Module 3


Requisite

- returns successful: if the current PAM module returns successful, the next rule in the list is checked; if it is the final rule, the stack returns successful
- returns unsuccessful: additional modules are still executed; however, regardless of what happens with those other modules, the stack returns with a value of unsuccessful; useful because the other modules may provide more info in log files

Optional

- returns successful: the next rule in the list is checked; if it is the final rule, the stack is successful
- returns unsuccessful: the next rule in the list is checked; if it is the final rule, the stack is successful (unless it is the only rule in the stack, in which case the stack is unsuccessful)

iptables

rule sets (chains) are applied at different places (filter points), allowing flexibility
- types of rules (tables) can be placed at a filtering point; filter points can have more than one set of rules
- iptables can perform multiple functions: filter data, perform a NAT operation on a packet, mangle a packet
- once a rule is matched, a target is performed (accept/drop/reject/log)

Zones

rules are configured in categories called zones; an internal/trusted zone on the network may have less restrictive rules, while the Internet (dmz/external) zone may be more restrictive

faillock

same as pam_tally2, just uses a different config file

Fail2ban

scans specific log files searching for IP addresses that attempt breaches by repeated connection attempts; config file is /etc/fail2ban/jail.conf

umask

sets default permissions for files/dirs; applied when they are initially created

SELinux configurations

sets up SELinux "contexts" which are similar to security groups; most admins use SELinux to secure processes that may be compromised by hackers making use of exploits - SELinux can lock down processes so that they can only access a certain set of files

SHA

similar to MD5 but uses a different algorithm

TACACS+

similar to RADIUS; created by Cisco

VPN as a client

similar to SSH in that it provides secure data transfer; uses public/private keys to encrypt/decrypt data; ex: OpenVPN

Add Banner

some services like FTP/SSH/web servers can let you add a banner for users to see when they first sign in; can be informational or warning about only authorized access

Dynamic rule sets

some utilities dynamically create firewall rules to thwart hacking attempts on the fly

Importance of denying hosts

stems from the fact that there are systems known to be used as launching points for hacker attacks; these hosts should always be denied access to your systems; some sites provide a list for these hosts; ex https://mxtoolbox.com

journald

stores log entries in a special file format in order to optimize log file entries

Log

tells iptables to create a log entry about packet; neither allowed nor blocked; other rules in rule set may determine result

Drop

tells iptables to discard the packet; no response sent to source; not advanced

Reject

tells iptables to return the packet to source with an error message; not advanced

Password policies

the pam_unix module provides lots of features that modify how passwords are set, ex: save last five passwords for a user and disallow reuse of those

Log management

third-party agents such as syslogd/rsyslogd log application and system events; /etc/syslog.conf is the config file

getenforce

to determine current SELinux mode

Importance of disabling root login via SSH

usually for servers directly accessible from the Internet, as hackers can try to log in directly as root; disabling this capability requires the hacker to compromise a non-root account and then, through that, compromise the root account; modify the /etc/ssh/sshd_config file by setting 'PermitRootLogin no'

DTLS

utilizes datagram-based security features; datagram is used on packet-switched network as basic unit of transfer; uses connectionless communication method

disabled

when in this mode SELinux is not functional at all, no checks are performed when users attempt to access files

Run time

when rules are created using the firewall-cmd command they affect the active firewall on the system; this is the run-time firewall; if the system is rebooted or the firewall service restarted, the rules are lost

sgid

- when set on executable files, this allows a program to access files using the permissions of the group owner of the file
- when set on directories, all new files in the directory inherit the group ownership of the directory
- chmod g+s or chmod 2xxx

suid

when set on executable files, this allows a program to access files using the permissions of the user owner of the file; chmod u+s or chmod 4xxx

Destination

where a network packet is being sent to; filters can be applied here

Source

where network packets originate from; can be filtered from source using IP/MAC address/port

/var/log/messages

wide variety of log entries from numerous services/daemons; - i.e. crond, kernel, mail servers

PTYs

Pseudo-terminals: these are provided to a shell when a user logs in remotely (SSH) or when a new terminal window in a GUI-based environment is invoked

journalctl

handles logging process on modern linux systems; can be used to query systemd log entries

MD5

hashing algorithm creating a unique message digest that can be used to verify a file - if the file changes, the digest will also change

