Module 3
Requisite
returns successful - if the current PAM module returns successful, the next rule in the list is checked; if it is the final rule, the stack returns successful - returns unsuccessful - additional modules are still executed; however, regardless of what happens with those modules, the stack returns unsuccessful; useful because the other modules may provide more info in log files
Optional
returns successful - the next rule in the list is checked; if it is the final rule, the stack is successful - returns unsuccessful - the next rule in the list is checked; if it is the final rule, the stack is still successful (unless it is the only rule in the stack, in which case the stack is unsuccessful)
iptables
rule sets (chains) are applied at different places (filter points), allowing flexibility - several types of rules (tables) can be placed at a filtering point, so a filter point can have more than one set of rules - iptables can perform multiple functions: filter data, perform NAT on a packet, mangle a packet - once a rule is matched, a target is performed (accept/drop/reject/log)
Zones
rules are configured in categories called zones - an internal/trusted zone on the network may have less restrictive rules, while the Internet-facing zone (dmz/external) may be more restrictive
faillock
same as pam_tally2, just uses a different config file
Fail2ban
scans specific log files for IP addresses that attempt breaches through repeated connection attempts - config file is /etc/fail2ban/jail.conf
umask
sets default permissions for files/dirs; applied when they are initially created
SELinux configurations
sets up SELinux "contexts", which are similar to security groups; most admins use SELinux to secure processes that may be compromised by hackers making use of exploits - SELinux can lock down processes so that they can only access a certain set of files
SHA
similar to MD5 but uses a different algorithm
TACACS+
similar to RADIUS; created by Cisco
VPN as a client
similar to SSH in that it provides secure data transfer; uses public/private keys to encrypt/decrypt data - ex: OpenVPN
Add Banner
some services like FTP/SSH/web servers let you add a banner that users see when they first sign in; can be informational or a warning that only authorized access is permitted
Dynamic rule sets
some utilities dynamically create firewall rules to thwart hacking attempts on the fly
Importance of denying hosts
stems from the fact that there are systems known to be used as launching points for hacker attacks; these hosts should always be denied access to your systems; some sites provide a list of such hosts; ex: https://mxtoolbox.com
journald
stores log entries in a special file format in order to optimize log file entries
Log
tells iptables to create a log entry about the packet; the packet is neither allowed nor blocked; other rules in the rule set may determine the result
Drop
tells iptables to discard the packet; no response is sent to the source; the packet is not advanced to the next filtering point
Reject
tells iptables to return the packet to the source with an error message; the packet is not advanced to the next filtering point
Password policies
the pam_unix module provides many features that modify how passwords are set; ex: save the last five passwords for a user and disallow reuse of those
Log management
third-party agents - syslogd/rsyslogd - log application and system events; /etc/syslog.conf is the config file
getenforce
to determine current SELinux mode
Importance of disabling root login via SSH
usually for servers directly accessible from the Internet, as hackers can try to log in directly as root; disabling this capability requires the hacker to compromise a non-root account first and then, through that account, compromise the root account - modify the /etc/ssh/sshd_config file to say 'PermitRootLogin no'
DTLS
utilizes datagram-based security features; a datagram is the basic unit of transfer on a packet-switched network; uses a connectionless communication method
disabled
when in this mode SELinux is not functional at all, no checks are performed when users attempt to access files
Run time
when rules are created using the firewall-cmd command they affect the active firewall on the system; this is the run time firewall - if the system is rebooted or the firewall service is restarted, these rules are lost
sgid
when set on executable files, this allows a program to access files using the permissions of the group owner of the file - when set on directories, all new files in the directory inherit the group ownership of the directory - chmod g+s or chmod 2xxx
suid
when set on executable files, this allows a program to access files using the permissions of the user owner of the file - chmod u+s or chmod 4xxx
Destination
where a network packet is being sent to; filters can be applied here
Source
where network packets originate from; can be filtered from source using IP/MAC address/port
/var/log/messages
wide variety of log entries from numerous services/daemons - i.e. crond, kernel, mail servers
PTYs
