Securing Linux Servers Best Practice Document
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
CISCO-CONFIG-COPY-MIB: Secure Copy Support
CISCO-CONFIG-COPY-MIB: Secure Copy Support The CISCO-CONFIG-COPY-MIB: Secure Copy Support feature enhances the CISCO-CONFIG-COPY-MIB by adding support for the copy Cisco IOS EXEC command, and implementing file transfers between a router and server using the secure copy protocol (scp). Feature Specifications for CISCO-CONFIG-COPY-MIB: Secure Copy Support Feature History Release Modification 12.3(2)T This feature was introduced. Supported Platforms Cisco 1710, Cisco 3600 series, Cisco 3725, Cisco 3745, Cisco 6400-NRP series, Cisco 7200, Cisco 7400, Cisco 7500, Cisco AS5300, Cisco AS5350, Cisco AS5400, Cisco AS5850, Cisco CVA 120, Cisco ICS 7750, Cisco ONS 15104, Cisco uBR 7200, Cisco uBR 925 Finding Support Information for Platforms and Cisco IOS Software Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel the login dialog box and follow the instructions that appear. Contents • , page 2 • How to Use Secure Copy Support, page 2 Configuration Examples for Secure Copy Support, page 3 Additional References, page 4 Command Reference, page 5 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA © 2007 Cisco Systems, Inc. All rights reserved. CISCO-CONFIG-COPY-MIB: Secure Copy Support Information About CISCO-CONFIG-COPY-MIB Secure Copy Support Information About CISCO-CONFIG-COPY-MIB Secure Copy Support • • CISCO-CONFIG-COPY-MIB Secure Copy Implementation CISCO-CONFIG-COPY-MIB is platform-independent and provides objects to allow the copy functionality. -
NETS1028 06 Backup and Change Mgmt
Security Design Backup and Change Management System Examination System Configuration Firewalls and Filters Hardening Software Backups and Change Management Access Control and Authentication Virtual Private Networking Logging and Monitoring Security Policy and Management Support SELinux Linux Systems Security NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Backup • Security breaches can cast doubt on entire installations or render them corrupt • Files or entire systems may have to be recovered from backup • Many tools are available to help with this task in Linux • Two of the more commonly used ones are rsync and duplicity https://en.wikipedia.org/wiki/Rsync http://duplicity.nongnu.org/features.html NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Legacy Tools • cp is the original way to make a copy of files, but assumptions people make cause problems in using it • GUI-based drag and drop tools make the assumptions problem worse • cpio, tar are archival tools created to copy files to backup media (tape by default) - satisfactory for years but they make it cumbersome to manage backup media https://en.wikipedia.org/wiki/Manuscript_culture • Various software packages provide frontends to these tools in order to make backup/restore easier to manage and more robust NETS1028 LINUX SYSTEMS SECURITY - DENNIS SIMPSON ©2015-2021 Rsync • Rsync has a command line interface which resembles a smart cp, and provides a base for many backup software packages with GUIs • Can preserve special files such as links and devices • Can copy -
The Science DMZ
The Science DMZ Brian Tierney, Eli Dart, Eric Pouyoul, Jason Zurawski ESnet Supporting Data-Intensive Research Workshop QuestNet 2013 Gold Coast, Australia July 2, 2013 What’s there to worry about? © Owen Humphreys/National Geographic Traveler Photo Contest 2013 7/2/13 2 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Science DMZ in 1 Slide Consists of three key components, all required: “Friction free” network path • Highly capable network devices (wire-speed, deep queues) • Virtual circuit connectivity option • Security policy and enforcement specific to science workflows • Located at or near site perimeter if possible Dedicated, high-performance Data Transfer Nodes (DTNs) • Hardware, operating system, libraries all optimized for transfer • Includes optimized data transfer tools such as Globus Online and GridFTP Performance measurement/test node • perfSONAR Details at http://fasterdata.es.net/science-dmz/ Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science Overview Part 1: • What is ESnet? • Science DMZ Motivation • Science DMZ Architecture Part 2: • PerfSONAR • The Data Transfer Node • Data Transfer Tools Part 3: • Science DMZ Security Best Practices • Conclusions Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science The Energy Sciences Network (ESnet) A Department of Energy Facility Naonal Fiber footprint Distributed Team of 35 Science Data Network Internaonal Collaboraons Mul3ple 10G waves 5 Lawrence Berkeley National Laboratory U.S. Department of Energy | Office of Science ESnetSC Supports Supports Research DOE at More Office than 300 of Institutions Science Across the U.S. Universities DOE laboratories The Office of Science supports: 27,000 Ph.D.s, graduate students, undergraduates, engineers, and technicians 26,000 users of open-access facilities 300 leading academic institutions 17 DOE laboratories 6 Lawrence Berkeley National Laboratory U.S. -
