15. Security
Your site is dependent upon the use of the rlogin utility for remote access. For security reasons, you want to prevent the hosts in the marketing department from accessing the payroll server, but allow all others to do so. Which of the following files should you use to create this restriction? hosts.allow hosts.deny hosts hostname
hosts.deny The hosts.deny file (in /etc) is consulted by the TCP wrappers library (tcpd/libwrap) after /etc/hosts.allow. Each rule has the form daemon_list : client_list, so a line such as in.rlogind: 10.20.30. (taking 10.20.30.0/24 as the marketing subnet) denies rlogin to those hosts, while every host that no rule in either file matches is still allowed. Because hosts.allow is searched first, make sure it does not already grant the same hosts (for example with ALL: ALL), or the deny rule is never reached. rlogin itself sends credentials and session data in cleartext; the restriction limits who can reach the service, not how exposed it is, and SSH should replace it wherever possible.
Commands Used to Audit
The following table lists several file auditing commands:
15.6.7 Practice Questions
Port
A logical entity that acts as an endpoint of communication to identify a given application or process on a Linux operating system.
Extended Internet Service Daemon (xinetd)
A super-server daemon, found on many Linux distributions, that listens on behalf of other network services and starts the appropriate one when a connection arrives. On systemd-based distributions this role is largely taken over by socket-activated units.
15.1.7 Practice Questions
CIST 2431
15.2.8 Practice Questions
15.6.2 Encryption Facts
Encryption is a security technique that encodes information so that only someone with the proper key can decode it. This lesson covers the following topics: Types of encryption Encryption standards
15.2.7 File Auditing Facts
File auditing involves looking for files that pose a security risk to the computer. This lesson covers the following topics: File types that pose a risk Commands used to audit
General Security Procedures
General procedures for increasing network security of a Linux system include:
crontab -e
Schedules the auditing task to run on a regular basis.
Encryption Standards
Standards for symmetric and asymmetric encryption include:
Commands to Manage Root-Level Access
The following commands are used to manage root-level access to the system.
Login Blocking Process
The following list describes the tasks necessary to configure login blocking:
Force all users to log out of the system:
1. Log in directly as the root user, on the console, so that your own session is not among those you terminate.
2. Use the w command to view all active user accounts.
3. Use pkill -KILL -u user for each active user. This kills every process that user owns, not only the login shell, so background jobs, screen or tmux sessions, and any daemons running under that account go with it.
Disable the ability to log in to the system:
1. Create the /etc/nologin file.
2. Add a message to the file; pam_nologin displays it to users when they attempt to log in.
*Rename or delete this file to re-enable logins. The root account is exempt from pam_nologin and can still log in while the file exists, which is what lets you finish the maintenance.
Security Guidelines
To protect the root user account, use the following guidelines: > When performing tasks that require the root user account, use su - to switch to root, run the command, and then use exit to return to the regular user account; or grant the specific command through sudo so the root password need not be shared at all. > As a general rule, create an unprivileged user account with sufficient permissions for most daily tasks and log in with that account rather than root.
Remove unneeded software
Unneeded software takes disk space and could introduce security risks: every installed package is code that may need patching and may expose a service. To remove unneeded software: 1. List what is installed: use dnf list installed (or rpm -qa) to see installed RPM packages, or dpkg --get-selections (or dpkg -l) to see installed Debian packages. 2. Research the function of any unrecognized package to determine whether it is necessary. 3. Use dnf, yum, or rpm -e on RPM-based systems, or apt or dpkg on Debian-based systems, to uninstall unneeded packages.
Confirm TCP wrapper configuration.
Use tcpdchk to test and display any potential or real problems with the TCP wrapper configuration. tcpdchk reads /etc/hosts.allow and /etc/hosts.deny and reports syntax errors, rules that name daemons the inetd configuration does not know, and host names that cannot be resolved; its companion tcpdmatch predicts how the wrappers will handle a specific daemon and client. Be aware that current Red Hat based distributions (RHEL 8 and later) no longer ship TCP wrappers, and many daemons are no longer linked against libwrap; on such systems use firewall rules or the service's own access controls (for example sshd's AllowUsers or Match blocks) instead.
Security Considerations
When considering user security, keep the following in mind: > Users should be trained to use strong passwords. Strong passwords mix numbers and upper- and lower-case letters and are more than eight characters long; length matters more than the character mix, so a long passphrase is a better choice than a short complex string. > Passwords should expire periodically (see chage). > Administrators can limit the resources users can access (see ulimit and /etc/security/limits.conf).
Which of the following is the super daemon that is most commonly found in modern Linux distributions? xinetd init xserver inetd
xinetd Even though inetd and xinetd are both super daemons, xinetd is the one most commonly found in the distributions this course covers. Although init does manage services, it does not start and stop them on demand. xserver is not the name of a super server; it is a name for the X Window System server. On distributions that use systemd, socket-activated units (.socket files) now fill the role xinetd played, and xinetd is often not installed at all.
15.8.5 Practice Questions
setenforce setsebool /var/log/audit sealert
15.7.4 Practice Questions
ssh -X To ensure that SSH does not execute a remote command. ForwardX11Trusted X11Forwarding AllowTCPForwarding ssh
You are currently logged in using the badams account. You want to view the contents of the /etc/inittab file, but you are not allowed to with the badams account. Which command could you use to view the file? sudo "cat /etc/inittab" su -c "cat /etc/inittab" -l sudo -f /etc/inittab cat su cat /etc/inittab
su -c "cat /etc/inittab" -l Use su -c "cat /etc/inittab" -l to run a single command as the root user. -c identifies the command to run; enclose the command in single or double quotes. -l (or -) starts a login shell so that root's environment is used. You will be prompted for the root password. sudo "cat /etc/inittab" fails because sudo treats the quoted string as the name of a single program; the correct form, if badams has been granted the right in /etc/sudoers, is sudo cat /etc/inittab (no quotes, and sudo has no -f option). su cat /etc/inittab makes su attempt to switch to a user named cat.
What should you enter at the command prompt to check the TCP wrapper configuration on your system?
tcpdchk Use tcpdchk to test and display any potential or real problems with the TCP wrapper configuration. tcpdchk reads /etc/hosts.deny and /etc/hosts.allow and checks each rule for syntax errors, daemon names that do not appear in the inetd configuration, and host names that cannot be resolved.
requisite
Requisite is similar to required; however, if a module returns a failure, control is directly returned to the application or to the superior PAM stack.
What should you enter at the command prompt to display both listening and non-listening sockets on your Linux system?
netstat -a Use netstat -a to identify the listening and non-listening sockets on the Linux system. A socket is an endpoint of a bidirectional communication flow across a computer network. Be aware of the other common netstat options: -l lists listening sockets. -s displays statistics for each protocol. -i displays a table of all network interfaces. netstat belongs to the deprecated net-tools package; ss -a (from iproute2) shows the same information on current distributions, and ss -ltnp is the usual way to list listening TCP ports with their owning processes.
User_Alias
Defines a named set of users for use in sudoers rules. e.g. User_Alias INSTALLERS = jsmith, psimms adds the users jsmith and psimms to the INSTALLERS alias; a later rule such as INSTALLERS ALL = INSTALL is what actually grants them the commands in the INSTALL alias.
Login blocking is enabled using the Pluggable Authentication Modules (PAM) module. What line needs to be in the /etc/pam.d/login file to configure PAM to check and see if a file named /etc/nologin exists?
auth requisite pam_nologin.so On SUSE Linux systems, the line auth requisite pam_nologin.so needs to be in the /etc/pam.d/login file to configure PAM to check whether a file named /etc/nologin exists. On Red Hat/Fedora systems the equivalent line is auth required pam_nologin.so (current Red Hat based releases place it in the account stack instead: account required pam_nologin.so). Without such a line the /etc/nologin file is silently ignored, so check the PAM configuration before relying on it.
15.9.4 Practice Questions
aa-disable /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/ aa-unconfined --paranoid aa-complain
You are modifying the tcpd control files of the xinetd super daemon. Of the two tcpd control files, what is the full path and filename of the file that is applied first?
/etc/hosts.allow The following tcpd control files determine which computers can access the services through xinetd: /etc/hosts.deny denies services to the specified host(s) or subnets. /etc/hosts.allow permits services to the specified host(s) or subnets. Be aware of the following details: The /etc/hosts.allow is read first and applied before /etc/hosts.deny. In each of these files, if tcpd finds a matching rule, the search is stopped, and all remaining rules are ignored.
Which chage option keeps a user from changing password every two weeks? -m 33 -a 33 -W 33 -M 33
-m 33 chage -m 33 prohibits the user from changing his password for 33 days. This sets the minimum number of days that must pass after a password has been changed before the user can change it again; with a 33-day minimum, changing the password every two weeks (14 days) is impossible. Be aware of the other chage options: -M sets the maximum number of days before the password expires. -W sets the number of days before the password expires that a warning message displays. chage -a is not a valid option.
Which of the following is the associated device file for that terminal? /dev/lp0 /dev/port /dev/tty5 /dev/null
/dev/tty5 /dev/tty5 is the device file for the fifth virtual console (reached with Ctrl+Alt+F5); /dev/tty without a number refers to the current process's controlling terminal. /dev/lp0 is the device file for the first parallel port. /dev/null is the null device, commonly used to discard unwanted output streams. /dev/port gives access to the system's I/O ports.
What is the full path and filename of the file you should create to disable user login on a Linux system?
/etc/nologin Create the /etc/nologin file to disable user login on a Linux system. The file can be left empty, but you can insert text into the file that will appear as a message to users when they attempt to log in. Administrators can prevent (block) users from logging in to a Linux computer while resolving serious issues and can display a message to users attempting to log in. Login blocking is enabled using the Pluggable Authentication Modules (PAM) module.
required
Failure of a PAM will ultimately lead to the PAM-API returning failure but only after the remaining stacked modules (for this service and type) have been invoked.
Restart xinetd.
Restart (or reload) xinetd to apply changes made to /etc/xinetd.conf or to the files in /etc/xinetd.d. e.g. service xinetd restart on init-based systems, or systemctl restart xinetd on systemd-based systems. Sending the daemon SIGHUP (kill -HUP on its PID) also makes it re-read its configuration without dropping existing connections.
exit
Returns to the account from which su was run. When no su is in effect, exit terminates the shell; in a login shell (a text console or an SSH session, for example) that logs the user out. e.g. [root@ls4 ~]# exit prints logout and returns to the original prompt, [jsomes@ls4 ~]$.
15.12.3 Practice Questions
Set a bootloader password. chroot jail SSH LUKS disk encryption One-time password (OTP) Fingerprint Iris pattern Public key infrastructure (PKI)
chage
Sets user passwords to expire. Be aware of the following options: -M sets the maximum number of days before the password expires. -W sets the number of days before the password expires that a warning message displays. -m sets the minimum number of days that must pass after a password has been changed before a user can change the password again. *Look in the /etc/shadow file to view current limits for users. e.g. chage -M 60 -W 10 jsmith sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires.
A system was installed by an employee that is no longer with the company, and that employee used a non-standard root password that was not documented. Which mode must you boot the system into to reset the lost root password? tty7 Single user mode tty1 Multiuser graphical mode
Single user mode Single-user (rescue) mode is required to reset a lost root password: edit the kernel command line in the boot loader to enter it, then run passwd for root. Multiuser graphical mode provides a graphical user interface and does not allow the root password to be reset without knowing it. tty7 is the virtual console that usually hosts the GUI (switch to it with Ctrl+Alt+F7); tty1 is the first text console (Ctrl+Alt+F1). Because anyone with console access can perform this reset, protect the boot loader with a password and, where the disks hold sensitive data, use full-disk encryption (both appear in the hardening list above).
Cmnd_Alias
Specifies a set of commands that users can execute using the sudo command. Commands must be given as absolute paths. e.g. Cmnd_Alias INSTALL = /bin/rpm, /usr/bin/up2date, /usr/bin/yum assigns the rpm, up2date, and yum commands to the INSTALL alias. Users granted the INSTALL alias in a rule can execute these commands.
Runas_Alias
Specifies a username that is used when running commands with sudo. Usually, this is just root. e.g. Runas_Alias DATABASE = root specifies that sudo commands are run as the root user.
Types of Encryption
There are two encryption types:
Removing unnecessary software increases the security of your Linux system. If your system uses RPM for package management, what can you enter at the command prompt to look for unnecessary software that might be installed on your system?
dnf list installed On a system that uses RPM for package management, you can enter any of these commands to look for unnecessary software that might be installed on your system: dnf list installed yum list installed rpm -qa
You have used su to switch to the root user account to do system administration tasks. Now you want to revert back to your regular user account. Which command should you use? exit off break logoff
exit Use the exit command to terminate the su shell and revert back to the user you previously logged in as.
What do you enter at the command prompt to prevent the shell from using too much of the system's resources?
ulimit Use ulimit to limit the resources available to processes started from the shell. Limits can be hard or soft. The soft limit is the value the kernel enforces; a process may raise its own soft limit up to, but never above, the hard limit. Any user may lower a hard limit (and cannot raise it again in that process); raising a hard limit requires root (CAP_SYS_RESOURCE). Options include the following:
-c limits the size of a core dump file. The value is in blocks.
-f limits the size of files created in the shell session. The value is in blocks.
-n limits the maximum number of open files.
-t limits the amount of CPU time a process can use. This is set in seconds.
-u limits the number of concurrent processes a user can run.
-d limits the maximum size of a process's data segment. The value is in kilobytes.
-H sets a hard resource limit.
-S sets a soft resource limit.
-a displays current limits. The default shows soft limits.
ulimit settings apply only to the current shell and its children; to make limits persistent for a user or group, use /etc/security/limits.conf.
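The soft/hard rules above are easy to state and easy to misremember. The following script, added here as an example and not part of the original course material, probes them with bash's ulimit builtin on the open-files limit (-n). Each probe runs in a subshell so the calling shell keeps its own limits; the value 4096 used to pin an "unlimited" hard limit is an arbitrary assumption.

```bash
#!/usr/bin/env bash
# Soft and hard resource limits as bash's ulimit exposes them (setrlimit(2)
# underneath). Every probe runs in a subshell so the calling shell keeps its limits.

# open_files_limits: prints "soft hard" for the open-file limit (ulimit -n)
open_files_limits() { echo "$(ulimit -S -n) $(ulimit -H -n)"; }

# pin_open_files N: lower both limits to N. Lowering is always permitted; the
# soft limit goes first because soft may never exceed hard.
pin_open_files() { ulimit -S -n "$1" && ulimit -H -n "$1"; }

# probe_soft_above_hard: prints "rejected" because setrlimit refuses a soft
# limit above the hard one for every user, root included
probe_soft_above_hard() {
  (
    hard=$(ulimit -H -n)
    # an unlimited hard limit cannot be exceeded; pin a finite one first (4096 is an assumption)
    [ "$hard" = unlimited ] && { pin_open_files 4096; hard=4096; }
    if ulimit -S -n $((hard + 1)) 2>/dev/null; then echo accepted; else echo rejected; fi
  )
}

# probe_raise_hard: lower the hard limit by one, then try to restore it.
# Prints "rejected" for an unprivileged process (a lowered hard limit is a
# one-way door) and "accepted" only with CAP_SYS_RESOURCE (normally root).
probe_raise_hard() {
  (
    hard=$(ulimit -H -n)
    [ "$hard" = unlimited ] && hard=4096
    pin_open_files $((hard - 1)) || { echo "cannot lower"; exit 0; }
    if ulimit -H -n "$hard" 2>/dev/null; then echo accepted; else echo rejected; fi
  )
}

# soft_limit_after_lowering N: the soft limit a child shell sees after ulimit -S -n N
soft_limit_after_lowering() { ( ulimit -S -n "$1" && ulimit -S -n ); }

# core_dumps_disabled: ulimit -c 0 keeps process memory (and any secrets in it)
# from being written to disk as a core file by anything started from this shell
core_dumps_disabled() { ( ulimit -S -c 0 && [ "$(ulimit -S -c)" = 0 ] ); }

# Stand-alone: show the current limits and the outcome of each probe
echo "open files (soft hard): $(open_files_limits)"
echo "soft above hard:  $(probe_soft_above_hard)"
echo "raise hard again: $(probe_raise_hard)"
```

Run it once as an ordinary user and once as root: the first probe is rejected either way, the second is rejected only for the unprivileged run, which is why a hard limit set in a login script (or in /etc/security/limits.conf) is an effective ceiling for that user.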
What do you enter at the command prompt to edit the /etc/sudoers file?
visudo Edit /etc/sudoers with visudo. visudo locks the file against concurrent edits and checks the syntax before saving, so a typo cannot leave sudo unusable for everyone (which would also lock you out of fixing it). Drop-in files under /etc/sudoers.d are checked the same way with visudo -cf file. To give standard user accounts permission to execute commands as the root user, use the sudo command coupled with the /etc/sudoers file. Be aware of the following facts about the sudo command and the /etc/sudoers file: When users need to execute the command, they use the sudo command followed by the command they want to execute. Users are prompted for a password to execute the command. This is the current user account password, not the root account password. Users and the commands they are entitled to execute are specified in the /etc/sudoers file. sudo logs every invocation, successful or not, through syslog: typically /var/log/secure on Red Hat based systems, /var/log/auth.log on Debian based systems, or the systemd journal.
You need to block all users from logging in to the Linux system while you resolve a serious issue. You first need to force all active users to logout. Which command should you enter to display a list of all active users?
w Use the w command to view all active user accounts. Administrators can prevent users from logging in to a Linux computer while resolving serious issues and can display a message to users who attempt to log in. To force all users to log out of the system:
1. Log in directly as the root user, on the console, so that your own session is not among those you terminate.
2. Use the w command to view all active user accounts.
3. Use pkill -KILL -u user for each active user. This kills every process that user owns, not only the login shell.
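The following script, added here as an example rather than taken from the course material, wraps the login-blocking procedure (force logout, create /etc/nologin, check that PAM actually consults it) in functions whose file paths are parameters, so it can be exercised against constructed files without root. One deliberate difference from the listed order: the nologin file is created before the sessions are killed, so that nobody can log back in between the two steps. The w output used for the stand-alone check is a constructed sample.

```bash
#!/usr/bin/env bash
# Login-blocking helpers. The paths are parameters (defaulting to the real
# files) so the functions can be exercised against constructed files without root.
NOLOGIN_FILE=${NOLOGIN_FILE:-/etc/nologin}
PAM_LOGIN_FILE=${PAM_LOGIN_FILE:-/etc/pam.d/login}

# active_users: unique non-root users with a session, parsed from `w -h`
# (W_OUTPUT, when set, supplies constructed w output instead)
active_users() {
  { [ -n "${W_OUTPUT-}" ] && printf '%s\n' "$W_OUTPUT" || w -h; } |
    awk 'NF && $1 != "root" { print $1 }' | sort -u
}

# check_pam_nologin [FILE]: succeeds if the login stack consults pam_nologin;
# without that line the nologin file is silently ignored. Debian places it in
# the auth stack, Red Hat based systems in the account stack.
check_pam_nologin() {
  grep -Eq '^[[:space:]]*(auth|account)[[:space:]]+(required|requisite)[[:space:]]+pam_nologin\.so' \
    "${1:-$PAM_LOGIN_FILE}"
}

# block_logins MESSAGE: create the nologin file. pam_nologin then refuses every
# non-root login and shows MESSAGE; root can still log in on the console.
block_logins() { printf '%s\n' "$1" > "$NOLOGIN_FILE" && chmod 0644 "$NOLOGIN_FILE"; }

# unblock_logins: remove the file to re-enable logins
unblock_logins() { rm -f "$NOLOGIN_FILE"; }

# logins_blocked: succeeds while the nologin file exists
logins_blocked() { [ -e "$NOLOGIN_FILE" ]; }

# force_logout USER: SIGKILL every process USER owns. That ends the login
# sessions, but also cron jobs, screen/tmux sessions and anything else they run.
# DRY_RUN=1 prints the command instead of executing it.
force_logout() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: pkill -KILL -u $1"
  else pkill -KILL -u "$1"; fi
}

# maintenance_lockout MESSAGE: the whole procedure. The file is created before
# the sessions are killed so nobody can log back in between the two steps.
maintenance_lockout() {
  check_pam_nologin || echo "warning: $PAM_LOGIN_FILE does not reference pam_nologin.so" >&2
  block_logins "$1"
  for u in $(active_users); do force_logout "$u"; done
}

# Stand-alone rehearsal without touching the real system (constructed w output):
#   DEMO=1 DRY_RUN=1 NOLOGIN_FILE=/tmp/nologin bash thisfile.sh
if [ "${DEMO-}" = 1 ]; then
  W_OUTPUT='jsmith   pts/0    10.0.0.5   09:12   1:03  0.05s 0.05s -bash
badams   tty2     -          08:55  10:00  0.10s 0.10s -bash'
  maintenance_lockout "System maintenance in progress; logins re-open at 18:00"
  logins_blocked && echo "logins blocked by $NOLOGIN_FILE"
fi
```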
Which of the following is an advantage of xinetd over inetd? xinetd uses separate configuration files for each managed service. xinetd does not require an external program, such as tcpd, to restrict access to its services. xinetd is written in Java and is, therefore, more secure. xinetd can listen on behalf of more than one service at a time.
xinetd uses separate configuration files for each managed service. inetd will run on any Linux distribution, but most distribution maintainers that still ship a super server use xinetd instead of inetd. Instead of storing configuration settings for all managed services in a single file (as inetd does), xinetd provides greater flexibility by using separate configuration files for each managed service. xinetd also has built-in access control (the only_from and no_access directives) and per-service rate limits, in addition to honouring the TCP wrapper files when built with libwrap. The computer language xinetd is written in has nothing to do with xinetd security.
15.3.4 Practice Questions
Sam, a system administrator, is implementing measures to harden the Linux systems on the network. Sam wants to modify kernel parameters at runtime to protect the system from SYN flood attacks using the sysctl command. Which file would Sam modify to implement the following changes?
# TCP SYN Flood Protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
/etc/sysconfig/iptables /etc/sysconfig/kernel /etc/sysctl.conf /proc/sys
/etc/sysctl.conf /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time; on systemd-based systems, drop-in files in /etc/sysctl.d/ are loaded the same way, and sysctl -p (or sysctl --system) applies them immediately. /etc/sysconfig/iptables contains the current firewall configuration. /proc/sys is a directory under the /proc virtual filesystem; the parameters available to sysctl are the files under /proc/sys/, and writing to them changes the running kernel but does not survive a reboot. /etc/sysconfig/kernel is the configuration file used to set the default kernel.
Management wants a compilation of specific data to occur every night. The only way to accomplish this task is to copy files throughout all network hosts to one server via TFTP. Which of the following files MUST be edited to enable xinetd to manage TFTP on the Linux server? /etc/tftpd /etc/xinetd.d/tftp /etc/services /etc/tftpd.conf
/etc/xinetd.d/tftp Virtually all Linux distributions that ship a super server today use the newer version of inetd called xinetd. If this is the case, then the correct file would be /etc/xinetd.d/tftp. /etc/xinetd.d contains separate configuration files for daemons being managed by xinetd. TFTP has no authentication and no encryption, so restrict the service to the intended hosts (for example with only_from in that file) and with a firewall rule.
15.1 Root Usage
As you study this section, answer the following questions: Which utility should you use to edit the /etc/sudoers file? What is the syntax for the /etc/sudoers file? How can you use su to execute a command without switching into another login console? Which su option will switch to another user and include the user's environment variables? How does the command prompt appear for a standard user account versus the root user account? In this section, you will learn to: Use su to switch to another user. Configure sudo to allow a specific user to complete specific commands with privileged access.
15.4.4 Practice Questions
Which of the following would enable the rsync service to be managed by the xinetd super daemon? Create the rsync file in /etc/xinetd.d Create a link to the rsync init script in the /etc/xinetd.d directory. Add XINETD = true to the rsync init script. Type xinetd rsync on.
Create the rsync file in /etc/xinetd.d You enable services to be managed by the xinetd super server by creating a file containing the service description in the /etc/xinetd.d directory and then restarting the xinetd service. Creating a link to the rsync init script in the /etc/xinetd.d directory would not work because the xinetd service does not use standard init scripts to manage services. The xinetd service cannot be made aware of a service by executing xinetd with the service as an operand.
15.11.4 Practice Questions
DTLS IPSec With transport mode, only the payload of the IP packet is encrypted, and the original IP headers are left intact. SSL/TLS VPN
Install or verify that the TCP wrappers package is installed.
Ensure that the TCP wrappers package (tcpd) is installed with the rpm -q or dpkg -s commands. If not, use dnf, zypper, or apt-get to install it. e.g. rpm -q tcpd uses the rpm utility to determine whether tcpd is installed. dpkg -s tcpd performs the identical function on Debian distributions.
General Security Procedures
If you have application or hardware issues, check to make sure that you have not blocked an essential component in your efforts to increase security. You can check availability as follows:
Software: use dnf list installed to see installed RPM packages or dpkg --get-selections to see installed Debian packages.
Network services: use chkconfig for init-based systems. Use systemctl list-unit-files for systemd-based systems.
Ports: use nmap as previously described.
Connections: use netstat (or ss) as previously described.
Protocols or firewall ACLs: use iptables -L for the current firewall configuration or cat /etc/sysconfig/iptables to read the firewall file. On systems that use firewalld or nftables, use firewall-cmd --list-all or nft list ruleset instead.
LDAP Integration
LDAP stands for Lightweight Directory Access Protocol. It is an application protocol used over an IP network to manage and access the distributed directory information service. When authenticating or authorizing a user, pam_ldap first maps the user's login name to a distinguished name by searching the directory server. This must be possible using the local system's identity, which is specified in pam_ldap.conf. To authenticate a user, pam_ldap attempts to bind to the directory server using the distinguished name of the user (retrieved previously). Both simple and SASL authentication mechanisms are supported; with a simple bind, use transport security (ldaps:// or StartTLS) so the user's password is not transmitted in the clear. pam_ldap stores its configuration in the pam_ldap.conf file. See your man pages for the configuration options available for your distribution. On current distributions, sssd (with its pam_sss module) has largely replaced pam_ldap and adds credential caching for offline use.
logout
Logs out of the system, while leaving the system powered on. e.g. logout ends the login shell. It has the same effect as exit in a login shell, but unlike exit it refuses to run in a non-login (sub)shell.
15.10.4 Practice Questions
MD5 id_rsa.pub id_rsa ssh-add ~/.ssh/id_dsa ssh-agent bash PubkeyAuthentication yes
Configuration Files
OpenSSH uses the following configuration files:
What is the effect of the following command? chage -M 60 -W 10 jsmith Deletes the jsmith user account after 60 days and gives a warning 10 days before it expires. Forces jsmith to keep the password 60 days before changing it and gives a warning 10 days before changing it. Sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires. Sets the password for jsmith to expire after 6 days and gives a warning 10 days before it expires.
Sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires. chage -M 60 -W 10 jsmith sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires. chage sets user passwords to expire. Be aware of the following options: -M sets the maximum number of days before the password expires. -W sets the number of days before the password expires that a warning message displays. -m sets the minimum number of days that must pass after a password has been changed before a user can change the password again. chage -l jsmith displays the current settings for one user.
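The -m, -M and -W values chage sets are stored as fields in /etc/shadow, which is where the page says to look for the current limits. The following audit script, added here as an example and not part of the course material, reads those fields for every account with a real password hash, flags the ones that miss a policy (the 90/1/7 day thresholds are assumptions), and prints the chage command that would bring them into line. The shadow lines in the stand-alone run are constructed; reading the real /etc/shadow requires root.

```bash
#!/usr/bin/env bash
# Audit the password-ageing fields of /etc/shadow (the values chage -m/-M/-W set).
# Field layout:  name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is in days since the epoch. Reading the real file needs root, so
# SHADOW_FILE may point at a copy or a constructed sample.
SHADOW_FILE=${SHADOW_FILE:-/etc/shadow}
MAX_DAYS=${MAX_DAYS:-90}      # policy (assumption): expire within 90 days
MIN_DAYS=${MIN_DAYS:-1}       # policy (assumption): at least a day between changes
WARN_DAYS=${WARN_DAYS:-7}     # policy (assumption): warn a week ahead

# today_days: days since the epoch, the unit /etc/shadow uses for lastchg
today_days() { echo $(( $(date +%s) / 86400 )); }

# shadow_audit [FILE] [TODAY]: one line per violating account, of the form
#   user: reason ... -> chage <options> user
# Locked (!...), disabled (*) and empty-hash accounts are skipped: ageing
# does not apply to them. An account already past its maximum is marked EXPIRED.
shadow_audit() {
  local file=${1:-$SHADOW_FILE} now=${2:-$(today_days)}
  awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_DAYS" -v now="$now" '
    $2 == "" || $2 ~ /^[!*]/ { next }
    {
      user = $1; last = $3
      mn = ($4 == "" ? 0 : $4); mx = ($5 == "" ? 99999 : $5); wn = ($6 == "" ? 0 : $6)
      why = ""; fix = ""
      if (mx + 0 > max + 0)  { why = why "max=" mx " ";  fix = fix " -M " max }
      if (mn + 0 < min + 0)  { why = why "min=" mn " ";  fix = fix " -m " min }
      if (wn + 0 < warn + 0) { why = why "warn=" wn " "; fix = fix " -W " warn }
      if (last != "" && now - last > mx + 0) why = why "EXPIRED "
      if (why != "") {
        line = user ": " why
        if (fix != "") line = line "-> chage" fix " " user
        print line
      }
    }' "$file"
}

# Stand-alone: audit a constructed sample (hashes shortened; 19800 = a fixed "today")
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$abc:19700:0:99999:7:::
jsmith:$6$def:19650:1:90:7:::
badams:$6$ghi:19790:7:60:14:::
daemon:*:19000:0:99999:7:::
svc:$6$jkl:19790:0:90:0:::
EOF
shadow_audit "$sample" 19800
rm -f "$sample"
```

Treat the root line with care before pasting the suggested command: a maximum age on root is sensible only where console access is guaranteed, because an expired root password on a headless box means a rescue boot.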
Host_Alias
Specifies a list of computers on which sudo users can perform commands. e.g. Host_Alias FILESERVERS = fs1, fs2, fs3 adds the three computers to the alias. Host_Alias EVERYWHERE = *.mydomain.com creates an alias for all computers on the mydomain network.
/etc/xinetd.conf
The /etc/xinetd.conf file configures the xinetd daemon. The default configuration for this file rarely needs adjustment; however, be aware of the following parameters: > instances sets the maximum number of concurrent requests xinetd can support. > log_type configures the location where xinetd writes logs to. The default is the /var/log/xinetd.log file. > log_on_success determines whether successful connections are logged. > log_on_failure determines whether failed or disallowed connections are logged. > cps limits the number of connections per second. > includedir /etc/xinetd.d tells the xinetd daemon to use the service-specific configuration files in the /etc/xinetd.d directory.
/etc/xinetd.d
The /etc/xinetd.d directory contains a file for each network daemon managed by xinetd. The configuration file determines how xinetd will enable the network daemon. Parameters include: > disable (yes or no) turns the daemon off or on. > service names the daemon. The name often comes from the /etc/services file. > socket_type determines whether the socket type is a stream (TCP) or dgram (UDP). > wait specifies whether the daemon is single-threaded or multi-threaded. A yes specifies single-threaded. > user determines the user under which the daemon runs. > server lists the path to the daemon's executable. > log_on_failure defines what is logged for failed or refused connections. Each enabled daemon requires an exception in the host-based firewall to open the port for that daemon.
15.5.3 The xinetd Daemon and TCP Wrapper Facts
The Extended Internet Service Daemon (xinetd) is a super-server daemon that runs on many Linux distributions. It manages many network services on a Linux system. This lesson covers the following topics: Key xinetd facts Configuration files Steps to use TCP wrappers to restrict daemon access
Commands to Enhance Security
The following table describes commands used to promote user security and restrictions.
Commands Used with SSH
The following table lists commands used in conjunction with SSH:
Configuration Files
Use the following files to configure the xinetd super daemon:
Network and System Security Configuration with /etc/sysctl
You can harden your Linux network and system settings using sysctl. The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time (drop-in files in /etc/sysctl.d/ serve the same purpose on current distributions). sysctl and settings in /etc/sysctl.conf include the ability to: > Restrict what the system accepts from the network for IPv4 and IPv6 (for example ignoring ICMP broadcasts and redirects). > Turn on Exec Shield buffer overflow protection (a feature of older Red Hat kernels; current kernels rely on NX and ASLR, controlled by kernel.randomize_va_space, instead). > Protect against SYN flood attacks (net.ipv4.tcp_syncookies). > Turn on source IP address verification (net.ipv4.conf.all.rp_filter). > Protect against a spoofing attack on the IP address of the server. > Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects (net.ipv4.conf.all.log_martians). The parameters available for sysctl are listed under /proc/sys/. Procfs is required for sysctl support in Linux. You can use sysctl to both read and write sysctl data. The following table lists parameters you can use with sysctl.
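Writing the values into /etc/sysctl.conf is only half the job; the kernel must actually be running them. The following script, added here as an example and not part of the course material, renders the three SYN-flood settings from the practice question as a sysctl.d drop-in and compares them with the live values under /proc/sys. The PROC_SYS variable lets the comparison run against a constructed directory tree, which is what the stand-alone run and the test use; the drop-in file name 90-syn-flood.conf is an assumption.

```bash
#!/usr/bin/env bash
# Render the SYN-flood sysctl settings and detect drift between the desired
# values and what the kernel is running. PROC_SYS may point at a constructed
# tree so the check works without the real /proc (and without root).
PROC_SYS=${PROC_SYS:-/proc/sys}

# desired_sysctl: "key value" pairs (the three settings from the question)
desired_sysctl() {
  cat <<'EOF'
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 2048
net.ipv4.tcp_synack_retries 3
EOF
}

# render_sysctl_conf: the file to drop into /etc/sysctl.d/ (or /etc/sysctl.conf)
render_sysctl_conf() {
  echo '# TCP SYN flood protection'
  desired_sysctl | awk '{ printf "%s = %s\n", $1, $2 }'
}

# sysctl_value KEY: the live value from PROC_SYS (dots in the key become slashes)
sysctl_value() {
  local path="$PROC_SYS/$(printf '%s' "$1" | tr . /)"
  [ -r "$path" ] && tr -d '[:space:]' < "$path"
}

# sysctl_drift: prints "key expected actual" for every setting that differs
# (actual is "missing" when the kernel has no such parameter); returns 1 on drift
sysctl_drift() {
  local key want got rc=0
  while read -r key want; do
    got=$(sysctl_value "$key") || got=missing
    if [ "$got" != "$want" ]; then echo "$key $want $got"; rc=1; fi
  done <<EOF
$(desired_sysctl)
EOF
  return $rc
}

# apply_sysctl_dropin: install the drop-in and load every sysctl file (needs root)
apply_sysctl_dropin() {
  render_sysctl_conf > /etc/sysctl.d/90-syn-flood.conf && sysctl --system
}

# Stand-alone: check a constructed tree in which one value is wrong and one is absent
demo=$(mktemp -d)
mkdir -p "$demo/net/ipv4"
echo 0 > "$demo/net/ipv4/tcp_syncookies"
echo 2048 > "$demo/net/ipv4/tcp_max_syn_backlog"
PROC_SYS=$demo sysctl_drift || echo "drift detected; apply the drop-in and run: sysctl --system"
rm -rf "$demo"
```

Against the real kernel, run it as PROC_SYS=/proc/sys bash thisfile.sh (the default). Note that a value set only with sysctl -w shows no drift until the next reboot, which is exactly the case the drop-in file prevents.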
15.1.6 Log Out of the System
Your system administrator scheduled a system update that requires all machines to be running and all users to be logged out of the system. In this lab, your task is to log out of the system while leaving the system powered on. Complete this lab as follows: At the prompt, type logout. Press Enter to log off of the system.
Which configuration file should you edit to enable Pluggable Authentication Modules (PAM) to check for a file named /etc/nologin? /etc/pam.d/nologin /etc/login /etc/pam.d/login /etc/nologin
/etc/pam.d/login Login blocking is enabled using the Pluggable Authentication Modules (PAM) module configured in the /etc/pam.d/login file. Administrators can prevent users from logging in to a Linux computer while resolving serious issues and can display a message to users attempting to log in. Create the /etc/nologin file to disable the ability to login to the system and add a message to the file to display to users when they attempt to log in. The /etc/login and /etc/pam.d/nologin files do not exist.
The root user attempted to log in to the system using tty and was denied access. The pam_securetty module uses a configuration file to determine which virtual terminals (tty#) that root is allowed to log in from. Which of the following files would the root user check to see which terminals are permitted? pam_securetty /etc/securetty pam_ldap.conf /etc/pam.d/password-auth
/etc/securetty When a root user attempts to log in to a system using a tty, the pam_securetty module uses the /etc/securetty file to decide which virtual terminals (tty#) root is allowed to log in from. pam_ldap stores its configuration in the pam_ldap.conf file. /etc/pam.d/password-auth is a PAM configuration file that is used to configure settings such as the number of incorrect password attempts before locking the account. pam_securetty is a module, not a configuration file. Note that if /etc/securetty is absent, pam_securetty logs a notice and permits the login, and some recent distributions no longer ship the file at all; on those, restrict root logins through sshd (PermitRootLogin) and the display manager instead.
What is the full path and filename of the file you should edit to limit the amount of concurrent logins for a specific user?
/etc/security/limits.conf Use the /etc/security/limits.conf file (and drop-ins under /etc/security/limits.d/) to set persistent resource limits for users and groups; they are applied at login by the pam_limits module of the Pluggable Authentication Modules (PAM) module set. Each entry has four fields: domain (a user name, @group, or *), type (hard or soft), item (for example nofile, nproc, core, or maxlogins), and value. To limit a specific user to two concurrent logins, the entry is jsmith hard maxlogins 2.
You need to configure which commands are allowed to be used with the sudo command. What is the full path and filename of the file you should edit?
/etc/sudoers sudo uses the /etc/sudoers file to configure the users and the commands they are entitled to execute. To give standard user accounts the permissions to execute commands as the root user, use the sudo command coupled with the /etc/sudoers file. Be aware of the following facts about the sudo command and the /etc/sudoers file: When users need to execute the command, they use the sudo command followed by the command they want to execute. Users are prompted for a password to execute the command. This is the current user account password, not the root account password. The /etc/sudoers file should only be edited using the visudo command, which checks the syntax before saving. sudo logs information about the users and the commands they run, as well as failed attempts to use sudo, through syslog (typically /var/log/secure on Red Hat based systems or /var/log/auth.log on Debian based systems).
You want to allow any host from westsim.com to have access to your system. Which of the following line items would you add to the /etc/hosts.allow file to accomplish this task? ALLOW: .westsim.com = YES ALLOW: .westsim.com ANY: .westsim.com ALL: .westsim.com
ALL: .westsim.com The correct line is ALL: .westsim.com. ALL means all services are available; .westsim.com means any host at westsim.com. There are no keywords such as ANY, ALLOW, or YES for the /etc/hosts.allow file.
15.3 Login Blocking
As you study this section, answer the following questions: Which command displays all active users on the Linux system? Which utility should you use to remove active users? Which file configures login blocking? How can you display a message to users when logins are blocked? Which PAM module file configures login blocking? This section helps you prepare for the following certification exam objectives:
You want to allow any host from westsim.com to have access to your system except a system called testsvr.westsim.com. Which of the following line items would you add to the /etc/hosts.allow file to accomplish this task? ALLOW: .westsim.com, testsvr.westsim.com = NO ANY: .westsim.com EXCEPT testsvr.westsim.com ALL: .westsim.com EXCEPT testsvr.westsim.com ALLOW: .westsim.com ALL EXCEPT testsvr.westsim.com
ALL: .westsim.com EXCEPT testsvr.westsim.com The correct line is ALL: .westsim.com EXCEPT testsvr.westsim.com. ALL means all services are available. .westsim.com means any host at westsim.com and the keyword EXCEPT sets the exception for testsvr.westsim.com. There are no keywords such as ANY and ALLOW for the /etc/hosts.allow file.
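The two hosts.allow questions above, and the rlogin/hosts.deny question at the top of this page, all turn on the same evaluation order: hosts.allow first, then hosts.deny, first match wins, no match means allow. The following script, added here as an example and not part of the course material, models that decision in shell for the patterns the page uses (ALL, exact names, leading-dot domain suffixes, trailing-dot address prefixes, EXCEPT) and runs two constructed rule sets through it. The "naive" set pairs the page's deny rule with a broad allow rule and shows two pitfalls: a marketing host whose reverse name is in westsim.com is allowed before the deny file is ever consulted, and EXCEPT in hosts.allow only withholds a grant, so the excluded test server still gets in unless hosts.deny has a catch-all. The "fixed" set expresses both exclusions in hosts.allow and ends hosts.deny with ALL: ALL. The 10.20.30.0/24 marketing subnet is an assumption; netmasks, LOCAL/KNOWN/PARANOID and shell commands are not modelled.

```bash
#!/usr/bin/env bash
# Model of the TCP wrappers (tcpd/libwrap) access decision, per hosts_access(5):
#   1. /etc/hosts.allow is searched; the first matching rule grants access.
#   2. Otherwise /etc/hosts.deny is searched; the first matching rule denies access.
#   3. Otherwise access is granted.
# Modelled patterns: ALL, an exact host name or address, a leading-dot domain
# suffix (.westsim.com), a trailing-dot address prefix (10.20.30.), and EXCEPT.
# Not modelled: netmasks, LOCAL/KNOWN/UNKNOWN/PARANOID, nested EXCEPT, shell commands.

# match_token PATTERN HOST IP: succeeds if one pattern matches the client
match_token() {
  local pat=$1 host=$2 ip=$3
  case "$pat" in
    ALL) return 0 ;;
    .*)  case "$host" in *"$pat") return 0 ;; esac ;;   # domain suffix
    *.)  case "$ip" in "$pat"*) return 0 ;; esac ;;     # address prefix
    *)   [ "$pat" = "$host" ] || [ "$pat" = "$ip" ] && return 0 ;;
  esac
  return 1
}

# match_list "A, B EXCEPT C" HOST IP: any of A,B matches and none of C matches
match_list() {
  local list=$1 host=$2 ip=$3 inc exc= tok hit=1
  inc=${list%%EXCEPT*}
  case "$list" in *EXCEPT*) exc=${list#*EXCEPT} ;; esac
  for tok in $(printf '%s' "$inc" | tr ',' ' '); do
    match_token "$tok" "$host" "$ip" && { hit=0; break; }
  done
  [ "$hit" -eq 0 ] || return 1
  for tok in $(printf '%s' "$exc" | tr ',' ' '); do
    match_token "$tok" "$host" "$ip" && return 1
  done
  return 0
}

# file_matches FILE DAEMON HOST IP: succeeds if any "daemons : clients" rule
# matches. A missing file is treated as empty, exactly as libwrap does.
file_matches() {
  local file=$1 daemon=$2 host=$3 ip=$4 line dlist clist
  [ -r "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case "$line" in *[![:space:]]*) ;; *) continue ;; esac
    dlist=${line%%:*}
    clist=${line#*:}; clist=${clist%%:*}      # ignore an optional shell_command field
    match_list "$dlist" "$daemon" "$daemon" || continue
    match_list "$clist" "$host" "$ip" && return 0
  done < "$file"
  return 1
}

# tcpd_decision ALLOWFILE DENYFILE DAEMON HOST IP: prints allow or deny
tcpd_decision() {
  if   file_matches "$1" "$3" "$4" "$5"; then echo allow
  elif file_matches "$2" "$3" "$4" "$5"; then echo deny
  else echo allow
  fi
}

# Constructed rule sets (the marketing subnet 10.20.30.0/24 is an assumption).
# write_rules_naive DIR: the page's deny rule next to a broad allow rule
write_rules_naive() {
  printf 'ALL: .westsim.com EXCEPT testsvr.westsim.com\n' > "$1/hosts.allow"
  printf 'in.rlogind: 10.20.30.\n' > "$1/hosts.deny"
}
# write_rules_fixed DIR: exclusions expressed in the file searched first, plus a catch-all deny
write_rules_fixed() {
  {
    printf 'in.rlogind: .westsim.com EXCEPT testsvr.westsim.com, 10.20.30.\n'
    printf 'ALL EXCEPT in.rlogind: .westsim.com EXCEPT testsvr.westsim.com\n'
  } > "$1/hosts.allow"
  printf 'ALL: ALL\n' > "$1/hosts.deny"
}

# Stand-alone: DEMO=1 bash thisfile.sh shows both rule sets for a marketing host
if [ "${DEMO-}" = 1 ]; then
  d=$(mktemp -d)
  write_rules_naive "$d"
  echo "naive rules, mkt7.westsim.com rlogin: $(tcpd_decision "$d/hosts.allow" "$d/hosts.deny" in.rlogind mkt7.westsim.com 10.20.30.7)"
  write_rules_fixed "$d"
  echo "fixed rules, mkt7.westsim.com rlogin: $(tcpd_decision "$d/hosts.allow" "$d/hosts.deny" in.rlogind mkt7.westsim.com 10.20.30.7)"
  rm -rf "$d"
fi
```

On a system that still has TCP wrappers, tcpdmatch in.rlogind mkt7.westsim.com gives the authoritative answer for the real files; the model above is for reasoning about rule order before you deploy them.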
15.4.3 Network Security Facts
Adhering to general security procedures can simplify and enhance efforts to increase network security. This lesson covers the following topics: General security procedures. Network and system security configuration with /etc/sysctl.
15.3.3 Login Blocking Facts
Administrators can prevent users from logging in to a Linux system. This may be necessary while troubleshooting problems or while responding to a security event. This lesson covers the following topics: Pluggable Authentication Modules (PAM) Login blocking process
What does the netstat -a command show? All listening and non-listening sockets All network users All listening sockets All connected hosts
All listening and non-listening sockets The netstat -a command shows the status of all listening and non-listening sockets. netstat is part of the deprecated net-tools package; ss -a from iproute2 provides the same view on current distributions.
sudoedit
Allows users to securely edit files. This command is equivalent to running sudo -e. When using sudoedit, users edit the desired file as themselves, and not the root account. When run, sudoedit first creates a temporary copy of the desired file. Changes are then made to that file. When done, the changes made to the temporary files are copied back to their original location, and the temporary versions are removed. To use sudoedit to limit users in the managers group to edit a specific file, edit the sudoers file and add a sudoedit line similar to the following example: %managers ALL = sudoedit /path_to_the_file. A common implementation of this is to use the wheel group. Most Linux systems use user groups as a security protocol to control access privileges. The wheel group is a special user group used on some Linux systems that controls access to the su or sudo command. Therefore, to use sudoedit to limit users in the wheel group, add a sudoedit line similar to the following example: %wheel ALL = sudoedit /path_to_the_file. e.g. sudoedit /etc/hosts.allow lets those in the group specified in the sudoers file (such as the managers group) to edit the hosts.allow file.
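The alias and sudoedit entries described above only take effect once they are in a file that visudo accepts, and a single syntax error in /etc/sudoers disables sudo for everyone. The following script, added here as an example and not part of the course material, renders the page's User_Alias, Cmnd_Alias, Host_Alias and Runas_Alias examples into one drop-in, runs a few static checks that catch common mistakes (relative command paths, which sudoers rejects; NOPASSWD: ALL and wildcarded sudoedit targets, which it accepts but which hand out far more than intended), and then installs the file the way visudo expects it. The managers rule on /etc/hosts.allow, the drop-in name, and the lint policy are assumptions.

```bash
#!/usr/bin/env bash
# Build a sudoers drop-in from the alias examples and check it before it goes
# live. Never edit /etc/sudoers with a plain editor: a syntax error disables
# sudo for every user. Drop-ins live in /etc/sudoers.d/ (root-owned, mode 0440)
# and are validated with visudo -cf FILE just like the main file.

# render_sudoers_fragment: the four alias kinds plus the rules that use them.
# Alias contents are the page's examples; the managers rule is an assumption.
render_sudoers_fragment() {
  cat <<'EOF'
User_Alias  INSTALLERS  = jsmith, psimms
Cmnd_Alias  INSTALL     = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
Host_Alias  FILESERVERS = fs1, fs2, fs3
Runas_Alias DATABASE    = root
INSTALLERS  FILESERVERS = (DATABASE) INSTALL
%managers   ALL = sudoedit /etc/hosts.allow
EOF
}

# lint_sudoers FILE: static checks for mistakes visudo rejects (relative command
# paths) or accepts but that widen the grant far beyond what was probably meant.
# Prints one line per finding and returns 1 if there were any.
lint_sudoers() {
  local file=$1 line rest entry cmd n=0 rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|\#*) continue ;; esac
    case "$line" in
      Cmnd_Alias*)
        rest=${line#*=}
        while [ -n "$rest" ]; do
          entry=${rest%%,*}                                   # one comma-separated entry
          case "$rest" in *,*) rest=${rest#*,} ;; *) rest= ;; esac
          set -- $entry; cmd=${1-}                            # the command is the entry's first word
          case "$cmd" in
            /*|ALL|!/*) ;;
            *) echo "$file:$n: '$cmd' is not an absolute path (sudoers requires fully qualified commands)"; rc=1 ;;
          esac
        done ;;
      *NOPASSWD:*ALL*)
        echo "$file:$n: NOPASSWD with ALL is unrestricted passwordless root; list the commands instead"; rc=1 ;;
      *sudoedit*\**)
        echo "$file:$n: wildcard in a sudoedit target lets the user edit any matching file; name the file"; rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# install_sudoers_dropin FILE NAME: lint, validate with visudo, then install
# under /etc/sudoers.d with the ownership and mode visudo expects. Needs root.
install_sudoers_dropin() {
  lint_sudoers "$1" && visudo -cf "$1" &&
    install -o root -g root -m 0440 "$1" "/etc/sudoers.d/$2"
}

# Stand-alone: render and lint the fragment; validate with visudo where available
if [ "${DEMO-}" = 1 ]; then
  tmp=$(mktemp)
  render_sudoers_fragment > "$tmp"
  lint_sudoers "$tmp" && echo "lint: ok"
  command -v visudo >/dev/null && visudo -cf "$tmp"
  rm -f "$tmp"
fi
```

visudo -cf also checks the file's owner and mode, so run the check on the installed copy (or as root on a root-owned temporary file) rather than on a file in your home directory, or it reports a permissions problem instead of a syntax result.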
Lightweight Directory Access Protocol (LDAP)
An open, vendor-neutral, industry-standard application protocol used to locate organizations, individuals, and other resources, such as files and devices in a network, on the internet or on a corporate intranet.
15.2 User Security and Restriction
As you study this section, answer the following questions: What are the characteristics of a secure password? Which chage option sets the minimum number of days a user must keep a password? What type of resources are affected by the ulimit utility? When would you need to configure the /etc/security/limits.conf file? What is the syntax of the /etc/security/limits.conf file? What does file auditing allow you to do? Key terms for this section include the following:
15.6 OpenSSH
As you study this section, answer the following questions: What are the differences between symmetric and asymmetric encryption? When would you use the Diffie-Hellman Key Exchange encryption standard? Which encryption standards are supported by SSH1? Which encryption standards are supported by SSH2? Where does a client store public keys it has received from SSH servers? Which keys are sent to the client when establishing an SSH session? Which file should you edit to configure the SSH daemon on the server? Which file overrides the client's SSH configuration on a per-user basis? What ssh command would you use to log in to a server, execute a command, and return to the local system's shell prompt? In this section, you will learn to: Configure OpenSSH. Key terms for this section include the following:
15.4 Network Security
As you study this section, answer the following questions: What is a socket? Which utility will scan for all listening and non-listening sockets? Which utility will identify open ports on the Linux system? Which commands should you use to disable unneeded services? Key terms for this section include the following:
15.7 SSH Port Tunneling
As you study this section, answer the following questions: What is the benefit of tunneling traffic through an SSH connection? Which file on the server configures SSH port tunneling? Which ssh command should you use to tunnel X server traffic? How can you send unencrypted X server traffic between a client and server? This section helps you prepare for the following certification exam objectives:
15.5 The xinetd Super Daemon
As you study this section, answer the following questions: When should you use TCP wrappers? Which types of files are stored in the /etc/xinetd.d directory? Which files configure the xinetd daemon? When should you use the /etc/host.allow or /etc/host.deny files? Which utility confirms the TCP wrapper configuration? Key terms for this section include the following:
What is the purpose of the find / -type f -perm -o=x -ls command? Audit files in the root directory that have execute permissions for group owners. Audit files in the root directory that have execute permissions for the owner. Audit files in the root directory that have execute permissions for others.
Audit files in the root directory that have execute permissions for others. find / -type f -perm -o=x -ls audits and displays files in the root directory that have execute permissions for others. Use the find / -type f -perm command with the following options to audit for files that pose a security risk: -o=x audits for the execute permission for others. -o=w audits for the write permission for others. -g=x audits for the execute permission for group owners. -u=x audits for the execute permission for the owner. -u=s audits for the SUID bit.
What is the purpose of the find / -type f -perm -u=s -ls command? Audit files in the root directory that have execute permissions for group owners. Audit files in the root directory that have execute permissions for others. Audit files in the root directory that have execute permissions for the owner. Audit files in the root directory that have the SUID bit set.
Audit files in the root directory that have the SUID bit set. find / -type f -perm -u=s -ls audits and displays files in the root directory that have the SUID bit set. Use the find / -type f -perm command with the following options to audit for files that pose a security risk: -o=x audits for the execute permission for others. -o=w audits for the write permission for others. -g=x audits for the execute permission for group owners. -u=x audits for the execute permission for the owner. -u=s audits for the SUID bit.
find / -type f -perm
Audits for files that pose a security risk. Be aware of the following options: -o=x audits for the execute permission for others. -o=w audits for the write permission for others. -g=x audits for the execute permission for group owners. -g=s audits for the SGID bit. -u=s audits for the SUID bit. *Include the -ls option to display the results as a long listing. e.g. find / -type f -perm -u=s -ls find / -type f -perm -g=s -ls find / -type f -perm -o=x -ls find / -type f -perm -g=x -ls find / -type f -perm -u=x,o=w -ls
Key Facts
Be aware that SSH: Uses a public and private key pair to encrypt and transfer a symmetric key that is then used by both hosts to encrypt and decrypt transmissions during the SSH session. The public key is available to all users. The private key is kept secure and is never shared. Can use associated key management software and scripts to automate the exchange of public keys. Can be used to create a secure tunnel through which other unsecure network protocols, such as IMAP, POP3, SMTP, and X server traffic can be transmitted. Is available in two versions: SSH version 1 (SSH1) is an older, less secure version of SSH. SSH1 only supports RSA encryption. SSH version 2 (SSH2) is the current standard SSH implementation. It can use either DSA or RSA encryption.
Key Facts
Be aware that the xinetd daemon: > Starts and stops network daemons as necessary to provide port security and conserve resources. > Receives requests for network services from client computers. > Acts as an intermediary between the user requesting a network service and the actual daemon that provides the service. > Can be configured to grant and deny access to specific services based on the IP address of the computer making the request. This is done using a separate package called TCP wrappers. > Increases server latency and might not be optimal for servers with very high request volumes. > Must be restarted after configuration changes. The inetd daemon is a super-daemon (similar to xinetd) that was used on older Linux distributions. Like xinetd, the inetd daemon acts as a mediator for connection requests to network services running on the Linux host. It accepts connection requests from client systems, starts the requested service, and then forwards the requests from clients to the newly started daemon. When the transaction is complete and the connection from the client is terminated, the daemon is stopped on the Linux host. Unlike the xinetd daemon, all of the services managed by inetd are configured using a single configuration file (/etc/inetd.conf). Each line in this file configures a single service to be managed by inetd using the following syntax: service_name socket_type protocol flags user executable arguments
15.5.4 Practice Questions
CIST 2431
Steps to Establish an SSH Connection
Computers use the following steps when establishing a session using SSH:
last
Displays a list of all users logged in (and out) since the /var/log/wtmp file was created. Options include the following: -n num limits the number of lines that last outputs. -f filename reads from the file filename instead of the system's wtmp file. -x prints run level changes, shutdowns, and time changes in addition to the normal records. -a displays the hostname in the last column. -i prints the IP address instead of the hostname. -w instructs last to print out the fields in the wtmp file with full field widths. --debug prints verbose internal information. -s prints seconds when displaying dates. -y prints years when displaying dates. -V prints last's version number. last shows all of the users logged in and out since the /var/log/wtmp file was created. last -a displays the hostname in the last column.
Commands to Manage Limited Root-Level Access
Each of these aliases is defined independently within the /etc/sudoers file. To grant users elevated access to the system, these aliases need to be associated with each other to define exactly what will happen. The syntax is as follows: User_Alias Host_Alias = (user) Cmnd_Alias For example, the aliases defined in the table above can be associated with each other using the following entry in /etc/sudoers: INSTALLERS FILESERVERS = (root) INSTALL Using this entry, the users associated with the INSTALLERS user alias are allowed to run the commands in the INSTALL command alias on the hosts contained in the FILESERVERS host alias as the root user. *If Runas_Alias is omitted, the default is to run the commands as the root user. The following table describes the commands for configuring and using sudo.
15.1.5 Switch Users
Earlier in the day, you created a user account for Brenda Cassini (bcassini). When she tries to log in, she can't. You realize that you misspelled her username as bcasini. You are logged on as wadams, so you will have to address this issue as the root user. The root password is 1worm4b8. In this lab, your task is to: Change the user account name from bcasini to bcassini. Change the home directory to /home/bcassini. When you're finished, view the /etc/passwd file to verify the changes. *There is more than one procedure that can be used to make the required changes. It is possible to complete these tasks with a single command using the su -c "command" syntax. Complete this lab as follows: Procedure 1 > At the prompt, type su - and press Enter to change to the root user. > Type 1worm4b8 as the root password and press Enter. > Type usermod -l bcassini bcasini and press Enter to change the account name. > Type usermod -d /home/bcassini bcassini and press Enter to change bcassini's home directory. > Use cat /etc/passwd and press Enter to verify the changes. Procedure 2 > At the prompt in the wadams account, type su -c "usermod -l bcassini -d /home/bcassini bcasini" and press Enter to complete this task using a single command. > Type 1worm4b8 as the root password and press Enter.
Edit the daemon files in /etc/xinetd.d.
Edit and save the /etc/xinetd.d daemon file(s) for the daemon(s) as follows: > Comment out the existing server= line with the number symbol (#). > Add the line server = /usr/sbin/tcpd to send requests through tcpd so it can grant or deny access. > Add the line server_args = path_to_executable to provide the tcpd daemon with the path to the executable file of the service. > Set the disable line to no. e.g. # server = /usr/bin/rsync tells the computer to treat this line as a comment and ignore it. server = /usr/sbin/tcpd replaces the direct path to the executable with the path to tcpd so the request can be filtered. server_args = /usr/bin/rsync specifies the executable to be started if access is granted. disable = no enables the service through xinetd.
You manage a Linux server that occasionally needs to provide ftp services at irregular intervals. To save on resources, you want to have the ftp server service running only when it is needed, and stopped the rest of the time. Which of the following solutions would satisfy these requirements and require the LEAST amount of effort? Manually start and stop the ftp service at regular intervals. Create a link to the ftp services init script in the /etc/rc3.d directory. Write a shell script that starts the ftp server at random times. Enable the ftp service to be managed by the xinetd service.
Enable the ftp service to be managed by the xinetd service. The xinetd service is also known as a super server. A super server is a service that listens on behalf of other services, starting them only when they are requested, and stopping them when finished. Starting the ftp service at random or scheduled times may not allow the service to be available when needed. Creating a link to the ftp services init script in the /etc/rc3.d directory would only enable the service to start automatically in runlevel 3.
You want to limit Telnet access to three specific users. Which of the following strategies will BEST accomplish this goal? Enter IP address entries for the three users in the /etc/hosts.allow file. Enter the three users' IP addresses in the /etc/usertty file. Create invalid remote shells for all but the three users allowed access. Set a limit for Telnet in the /etc/inetd.conf file.
Enter IP address entries for the three users in the /etc/hosts.allow file. Use the /etc/hosts.allow file to list the IP addresses of the only hosts allowed access. In the /etc/inetd.conf file, you can only enable or disable telnet completely and cannot place user limits there. The /etc/usertty file can hold restrictions for users based on username, but cannot hold restrictions based on IP address.
sudo
Executes a command as the root user. To use this command, first type sudo and then type the command as you normally would. e.g. sudo yum install sysstat installs the sysstat package as the root user.
File Types that Pose a Risk
File types that pose a security risk to a computer include: > Executable files owned by the root user that have the SUID (Set User ID) permission. With the SUID permission, executables run with the owner's permissions, not with the permissions of the user who runs them. > Executable files owned by the root group that have the SGID (Set Group ID) permission. With the SGID permission, executables run with the group's permissions, not with the permissions of the user who runs them. > Files that have the write and execute permissions for others (everyone on the Linux system who is not a user or group owner of the file). If the file is writable by others, anyone can replace the file with a malicious script to create a security risk. *There is a limited number of files on a Linux system owned by root or the root group that legitimately need the SUID or SGID permission set. Before changing permissions, first verify whether they actually have been set appropriately.
sufficient
If a module succeeds and no prior required module has failed, the PAM framework returns success to the application or to the superior PAM stack immediately without calling any further modules in the stack. A failure of a sufficient module is ignored, and processing of the PAM module stack continues unaffected.
What effect does the ulimit -t 600 command have on a Linux system? Limits the concurrent processes a user can run to 10. Limits CPU time for a process to 600 minutes. Limits the maximum number of processes to 600. Limits CPU time for a process to 10 minutes.
Limits CPU time for a process to 10 minutes. ulimit -t 600 limits CPU time for a process to 10 minutes. The value is set in seconds. This sets both hard and soft limits. Use ulimit to limit computer resources used for applications launched from the shell. Limits can be hard or soft limits. Soft limits can be temporarily exceeded up to the hard limit setting. Users can modify soft limits, but only root can modify hard limits. Be aware of the other ulimit options: -c limits the size of a core dump file. The value is in blocks. -f limits the file size of files created using the shell session. The value is in blocks. -n limits the maximum number of open files. -u limits the number of concurrent processes a user can run. -d limits the maximum amount of memory a process can use. The value is in kilobytes. -H sets a hard resource limit. -S sets a soft resource limit. -a displays current limits. The default shows soft limits.
ulimit
Limits computer resources used for applications launched from the shell. Limits can be hard or soft limits. Soft limits can be temporarily exceeded up to the hard limit setting. Users can modify soft limits, but only root can modify hard limits. Options include the following: -c limits the size of a core dump file. The value is in blocks. -f limits the file size of files created using the shell session. The value is in blocks. -n limits the maximum number of open files. -t limits the amount of CPU time a process can use. This is set in seconds. -u limits the number of concurrent processes a user can run. -d limits the maximum amount of memory a process can use. The value is in kilobytes. -H sets a hard resource limit. -S sets a soft resource limit. -a displays current limits. The default shows soft limits. e.g. ulimit -H -f 1024 uses a hard limit to limit the size of files to 1024 KB. ulimit -H -a shows current hard limits. ulimit -a shows the current soft limits. ulimit -S -u 10 sets a soft limit that limits the number of processes that a single user can use to 10. ulimit -t 600 limits CPU time for a process to 10 minutes. This sets both hard and soft limits. ulimit -d unlimited removes all restrictions for process memory usage.
Within the /etc/security/limits.conf file, you notice the following entry: @guests hard maxlogins 3 What effect does this line have on the Linux system? Limits concurrent logins from the same user to three. Limits the number of maximum logins from the guest group to three. Limits the total amount of memory used by the guest group to 3 MB Limits the maximum file size that the guest group can create to 3GB.
Limits the number of maximum logins from the guest group to three. @guests hard maxlogins 3 limits the number of max logins from the guest group to three. Use the /etc/security/limits.conf file to limit resource use for all applications. Entries in /etc/security/limits.conf contain the following fields: Entity Type Limit Value. jsmith hard fsize 1024 limits the maximum file size that jsmith can create to 1024 KB. * hard maxlogins 1 limits concurrent logins from the same user to one. * soft cpu 10 sets a soft limit of 10 minutes on the amount of CPU time any single process for any user can take. rss hard rss 5000 limits the total amount of memory available to a single user to 5 MB.
You are the only Linux administrator for a very small company. You are constantly asked to fix one problem or another as they occur. Which of the following is the BEST way to log into the system each morning? Log in as a regular user and then use su as needed to solve problems. Log in as a superuser in order to be able to troubleshoot problems. Log in as the root user so you can solve problems as they occur. Log in as the user who has the most problems each day so you can more quickly fix the problems.
Log in as a regular user and then use su as needed to solve problems. As a general rule of thumb, you should never log in as a root or superuser because of the damage you could do if you accidentally entered a wrong command. You should log in as a regular user and use su (super user) when you need to solve problems. You should never log in as another user.
Pluggable Authentication Modules (PAM)
Login blocking is enabled using the Pluggable Authentication Modules (PAM) module configured in the /etc/pam.d/login file. PAM: > Is a set of modules that enables various authentication systems on a Linux computer. > Can employ modules concurrently. For example, one PAM module can be used to enable biometric logins while another enables standard user and password authentication. The auth requisite pam_nologin.so line in the /etc/pam.d/login file configures PAM to check and see if a file named /etc/nologin exists. *On some distributions (such as Fedora) the /etc/pam.d/login file uses the syntax of auth required pam_nologin.so to enable login blocking. If /etc/nologin does exist and the user is not root, authentication is blocked and an optional message is displayed to the end user.
Modify tcpd control files.
Modify the following tcpd control files to determine which computers can access the services: /etc/hosts.deny denies services to the specified host(s) or subnets. /etc/hosts.allow permits services to the specified host(s) or subnets. Be aware of the following details: The /etc/hosts.allow file is read first and applied before /etc/hosts.deny. In each of these files, the search is stopped and all remaining rules are ignored if tcpd finds a matching rule. Both files have the following syntax: Use service: ipaddresses to specify the host(s). Use service: subnet to specify a subnet. e.g. ALL: 192.168.0.0/255.255.255.0 specifies all computers on the 192.168.0.* network. ALL specifies all services. The subnet mask follows the network. ftp: 192.168.10.10 specifies FTP access for only the computer with the IP address of 192.168.10.10. sshd: 192.168. specifies sshd access for all computers on the 192.168.*.* network. sshd: ALL specifies sshd access for all computers. sshd: ALL EXCEPT fs1 specifies sshd access for all computers but fs1.
Locking Accounts After Failed Login Attempts
Oftentimes, hackers or unethical employees attempt to log in using existing accounts that are not their own. Since this is not their account, they will attempt to guess the user's password. This type of attack can be weakened by placing a limit on the number of times the password can be entered incorrectly and, after reaching this threshold, locking the account. You can do this using the pam_tally2 command. pam_tally2 comes in two parts: pam_tally2.so (the PAM module) and pam_tally2, a stand-alone program that can be used to interrogate and manipulate the counter file. To lock and unlock an account after a specific number of incorrect password attempts, you must add two lines to both the /etc/pam.d/system-auth and the /etc/pam.d/password-auth files. > In the "auth" section of each file, add the following: auth required pam_tally2.so file=/var/log/tallylog deny=3 even_deny_root unlock_time=900 > The options for the above line are defined as follows: - file=/var/log/tallylog - the default log file where login counts are kept. This is a binary file. - deny=3 - deny access after three attempts and lock the user account. - even_deny_root - apply this policy to the root user as well. - unlock_time=900 - after failing the specified number of times, the account will be locked for 900 seconds (15 minutes), after which the account will be unlocked. > In the "account" section of each file, add the following: account required pam_tally2.so *The commands used in this example were for CentOS. How pam_tally2 is implemented on your distribution may vary.
15.6.6 OpenSSH Configuration Facts
Open Secure Shell (OpenSSH) is a suite of utilities that provides secure network connections for remote login and file transfer. OpenSSH uses the SSH protocol for authentication and encryption. This lesson covers the following topics: Configuration files Commands used SSH
Check network connections
Open network connections (e.g., open sockets) on a computer also create a security risk. A socket is an endpoint of a bidirectional communication flow across a computer network. Use the following netstat options to identify the open network connections on the Linux system: -a lists both listening and non-listening sockets. -l lists listening sockets. -s displays statistics for each protocol. -i displays a table of all network interfaces.
Locate open ports
Open ports can provide information about what operating system a computer uses and can provide entry points for an attack. To locate open ports: 1. Install the nmap utility (if not already installed). 2. Use one of the following commands to scan for open ports: > nmap -sT host_IP_address scans for open TCP ports > nmap -sU host_IP_address scans for open UDP ports 3. From the results of the scan, determine which ports to close and which services use the ports. 4. Disable the services using those ports. 5. Consider changing default port assignments to different ports. Consider running nmap on the local system as well as from a different network host. This will reveal what ports are open and which services are actually allowed through the host's firewall.
15.6.3 OpenSSH Facts
OpenSSH is a tool that encrypts network traffic over a network connection. OpenSSH is an open source implementation of the Secure Shell (SSH) protocol and implemented by default on most Linux distributions. This lesson covers the following topics: Key facts Steps to establish an SSH connection
visudo
Opens the /etc/sudoers file for editing. The command opens the vi editor and checks the file for sudo syntax errors before saving and exiting. e.g. visudo opens the /etc/sudoers file in the text editor.
Teletypewriter (TTY)
Over the years, TTY has had many meanings. Early user terminals, which were connected to computers, were electromechanical teleprinters or teletypewriters (TeleTYpewriter, TTY). Since then, TTY has been used as the name for the text-only console; but now, this text-only console is a virtual console, not a physical console. On a Linux system, a new text-only console can be accessed (logged into) by pressing a combination of keys, such as Ctrl+Alt+F2 for TTY2.
Linux Pluggable Authentication Module (PAM)
PAM provides dynamic authentication support for applications and services in a Linux system, such as login and su.
su
Switches to the root user account. Be aware of the following su options: su -l user_name switches to the specified user in a login shell. su user_name (without the dash, but with the username) switches to the user, but does not load that user's environment variables. su - user_name (with the dash and username) switches to the user and loads the user's environmental variables. su - (with the dash but no username) switches to the root user and loads the root user's environmental variables. su (no dash or username) switches to the root user but does not load the root user's environmental variables. -c "command" executes a single command as the root user. > The command is enclosed in either single or double quotation marks. > Include -l user to execute the command as a user other than root. *su requires the user's password before switching to the account except when switching from root to a normal user. e.g. su -l jsomes switches to the jsomes user account with jsomes' environment variables. su - switches to the root account using root's environment variables. su -c "ls /home/rgurate" switches to the root user and executes the ls command on the user rgurate's home directory.
Steps to Use TCP Wrappers to Restrict Daemon Access
TCP wrappers (tcpd) use the IP addresses of incoming network packets to allow or deny access to computers or daemons. Xinetd can use TCP wrappers to restrict access to enabled daemons. To use TCP wrappers with xinetd, consider the following steps:
TCP wrappers (tcpd)
TCP wrappers use the IP addresses of incoming network packets to allow or deny access to computers or daemons. Xinetd can use TCP wrappers to restrict access to enabled daemons.
PAM Overview
The Linux Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications and services in a Linux system, such as login and su. PAM separates the tasks of authentication into four independent management groups: account management, authentication management, password management, and session management. In other words, these groups take care of the different aspects of a typical user's request for a restricted service. > Account modules check that the specified account is a valid authentication target under current conditions. This may include conditions like account expiration, time of day, and that the user has access to the requested service. > Authentication modules verify the user's identity by requesting and checking a password or other secret. They may also pass authentication information on to other systems like a keyring. > Password modules are responsible for updating passwords and are generally coupled to modules employed in the authentication step. They may also be used to enforce strong passwords. > Session modules define actions that are performed at the beginning and end of sessions. A session starts after the user has successfully authenticated. When using PAM, the system administrator is free to choose how individual service-providing applications will authenticate users. This dynamic configuration is set by the contents of the single Linux-PAM configuration file /etc/pam.conf. Alternatively, the configuration can be set by individual configuration files located in the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf. When working with PAM configuration files, be aware that for the simple syntax, valid control values are as follows:
15.1.4 root User Facts
The root user account is the Linux system superuser and can perform any task. Some Linux commands cannot be run by anyone but the root user. The root account is created during the installation process, and it receives the account number 0 (zero). In contrast, normal (standard) user accounts receive ascending numbers beginning at 500 or 1000, depending on the distribution. This lesson covers the following topics: Security guidelines Commands to manage root-level access Commands to manage limited root-level access
Commands to Manage Limited Root-Level Access
To give standard user accounts the permissions to execute a limited set of commands as the root user, use the sudo command coupled with the /etc/sudoers file. Be aware of the following facts about the sudo command and the /etc/sudoers file: > When users need to execute the command, they use the sudo command followed by the command they want to execute, such as sudo nano myfile. The user is then prompted for their own password prior to running the command, not the root account password. > Users and the commands they are allowed to execute with elevated privileges are specified in the /etc/sudoers file. > The /etc/sudoers file must be edited using the visudo command using the root account. > sudo logs information about the users and the commands they run, as well as failed attempts to use sudo in the /var/log/security log. The following table describes the sections used to configure the /etc/sudoers file.
Which of the following is the main purpose of the xinetd service? To listen for internet traffic on the external network interface. To listen for http requests. To act as a firewall for your Linux system. To receive client requests for network services and start and stop them on demand.
To receive client requests for network services and start and stop them on demand. Xinetd is what is known as a super server. Its purpose is to listen on behalf of other network services and start and stop them on demand. It can be configured to listen to traffic on any interface for any service. The firewall on a Linux system is managed by iptables on kernel 2.4 and newer systems and ipchains on kernel 2.2 and earlier systems. Apache is the most common web server (a server that listens and responds to http requests). Xinetd can be configured to listen for http requests and start and stop the Apache server on demand, but doing so is not xinetd's main purpose.
Check for unneeded network services
Unneeded network services waste the computer's resources and might provide attackers with an entry point for an attack. To view a list of installed services, use one of the following commands: > For init-based systems, run chkconfig at the shell prompt. > For systemd-based systems, run systemctl list-unit-files at the shell prompt. Review the output of these commands and look for unusual or unrecognized services. Then use the man command and the internet to determine whether they can be safely removed or disabled. Use chkconfig, insserv, or init to disable the service on init-based systems. On systemd distributions, you can use the systemctl disable or the systemctl mask command to disable a service. Alternatively, you could use yum, zypper, rpm, or dpkg to remove the package entirely.
Options for /etc/security/limits.conf
Use the /etc/security/limits.conf file to limit resource utilization by users. This file belongs to the pam_limits module of the Pluggable Authentication Modules (PAM) module set. Entries in /etc/security/limits.conf use the following syntax: Domain Type Limit Value. The following table describes the entry options in the /etc/security/limits.conf file:
tty Security
When the root user attempts to log in to a system using a tty, the pam_securetty module uses the /etc/securetty file to decide which virtual terminals (tty#) root is allowed to log in from. In older distributions, /etc/securetty was referenced by programs like login directly, but now PAM handles this on its own. Therefore, changes to the /etc/securetty file affect anything using PAM with a configuration file that uses pam_securetty. When using the /etc/securetty file, consider the following: > If /etc/securetty doesn't exist, root is allowed to log in from any tty. > If /etc/securetty exists and is empty, root access is restricted to single user mode or to programs that are not restricted by pam_securetty (such as su, sudo, ssh, scp, and sftp). > Removing a tty# entry (where # is a number) from this file prevents root from logging in on the associated /dev/tty# terminal. > A pseudo-terminal (pty) is a pair of virtual character devices that provide a bidirectional communication channel. One end of the channel is called the master; the other end is called the slave. The slave end of the pseudo-terminal provides an interface that behaves exactly like a classic terminal. Adding entries such as pts/[0-9] to the /etc/securetty file allows programs that use pseudo-terminals and pam_securetty to log in as root, assuming the allocated pty is one of the ones listed. Best practice is to exclude these entries because they are a security risk: they would allow, for example, someone to log in as root via telnet, which sends passwords in plain text.
Using pam_faillock
You can lock a user's account after failed password attempts using the pam_faillock module. This is accomplished in a similar fashion to pam_tally2, by adding the required lines to the same two files: /etc/pam.d/system-auth and /etc/pam.d/password-auth. Although similar, the lines added are slightly different, as shown here. For both files, add the following in the "auth" section:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900
For both files, add the following in the "account" section:
account required pam_faillock.so
The options for the above lines are defined as follows: > audit - enables user auditing. > deny - defines the number of failed attempts (three in this case) after which the user account is locked. > unlock_time - sets the time (900 seconds = 15 minutes) for which the account remains locked.
15.2.5 User Security Facts
Your job as a system administrator includes protecting computer systems and the information they contain from harm, theft, and unauthorized use. Your best security measure is to train users to be security-savvy. There are also commands and configuration files you can use to enhance security. This lesson covers the following topics: Security considerations, Commands to enhance security, Options for /etc/security/limits.conf, PAM overview, Locking accounts after failed login attempts, LDAP integration, tty security
What chage command should you enter at the command prompt to set the password for jsmith to expire after 60 days and give a warning 10 days before it expires?
chage -M 60 -W 10 jsmith chage -M 60 -W 10 jsmith sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires. Use chage to set user passwords to expire. Be aware of the following options: -M sets the maximum number of days before the password expires. -W sets the number of days before the password expires that a warning message displays. -m sets the minimum number of days that must pass after a password has been changed before a user can change the password again. Look in the /etc/shadow file to see current limits for users.
You need to increase the security of your Linux system by finding and closing open ports. Which of the following commands should you use to locate open ports? netstat traceroute nmap nslookup
nmap Use nmap to locate open ports. Open ports can provide information about which operating system a computer uses and might provide entry points or information about ways to formulate an attack. Use one of the following commands to scan for open ports: nmap -sT scans for TCP ports. nmap -sU scans for UDP ports. netstat shows the status of listening and non-listening sockets. A socket is an endpoint of a bidirectional communication flow across a computer network. nslookup is for name resolution requests. traceroute tests and displays the connectivity between devices.
What should you enter at the command prompt to scan for open TCP ports on your Linux system?
nmap -sT Use nmap -sT to scan for open TCP ports. Open ports can provide information about what operating system a computer uses and might provide entry points or information about ways to formulate an attack. Use nmap -sU to scan for open UDP ports.
Which of the following is a pair of virtual character devices that provide a bidirectional communication channel? (One end of the channel is called the master; the other end is called the slave.) /dev/console /dev/null virtual terminal (tty) pseudo-terminal (pty)
pseudo-terminal (pty) A pseudo-terminal (pty) is a pair of virtual character devices that provide a bidirectional communication channel. One end of the channel is called the master, and the other end is called the slave. A virtual terminal (tty) is a tty device. /dev/null is a device file associated with a null device that is commonly used for disposing of unwanted output streams. /dev/console is the system console.
You are limiting the total amount of memory a user can take up when they use the X Windows System. Which of the following limit keywords should you use? rss nproc data cpu
rss Use the /etc/security/limits.conf file to limit resource use for all applications. Entries in /etc/security/limits.conf contain Entity Type Limit Value. Limits in the /etc/security/limits.conf file include the following: rss limits the total amount of memory a user can use. The value uses kilobytes. core limits the size of core dump files. The value uses kilobytes. data limits the amount of RAM an application can use. The value uses kilobytes. fsize limits the maximum file size. The value uses kilobytes. nofile limits the number of concurrently open data files. cpu limits the amount of CPU time a process can use. The value uses minutes. nproc limits the number of concurrent processes a user can have. maxlogins limits the number of concurrent logins. priority sets process priority limits. The value range is from -20 (highest priority) to 19 (lowest priority), with 0 being the default.
You have logged in as a regular user when a frantic phone call comes in. The ABCD process must be started on the server now, but can only be run by root. Which command would you use to start this process? su ABCD ABCD /root exit ABCD sudo ABCD
sudo ABCD Use the sudo utility to run the specified utility as the superuser (root). This same task can be accomplished with the command su -c ABCD, but not with su ABCD (which attempts to change you to a user named ABCD).
Unnecessary network services might provide attackers with an entry point for an attack. To view a list of services, or units, installed or running on a systemd-based system, what could you enter at the command prompt?
systemctl list-units To view a list of services, or units, running on a systemd-based system, you can enter either systemctl or systemctl list-units. systemctl list-unit-files lets you see all the units installed on your system.
PAM is configured on your system to look for the presence of the nologin file in the /etc directory. If the nologin file exists, user login is disabled, and only the root user can log in. If your current working directory is root's home directory, which command would you enter to quickly create an empty nologin file in the /etc directory?
touch /etc/nologin You can quickly create an empty file using the touch command. Since your current working directory is the root user's home directory, you have to use the full path to create the nologin file in the /etc directory. Entering touch /etc/nologin will create the nologin file in the /etc directory.