Pseudo-terminals: these are provided to a shell when a user logs in remotely (SSH) or when a new terminal window in a GUI-based environment is invoked
journalctl
handles the logging process on modern Linux systems; can be used to query systemd log entries
MD5
hashing algorithm that creates a unique message digest which can be used to verify a file - if the file changes, the digest will also change
Protocol
i.e. ICMP/TCP/UDP or telnet; can be filtered this way
No shared ID's
if multiple users use the same ID (UID), their actions can't be accounted for; don't do this
sticky bit
if set on directories, files in the directory can only be removed by the user owner of the file, the owner of the directory, or the root user - chmod o+t or chmod 1xxx
Incremental
includes all files that have changed since last incremental or full backup
Standard method
a local user/password combination; lacks more complex security features
IP forwarding
kernel feature allowing network packets to be passed from one network to another - used to create a router on a server; set the value of /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv6/conf/all/forwarding to 1 to enable it
/etc/securetty
lists all the device files from which the root user can log into the system; identified by the /dev/tty# device names in the file
ulimit
lists or sets a user's account limits; common limits: - fsize = max file size allowed - cpu = max CPU time allowed - nproc = max number of concurrently running processes - maxlogins = max number of concurrent logins
aa-unconfined
lists processes not restricted by AppArmor profiles
/etc/apparmor.d
location of definitions of AppArmor profiles
/etc/apparmor.d/tunables
location of files used to fine-tune AppArmor behavior
authorized_keys
location where public keys are stored in key-based SSH authentication after manually copying keys over from client to server
/etc/services
location where services are mapped to ports (traditionally)
Digital Signature
a message digest is sent to a CA to verify the signature, and this goes on the certificate - typically has an expiration date
aa-complain
mode that has AppArmor report problems
/var/log/[application]
most applications today create their own logs without needing a logging service
User-specific access
refers to using passwordless authentication using public/private keys
Differential
archives any files changed since the last full backup
TLS
asymmetric cryptography - uses public and private keys to encrypt/decrypt data
Separation of OS data from application data
avoids allowing an application to fill up the filesystem with log files (as an example); partitioning is the best way to prevent this - partition the disk to maximize system availability
Boot loader password
the boot loader can allow a user to perform custom operations during the boot process, including booting to alternate kernels or runlevels; best practice is to enable a boot loader password
Tunnel Mode
both data and metadata are encrypted; common with client-to-site VPN
Logging
can be enacted by rules; useful for later packet inspection
chcon
change the context of a file or dir
sestatus
provides overall status info about SELinux
Integrity checks
useful to determine if a file has been changed or replaced with an impostor
Inheritance
Linux permissions don't utilize inheritance: - i.e. new files/dirs don't inherit permissions from the dir that item is created in
Chroot jail services
a service that only has access to a small portion of the filesystem, such as its own subdirectory, so that it won't be able to modify critical system data; ex: BIND
Standard
account with UID of 1000 or higher
LDAP integration
add lines to /etc/pam.d/system-auth file to add LDAP
su
allows a user to switch user accounts - used with the - option it spawns a new login shell
sudo
allows users (when appropriately configured) to run commands as other users (typically the root user) - must be configured in the /etc/sudoers file
SSH
allows you to connect to a Secure Shell service; encrypts data in a tunnel as opposed to unsecured telnet
Stateless
applies regardless of prior established connection
Stateful
applies to any previously established connection
Discouraging use of USB devices
USB devices can be used to inject or steal data from servers; common to disable USB devices in the BIOS
pam_tally2
can be used to lock a user out after unsuccessful login attempts
ls
can be used with -l to display long output with permissions listed
OTP (one-time password)
can be used with 2FA or if user loses password
sudoedit
can edit a file using sudo access with this command; the chosen editor depends on variables (SUDO_EDITOR, VISUAL, EDITOR)
chgrp
changes the group ownership of a file; same usage as chown
Persistency
changes made by the iptables command only affect the currently running firewall; they can be made persistent by using the iptables-save command
Change default ports
changing the default port for a network service can deter/prevent hackers from attacking well-known ports (i.e. SSH uses port 22; change this to another port)
known_hosts
the client stores a server's unique fingerprint key in this file after a connection is established with an SSH server; typically left alone