Protocol

i.e. ICMP/TCP/UDP or telnet; can be filtered this way

No shared ID's

if multiple users use the same ID (UID), their actions can't be accounted for; don't do this

sticky bit

if set on directories it makes it so files in directory can only be removed by user owner of file, the owner of the directory, or root user - chmod o+t or chmod 1xxx

Incremental

includes all files that have changed since last incremental or full backup

Standard method

is a local user/pass combo; lacks more complex security features

IP forwarding

kernel feature allowing network packets to be passed from one network to another; used to create a router on a server; set the value of /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv6/conf/all/forwarding to 1 to enable it

/etc/securetty

lists all the device files from which the root user can log into the system; identified by the /dev/tty# device names in the file

ulimit

lists or sets a user's account limits; common limits:
- fsize = max file size allowed in memory
- cpu = max CPU time allowed
- nproc = max number of concurrently running processes
- maxlogins = max number of concurrent logins

aa-unconfined

lists processes not restricted by AppArmor profiles

/etc/apparmor.d

location of definitions of AppArmor profiles

/etc/apparmor.d/tunables

location of files used to fine-tune AppArmor behavior

authorized_keys

location where public keys are stored in key-based SSH authentication after manually copying keys over from client to server

/etc/services

location where services are mapped to ports (traditionally)

Digital Signature

message digest - is sent to a CA to verify the signature, and this goes on the certificate - typically have an expiration date

aa-complain

mode that has AppArmor report problems

/var/log/[application]

most applications today create their own logs without needing a logging service

User-specific access

refers to using passwordless authentication using public/private keys

Differential

archives any files changed since the last full backup

TLS

asymmetric cryptography - uses public and private keys to encrypt/decrypt data

Separation of OS data from application data

avoid allowing an application to fill up the filesystem with log files (as an example); partitioning is the best way to prevent this; partition the disk to maximize system availability

Boot loader password

boot loader can allow a user to perform custom operations during boot process including booting to alternate kernels or runlevels; best practice to enable bootloader password

Tunnel Mode

both data and metadata are encrypted; common with client-to-site VPN

Logging

can be enacted by rules; useful for later packet inspection

chcon

change the context of a file or dir

sestatus

provides overall status info about SELinux

Integrity checks

useful to determine if a file has been changed or replaced with an imposter

Inheritance

Linux permissions don't utilize inheritance; i.e. new files/dirs don't inherit permissions from the directory the item is created in

Chroot jail services

a service that only has access to a small portion of the filesystem, such as its own subdirectory, so that it won't be able to modify critical system data; ex: BIND

Standard

account with UID of 1000 or higher

LDAP integration

add lines to /etc/pam.d/system-auth file to add LDAP

su

allows a user to switch user accounts; used with the '-' option, it spawns a new login shell

sudo

allows users (when appropriately configured) to run commands as other users (typically root users) - must be configured in /etc/sudoers file

SSH

allows you to connect to a Secure Shell service; encrypts data in a tunnel as opposed to unsecured telnet

Stateless

applies regardless of prior established connection

Stateful

applies to any previously established connection

Discouraging use of USB devices

can be used to inject or steal data from servers; common to disable USB devices in BIOS

pam_tally2

can be used to lock a user out after unsuccessful login attempts

ls

can be used with -l to display long output with permissions listed

OTP (one-time password)

can be used with 2FA or if user loses password

sudoedit

can edit a file using sudo access with this command; the chosen editor depends on variables (SUDO_EDITOR, VISUAL, EDITOR)

chgrp

changes group ownership of a file; same usage as chown

Persistency

changes made by iptables command only affect currently running firewall; can be made persistent by using iptables-save command

Change default ports

changing default port for a network service can deter/prevent hackers from attacking well known ports (i.e. SSH uses port 22, change this to another port)

known_hosts

client stores a server's unique fingerprint key in this file after a connection is established with an SSH server; typically left alone

Restrict cron access

code can be executed on critical systems; restrict access

FTP

commonly used protocol to transfer files between systems
- not encrypted, including user/pass, so if someone can snoop the network they can see the user/pass
- anonymous FTP doesn't require authentication; only use it for download, not upload

Netfilter

component of kernel that performs NAT and IP forwarding

/etc/ssh

contains files that can be used to administer both the SSH server and the SSH client utilities

