Linux Securities

Submitted By SnackHappy
Securing a system that is exposed to the internet is paramount in the world of servers. Linux has many layers of ever-evolving security to keep up with would-be attackers in cyberspace. This is one of the reasons that Linux is one of the most widely used server operating systems for internet sites and has few viruses engineered against it.
iptables

Developed by the Netfilter organization, the iptables package for Linux is an evolution of ipchains, which in turn came from the IPv4 Linux firewall package. Paul Russell was the initial head author of the organization and was also behind the ipchains project. The Netfilter organization began to come together in 1999 and, through collaboration and research, recognized the shortcomings of the ipchains package and developed this new product to address those concerns and make the needed improvements. The improvements in the new iptables package raised both performance and overall security. Better integration with the kernel led to improved speed and reliability, but the true value came from the new security features. Stateful packet inspection lets the firewall keep track of every connection passing through it, which allows better monitoring; it can even inspect certain packet contents and anticipate the behaviour of certain protocols. The ability to filter packets based on MAC address and TCP header flags helps prevent attacks that use malformed packets, and a rate-limiting feature is designed to blunt some denial-of-service attacks. These improvements have led to iptables being the default firewall package installed under Red Hat and Fedora Linux systems. Despite the work done to improve the iptables package, there are still vulnerabilities to be exploited. Denial-of-service vulnerabilities and even an arbitrary filter rule issue have been exploited in the package. Even though these problems are patched as they are found, it seems that attackers always find new ways to compromise security.
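The features just described, stateful connection tracking, TCP flag filtering and rate limiting, as an added shell example that is not part of the essay: a deny-by-default INPUT ruleset. The SSH port and the IPT variable (set it to echo for a dry run) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the essay. IPT names the iptables binary; setting
# IPT=echo prints the commands instead of applying them (dry run for review).
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumption: SSH is the one service exposed

apply_rules() {
    # Clean slate and deny-by-default posture for inbound traffic.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # Loopback is always trusted.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Stateful inspection: conntrack remembers every connection passing
    # through, so replies to connections we opened are accepted without
    # a per-port rule, and packets fitting no known connection are dropped.
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # TCP header flag combinations no legitimate stack produces (the
    # malformed packets the text mentions) are dropped before any port
    # rule is considered.
    "$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    "$IPT" -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # A new TCP connection must begin with a SYN.
    "$IPT" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # Rate limiting: a source opening more than 4 new SSH connections per
    # minute (burst 8) is dropped, blunting brute-force and flood attempts.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip \
        --hashlimit-above 4/minute --hashlimit-burst 8 -j DROP
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Everything else hits the DROP policy; log a rate-limited sample first.
    "$IPT" -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: "
}

# dry_run: print the rules apply_rules would install, for review.
dry_run() {
    ( IPT=echo; apply_rules )
}

# count_rules PATTERN: how many emitted rules mention PATTERN in a dry run.
count_rules() {
    dry_run | grep -c -- "$1"
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with the argument apply (as root) to install the rules, or call dry_run to review them first.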
Chroot Jail

A chroot jail is a file access control mechanism that first appeared in BSD 4.2. It regulates a user's access to the rest of the system by maintaining the appearance that the user is in the system root directory. In actuality the user is in their own root prison and has restricted access to the rest of the system outside that area. This prevents the user from simply navigating up to the home directory to view other users' directories or otherwise compromise the system. Although it is a very useful security measure for the normal user, this system has been in use for a long time and has therefore given potential attackers and security professionals time to figure out the vulnerabilities and weaknesses inherent in it. Programs that run with root privileges can potentially escape the jail. For this reason all programs running inside the jail should have their privileges reduced. There is a very well-known attack that has been published in many security columns to display the vulnerabilities of the system and the steps that should be taken to prevent it. To break out of the jail a program must have access to a C or Perl compiler and have the ability to gain root access. Once this is done, a series of steps can be taken for the program to trick the system into granting it actual root privileges even though it still appears to be inside its chroot jail. Chroot is a very useful and reasonably secure tool for restricting access to your server. Although there are ways to break out of the jail, reasonable accommodations can be made to make this process more difficult for potential attackers.
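An added example, not from the essay, of the privilege reduction the paragraph calls for: a POSIX shell script that builds a minimal jail and enters it with GNU coreutils chroot --userspec, so the jailed process never runs as root. The jail path and the numeric user and group ids are assumptions.

```shell
#!/bin/sh
# Added example, not from the essay. Builds a bare chroot jail for a program
# and runs it there as an unprivileged user. Requires GNU coreutils chroot
# (for --userspec) and root to actually enter the jail.

# copy_with_libs BIN JAIL: copy BIN into JAIL at its original path together
# with every shared library ldd reports for it, including the dynamic loader.
copy_with_libs() {
    bin=$1; jail=$2
    mkdir -p "$jail$(dirname "$bin")"
    cp -L "$bin" "$jail$bin"
    # ldd lines look like "libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x..)"
    # or "/lib64/ld-linux-x86-64.so.2 (0x..)"; keep the absolute paths only.
    # A statically linked binary yields no lines, which is fine.
    ldd "$bin" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -L "$lib" "$jail$lib"      # -L: copy the file behind any symlink
    done
}

# build_jail JAIL BIN...: create the minimal directory tree and populate it.
# Nothing else from the host (no passwd database, no setuid binaries, no
# device nodes beyond what is needed) is copied in: every extra file is a
# resource the jailed process could misuse.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/dev" "$jail/etc" "$jail/tmp"
    chmod 1777 "$jail/tmp"
    for b in "$@"; do
        copy_with_libs "$b" "$jail"
    done
}

# run_jailed JAIL UID:GID CMD...: enter the jail and drop privileges in one
# step. The drop is the essential part: a process still running as root
# inside the jail can escape it, so the jail only confines unprivileged code.
# Numeric ids are used because the jail has no passwd database.
run_jailed() {
    jail=$1; ids=$2; shift 2
    chroot --userspec="$ids" "$jail" "$@"
}

# jail_has JAIL FILE: "1" if FILE exists inside the jail, "0" otherwise.
jail_has() {
    if [ -e "$1$2" ]; then echo 1; else echo 0; fi
}

# Usage sketch (assumed path and ids): build a jail for /bin/sh and run a
# shell as uid/gid 65534 (nobody) inside it.
#   build_jail /srv/jail /bin/sh
#   run_jailed /srv/jail 65534:65534 /bin/sh
```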
SELinux
SELinux has its origins as a project between the Flux Advanced Security Kernel (FLASK) effort and the US Department of Defense. The development was later enhanced by the NSA and released as open source software. The NSA has stated that this is not a fix for OS issues, nor is it meant as an all-in-one security solution, but instead is an example of how mandatory access controls that can confine the actions of any process, including an administrator process, can be added to a system. Traditionally Linux security has used DAC (Discretionary Access Control), which relies on users and groups to control which users and processes can access files and how. This runs into a problem, since the owner of a file has control over its permissions, which can be less than ideal. SELinux (Security-Enhanced Linux) implements MAC (Mandatory Access Control), which is under the direct control of the system administrator and is located in the kernel, where it can control and enforce security, giving processes and users only the permissions they need.
In the way of vulnerabilities I could not find much for SELinux, which is a testament to the power of MAC. As secure as it may be, for most home users this system is a bit complicated and can block services and make it look like a common error, making troubleshooting problematic. I would still recommend using a firewall in conjunction with SELinux, as security is best utilized when it is layered in order to make attacks more difficult.
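For the troubleshooting problem described above, an added shell example that is not part of the essay: summarising SELinux AVC denials from audit log lines so a blocked service can be traced to the policy instead of being mistaken for an ordinary permission error. The audit lines are constructed for the demo; the processes, files and ports in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the essay. Constructed audit lines in the format
# the kernel emits for SELinux denials (type=AVC ... avc: denied { perm } ...).
SAMPLE_AUDIT='type=AVC msg=audit(1350000001.123:201): avc:  denied  { write } for  pid=4711 comm="httpd" name="index.html" dev="dm-0" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350000002.456:202): avc:  denied  { name_bind } for  pid=4712 comm="httpd" src=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1350000002.456:202): arch=c000003e syscall=49 success=no exit=-13 a0=4 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1350000003.789:203): avc:  denied  { read } for  pid=4800 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# summarize_avc: read audit lines on stdin and print one row per denial:
#   comm  permission  source-type  target-type  class
# The type is the third field of a context (user:role:type:level); it is
# what a policy boolean, a relabel or a custom module has to address. The
# SYSCALL record carries no denial and is skipped.
summarize_avc() {
    awk '
        /^type=AVC / && /avc:  denied/ {
            comm = perm = sctx = tctx = tclass = "?"
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub("\"", "", comm) }
                if (kv[1] == "scontext") sctx = kv[2]
                if (kv[1] == "tcontext") tctx = kv[2]
                if (kv[1] == "tclass")   tclass = kv[2]
            }
            split(sctx, s, ":"); split(tctx, t, ":")
            print comm, perm, s[3], t[3], tclass
        }'
}

# count_denials: number of denial rows in the constructed sample.
count_denials() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | wc -l | tr -d ' '
}

# denials_for COMM: denial rows for one program, e.g. denials_for httpd
denials_for() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | awk -v c="$1" '$1 == c'
}
```

On a live system the same summarizer reads the real log, for example with ausearch -m avc --raw piped into summarize_avc.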
Linux has a rich history of collaboration between different organizations and input from users worldwide. This has led to a world-class piece of open source software that has proven to have both the reliability and the security to give users and corporations worldwide the peace of mind to use it for day-to-day operations and to run their websites. As more threats and vulnerabilities are exposed, more organizations will collaborate to evolve these security systems to meet the challenges.

Sources for iptables

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
http://people.netfilter.org/rusty/ipchains/HOWTO-1.html#ss1.1
http://www.netfilter.org/about.html
http://www.juniper.net/security/auto/vulnerabilities/vuln2602.html
http://linuxdevcenter.com/pub/a/linux/2004/11/19/security_alerts.html

Sources for chroot jail

Impson, Jeremy. "Jail Time -- The chroot function in Unix and Linux lets you restrict file access for users-and intruders." Network Computing 30 Oct. 2003. Computer Database. Web. 10 Oct. 2012. Document URL http://go.galegroup.com.proxy.itt-tech.edu/ps/i.do?id=GALE%7CA109583760&v=2.1&u=itted&it=r&p=CDB&sw=w
http://www.unixwiz.net/techtips/chroot-practices.html
http://www.bpfh.net/simes/computing/chroot-break.html

Sources for SELinux

http://selinuxproject.org/page/NB_Overview#SELinux_Overview
http://www.cvedetails.com/vendor/7632/Selinux.html
