
Question

In Practical 4 we hardened a Linux server doing many different steps. For some of the steps below, describe in a few words (3-6 words) what security benefit was provided. Just edit this list with your (short) answers and submit in Canvas. Research your answers with Google, etc.

- What is LTS and what are the potential benefits of using LTS?
- Why always upgrade software?
- Why turn off unneeded network services? Also, name two tools/commands that can identify a machine's active services.
- Install and configure Firewall - ufw
- Disable ping with sysctl settings
- Scan logs and ban suspicious hosts - Fail2Ban
- Check for RootKits - RKHunter and CHKRootKit
- Running Tiger. Also, what attack surface does Tiger protect?

Explanation / Answer

1) What is LTS and what are the potential benefits of LTS?

All normal releases are only supported for 9 months.

All LTS releases are supported for five years on both the desktop and the server.

In LTS:

Updates for potential security problems and bugs.

Availability of Commercial support contracts from Canonical.

Support by Landscape, Canonical's enterprise oriented server management tool set.

The primary reason for using an LTS release is that you can depend on it being updated regularly and therefore secure and stable.

Conversely, an LTS release is supported for 5 years and you can upgrade directly from LTS to LTS. This gives you a long-lived, solid base to target and test on that makes it super-easy to release-upgrade when you decide to. It's therefore ideal for mass deployment, high-availability systems, and just people who don't like doing release-upgrades.

In the last two LTS versions, point-updates have also been made available to support newer hardware (it's a kernel, driver and X stack), which boosts the utility of the LTS versions over their lifespan. The original stacks are maintained too.

There is also supposedly more focus on bug fixing for an LTS release. More people have a vested interest in the success of an LTS.

2) Why always upgrade software?

Security Vulnerabilities

First and foremost, updates keep you safe from known security holes. This is especially important when there is a new release available for software you use, because most change logs and update notes reveal previously-known exploits that have already been patched.

If you're using a Linux distribution like Ubuntu or Fedora, you're also using the Linux kernel, the core that actually makes your distribution a Linux distribution. Windows also has its own kernel that its operating systems use, but Linux is highly modular and therefore the kernel is more commonly discussed, as a lot can be done with it. For example, you could take the kernel, patch it up with lots of fixes, tweak other settings, strip out everything you won't need, and then replace your original kernel with your final product, and it will run just fine (assuming it was done right). Being able to simply replace a part with something else without issue is what makes Linux great.

Security Fixes


Virtually every single kernel update will have some sort of security fixes that close up holes that have been discovered. This is probably one of the most important reasons to update your kernel, as you’ll always be safer with a patched kernel. If a hacker manages to get into the kernel, a lot of damage can be done or the system simply crashes. Those are inconveniences that are easily avoided with up-to-date kernels.

Stability Improvements


Not only do kernel updates bring security fixes with them, but they can fix other issues that could possibly make the system crash through regular use. Some people argue that constantly updating the kernel actually decreases the overall system stability because you'll be running on a kernel that you've never used, so you cannot assume that it will work as well as the kernel you were previously running on. While this is also true, that margin is rather slim, and only people who run servers or other important systems really need to be cautious. For most normal consumer-type users, the benefits of updating your kernel outweigh those issues by a lot.

Updated Drivers


While those were the updates you get with minor kernel updates (say 3.2.0 to 3.2.1), let’s check out some improvements you can commonly see with major updates (think 3.2 to 3.3). First of all, every major kernel update is guaranteed to include the latest open source drivers for all of your devices. Out of all the drivers being updated, the graphics drivers are probably those that you’ll notice the most, as every refresh usually adds a bit more performance.

New Kernel Functions

Occasionally, major updates to the kernel in Linux also bring some new functions. These functions are basically parts of the kernel that programs can use to do some sort of task or operation. Additionally, other functions may have also changed. You most likely won't break your system if you don't update your kernel for this exact reason, but sooner or later you'll find programs and other packages that require a certain version of the kernel. It's best to have the latest one so you know you won't come across that issue.

Increased Speed


Last but not least, many major updates to the kernel improve the overall speed of the system. While some changes can be very subtle, others aren’t and can make a big difference, such as the famed 200-line patch that increased the overall productivity of a Linux machine by quite a bit. There are even some crazier changes such as this, where Linux can run off of zero CPU cores. If you’re a speed demon (and I know many of you who use Google Chrome are), this is a good way to get a bit more juice out of your hardware.

3) Why turn off unneeded network services?

Services generally refer to programs that listen for and respond to network traffic. Other services allow direct access to your computer. Examples include:

Commands to identify a machine's active services:

To determine the status of the httpd service,

To display the status of all available services at once, run the service command with the --status-all option:

service --status-all

4) Install and configure a firewall

Installing ConfigServer Firewall

Step 1: Downloading

ConfigServer Firewall is not currently available in the Debian or Ubuntu repositories, and has to be downloaded from ConfigServer's website:

wget http://download.configserver.com/csf.tgz

This will download CSF to your current working directory.

Step 2: Uncompressing

The downloaded file is a compressed tar package, and has to be uncompressed and extracted before it can be used.

tar -xzf csf.tgz

Step 3: Installing

If you are using other firewall configuration scripts, such as UFW, you should disable them before proceeding. Existing iptables rules are removed automatically.

UFW can be disabled by running the following command:

ufw disable

Now it is time to execute CSF's installer script.

cd csf

sh install.sh

The firewall is now installed, but you should check if the required iptables modules are available.

perl /usr/local/csf/bin/csftest.pl

The firewall will work if no fatal errors are reported.

Note: Your IP address was added to the whitelist if possible. In addition, the SSH port has been opened automatically, even if it uses a custom port. The firewall was also configured with testing mode enabled, which means that the iptables rules will be automatically removed five minutes after starting CSF. This should be disabled once you know that your configuration works and you will not be locked out.

Basic Configuration

CSF can be configured by editing its configuration file csf.conf in /etc/csf:

nano /etc/csf/csf.conf

The changes can be applied with the command:

csf -r

Step 1: Configuring ports

The less access there is to your VPS, the more secure your server is. However, not all ports can be closed as the clients must be able to use your services.

The ports opened by default are the following:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

TCP_OUT = "20,21,22,25,53,80,110,113,443"

UDP_IN = "20,21,53"

UDP_OUT = "20,21,53,113,123"

5) Disable ping reply permanently with sysctl settings

You can permanently disable the ping reply using the following method.

Step 1: Edit the sysctl.conf file and add the following line.

net.ipv4.icmp_echo_ignore_all = 1

Step 2: Execute sysctl -p to enforce this setting immediately.

sysctl -p

The above command loads the sysctl settings from the sysctl.conf file.

After the ping reply is disabled using the above method, when somebody tries to ping your machine they will end up waiting without getting a ping reply packet, even when the machine is up and running.

6) Scan logs and ban suspicious hosts - Fail2ban

Every server that exists online, virtual or dedicated, has some purpose related to its existence. It could be used as a mail server, file server, web server or anything else. That means, no matter how hard we try to isolate and restrict access to it, we still have to leave some ports open.

For example, an email server must be able to accept incoming connections on port 25, a web server must be able to listen on port 80, etc. The most important for a server is the SSH service, which listens on port 22. We must make sure to protect our server from unauthorized SSH access, otherwise it will become an easy target for brute force attacks.

The most suitable application for this purpose is Fail2ban. It is an intrusion prevention framework written in the Python programming language. It is able to run on servers that have an interface to a packet-control system or firewall installed locally. It scans log files and bans IPs that show malicious signs — too many password failures, looking for exploits, etc. In order to install fail2ban, make sure your repositories are up to date and simply install it:

# apt-get update

# apt-get install fail2ban

Once it is installed, it puts a sample configuration file in /etc/fail2ban/jail.conf. We should copy the sample configuration file to /etc/fail2ban/jail.local and then open the file for editing using our favorite text editor. A lot of the possible services that we need to protect are already inside the sample file in their own sections, and there is a DEFAULT section in the configuration file. Some of the important settings in this file are:

ignoreip: We can use a single IP, a mask or a host name. IP addresses listed here will be excluded and will always be allowed to access the server.

bantime: The time (in seconds) that a host will be blocked from the server if it is found to be in violation of any of the defined rules. The default is set to 600 (10 minutes), but it should be increased to at least 30 minutes or more.

maxretry: This is the number of incorrect login attempts allowed for a client before it is restricted from accessing the server. The default is 3.

backend: Specifies the backend used to detect file modifications. It should be set to "auto".

destemail: We can specify an email address where we want to get notifications when an IP address is banned.

Another important section is the ACTION section. The important lines here state that fail2ban will use the system iptables to ban suspicious IP addresses, and specify the protocol that fail2ban will monitor, which can be TCP or UDP.

banaction = iptables-multiport

protocol = tcp

After we are done with the default settings and actions, we should set up our SSH section, which will make sure that SSH access to our server is secured. Here is how the SSH section should look inside the configuration file:

[ssh]

enabled = true

port     = ssh

filter   = sshd

logpath = /var/log/auth.log

maxretry = 4

This section makes SSH monitoring active: it watches the SSH port for the ssh daemon, using the log file location /var/log/auth.log, and bans the IP address of any user who has 4 failed login attempts.

After all settings are made, we need to restart fail2ban and it will start monitoring the log files according to our settings. You can also check which rules are currently applied with the following iptables command.

QUESTION:

7) Check for rootkits - RKHUNTER and CHKROOTKIT

A rootkit is a program (or combination of several programs) designed to take fundamental control (in Unix terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers.

Chkrootkit Software

Chkrootkit – chkrootkit is a tool to locally check for signs of a rootkit. Type the following command to install chkrootkit:

$ sudo apt-get install chkrootkit

Start looking for rootkits, enter:

$ sudo chkrootkit

Look for suspicious strings, enter:

$ sudo chkrootkit -x | less

You need to specify the path for the external commands used by chkrootkit, such as awk, grep and others. Mount /mnt/safe using NFS in read-only mode and set the /mnt/safe binaries PATH as the trusted one, enter:

$ sudo chkrootkit -p /mnt/safe

rkhunter software

rkhunter – rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. Type the following command to install rkhunter:

$ sudo apt-get install rkhunter

The following command option tells rkhunter to perform various checks on the local system:

$ sudo rkhunter --check

The following command option causes rkhunter to check if there is a later version of any of its text data files:

$ sudo rkhunter --update

The following option tells rkhunter which directories to look in to find the various commands it requires:

$ sudo rkhunter --check --bindir /mnt/safe

QUESTION

8) Running Tiger, and also what attack surface does Tiger protect?

Tiger is a package consisting of Bourne shell scripts, C code and data files which is used for checking for security problems on a UNIX system. It scans system configuration files, file systems, and user configuration files for possible security problems and reports them.

-A arch: This option overrides the default value obtained for the current architecture detected by the internal configuration engine to a value defined by the user.

-O os: This option overrides the default value obtained for the current operating system detected by the internal configuration engine to a value defined by the user.

-R release: This option overrides the default value obtained for the current operating system release detected by the internal configuration engine to a value defined by the user.
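The Fail2ban section above describes what the sshd jail does (count failed logins per source address in /var/log/auth.log, skip ignoreip hosts, ban at maxretry). The following shell functions are an added example, not part of the original answer or of Fail2ban itself: they implement that core logic over constructed auth.log lines so the thresholds can be seen working offline. Addresses are from documentation ranges and the log lines are made up.

```shell
#!/bin/sh
# Added example: a fail2ban-style sshd check as plain shell, run over a
# constructed auth.log sample (not a real capture). Thresholds mirror the
# [ssh] jail above: maxretry = 4, logpath = /var/log/auth.log.

SAMPLE_AUTH_LOG='Mar  3 10:01:02 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:05 srv sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Mar  3 10:01:09 srv sshd[1002]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 10:01:12 srv sshd[1002]: Failed password for root from 203.0.113.5 port 51131 ssh2
Mar  3 10:02:00 srv sshd[1003]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:30 srv sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:03:11 srv sshd[1005]: Failed password for root from 203.0.113.9 port 60001 ssh2'

# Usage: failed_by_ip < auth.log
# Prints "count ip" per source address, most failures first (ties by address).
# This is the job of the "sshd" filter: match failure lines, extract the host.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk '{ print $1, $2 }' \
      | sort -k1,1nr -k2,2
}

# Usage: ban_candidates MAXRETRY [IGNOREIP-list, space separated] < auth.log
# Prints the addresses the jail would hand to banaction: at or above
# maxretry failures and not listed in ignoreip.
ban_candidates() {
    maxretry="$1"
    ignoreip="${2:-}"
    failed_by_ip | awk -v max="$maxretry" -v ign="$ignoreip" '
        BEGIN { n = split(ign, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 >= max && !($2 in skip) { print $2 }'
}

# Stand-alone run: the single host with four failures is the only candidate.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 4
```

A real deployment lets fail2ban read the live log and apply the ban through iptables-multiport, as configured in the [DEFAULT] section above; this script only shows the selection step.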
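The sections on turning off unneeded services and on CSF's TCP_IN port list are two halves of one check: what is listening versus what the firewall lets in. The following functions are an added example (not from the original answer or from CSF) that compare the default TCP_IN list above against a constructed `ss -ltn`-style listener table, flagging both directions of mismatch. The listener table is made up for the example, not a live capture.

```shell
#!/bin/sh
# Added example: reconcile the firewall's inbound allow-list with actual
# listeners. TCP_IN is CSF's default from the answer; the ss output below is
# constructed sample data, not taken from a real host.

TCP_IN="20,21,22,25,53,80,110,143,443,465,587,993,995"

SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*'

# Usage: listening_ports < ss_output   -> one "addr port" pair per line.
# Takes the last ":"-separated field so bracketed IPv6 addresses also work.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[1], a[n] }'
}

# Ports the firewall allows in but nothing listens on: the rule is wider than
# the services justify, so these can be dropped from TCP_IN.
allowed_but_closed() {
    listening=$(listening_ports | awk '{ print $2 }' | sort -u)
    printf '%s\n' "$TCP_IN" | tr ',' '\n' | while read -r p; do
        echo "$listening" | grep -qx "$p" || echo "$p"
    done
}

# Listeners bound to all interfaces that TCP_IN does not cover: either an
# unneeded service to turn off, or one that clients will silently fail to reach.
# Loopback-only listeners (127.0.0.1) are not reachable externally and are skipped.
exposed_but_unlisted() {
    listening_ports | awk -v allowed=",$TCP_IN," '
        $1 == "0.0.0.0" && index(allowed, "," $2 ",") == 0 { print $2 }'
}

# Stand-alone run against the sample table.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_but_unlisted
```

On a live system the sample table would be replaced by the output of `ss -ltn` (or `service --status-all` as named in the answer) and TCP_IN read from /etc/csf/csf.conf.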