Install a VCS Release Key Via the Web Interface and CLI Configuration Example
Install a VCS Release Key via the Web Interface and CLI Configuration Example Contents Introduction Prerequisites Requirements Components Used Configure Web Interface Release Key Installation Example CLI Release Key Installation Example Verify Web interface Verification of Release Key Installation CLI Interface Verification of Release Key Installation Troubleshoot Introduction This document describes the installation of a release key to a Cisco Video Communication Server (VCS) via the web interface and the Command Line Interface (CLI). Prerequisites Requirements Cisco recommends that you have knowledge of these topics: VCS Installation Have Installed successfully the VCS and applied a valid IP address that is reachable via web interface and or CLI. Have applied for and received a release key valid for the VCS serial number. Have access to the VCS with both root (by CLI) and the admin account by web interface or CLI. Have downloaded a VCS software upgrade image from Cisco.com. Note: Installation guides can be found here: http://www.cisco.com/c/en/us/support/unified- communications/telepresence-video-communication-server-vcs/products-installation-guides- list.html Components Used The information in this document is based on these software versions: VCS Version x8.6.1 and x8.7.3 VCS Control x7.X and x8.X releases VCS Expressway x7.X and x8.X releases PuTTY (terminal emulation software) ---Alternatively, you could use any terminal emulation software that supports SSH such as Secure CRT, TeraTerm and so on. PSCP (PuTTY Secure Copy Protocol client) ---You can use any client that supports SCP. Licensing email with a Release Key or Upgrade Key. -
BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes
Sebastian Roschke, Feng Cheng, Christoph Meinel: "BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes" in Proceedings of the 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011), IEEE Press, Dublin, Ireland, pp. 399-406, 5, 2011. ISBN: 978-1-4244-9219-0. BALG: Bypassing Application Layer Gateways Using Multi-Staged Encrypted Shellcodes Sebastian Roschke Feng Cheng Christoph Meinel Hasso Plattner Institute (HPI) Hasso Plattner Institute (HPI) Hasso Plattner Institute (HPI) University of Potsdam University of Potsdam University of Potsdam 14482, Potsdam, Germany 14482, Potsdam, Germany 14482, Potsdam, Germany Email: [email protected] Email: [email protected] Email: [email protected] Abstract—Modern attacks are using sophisticated and inno- easily penetrated by simple tunneling. IDS needs to handle vative techniques. The utilization of cryptography, self-modified efficient evasion techniques. ALGs provide more restrictions code, and integrated attack frameworks provide more possibili- for network access by combining filtering on the application ties to circumvent most existing perimeter security approaches, such as firewalls and IDS. Even Application Layer Gateways layer and IDS techniques, such as deep packet inspection. (ALG) which enforce the most restrictive network access can be Most of ALG implementations provide filtering due to ap- exploited by using advanced attack techniques. In this paper, plication layer protocol compliance and even allow to block we propose a new attack for circumventing ALGs. By using certain commands within a specific protocol. Although ALGs polymorphic and encrypted shellcode, multiple shellcode stages, enforce a very restrictive access policy, it is still possible to protocol compliant and encrypted shell tunneling, and reverse channel discovery techniques, we are able to effectively bypass circumvent such devices by using modern attack techniques. -
Pcoip Management Console 20.01 Administrators Guide
Installing the PCoIP Management Console and Configuring Your System Installing the PCoIP Management Console and Configuring Your System The topics in this section contain information to help you get up and running quickly. Topics that refer to specific versions of PCoIP Management Console will be identified by the release number. Migrating, upgrading, or downgrading from other versions If you are migrating to a new PCoIP Management Console version see Migrating to a Newer Version. If you need to downgrade endpoints from firmware 5.0 or later to 4.8, see Downgrading Endpoints to Firmware 4.x. © 2020 Teradici 1 Installing PCoIP Management Console using vSphere Installing PCoIP Management Console using vSphere Once you have downloaded PCoIP Management Console, deploy it as an Open Virtual Appliance (OVA) using vSphere Client. To install PCoIP Management Console using vSphere Client: 1. Download the latest PCoIP Management Console OVA file to a location accessible from your vSphere Client. 2. Log in to your vSphere Client. 3. If you have more than one ESXi host, select the desired ESXi node; otherwise, there is no need to select a node. 4. From the vSphere client’s File menu, select Deploy OVF Template. 5. In the Source window, click Browse, select the PCoIP Management Console’s OVA file, click Open and Next. 6. In the OVF Template Details window, view the information and click Next. 7. In the End User License Agreement window, read the EULA information, click Accept and then Next. 8. In the Name and Location window, enter the name for your PCoIP Management Console and click Next. -
VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring Release 3.6 August 2002
VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring Release 3.6 August 2002 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Customer Order Number: DOC-7814742= Text Part Number: 78-14742-01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. -
Which Time Server Option Is Best for Synchronizing Your Clocks
WHICH TIME SERVER OPTION IS BEST FOR SYNCHRONIZING YOUR CLOCKS? Any electronic device that automatically displays REGARDING MASTER the current local time – your clocks, phone, tablet, TIME CONTROLLERS computer and even most TVs – has to pull that time from a time server. AND The time server acts as a messenger of sorts; IP NETWORK CLOCKS it reads the time from a reference clock and distributes that information via a computer network (ETHERNET OR WI-FI) to your device when the device requests it. The time server could be a local network time server or an internet time server. SNTP, or Simple Network Time Protocol, is an internet standard protocol that allows a clock or device to contact a server and get the current time. It’s a simplification of the more robustNTP (Network Time Protocol) and is used in most embedded devices and computers. Once the device receives the current Coordinated Universal Time (UTC), the device applies offsets such as time zone or daylight saving time considerations, as well as the time spent on the network retrieving the time, before displaying the accurate local time. January 2018 AMERICAN TIME WHITE PAPER BY: MAX BLOM When it comes to syncing time for your organization’s clocks, you have 3 options: Let’s take a look at how each of these options work, their pros and cons, and our recommendation. Port 123 is reserved specifically for External Server IP Address NTP/SNTP communication 1 The NIST – the U.S. Department of Commerce’s National Institute of Standards and Technology – is the primary source for synchronizing time systems in the U.S. -
Endrun TECHNOLOGIES Præcis Cntp Network Time Server
Smarter Timing Solutions EndRun TECHNOLOGIES Præcis Cntp Network Time Server User’s Manual Præcis Cntp Network Time Server User’s Manual EndRun Technologies 1360 North Dutton Avenue #200 Santa Rosa, California USA 95401 Phone 707-573-8633 • Fax 707-573-8619 Preface Thank you for purchasing the Præcis Cntp Network Time Server. Our goal in developing this product is to bring precise, Universal Coordinated Time (UTC) into your network quickly, easily and reliably. Your new Præcis Cntp is fabricated using the highest quality materials and manufacturing processes available today, and will give you years of troublefree service. About EndRun Technologies Founded in 1998 and headquartered in Santa Rosa, California, we are the leaders in the exciting new time and frequency distribution technology based on the Code Division Multiple Access (CDMA) mobile telecommunications infrastructure. Our innovative designs and painstaking attention to the details of efficient manufacturability have made us the first to bring this technology to the broad synchronization market at prices small businesses can afford. EndRun Technologies markets this technology in three major product lines: Network Time Sources/Servers – These units are configured for optimum performance in operation with network servers/networks running the Internet protocol known as the Network Time Protocol (NTP). Instrumentation Time and Frequency References – These products provide UTC traceable time and frequency signals for use in precision test and measurement instrumentation. OEM Time and Frequency Engines – These products provide the core time and frequency capabilities to our customers who require lower cost and tighter integration with their own products. About this manual This manual will guide you through simple installation and set up procedures. -
Configuring SSH and Telnet