Restrict cron access
cron can execute code on critical systems; restrict access to it
FTP
commonly used protocol to transfer files between systems - not encrypted, including the user/password, so if someone can snoop the network they can see the user/password - anonymous FTP doesn't require authentication; only use it for download, not upload
Netfilter
component of kernel that performs NAT and IP forwarding
/etc/ssh
contains files that can be used to administer both the SSH server and the SSH client utilities
/var/log/kern.log
contains messages from the kernel
SCP
copy files to and from remote systems via Secure Shell
DenyHosts
designed especially to protect SSH servers; creates TCP wrapper rules - ex: if a remote system attempts a brute force attack, DenyHosts creates a blocking rule in /etc/hosts.deny
Firewall
designed to allow or block network traffic
IPset
designed to create sets of IP addresses and then use a set to apply rules to a collection of systems
MOTD
displayed when a user first logs in; provides useful information about the system being used
lastb
displays failed login attempts
Kerberos
uses a ticket-based system; the server grants a ticket-granting ticket (TGT) upon authentication, encrypts it, and sends it back to the client system, which can then use it to authenticate to other services - kinit: used to obtain an individual ticket - klist: displays the list of cached Kerberos tickets
Biometrics
uses fingerprints, retina scanner, etc
Multi-factor authentication
uses multiple pieces of evidence as proof of identity: "something you know", "something you are", "something you have"
TCP wrappers
uses simple config files to either allow or deny access from specific hosts/networks; only services that use the TCP wrappers library are affected by the /etc/hosts.allow and /etc/hosts.deny files
Service
usually has a UID under 1000; some are referred to as daemon accounts, used by daemon-based software
gzip, xz, bzip2
used to compress files
Required
returns successful - if the current PAM module returns successful, the next rule in the list is checked; if it is the final rule, the stack returns successful - returns unsuccessful - no additional modules are executed; the stack returns unsuccessful
Read, write, execute
the first 10 characters in ls -l output denote the file type and permissions - if the first character carries no type letter (shown as a dash), it is a regular file; if it is a 'd', it is a directory - the next 9 characters, in groups of three, are the permissions for the owner/group/other users
ufw
Debian-based distros - front-end interface used to create iptables rules
wheel
a group commonly used to allow non-root users root access (if enabled in the /etc/sudoers file)
Disk encryption
makes it near impossible to access data unless it is decrypted; the data is only encrypted while the system is off - LUKS: disk encryption method common on Linux systems; uses the kernel module dm-crypt
Sufficient
returns successful - no additional modules are checked - returns unsuccessful - the next rule in the list is checked; if it is the final rule, the stack is successful
permissive
SELinux performs checks but doesn't block access to files/dirs; used for logging and troubleshooting
enforcing
SELinux performs checks and blocks access to files/dirs as necessary
~/.ssh/
SSH data for individual users is stored here; used by SSH to store important data; users can modify their configuration in this directory
/dev/tty#
TTY device files are named /dev/tty#, where # is a number - typically only seven are in use on standard Linux distros; one is reserved for GUI-based logins
UEFI/BIOS Password
UEFI/BIOS can allow custom booting operations - best practice is to enable a password
Root
the root account is the system admin account; UID of 0; has full system control
AppArmor
a MAC (mandatory access control) system that is similar to SELinux
TTYs
a device file associated with a terminal display which is traditionally a command-line login screen
/etc/pam.d
each file here is designed to configure a command or utility that uses PAM to authenticate user accounts
Postfix/Sendmail
email servers; not needed on a local system; configure a real email server instead; disable or limit these and other unneeded services (CUPS is an example if printing isn't needed)
/proc/sys/net/ipv6/conf/all/forwarding
enables IP forwarding for all IPv6 network packets
/proc/sys/net/ipv4/ip_forward
enables IP forwarding for IPv4 network packets
Public key
encrypts data sent to the Apache web server; freely given to the web browser; the server decrypts with its private key
logrotate
rotates log files to limit the filesystem space that the logs use; /etc/logrotate.conf is the config file - ensure the partition that holds the log files has enough room to handle them
full
everything from the source is backed up; very time consuming, but restoring from this is quicker
/var/log/secure
file containing log entries related to authentication and authorization operations, including when users log in, attempts to gain escalated privileges, etc.
