Security System

Uploaded by

minhgoofleman
Copyright
© © All Rights Reserved

Security

(Topic 110)
Topic objectives
• This topic covers the following exam objectives
– 110.1 Perform security administration tasks
– 110.2 Setup host security
– 110.3 Securing data with encryption
Topic agenda
• Administering Network Security
• Administering Local Security
• Configuring SSH
• Using GPG
Administering Network Security

• Using Super Server Restrictions


• Disabling Unused Servers
Administering Network Security

• Using Super Server Restrictions


– You can employ security checks in the super
daemon to protect the servers it manages.
Linux has two primary super daemons:
• inetd
• xinetd
Administering Network Security
• Configuring inetd
– Config file: /etc/inetd.conf, /etc/inetd.d/
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd -l
• Service Name
• Socket Type: reliable two-way connection (stream), less
reliable connection with less overhead (dgram), low-level
connection to the network (raw)
• Protocol
• Wait/No Wait
• User: username used to run the server
• Server Name: the server’s filename
• Parameters
Administering Network Security

• Controlling Access via TCP Wrappers


– inetd did not call a server directly; instead, inetd
called tcpd
– tcpd
• It checked whether a client was authorized to access the
server
• tcpd then called the server program
– TCP wrappers is configured through two files:
• /etc/hosts.allow and /etc/hosts.deny.
daemon-list : client-list
[...]: 192.168.7. EXCEPT 192.168.7.105
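The decision tcpd makes from the two files, as an added example (not from the original slides and not tcpd's own code). It is a simplified model: IPv4 only, and the daemon name in.ftpd is an assumption standing in for the name the slide elides.

```shell
# Simplified model of the TCP wrappers decision. Client patterns handled: ALL,
# exact IPv4 address, prefix ending in ".", and one "list_1 EXCEPT list_2".
# match_list VALUE "pat pat ..." -> 0 if VALUE matches any pattern
match_list() {
    value=$1
    for pat in $2; do
        case $pat in
            ALL) return 0 ;;
            *.)  case $value in "$pat"*) return 0 ;; esac ;;
            *)   [ "$value" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# match_clients CLIENT "list_1 [EXCEPT list_2]"
match_clients() {
    spec=$(printf '%s' "$2" | tr ',' ' ')
    case $spec in
        *" EXCEPT "*) base=${spec%% EXCEPT *}; except=${spec#* EXCEPT } ;;
        *)            base=$spec; except= ;;
    esac
    match_list "$1" "$base" || return 1
    [ -n "$except" ] && match_list "$1" "$except" && return 1
    return 0
}

# tcpd_decision DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow or deny
tcpd_decision() {
    verdict=allow                       # a match in hosts.allow grants access
    for file in "$3" "$4"; do
        while IFS=: read -r daemons clients rest; do
            case $daemons in ''|'#'*) continue ;; esac
            if match_list "$1" "$daemons" && match_clients "$2" "$clients"; then
                echo "$verdict"; return 0
            fi
        done < "$file"
        verdict=deny                    # second pass: a match in hosts.deny denies
    done
    echo allow                          # no rule in either file: access is granted
}

# Constructed rules; in.ftpd stands in for the daemon name the page elides.
demo=$(mktemp -d)
echo 'in.ftpd : 192.168.7. EXCEPT 192.168.7.105' > "$demo/hosts.allow"
echo 'ALL : ALL' > "$demo/hosts.deny"
for ip in 192.168.7.20 192.168.7.105 10.0.0.5; do
    echo "$ip -> $(tcpd_decision in.ftpd "$ip" "$demo/hosts.allow" "$demo/hosts.deny")"
done
```

The EXCEPT clause only removes 192.168.7.105 from the allow rule; the host is actually refused only because hosts.deny matches it, so an empty hosts.deny would let it through.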
Administering Network Security

• Configuring xinetd
– Xinetd: extended super daemon
• functionality of the legacy inetd
• security options that are similar to those of TCP
wrappers
– Setting Up xinetd
• /etc/xinetd.conf
• /etc/xinetd.d/
Administering Network Security

• Configuring xinetd
– $ cat /etc/xinetd.d/rsync
# default: off
[...]
service rsync
{
disable = yes
flags = IPv6
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
Administering Network Security

• Controlling Access via xinetd


– /etc/xinetd.conf or the server-specific
configuration files
• Network Interface: bind option (bind =
192.168.23.7)
• Allowed IP or Network Addresses: only_from
• Disallowed IP or Network Addresses: no_access
• Access Times: access_time (hour:min-hour:min)
Administering Network Security

• Disabling Unused Servers


– Several audit tools: netstat, lsof, and remote
network scanners.
– Unused servers can be disabled by
uninstalling the package or by reconfiguring
the server
Administering Network Security

• Disabling Unused Servers


– Using netstat.
# netstat -ap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q [...]
tcp 0 0 [...]
tcp 0 0 [...]
tcp 0 0 [...]
tcp 0 0 [...]
tcp 0 0 [...]
tcp 0 0 [...]
tcp 0 0 [...]
tcp 0 0 [...]
[...]
Administering Network Security

• Disabling Unused Servers


– Using lsof.
• The lsof program nominally lists open files.
Administering Network Security

• Disabling Unused Servers


– Using lsof.
• lsof -i [46][protocol][@hostname|hostaddr][:service|port]
# lsof -i :ftp
– Using Remote Network Scanners: nmap
Administering Network Security

• Using fuser:
– Determining the processes currently using a
particular network port.
– To see which process is currently using network port
22, run fuser; add the -v option to see all
of the processes’ information
$ fuser 22/tcp
$ fuser -v 22/tcp
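An added example (not from the original slides) of turning the netstat audit into a check: it compares TCP listeners against an allowlist of expected ports. The function names and the sample output are constructed for illustration; on a live host, pipe `netstat -tlnp` into the function instead.

```shell
# unexpected_listeners "PORT PORT ..." : reads `netstat -tlnp` output on stdin,
# prints "port exposure program" for each TCP listener not in the allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)               # local address without the port
            sub(/.*:/, "", port)                    # port after the last colon
            prog = $7; sub(/^[0-9]+\//, "", prog)   # "640/xinetd" -> "xinetd"
            exposure = (addr == "127.0.0.1" || addr == "::1") ? "local" : "network"
            if (!(port in ok)) print port, exposure, prog
        }' | sort -n -u
}

# Constructed sample of `netstat -tlnp` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      640/xinetd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      955/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 :::873                  :::*                    LISTEN      640/xinetd
EOF
}

# Only SSH is expected on this host; everything else is a candidate to disable.
sample_netstat | unexpected_listeners "22"
```

Listeners marked "local" are bound to loopback only, so the "network" entries are the ones to review first.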
Administering Local Security

• Securing Passwords
• Limiting root Access
• Auditing User Access
• Setting Login, Process, and Memory
Limits
• Locating SUID/SGID Files
Administering Local Security
• Securing Passwords
– Looking at Password Risks
– Change Passwords Frequently
– Use Shadow Passwords
• pwconv
– Keep Passwords Secret
– Use Secure Remote Login Protocols
• telnet, ftp, ssh, sftp
– Be Alert to Shoulder Surfing
• Using public terminals
– Use Each Password on Just One System
– Be Alert to Social Engineering
Administering Local Security

• Choosing a Good Password


– Poor common password
• abcd or 123456, word “password”
• names of family members, friends, and pets
• Favorite books, movies, television shows, …
• Telephone numbers, street addresses
• Any single word that’s found in a dictionary
– The best possible passwords are random
collections of letters, digits, and punctuation.
Administering Local Security

• Choosing a Good Password


– Choose a base that’s easy to remember but difficult to
guess.
– Modify that base in ways that increase the difficulty of
guessing the password.
– Methods:
• two unrelated words
• “yesterday I went to the dentist” become yiwttd
• Adding Numbers or Punctuation
• Mixing Case
• making a password longer
• Using Tools for Password Management
Administering Local Security

• Limiting root Access


– Using su.
• su -c "lsof -i"
– Using sudo.
Administering Local Security

• Auditing User Access


– Determining Who Is Logged On.
Administering Local Security

• Auditing User Access


– Determining Last Access to the System.
• last command
Administering Local Security

• Setting Login, Process, and Memory Limits


– Limits control how much CPU time users can consume, how much
memory they can use, and so on.
– pam_limits
• /etc/security/limits.conf
Syntax: domain type item value
• domain: user, @group, wildcard
• type: soft limit, hard limit
• Limit item: core, fsize, nofile, cpu, nproc, …
– ulimit command.
– /etc/nologin
Administering Local Security

• Locating SUID/SGID Files


– $ sudo find / -perm /6000 -type f
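An added example (not from the original slides) of using the SUID/SGID search as a recurring check: record a baseline once, then report only files that gained a set-ID bit since. The function names and the sandbox directory are constructed so it runs unprivileged; on a real system, DIR would be / and the baseline would be kept somewhere write-protected.

```shell
# list_setid DIR: sorted list of regular files under DIR with SUID or SGID set.
# \( -perm -4000 -o -perm -2000 \) is the portable spelling of GNU find's -perm /6000.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | LC_ALL=C sort
}

# new_setid DIR BASELINE: set-ID files present now but missing from BASELINE.
new_setid() {
    list_setid "$1" | LC_ALL=C comm -13 "$2" -
}

# Constructed sandbox so the example runs unprivileged and offline.
sandbox=$(mktemp -d)
baseline=$(mktemp)
mkdir "$sandbox/bin"
: > "$sandbox/bin/passwd-like";  chmod 4755 "$sandbox/bin/passwd-like"
: > "$sandbox/bin/plain";        chmod 0755 "$sandbox/bin/plain"
list_setid "$sandbox" > "$baseline"          # record the known-good state

: > "$sandbox/bin/dropped";      chmod 4755 "$sandbox/bin/dropped"   # appears later
new_setid "$sandbox" "$baseline"             # prints only the new set-ID file
```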
Configuring SSH

• Understanding SSH Basics


– telnet, vnc (unencrypted)
• Setting SSH Options
– /etc/ssh/sshd_config
• Protocol
• PermitRootLogin
• X11Forwarding
– SSH key
• # ssh-keygen -q -t rsa1 -f /etc/ssh/ssh_host_key -C '' -N ''
• # ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
• # ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
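An added example (not from the original slides) that audits the three sshd_config options listed above. It relies on sshd using the first value it reads for a keyword, so a plain grep can misreport; the flagged values are a common hardening baseline assumed for this example, and the sample file is constructed.

```shell
# effective_opt FILE KEYWORD: value sshd would use for KEYWORD in the global
# section, i.e. the first occurrence before any Match block (lowercased).
effective_opt() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { sub(/=/, " ") }                        # accept "Keyword=value" too
        tolower($1) == "match" { exit }          # Match blocks are conditional
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: print findings, return 1 if any. The flagged values are a
# common hardening baseline chosen for this example, not rules from the page.
audit_sshd() {
    rc=0
    [ "$(effective_opt "$1" PermitRootLogin)" = yes ] &&
        { echo "PermitRootLogin yes: direct root login over SSH"; rc=1; }
    [ "$(effective_opt "$1" X11Forwarding)" = yes ] &&
        { echo "X11Forwarding yes: X11 forwarding enabled"; rc=1; }
    case $(effective_opt "$1" Protocol) in
        *1*) echo "Protocol includes 1: legacy SSH protocol 1 enabled"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sshd_config (not from a real host).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# sample
Protocol 2,1
PermitRootLogin no
X11Forwarding yes
PermitRootLogin yes
Match User backup
    X11Forwarding no
EOF
audit_sshd "$cfg" || echo "review the findings above"
```

The second PermitRootLogin line is not reported because the earlier "no" is the value in effect; on a live host, `sshd -T` prints the effective configuration directly.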
Using GPG

• Generating Keys
• Importing Keys
• Revoking a Key
• Encrypting and Decrypting Data
• Signing Messages and Verifying
Signatures
Using GPG

• Generating Keys
– To generate keys, you use the gpg program
with its --gen-key option:
• $ gpg --gen-key
– Once you’ve generated your keys, you can
export your public key:
• $ gpg --export name > gpg.pub
Using GPG

• Importing Keys
– To encrypt a file you send to others, you must
obtain their public keys:
• $ gpg --import filename
• $ gpg --list-keys
– Once you’ve generated your keys, you can
export your public key:
• $ gpg --export name > gpg.pub
Using GPG
• Revoking a Key
– Sometimes, you might have cause to revoke
a public key:
• $ gpg --gen-revoke [email protected]
• Encrypting and Decrypting Data
– To encrypt data
• $ gpg --out encrypted-file --recipient uid --armor --encrypt original-file
– You can reverse the encryption
• $ gpg --out decrypted-file --decrypt encrypted-file
Using GPG

• Signing Messages and Verifying Signatures
– GPG can be used to sign messages so that
recipients know that they come from you.
• $ gpg --sign original-file
• $ gpg --clearsign original-file
• $ gpg --verify received-file
Checkpoint
1. Which of the following utilities allows you to
scan a system’s network ports and see the
services offered for each port, and you don’t have
to be logged onto the system you are scanning?
A. fuser
B. lsof
C. nmap
D. netstat
E. ss
Checkpoint
2. Nickie needs to scan his system to see what
ports are listening for incoming TCP
connections. He decides to use the netstat
utility. What options should he employ? (Choose
all that apply.)
A. -l
B. -u
C. -s
D. -T
E. -t
Checkpoint
3. Case is trying to lock down an older Linux system. He was
surprised to find that it may be offering FTP services. He
discovers in the /etc/services file that these older FTP
services typically run on ports 20 and 21. What lsof
command should he run to see if there are active
connections to the FTP services?
A. lsof -i UDP
B. lsof -i 20:TCP
C. lsof -i ftp:TCP
D. lsof -i :ftp
E. lsof -i 20:ftp
Checkpoint
4. What is the main difference between using the lsof utility
and the fuser utility to audit network services on your
system?
A. The lsof command utility displays open files on the system.
B. The fuser command utility shows the port and protocol in use.
C. The lsof command utility is deprecated.
D. The fuser command utility shows the process PID using the
port.
E. The lsof command utility shows the port and protocol in use.
Checkpoint
5. Hiro has completed a network service audit of his
systemd systems. He now needs to disable all the
unnecessary network services. What command
should he use?
A. service
B. systemctl
C. chkconfig
D. update-rc.d
E. init
Checkpoint
6. Which of the following is true concerning
passwords on Linux? (Choose all that apply.)
A. Passwords should be stored in the /etc/shadow file.
B. Passwords should be stored in the /etc/passwd file.
C. Passwords are stored as salted hashes.
D. Use the pwconv utility to move passwords to the
/etc/shadow file.
E. Use the passwd command to change your password.
Checkpoint
7. Yoyo is a new system administrator for Virgin
Galactic. She needs to use super user privileges to
perform several of her duties. What should be
done?
A. Give Yoyo the root account password shared by the system
admin team and have her log into the root account via the GUI.
B. Give Yoyo the root account password shared by the system
admin team and have her log into the root account
via the su - command.
C. Give Yoyo the root account password shared by the system
admin team and have her issue commands that need super user
privileges via the su -c command.
D. Set Yoyo up in the /etc/sudoers file and have her issue commands