the digital signature of the certificate authority so a recipient can verify that the certificate is real.

· Certificate authority (CA): An organization that validates identities and issues certificates.

· Confidentiality: Of data, a state of being accessible to no one but authorized users (usually achieved by encryption).

· Cracker: A person who breaks into (or attempts to break into) a host, often with malicious intent.

· Decryption: The process of transforming encrypted information into its original, intelligible form.

· Denial of Service (DoS): An attack that uses so many of the resources on your computer and network that legitimate users can’t access and use the system. From a single source, the attack overwhelms the target computer with messages and blocks legitimate traffic. It can prevent one system from being able to exchange data with other systems or prevent the system from using the Internet.

· Digital signature: A one-way MD5 (Message Digest algorithm 5) or SHA-1 (Secure Hash Algorithm-1) hash of a message encrypted with the private key of the message originator, used to verify the integrity of a message and ensure nonrepudiation.

· Distributed Denial of Service (DDoS): A variant of the Denial of Service attack that uses a coordinated attack from a distributed system of computers rather than a single source. It often makes use of worms to spread to — and take control of — multiple computers that can then attack the target.

· DMZ: Another name for the perimeter network. (DMZ originally stood for demilitarized zone, the buffer zone separating the warring North and South in Korea and Vietnam.)

· Dual-homed host: A computer with two network interfaces (think of each network as a home).

· Encryption: The process of transforming information so it’s unintelligible to anyone but the intended recipient. The transformation is performed by a mathematical operation between a key and the information.

· Exploit tools: Publicly available and sophisticated tools that intruders of various skill levels can use to determine vulnerabilities and gain entry into targeted systems.

· Firewall: A controlled-access gateway between an organization’s internal network and the Internet. A dual-homed host can be configured as a firewall.

· Hash: The result when a mathematical function converts a message into a fixed-size numeric value known as a message digest (or hash). The MD5 algorithm, for example, produces a 128-bit message digest; SHA-1 generates a 160-bit message digest. The hash of a message is encrypted with the private key of the sender to produce the digital signature.

· Host: A computer on a network that’s configured to offer services to other computers on the network.

· Integrity: Of received data, a state of being the same as originally sent (that is, unaltered in transit).

· IP spoofing: An attack in which a cracker figures out the IP address of a trusted host and then sends packets that appear to come from the trusted host. The attacker can send packets but can’t see responses. However, the attacker can predict the sequence of packets and essentially send commands that set up a backdoor for future break-ins.

· IPSec (IP Security Protocol): A security protocol for the network layer of the OSI networking model, designed to provide cryptographic security services for IP packets. IPSec provides encryption-based authentication, integrity, access control, and confidentiality. (For information on IPSec for Linux, visit www.ipsec-howto.org.)

· Logic bombs: A form of sabotage in which a programmer inserts code that causes the program to perform a destructive action when some triggering event occurs, such as terminating the programmer’s employment.

· Nonrepudiation: A security feature that prevents the sender of data from being able to deny ever having sent the data.

· Packet: A collection of bytes, assembled according to a specific protocol, that serves as the basic unit of communication on a network. On TCP/IP networks, for example, the packet may be referred to as an IP packet or a TCP/IP packet.

· Packet filtering: Selective blocking of packets according to type of packet (as specified by the source and destination IP address or port).

· Perimeter network: A network between the Internet and the protected internal network. The perimeter network (also known as DMZ) is where the bastion host resides.

· Port scanning: A method of discovering which ports are open (in other words, which Internet services are enabled) on a system, performed by sending connection requests to the ports, one by one. This procedure is usually a precursor to further attacks; two port-scanning tools to know are nmap and netstat.

· Proxy server: A server on the bastion host that enables internal clients to access external servers (and enables external clients to access servers inside the protected network). There are proxy servers for various Internet services, such as FTP and HTTP.

· Public key cryptography: An encryption method that uses a pair of keys — a private key and a public key — to encrypt and decrypt the information. Anything encrypted with the public key is decrypted only with the corresponding private key, and vice versa.

· Public Key Infrastructure (PKI): A set of standards and services that enables the use of public key cryptography and certificates in a networked environment. PKI facilitates tasks such as issuing, renewing, and revoking certificates, and generating and distributing public and private key pairs.

· Screening router: An Internet router that filters packets.

· setuid program: A program that runs with the permissions of the owner regardless of who runs the program. For example, if root owns a setuid/suid program, that program has root privileges regardless of who started the program. Crackers often exploit vulnerabilities in setuid programs to gain privileged access to a system. Similarly, sgid programs are used to run with the permissions of the group, regardless of who runs the program, and have their own similar vulnerabilities.