Configuring SSH and Telnet This chapter describes how to configure Secure Shell Protocol (SSH) and Telnet on Cisco NX-OS devices. This chapter includes the following sections: • About SSH and Telnet, on page 1 • Licensing Requirements for SSH and Telnet, on page 3 • Prerequisites for SSH and Telnet, on page 3 • Guidelines and Limitations for SSH and Telnet, on page 3 • Default Settings for SSH and Telnet, on page 4 • Configuring SSH , on page 4 • Configuring Telnet, on page 15 • Verifying the SSH and Telnet Configuration, on page 17 • Configuration Example for SSH, on page 18 • Configuration Example for SSH Passwordless File Copy, on page 19 • Additional References for SSH and Telnet, on page 21 About SSH and Telnet This section includes information about SSH and Telnet. SSH Server You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients. The user authentication mechanisms supported for SSH are RADIUS, TACACS+, LDAP, and the use of locally stored usernames and passwords. SSH Client The SSH client feature is an application that runs over the SSH protocol to provide device authentication and encryption. The SSH client enables a Cisco NX-OS device to make a secure, encrypted connection to another Cisco NX-OS device or to any other device that runs the SSH server. This connection provides an outbound Configuring SSH and Telnet 1 Configuring SSH and Telnet SSH Server Keys connection that is encrypted. -
A Backup-As-A-Service (Baas) Software Solution
Universidade de Brasília Institute of Exact Sciences Department of Computer Science A Backup-as-a-Service (BaaS) Software Solution Heitor M. de Faria Dissertation presented as partial requirement for conclusion on the Professional Master in Applied Computing Advisor Prof. Dra. Priscila Solis Brasília 2018 Universidade de Brasília Institute of Exact Sciences Department of Computer Science A Backup-as-a-Service (BaaS) Software Solution Heitor M. de Faria Dissertation resented as partial requirement for conclusion do Professional Master in Applied Computing Prof. Dra. Priscila Solis (Advisor) CIC/UnB Prof. Dr. Jacir Bordim Dr. Georges Amvame-Nzê Universidade de Brasília Universidade de Brasília Prof. Dr. Marcelo Ladeira Coordinator of the Post-graduation Program in Applied Computing Brasília, July 1st, 2018 Abstract Backup is a replica of any data that can be used to restore its original form. However, the total amount of digital data created worldwide more than doubles every two years and is expected reach 44 trillions of gigabytes in 2020, bringing constant new challenges to backup processes. Enterprise backup is one of the oldest and most performed tasks by in- frastructure and operations professionals. Still, most backup systems have been designed and optimized for outdated environments and use cases. That fact, generates frustration over currently backup challenges and leads to a greater willingness to modernize and to consider new technologies. Traditional backup and archive solutions are no longer able to meet users current needs. The ideal modern currently backup and recovery software product should not only provide features to attend a traditional data center, but also allow the integration and exploration of the growing Cloud, including “backup client as a service” and “backup storage as a service”. -
Improving Read Performance with BP-Dags for Storage-Efficient File Backup
Send Orders for Reprints to [email protected] 90 The Open Electrical & Electronic Engineering Journal, 2013, 7, 90-97 Open Access Improving Read Performance with BP-DAGs for Storage-Efficient File Backup Tianming Yang*, Jing Zhang and Ningbo Hao International College, Huanghuai University, Henan, 463000, China Abstract: The continued growth of data and high-continuity of application have raised a critical and mounting demand on storage-efficient and high-performance data protection. New technologies, especially the D2D (Disk-to-Disk) de- duplication storage are therefore getting wide attention both in academic and industry in the recent years. Existing de- duplication systems mainly rely on duplicate locality inside the backup workload to achieve high throughput but suffer from read performance degrading under conditions of poor duplicate locality. This paper presents the design and perform- ance evaluation of a D2D-based de-duplication file backup system, which employs caching techniques to improve write throughput while encoding files as graphs called BP-DAGs (Bi-pointer-based Directed Acyclic Graphs). BP-DAGs not only satisfy the 'unique' chunk storing policy of de-duplication, but also help improve file read performance in case of poor duplicate locality workloads. Evaluation results show that the system can achieve comparable read performance than non de-duplication backup systems such as Bacula under representative workloads, and the metadata storage overhead for BP-DAGs are reasonably low. Keywords: Data De-duplication, File Backup, Storage-Efficient, Read Performance. 1. INTRODUCTION schemes are emerging to provide more storage-efficient and high performance data protection for enterprises [9-13]. Data explosion [1] has been forcing backups to expand storage capacity, which makes modern enterprises face sig- In de-duplication, files or streams are divided into chunks nificant cost pressures and data management challenges.