Miloš Kukoleča
CNMS Workshop, Prague
Best Practice Document
Securing Linux Servers
25 - 26 April 2016
• The majority of production servers in the academic environment run Linux
• There is a lack of server-security documentation in the academic community
• Security awareness is not at a high level
• Security challenges are on the rise
• The technical background of academic IT staff is very diverse, ranging up to advanced sysadmins
Motivation
• Experience of sysadmins in academic institutions is invaluable
• The knowledge, common problems, solutions and best practices of academic sysadmins formed this BPD
• A meeting with the academic technical community produced the draft of the document
Server (Linux OS) Management
• Choose a suitable installation: standard, specific or minimal? (a minimal installation leaves fewer services to disable later)
• Disable and remove unnecessary services
• Keep the OS and its services updated
• Distribute production services across the available Linux servers
• Provide secure communication with the Linux server
• Remote access
• File transfer
• Web access (if needed)
• Telnet vs SSH: use SSH, Telnet sends credentials in clear text
• FTP vs SCP/SFTP: use SCP/SFTP, FTP sends credentials in clear text
• HTTP vs HTTPS: use HTTPS for any administrative or login page
• Use trusted SSL/TLS certificates (issued by a CA the clients already trust, so users are not trained to click through warnings)
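The remote-access advice above, turned into sshd_config settings as an added example (this is not a configuration from the BPD): the weak settings that a default or hastily installed server often carries, next to their corrected form. The file path and the group name sshusers are assumptions.

```conf
# Added example, not from the BPD. File path assumed: /etc/ssh/sshd_config (OpenSSH).

## Weak settings (commented out here): root reachable over the network,
## passwords accepted, so every exposed account is a guessing target
# PermitRootLogin yes
# PasswordAuthentication yes
# X11Forwarding yes

## Corrected settings
## log in as a named user, escalate with sudo
PermitRootLogin no
## keys only; removes the password-guessing target entirely
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
## assumed group name: only its members may log in at all
AllowGroups sshusers
## shrink the window a guesser gets per connection
LoginGraceTime 30
MaxAuthTries 3
```

Validate the file with `sshd -t` before restarting the service, and keep an existing session open while testing so that a mistake cannot lock you out.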
Secure management
• Sometimes Linux servers use a remote filesystem
• The data is transferred over the network
• This data needs to be protected in transit
• Sysadmins are advised to use SSHFS
• SSHFS uses the SFTP protocol (over SSH) to transfer data to and from the remote filesystem securely
• Usually the weakest link in the security chain is the user ☺
• Create and maintain a strict and clear user management policy
• DO NOT use the root account for everyday work
• Enforce the policy „ONE USER = ONE ACCOUNT“ (no shared logins, so every action can be traced to a person)
• Enforce a secure password structure
• Lock or remove unused accounts
• Use sudo access (if suitable) instead of logging in as root
• Centralised management of user accounts is good practice when administering several Linux servers
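Two of the checks behind the account advice above, as an added example (not a script from the BPD): finding extra UID 0 accounts, which are second root logins, and accounts with an empty password field. It runs over constructed passwd and shadow content so it can be tried offline; on a real server feed it /etc/passwd and /etc/shadow (the latter needs root). The usernames and hashes are made up.

```shell
#!/bin/sh
# Added example, not from the BPD. Audits passwd/shadow style input for
# duplicate root accounts and passwordless accounts and prints remediation
# commands for review (nothing is executed).

# Constructed sample data (not from a real system); hashes are placeholders.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
backup:x:0:0:emergency:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
shared:x:1002:1002:lab shared account:/home/shared:/bin/bash'

SAMPLE_SHADOW='root:$6$placeholder:17000:0:99999:7:::
backup:$6$placeholder:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
alice:$6$placeholder:17000:0:99999:7:::
shared::17000:0:99999:7:::'

# extra_uid0_accounts  (passwd on stdin)
# Every account other than root with UID 0 is a second root login: it
# defeats ONE USER = ONE ACCOUNT and any audit trail.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# empty_password_accounts  (shadow on stdin)
# An empty second field means login with no password at all. Locked
# accounts ("!" or "*" in that field) are fine and are not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }'
}

# remove_commands / lock_commands  (usernames on stdin)
# Printed for review: a UID 0 duplicate should go away once confirmed
# unneeded; a passwordless account is locked until its owner sets one.
remove_commands() {
    while read -r user; do
        printf 'userdel %s\n' "$user"
    done
}
lock_commands() {
    while read -r user; do
        printf 'usermod -L %s\n' "$user"
    done
}

printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts | remove_commands
printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts | lock_commands
```

On the sample this reports backup (a second UID 0 account) and shared (no password). The same awk one-liners are the kind of thing a nightly cron job can mail only when its output is non-empty, in line with the notification advice later in the deck.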
• Security at all layers of the TCP/IP protocol stack:
• L2: arpwatch (watches Ethernet/IP pairings and reports changes such as ARP spoofing)
• L3, L4: iptables (packet filtering)
• L7: Fail2Ban
• Kernel security: SELinux, AppArmor (mandatory access control)
• Fail2Ban protects applications by monitoring their log files and blocking sources that repeatedly fail, typically with iptables rules
• The key to successful Linux management is gathering useful information
• Useful info:
• Service status
• Network activity
• Use of system resources
• User activity (who, when, from where, what...)
• Syslog, Syslog-ng and SNMP are suitable tools for monitoring and diagnostics
• Sysadmins are advised to set up an email notification system
• Reports on failed script runs
• Reports on process resource consumption
• Reports on reaching resource-consumption thresholds
• Email notifications should be sent only when something is wrong
• Don't get overwhelmed by emails reporting that everything is OK ☺
Notifications and alarms
• Backups are essential for handling security incidents and for disaster recovery
• A virtual environment makes backup procedures considerably easier (whole machines can be snapshotted)
• A non-virtual environment brings the main challenge: what to back up?
• The key is to develop a backup strategy
• Define the data that should be copied
• Define the backup technique
• Define the backup frequency
• Define the backup cycle
• Define how long backups are kept
Backup
• Attempts to guess user credentials (brute-force and dictionary attacks) are the most common attacks on the Internet
• Open ports are scanned and typical usernames are tried in the attack (root, admin, john, etc.)
• The dictionaries used in these attacks are becoming more sophisticated
• Solution
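The log-watching idea behind Fail2Ban (mentioned earlier in the deck as the L7 protection) applied to the credential-guessing attack described above, as an added example written for this page rather than taken from the BPD or from Fail2Ban itself: count "Failed password" events per source address in sshd log lines and turn repeat offenders into firewall rules. The log lines are constructed (RFC 5737 test addresses), the threshold is a parameter, and the iptables rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example, not from the BPD: a minimal Fail2Ban-style detector over
# sshd log lines using POSIX shell and awk.

# Constructed sample of /var/log/auth.log lines (not from a real server).
SAMPLE_LOG='Apr 25 10:01:02 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 25 10:01:04 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr 25 10:01:05 srv sshd[1205]: Accepted publickey for alice from 192.0.2.10 port 50010 ssh2
Apr 25 10:01:06 srv sshd[1207]: Failed password for invalid user john from 203.0.113.7 port 51240 ssh2
Apr 25 10:01:09 srv sshd[1209]: Failed password for alice from 198.51.100.23 port 40001 ssh2
Apr 25 10:01:11 srv sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Apr 25 10:01:15 srv sshd[1213]: Failed password for alice from 198.51.100.23 port 40003 ssh2'

# find_bruteforcers MAXRETRY  (log on stdin)
# Matches only sshd "Failed password" lines (both real and "invalid user"
# attempts), takes the address after the word "from", and prints
# "<ip> <failures>" for every source at or above MAXRETRY, sorted by ip.
find_bruteforcers() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' | sort
}

# ban_rules  (output of find_bruteforcers on stdin)
# One DROP rule per offender, inserted at the top of INPUT, the same idea
# as Fail2Ban's firewall action. Pipe the output into sh only after reading it.
ban_rules() {
    while read -r ip count; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
    done
}

printf '%s\n' "$SAMPLE_LOG" | find_bruteforcers 3 | ban_rules
```

With the threshold at 3, only 203.0.113.7 (four failures) is banned; 198.51.100.23 (two failures, possibly a user mistyping) is left alone, and the successful key login from 192.0.2.10 is never counted. A real deployment also needs an expiry for the rules and an allow-list for your own management addresses, otherwise a spoofed or mistyped login can lock out the sysadmin.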
• A DNS amplification attack exploits open resolvers
• Open resolvers are used as intermediaries (reflectors) in these attacks
• The attacker spoofs the victim's IP address as the source and sends DNS queries to the open resolver
• The victim receives the DNS server's replies
• This is unwanted traffic
• Amplification factor: a small amount of bandwidth invested on the attacker's side produces much larger responses from the open resolvers
• Solution:
• Restrict recursion to clients in the local network only
Common attacks – DNS amplification
• The NTP protocol enables time synchronisation throughout the network
• The amplification factor is similar to that of the DNS amplification attack
• The attacker spoofs the victim's IP address and sends the monlist command, which returns a list of up to the last 600 clients that talked to the server
• A vulnerable NTP server responds and sends this unwanted traffic to the victim
• Solution:
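The two mitigations from the DNS and NTP amplification slides above, as added example configuration for BIND 9 and ntpd (these fragments are not from the BPD). Each shows the weak setting, commented out, next to the corrected one. File paths and the 192.0.2.0/24 network are assumptions; replace the ACL with your own campus ranges.

```conf
# Added example, not from the BPD. Paths assumed:
# /etc/bind/named.conf.options (BIND 9) and /etc/ntp.conf (ntpd).

## --- BIND: do not be an open resolver ---
## Weak: recursion for everyone, so any spoofed query gets a large answer
## sent to the victim
# options {
#     recursion yes;
#     allow-recursion { any; };
# };

## Corrected: recursive service only for the local networks (example ranges)
acl "trusted" { 127.0.0.0/8; ::1; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
## On a purely authoritative server use "recursion no;" instead.

## --- ntpd: no monlist for the Internet ---
## Weak: the usual default line still allows mode-7 control queries
## such as monlist from any address
# restrict default kod nomodify notrap nopeer

## Corrected: serve time, refuse control and monitor queries from everyone,
## and switch off the monitor facility that monlist reads from
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
```

After reloading, check from a host outside the trusted networks: `dig @your.server example.com` should be refused rather than answered, and `ntpq -c monlist your.server` should time out or report that the request was rejected. Upgrading ntpd to a release that no longer implements monlist removes the problem independently of the configuration.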
• BPDs should be written in close collaboration with sysadmins in academic institutions
• The main aim of the „Securing Linux Servers“ BPD is to give a general overview of Linux security, not to serve as a cookbook
• „Securing Linux Servers“ is a good starting point for a number of spin-off documents that would explain in detail the protection of major network services
• Not to be forgotten: server protection is not a one-time effort but a lasting process that continues as long as the server is in use
Thank you