snapshot clones
a frozen image of the filesystem, used with LVM; used to safely back up a live filesystem
Passwordless login
normally associated with SSH; a convenience/security feature that uses a public/private key pair - enforcing the use of PKI is best practice when using key pairs for SSH logins
Accept
once a network packet matches the criteria of a firewall rule, a target is used to determine what action to take (Accept/Reject/Drop/Log) - accept tells iptables to allow the packet and advance it to the next filtering point
/etc/rsyslog.conf
one of the config files for rsyslogd
Transport Mode
only the data is encrypted; IP information is not encrypted; common with site-to-site VPN
Octal Notation
permissions assigned via numeric values
Telnet
permits remote login without encryption - don't use this
config
place where you can customize how commands like ssh, scp, and sftp work
Targeted
policies that contain rules designed to protect the system from services rather than regular users
Privileged Ports
ports 1-1023, reserved for commonly used protocols
LDAP
protocol providing directory services information; can store info like hostnames; RADIUS/TACACS+ are more robust
RADIUS
protocol that allows a client system to authenticate via a server; provides AAA (authentication, authorization, accounting); managed centrally
SSL/TLS
protocol used by VPNs to provide secure transport of data; TLS is more common and SSL is deprecated - commonly used in web server communication, email transport, and VoIP
Finger
provides info about computers/users; long used to provide a report on a user; unencrypted; don't use on modern systems
CVE monitoring
provides info about publicly known vulnerabilities; admins should monitor relevant reports and implement fixes for vulnerabilities as soon as possible
tar
the purpose of the command is to merge multiple files into a single file
getfacl
reads the ACL report generated by setfacl
firewalld
Red Hat-based distros - used to configure iptables rules - managed with the firewall-cmd command
Image
refers to the format used for a backup of data; ex: tar, ISO
Ports
unique number used to address a service on a system; packets contain a source/destination port; can be filtered based on this
Tokens
unique value generated by a hardware device or software program - hardware: typically a small device on a key fob that generates the token - software: generated by a program, like an app on a mobile device
Importance of enabling SSL/TLS
used by HTTPS - provides secure manner of connecting for web services
Pluggable authentication modules (PAM)
used by almost all Linux utilities to attempt to authenticate users. Examples of what it can do: - enforce more robust password requirements - limit the days/times users can log in to the system - limit the locations users can log in from - set or unset environment variables; can have one set of variables for local login, one for SSH logins, one for FTP, etc. - restrict user accounts - limit where the root user can log in from
dd
used for backing up data and creating image files; commonly used to back up an entire drive
id_rsa.pub
used for password authentication in conjunction with the ssh-agent/ssh-add utilities
id_rsa
used for password authentication in conjunction with the ssh-agent and ssh-add utilities
IPSec
used in VPNs for authentication and to encrypt network packets; operates at OSI Layer 3, whereas TLS/SSL operate above Layer 3
ssh-add
used to add RSA/DSA encryption keys to the SSH agent's cache - ex: use it after ssh-agent to cache keys
chmod
used to change permissions on files; octal method - permissions are assigned numeric values - read=4, write=2, execute=1 - permissions set like 'chmod 754 filename' mean the file is rwxr-xr-- - symbolic method - u/g/o/a and +/-/= and r/w/x combinations to set/remove permissions
chown
used to change the user owner or group owner of a file or dir; ex: 'chown tim abc.txt' will change the ownership of abc.txt to the tim user - useful options: -R for a recursive change, -v for verbose
sshd_config
used to configure the SSH server; many options in this file that can be configured
ssh-copy-id
used to copy login keys to a remote system
cpio
used to create archives
chage
used to set or display the amount of time between password changes
aa-disable
used to disable an AppArmor profile (rule set describing how to restrict a process)
visudo
used to edit /etc/sudoers and it does formatting checks
PKI
used to ensure a server is really the one the user intended to reach, as opposed to a rogue server - often provides a means to encrypt data between the server and user
ssh-keygen
used to generate authentication keys
Importance of enabling auditd
used to log user account activity; helps determine if a user has performed any unauthorized activity
zip
used to merge multiple files into a single, compressed file
ssh_config
used to modify the behavior of the SSH client utilities like ssh/scp/sftp; affects all users, but users can override these settings by creating ~/.ssh/config
Disable ctrl+alt+delete
used to prevent rebooting servers when they shouldn't be
restorecon
used to restore the default security context of a file or dir; -R will do it recursively
getsebool
used to see SELinux Boolean values; a Boolean is either a true or false value
ls -Z
used to see a security context for a specific file
ps -Z
used to see security context for running process
setsebool
used to set an SELinux Boolean
setfacl
used to set an access control list (ACL) for a file or dir - format is: 'setfacl -option what:who:permission file/dir'
setenforce
used to switch between SELinux policy modes
rsync
useful to copy files remotely across the network
SFTP
uses SSH to securely transfer files across the network