Security Concepts - Linux

Editor's Notes

• #4: The root user account is the Linux system superuser and can perform any task. Some Linux commands cannot be run by anyone but the root user. The root account is created during the installation process, and it receives the account number 0 (zero); in contrast, normal (standard) user accounts receive ascending numbers beginning at 500 or 1000 depending on the distribution.
• #6: exit Return to account from which the su command was typed. When no su command has been typed, exit terminates the shell. When using a computer that uses a shell exclusively, exit logs the user out. logout Log out of the system, while leaving the system powered on. To give standard user accounts the permissions to execute a limited set of commands as the root user, use the sudo command.
• #10: There is a limited number of files on a Linux system owned by root or the root group that legitimately need the SUID or SGID permission set. Before changing permissions, first verify whether they actually have been set appropriately.
• #11: Administrators can prevent users from logging in to a Linux system. This may be necessary while troubleshooting problems or while responding to a security event.
• #15: Remove unneeded software Unneeded software takes disk space and could introduce security flaws. To remove unneeded software: Run one of the following commands: Use dnf list installed to see installed RPM packages on the computer. Use dpkg -get-selections to see installed Debian packages on the computer. Research the function of any unrecognized package to determine whether it is necessary. Use yum, rpm, or dpkg to uninstall unneeded packages. Check for unneeded network services Unneeded network services waste the computer's resources and might provide attackers with an entry point for an attack. To view a list of installed services, use one of the following commands: For init-based systems, run chkconfig at the shell prompt. For systemd-based systems, run systemctl list-unit-files at the shell prompt. Review the output of these commands and look for unusual or unrecognized services. Then use the man command and the Internet to determine whether they can be safely removed or disabled. Use chkconfig, insserv, or init to disable the service on init-based systems. On systemd distributions, you can use the systemctl disable or the systemctl mask command to disable a service. Alternatively, you could use yum, zypper, rpm, or dpkg to remove the package entirely. Locate open ports Open ports can provide information about what operating system a computer uses and can provide entry points for an attack. To locate open ports: Install the nmap utility (if not already installed). Use one of the following commands to scan for open ports: nmap -sT host_IP_address scans for open TCP ports nmap -sU host_IP_address scans for open UDP ports From the results of the scan, determine which ports to close and which services use the ports. Disable the services using those ports. Consider running nmap on the local system as well as from a different network host. This will reveal what ports are open and which services are actually allowed through the host's firewall. Check network connections Open network connections (e.g., open sockets) on a computer also create a security risk. A socket is an endpoint of a bidirectional communication flow across a computer network. Use the following netstat options to identify the open network connections on the Linux system: -a lists both listening and non-listening sockets. -l lists listening sockets. -s displays statistics for each protocol. -i displays a table of all network interfaces.
• #16: OpenSSH is a tool that encrypts network traffic over a network connection. OpenSSH is an open source implementation of the Secure Shell (SSH) protocol and implemented by default on most Linux distributions.
• #18: Symmetric Data Encryption Standard (DES) is an old encryption standard created by the National Security Agency in the 1970s. DES uses weak encryption and can be easily broken. Triple DES (3DES) is an enhanced version of DES. 3DES applies DES three times and uses a 168-bit key. Advanced Encryption Standard (AES) is a stronger encryption system that supports encryption key lengths up to 256 bits. AES is based on the Rijndael cipher developed by Joan Daemen and Vincent Rijmen. Blowfish is an older encryption system designed to replace DES. Blowfish uses 64-bit blocks and key lengths anywhere from 32 bits to 448 bits. Asymmetric Rivest, Shamir, and Adleman (RSA) is based on factoring large numbers into their prime values. RSA supports key-lengths from 1,024 to 4,096 bits. Digital Signature Algorithm (DSA) is a United States Government encryption standard often used for digital signing. DSA currently supports Secure Hashing Algorithm-1 (SHA-1), which uses key lengths between 160 and 256 bits, or SHA-2, which uses key lengths between 256 and 1024 bits. Diffie-Hellman Key Exchange was developed by Whitfield Diffie and Martin Hellman. It is a key agreement protocol that generates symmetric keys simultaneously at sender and recipient sites over non-secure channels. The Diffie-Hellman key exchange: Provides for key distribution and does not provide any cryptographic services. Is based on calculating discreet logarithms in a finite field. Is used in many algorithms and standards. Is subject to man-in-the-middle attacks and requires strong authentication to validate the endpoints.
• #20: Secure Shell (SSH) port tunneling encrypts data from non-secure protocols before sending the data over a network. Non-secure protocols, such as email and X server traffic, can be tunneled through SSH.
• #22: Public key authentication uses a public key instead of a username and password to authenticate an SSH connection.
• #24: Gnu Privacy Guard (GnuPG) is an encryption tool that encrypts and digitally signs email and also encrypts files. GnuPG is an implementation of the Pretty Good Privacy (PGP) protocol. It uses public/private key encryption to secure information.