/var/log/kern.log

contains messages from the kernel

SCP

copy files to and from remote systems via Secure Shell

DenyHost

designed especially to protect SSH servers; creates TCP wrapper rules; ex: if a remote system attempts a brute-force attack, DenyHost creates a blocking rule in /etc/hosts.deny

Firewall

designed to allow or block network traffic

IPset

designed to create sets of IP addresses and then use such a set to apply rules to a collection of systems

MOTD

displayed when a user first logs in; provides useful information about the system being used

lastb

displays failed login attempts

Kerberos

uses a ticket-based system; upon authentication the server grants a ticket-granting ticket (TGT), encrypted with the secret key, which is sent back to the client system, which can then use it to authenticate to other services
- kinit: used to obtain an individual ticket
- klist: displays the list of cached Kerberos tickets

Biometrics

uses fingerprints, retina scanner, etc

Multi-factor authentication

uses multiple bits of evidence for proof of identity "something you know", "something you are", "something you have"

TCP wrappers

uses simple config files to either allow or deny access from specific host/networks; only services that use the TCP wrappers library will be affected by the /etc/hosts.allow and /etc/hosts.deny files

Service

usually a UID under 1000; some are referred to as daemon accounts, used by daemon-based software

gzip, xz, bzip2

used to compress files

Required

- returns successful: if the current PAM module returns successful, the next rule in the list is checked; if it is the final rule, the stack returns successful
- returns unsuccessful: no additional modules are executed; the stack returns unsuccessful

Read, write, execute

10 characters in ls -l output denote the permissions and file designation
- if the first character is blank (no letter), it is a file; if it is a 'd', it is a directory
- the next 9 characters, in groups of three, are the permissions for the owner/group/other users

ufw

Debian-based distros; a front-end interface to create iptables rules

wheel

a group commonly used to allow non-root users root access (if enabled in the /etc/sudoers file)

Disk encryption

makes it near impossible to access data unless it is unencrypted; only encrypted while the system is off; LUKS: disk encryption method common on Linux systems; uses the kernel module dm-crypt

Sufficient

- returns successful: no additional modules are checked
- returns unsuccessful: the next rule in the list is checked; if it is the final rule, the stack is successful

permissive

SELinux checks but doesn't block access to files/dirs; used for logging and troubleshooting

enforcing

SELinux performs checks and blocks access to files/dirs as necessary

~/.ssh/

SSH data for individual users is stored here; used by SSH to store important data; users can modify configurations in this directory

/dev/tty#

TTY device files named /dev/tty#, where # is a number; typically only seven are in use on standard Linux distros, with one reserved for GUI-based logins

UEFI/BIOS Password

UEFI/BIOS can allow custom booting operations; best practice is to enable a password

Root

_____ account is the system admin account; UID of 0; has full system control

AppArmor

a MAC (mandatory access control) system that is similar to SELinux

TTYs

a device file associated with a terminal display which is traditionally a command-line login screen

/etc/pam.d

each file here is designed to configure a command or utility that uses PAM to authenticate user accounts

Postfix/Sendmail

email servers; not needed on a local system; configure a real email server instead; disable or limit these and other services (CUPS is an example, if printing isn't needed)

/proc/sys/net/ipv6/conf/all/forwarding

enables IP forwarding for all IPv6 network packets

/proc/sys/net/ipv4/ip_forward

enables IP forwarding for IPv4 network packets

Public key

encrypts data sent to Apache web server; freely given to the web browser; server decrypts with private key

logrotate

ensure the partition that holds the log files has enough room to handle them; rotates log files to limit the filesystem space that the logs use; /etc/logrotate.conf is the config file

full

everything from the source is backed up; very time consuming, but restoring from this is quicker

/var/log/secure

file contains log entries related to authentication and authorization operations; including when users log in, attempts to gain escalated privileges, etc

snapshot clones

frozen image of the filesystem, used with LVM; used to safely backup a live filesystem

Passwordless login

normally associated with SSH; a convenience/security feature; uses a public/private key pair; enforcing the use of PKI is best practice when using key pairs for SSH logins

Accept

once a network packet matches the criteria of a firewall rule, a target is used to determine what action to take (Accept/Reject/Drop/Log); accept tells iptables to allow the packet and advance to the next filtering point

/etc/rsyslog.conf

one of the config files for rsyslogd

Transport Mode

only data is encrypted; IP information not encrypted; common with site-to-site VPN