· Sniffer: Synonymous with packet sniffer — a program that intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text.

· Spyware: Any software that covertly gathers user information through the user’s Internet connection and usually transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers. Spyware is similar to a Trojan horse in that users are tricked into installing spyware when they install something else.

· Symmetric key encryption: An encryption method wherein the same key is used to encrypt and decrypt the information.

· Threat: An event or activity, deliberate or unintentional, with the potential for causing harm to a system or network.

· Trojan horse: A program that masquerades as a benign program but is really a backdoor used for attacking a system. Attackers often install a collection of Trojan horse programs that enable the attacker to freely access the system with root privileges, yet hide that fact from the system administrator. Such collections of Trojan horse programs are called rootkits.

· Virus: A self-replicating program that spreads from one computer to another by attaching itself to other programs.

· Vulnerability: A flaw or weakness that may cause harm to a system or network.

· War-dialing: Simple programs that dial consecutive phone numbers looking for modems.

· War-driving: A method of gaining entry into wireless computer networks that uses a laptop, antennas, and a wireless network card and involves patrolling locations to gain unauthorized access.

· Worm: A self-replicating program that copies itself from one computer to another over a network.

Table 1-2 lists some of the commonly used computer security-related tools. Some of these you’ve seen before, because they were discussed in other chapters where they related to the topics there; others are new because they are relevant to security only.

Table 1-2 Common Computer Security Tools

· chage: With this command, you can modify the time between required password changes (both minimum and maximum number of days), the number of days of warning to be given that a change must be made, and the expiration date.

· find: One of the most powerful all-around tools, this command allows you to find almost anything on a machine if you can come up with the right syntax. Among the plethora of choices, you can find files created by a user, by a group, on a certain date, or with certain permissions.

· lsof: An acronym for list open files, this utility does just that. Depending on the parameters used, you can choose to see files opened by a process or by a user.

· netstat: To see the status of the network, including network connections, routing tables, and statistics per interface, this tool does it all. A similar command, ss, is intended to replace much of the functionality here.

· nmap: This tool is used to scan the network and essentially create a map of what is available on it. This capability makes it an ideal tool for port scanning and security auditing.

· passwd: A utility (not the file by the same name that holds user account information) with which users can change their passwords at the command line whenever necessary. Many users don’t know this utility exists, so they change their passwords only when required, through one of the graphical interface tools.

· su: To temporarily become another user, su can be used within the current user’s session. Another shell is created; upon exiting from this second shell, the user goes back to the original session. This utility can be used to become the root user or any other user (provided the corresponding password is given).

· sudo: Instead of creating a new session (as su requires) to perform a job with elevated privileges, sudo enables the user to just run that task.

· ulimit: Resource limits on shells can be set or viewed using this command to keep one user from excessively hogging system resources.

· usermod: This utility can be thought of as an enhanced version of chage. Not only can it be used to set/change password expiration parameters, it can also be used to specify a default shell, lock/unlock an account, and so on.

Keeping Up with Security News and Updates

To keep up with the latest security alerts, you may want to visit one or both of the following sites on a daily basis:

· CERT Coordination Center (CERT/CC) at www.cert.org

· United States Computer Emergency Readiness Team (US-CERT) at www.us-cert.gov

If you prefer to receive regular security updates through e-mail, you can also sign up for (subscribe to) various mailing lists:

· Focus on Linux: Fill out the form at www.securityfocus.com/archive to subscribe to this mailing list focused on Linux security issues.

· US-CERT National Cyber Alert System: Follow the directions at www.us-cert.gov to subscribe to this mailing list. The Cyber Alert System features four categories of security information through its mailing lists:

· Technical Cyber Security Alerts: Alerts that provide technical information about vulnerabilities in various common software products.

· Cyber Security Alerts: Alerts sent when vulnerabilities affect the general public. Each alert outlines the steps and actions that nontechnical home and corporate computer users can take to protect themselves from attacks.

· Cyber Security Bulletins: Biweekly summaries of security issues and new vulnerabilities along with patches, workarounds, and other actions that users can take to help reduce risks.

· Cyber Security Tips: Advice on common security issues for nontechnical computer users.

Finally, check your distribution’s website for updates that may fix any known security problems with that distribution:

· In Debian and Ubuntu, you can update the system with the commands apt-get update followed by apt-get upgrade.

· For Fedora, the website is http://fedoraproject.org.

· In SUSE, use YaST Online Update to keep your system up to date.

· In Xandros, obtain the latest updates from Xandros Networks.