Octal Notation

permissions assigned via numeric values

Telnet

permits remote login without encryption; don't use this

config

place where you can customize how commands like ssh, scp, and sftp work

Targeted

policies that contain rules designed to protect the system from services rather than regular users

Privileged Ports

ports 1-1023 are reserved for commonly used protocols

LDAP

protocol providing directory services information; can store info like hostnames; RADIUS/TACACS+ is more robust

RADIUS

protocol that allows a client system to authenticate via a server; provides AAA (authentication, authorization, accounting); managed centrally

SSL/TLS

protocol used by VPNs to provide secure transport of data; TLS is more common and SSL is deprecated; commonly used in web server communication, email transport, and VoIP

Finger

provides info about computers/users; long used to provide a report on a user; unencrypted; don't use on modern systems

CVE monitoring

provides info about publicly known vulnerabilities; admins should monitor relevant reports and implement fixes for vulnerabilities as soon as possible

tar

the purpose of the command is to merge multiple files into a single file

getfacl

reads the ACL report generated by setfacl

firewalld

Red Hat-based distros; used to configure iptables rules; managed with the firewall-cmd command

Image

refers to format used for backup of data; ex: tar, ISO

Ports

unique number used to address a service on a system; packets contain source/destination port; can be filtered based on this

Tokens

unique value generated by a hardware device or software program
- hardware: typically a small device on a key fob that generates the token
- software: generated by a program, like an app on a mobile device

Importance of enabling SSL/TLS

used by HTTPS; provides a secure manner of connecting to web services

Pluggable authentication modules (PAM)

used by almost all Linux utilities to attempt to authenticate users. Examples of what it can do:
- enforce more robust password requirements
- limit the days/times users can log in to the system
- limit the locations users can log in from
- set or unset environment variables; can have one set of variables for local login, one for SSH logins, one for FTP, etc.
- restrict user accounts
- limit where the root user can log in from

dd

used for backing up data and creating files; commonly used to backup an entire drive

id_rsa.pub

used for password authentication in conjunction with the ssh-agent/ssh-add utilities

id_rsa

used for password authentication in conjunction with the ssh-agent and ssh-add utilities

IPSec

used in VPNs for authentication and to encrypt network packets; performs actions at OSI Layer 3, where TLS/SSL operate above Layer 3

ssh-add

used to add RSA/DSA encryption keys to the SSH agent's cache; ex: use it after ssh-agent to cache keys

chmod

used to change permissions on files
- octal method: permissions are assigned numeric values (read=4, write=2, execute=1); a setting like 'chmod 754 filename' means the file is rwxr-xr--
- symbolic method: u/g/o/a and +/-/= and r/w/x combinations to set/remove permissions

chown

used to change the user owner or group owner of a file or dir; ex: 'chown tim abc.txt' will change the ownership of abc.txt to the user tim; useful options: -R for recursive change, -v for verbose

sshd_config

used to configure the SSH server; many options in this file that can be configured

ssh-copy-id

used to copy login keys to a remote system

cpio

used to create archives

chage

used to determine amount of time between password changes

aa-disable

used to disable an AppArmor profile (rule set describing how to restrict a process)

visudo

used to edit /etc/sudoers and it does formatting checks

PKI

used to ensure a server is really where the user intended to go as opposed to a rogue server; often provides a means to encrypt data between server and user

ssh-keygen

used to generate authentication keys

Importance of enabling auditd

used to log user account activity; determine if user has performed any unauthorized activity

zip

used to merge multiple files into a single, compressed file

ssh_config

used to modify the behavior of the SSH client utilities like ssh/scp/sftp; affects all users, but users can override these settings by creating ~/.ssh/config

Disable ctrl+alt+delete

used to prevent rebooting servers when they shouldn't be

restorecon

used to restore the default security context of a file or dir; -R will do it recursively

getsebool

used to see SELinux Boolean settings; a Boolean is either a true or false value

ls -Z

used to see a security context for a specific file

ps -Z

used to see security context for running process

setsebool

used to set an SELinux Boolean

setfacl

used to set an access control list (ACL) for a file or dir; format is: 'setfacl -option what:who:permission file/dir'

setenforce

used to set different policy modes

rsync

useful to copy files remotely across the network

SFTP

uses SSH to securely transfer files across network
